1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Thu, 4 Feb 2021 10:48:54 +0800
Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
Fixes:
systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
--user to connect to bus of other user)
avc: denied { connectto } for pid=293 comm="login"
path="/run/systemd/userdb/io.systemd.Multiplexer"
scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=0
avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn"
dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
permissive=0
avc: denied { read } for pid=293 comm="login"
name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
permissive=0
avc: denied { connectto } for pid=244 comm="systemd-logind"
path="/run/systemd/userdb/io.systemd.Multiplexer"
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=0
avc: denied { read } for pid=244 comm="systemd-logind"
name="io.systemd.DropIn" dev="tmpfs" ino=44
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
permissive=0
avc: denied { read } for pid=244 comm="systemd-logind"
name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
permissive=0
avc: denied { mknod } for pid=297 comm="systemd" capability=27
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
avc: denied { setrlimit } for pid=297 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
avc: denied { bpf } for pid=297 comm="systemd" capability=39
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
avc: denied { perfmon } for pid=297 comm="systemd" capability=38
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
ino=173 scontext=root:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:etc_t tclass=dir permissive=0
avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
ino=2 scontext=root:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/roles/sysadm.te | 2 ++
policy/modules/system/init.if | 1 +
policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 46d3e2f0b..e1933a5bd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
# Allow sysadm to query and set networking settings on the system.
systemd_dbus_chat_networkd(sysadm_t)
fs_read_nsfs_files(sysadm_t)
+
+ systemd_sysadm_user(sysadm_t)
')
tunable_policy(`allow_ptrace',`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 0171ee299..8ca29f654 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
')
allow $1 init_t:unix_stream_socket connectto;
+ allow $1 initrc_t:unix_stream_socket connectto;
')
########################################
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 38adf050c..5c44d8d8a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -57,7 +57,7 @@ template(`systemd_role_template',`
allow $1_systemd_t self:process { getsched signal };
allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
corecmd_shell_domtrans($1_systemd_t, $3)
corecmd_bin_domtrans($1_systemd_t, $3)
@@ -88,8 +88,11 @@ template(`systemd_role_template',`
fs_manage_cgroup_files($1_systemd_t)
fs_watch_cgroup_files($1_systemd_t)
+ files_watch_etc_dirs($1_systemd_t)
+ fs_getattr_xattr_fs($1_systemd_t)
kernel_dontaudit_getattr_proc($1_systemd_t)
+ kernel_read_network_state($1_systemd_t)
selinux_use_status_page($1_systemd_t)
@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
init_search_runtime($1)
allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
init_unix_stream_socket_connectto($1)
')
@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
allow $1 systemd_machined_t:fd use;
allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
')
+
+#########################################
+## <summary>
+## sysadm user for systemd --user
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_sysadm_user',`
+ gen_require(`
+ type sysadm_systemd_t;
+ ')
+
+ allow sysadm_systemd_t self:capability { mknod sys_admin };
+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
+ allow sysadm_systemd_t self:process setrlimit;
+ allow $1 sysadm_systemd_t:system reload;
+')
--
2.17.1
|
