1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Thu, 4 Feb 2021 10:48:54 +0800
Subject: [PATCH] policy/modules/system/systemd: support systemd --user
Fixes:
$ systemctl status user@0.service
* user@0.service - User Manager for UID 0
Loaded: loaded (/lib/systemd/system/user@.service; static)
Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
Docs: man:user@.service(5)
Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
Main PID: 1502 (code=exited, status=1/FAILURE)
Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/roles/sysadm.te | 2 +
policy/modules/system/init.if | 1 +
policy/modules/system/logging.te | 5 ++-
policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++-
4 files changed, 81 insertions(+), 2 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1642f3b93..1de7e441d 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
# Allow sysadm to resolve the username of dynamic users by calling
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
+
+ systemd_sysadm_user(sysadm_t)
')
tunable_policy(`allow_ptrace',`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ba533ba1a..98e94283f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
')
allow $1 init_t:unix_stream_socket connectto;
+ allow $1 initrc_t:unix_stream_socket connectto;
')
########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d864cfd3d..bdd97631c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
# for systemd-journal
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
allow syslogd_t self:capability2 audit_read;
- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
# remove /run/log/journal when switching to permanent storage
@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
systemd_manage_journal_files(syslogd_t)
udev_read_runtime_files(syslogd_t)
+
+ userdom_search_user_runtime(syslogd_t)
+ systemd_search_user_runtime(syslogd_t)
')
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 6a66a2d79..152139261 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -30,6 +30,7 @@ template(`systemd_role_template',`
attribute systemd_user_session_type, systemd_log_parse_env_type;
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
type systemd_run_exec_t, systemd_analyze_exec_t;
+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
')
#################################
@@ -55,10 +56,42 @@ template(`systemd_role_template',`
allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
+ allow $1_systemd_t self:process setrlimit;
+
+ kernel_getattr_proc($1_systemd_t)
+ fs_watch_cgroup_files($1_systemd_t)
+ files_watch_etc_dirs($1_systemd_t)
+
+ userdom_search_user_home_dirs($1_systemd_t)
+ allow $1_systemd_t $3:dir search_dir_perms;
+ allow $1_systemd_t $3:file read_file_perms;
+
+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
+
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
# This domain is per-role because of the below transitions.
# See the systemd --user section of systemd.te for the
# remainder of the rules.
- allow $1_systemd_t $3:process { setsched rlimitinh };
+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
corecmd_shell_domtrans($1_systemd_t, $3)
corecmd_bin_domtrans($1_systemd_t, $3)
allow $1_systemd_t self:process signal;
@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
init_search_runtime($1)
allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
init_unix_stream_socket_connectto($1)
')
@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
allow $1 systemd_machined_t:fd use;
allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
')
+
+#########################################
+## <summary>
+## sysadm user for systemd --user
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_sysadm_user',`
+ gen_require(`
+ type sysadm_systemd_t;
+ ')
+
+ allow sysadm_systemd_t self:capability { mknod sys_admin };
+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
+ allow $1 sysadm_systemd_t:system reload;
+')
+
+#######################################
+## <summary>
+## Search systemd users runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_search_user_runtime',`
+ gen_require(`
+ type systemd_user_runtime_t;
+ ')
+
+ allow $1 systemd_user_runtime_t:dir search_dir_perms;
+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
+')
--
2.17.1
|
