path: root/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch

From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Tue, 28 Sep 2021 10:03:04 +0800
Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
 attributes of tmpfs and cgroups

Fixes:
avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0

Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 448905ff7..847895e63 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
 
 files_search_var_lib(systemd_backlight_t)
 
+fs_getattr_tmpfs(systemd_backlight_t)
+fs_search_cgroup_dirs(systemd_backlight_t)
+fs_getattr_cgroup(systemd_backlight_t)
+
 #######################################
 #
 # Binfmt local policy
@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
 fs_list_efivars(systemd_generator_t)
 fs_getattr_cgroup(systemd_generator_t)
 fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
 # Allow reading /run/udev/data/+dmi:id
 udev_read_runtime_files(systemd_hostnamed_t)
 
+fs_getattr_tmpfs(systemd_hostnamed_t)
+fs_search_cgroup_dirs(systemd_hostnamed_t)
+fs_getattr_cgroup(systemd_hostnamed_t)
+
 optional_policy(`
 	dbus_connect_system_bus(systemd_hostnamed_t)
 	dbus_system_bus_client(systemd_hostnamed_t)
@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
 files_mmap_read_kernel_modules(systemd_modules_load_t)
 files_read_etc_files(systemd_modules_load_t)
 
+fs_getattr_tmpfs(systemd_modules_load_t)
+fs_search_cgroup_dirs(systemd_modules_load_t)
+fs_getattr_cgroup(systemd_modules_load_t)
+
 modutils_read_module_config(systemd_modules_load_t)
 modutils_read_module_deps(systemd_modules_load_t)
 
@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
 fs_getattr_xattr_fs(systemd_networkd_t)
+fs_getattr_tmpfs(systemd_networkd_t)
 fs_getattr_cgroup(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
 
 systemd_log_parse_environment(systemd_rfkill_t)
 
+fs_getattr_tmpfs(systemd_rfkill_t)
+fs_search_cgroup_dirs(systemd_rfkill_t)
+fs_getattr_cgroup(systemd_rfkill_t)
+
 #########################################
 #
 # Resolved local policy
@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
 files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
 files_list_runtime(systemd_resolved_t)
+fs_getattr_tmpfs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+fs_getattr_cgroup(systemd_resolved_t)
 
 init_dgram_send(systemd_resolved_t)
 
@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
 
 systemd_log_parse_environment(systemd_sessions_t)
 
+fs_getattr_tmpfs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+fs_getattr_cgroup(systemd_sessions_t)
+
 ########################################
 #
 # sysctl local policy
@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
 kernel_dontaudit_getattr_proc(systemd_sysctl_t)
 
 files_read_etc_files(systemd_sysctl_t)
+fs_getattr_tmpfs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+fs_getattr_cgroup(systemd_sysctl_t)
 
 systemd_log_parse_environment(systemd_sysctl_t)
 
@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_cgroup(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 
+fs_getattr_tmpfs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+fs_getattr_cgroup(systemd_update_done_t)
+
 kernel_read_kernel_sysctls(systemd_update_done_t)
 
 selinux_use_status_page(systemd_update_done_t)
@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
-- 
2.17.1