summaryrefslogtreecommitdiffstats
path: root/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2023-07-27 14:07:48 -0400
committerJoe MacDonald <joe@deserted.net>2023-07-31 15:05:30 -0400
commit1924d975283210f0c36bc3c0e8ce516ccc06961f (patch)
tree494be7575b6219b816613ddefb6072973d8e78d4 /recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
parent4f3ec6e10f13aaf19fbca9a18547f9e72ba1ec0a (diff)
downloadmeta-selinux-dunfell.tar.gz
refpolicy: update to 20200229+gitdunfell
* Drop obsolete and unused patches. * Rebase patches. * Add patches to make systemd and sysvinit can work with all policy types. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> (cherry picked from commit 15fed8756aa4828fa12a3d813754b4ca65a7607d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch')
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch110
1 files changed, 0 insertions, 110 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
deleted file mode 100644
index 05543da..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ /dev/null
@@ -1,110 +0,0 @@
1From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:54:17 +0530
4Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
5 services
6
7fix for systemd tmp files setup service while using refpolicy-minimum and
8systemd as init manager.
9
10these allow rules require kernel domain & files access, so added interfaces
11at systemd.te to merge these allow rules.
12
13without these changes we are getting avc denails like these and below
14systemd services failure:
15
16audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
17path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
18_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
19
20audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
21name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
22systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
23tclass=dir permissive=0
24
25[FAILED] Failed to start Create Static Device Nodes in /dev.
26See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
27
28[FAILED] Failed to start Create Volatile Files and Directories.
29See 'systemctl status systemd-tmpfiles-setup.service' for details.
30
31Upstream-Status: Pending
32
33Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
34Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
35---
36 policy/modules/kernel/files.if | 19 +++++++++++++++++++
37 policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
38 policy/modules/system/systemd.te | 2 ++
39 3 files changed, 42 insertions(+)
40
41diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
42index eb067ad3..ff74f55a 100644
43--- a/policy/modules/kernel/files.if
44+++ b/policy/modules/kernel/files.if
45@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
46
47 typeattribute $1 files_unconfined_type;
48 ')
49+
50+########################################
51+## <summary>
52+## systemd tmp files access to kernel tmp files domain
53+## </summary>
54+## <param name="domain">
55+## <summary>
56+## Domain allowed access.
57+## </summary>
58+## </param>
59+#
60+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
61+ gen_require(`
62+ type tmp_t;
63+ class lnk_file getattr;
64+ ')
65+
66+ allow $1 tmp_t:lnk_file getattr;
67+')
68diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
69index 1ad282aa..342eb033 100644
70--- a/policy/modules/kernel/kernel.if
71+++ b/policy/modules/kernel/kernel.if
72@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
73 allow $1 unlabeled_t:infiniband_endport manage_subnet;
74 ')
75
76+########################################
77+## <summary>
78+## systemd tmp files access to kernel sysctl domain
79+## </summary>
80+## <param name="domain">
81+## <summary>
82+## Domain allowed access.
83+## </summary>
84+## </param>
85+#
86+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
87+ gen_require(`
88+ type sysctl_kernel_t;
89+ class dir search;
90+ class file { open read };
91+ ')
92+
93+ allow $1 sysctl_kernel_t:dir search;
94+ allow $1 sysctl_kernel_t:file { open read };
95+
96+')
97diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
98index f1d26a44..b4c64bc1 100644
99--- a/policy/modules/system/systemd.te
100+++ b/policy/modules/system/systemd.te
101@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
102
103 seutil_read_file_contexts(systemd_update_done_t)
104
105+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
106+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
107 systemd_log_parse_environment(systemd_update_done_t)
108--
1092.19.1
110
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-05-13 14:18:20 +0000