diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch | 111 |
1 files changed, 0 insertions, 111 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch deleted file mode 100644 index a7338e1..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch +++ /dev/null | |||
| @@ -1,111 +0,0 @@ | |||
| 1 | From ec96260a28f9aae44afc8eec0e089bf95a36b557 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:54:17 +0530 | ||
| 4 | Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files | ||
| 5 | services | ||
| 6 | |||
| 7 | fix for systemd tmp files setup service while using refpolicy-minimum and | ||
| 8 | systemd as init manager. | ||
| 9 | |||
| 10 | these allow rules require kernel domain & files access, so added interfaces | ||
| 11 | at systemd.te to merge these allow rules. | ||
| 12 | |||
| 13 | without these changes we are getting avc denails like these and below | ||
| 14 | systemd services failure: | ||
| 15 | |||
| 16 | audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile" | ||
| 17 | path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd | ||
| 18 | _tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file | ||
| 19 | |||
| 20 | audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile" | ||
| 21 | name="kernel" dev="proc" ino=9341 scontext=system_u:system_r: | ||
| 22 | systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 | ||
| 23 | tclass=dir permissive=0 | ||
| 24 | |||
| 25 | [FAILED] Failed to start Create Static Device Nodes in /dev. | ||
| 26 | See 'systemctl status systemd-tmpfiles-setup-dev.service' for details. | ||
| 27 | |||
| 28 | [FAILED] Failed to start Create Volatile Files and Directories. | ||
| 29 | See 'systemctl status systemd-tmpfiles-setup.service' for details. | ||
| 30 | |||
| 31 | Upstream-Status: Pending | ||
| 32 | |||
| 33 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 34 | --- | ||
| 35 | policy/modules/kernel/files.if | 19 +++++++++++++++++++ | ||
| 36 | policy/modules/kernel/kernel.if | 23 +++++++++++++++++++++++ | ||
| 37 | policy/modules/system/systemd.te | 3 +++ | ||
| 38 | 3 files changed, 45 insertions(+) | ||
| 39 | |||
| 40 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if | ||
| 41 | index 1cedea2..4ea7d55 100644 | ||
| 42 | --- a/policy/modules/kernel/files.if | ||
| 43 | +++ b/policy/modules/kernel/files.if | ||
| 44 | @@ -6729,3 +6729,22 @@ interface(`files_unconfined',` | ||
| 45 | |||
| 46 | typeattribute $1 files_unconfined_type; | ||
| 47 | ') | ||
| 48 | + | ||
| 49 | +######################################## | ||
| 50 | +## <summary> | ||
| 51 | +## systemd tmp files access to kernel tmp files domain | ||
| 52 | +## </summary> | ||
| 53 | +## <param name="domain"> | ||
| 54 | +## <summary> | ||
| 55 | +## Domain allowed access. | ||
| 56 | +## </summary> | ||
| 57 | +## </param> | ||
| 58 | +# | ||
| 59 | +interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',` | ||
| 60 | + gen_require(` | ||
| 61 | + type tmp_t; | ||
| 62 | + class lnk_file getattr; | ||
| 63 | + ') | ||
| 64 | + | ||
| 65 | + allow $1 tmp_t:lnk_file getattr; | ||
| 66 | +') | ||
| 67 | diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if | ||
| 68 | index f1130d1..4604441 100644 | ||
| 69 | --- a/policy/modules/kernel/kernel.if | ||
| 70 | +++ b/policy/modules/kernel/kernel.if | ||
| 71 | @@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',` | ||
| 72 | typeattribute $1 kern_unconfined; | ||
| 73 | kernel_load_module($1) | ||
| 74 | ') | ||
| 75 | + | ||
| 76 | +######################################## | ||
| 77 | +## <summary> | ||
| 78 | +## systemd tmp files access to kernel sysctl domain | ||
| 79 | +## </summary> | ||
| 80 | +## <param name="domain"> | ||
| 81 | +## <summary> | ||
| 82 | +## Domain allowed access. | ||
| 83 | +## </summary> | ||
| 84 | +## </param> | ||
| 85 | +# | ||
| 86 | +interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',` | ||
| 87 | + gen_require(` | ||
| 88 | + type sysctl_kernel_t; | ||
| 89 | + class dir search; | ||
| 90 | + class file { open read }; | ||
| 91 | + ') | ||
| 92 | + | ||
| 93 | + allow $1 sysctl_kernel_t:dir search; | ||
| 94 | + allow $1 sysctl_kernel_t:file { open read }; | ||
| 95 | + | ||
| 96 | +') | ||
| 97 | + | ||
| 98 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| 99 | index 22021eb..8813664 100644 | ||
| 100 | --- a/policy/modules/system/systemd.te | ||
| 101 | +++ b/policy/modules/system/systemd.te | ||
| 102 | @@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
| 103 | allow systemd_tmpfiles_t self:capability net_admin; | ||
| 104 | |||
| 105 | allow systemd_tmpfiles_t init_t:file { open getattr read }; | ||
| 106 | + | ||
| 107 | +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) | ||
| 108 | +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) | ||
| 109 | -- | ||
| 110 | 1.9.1 | ||
| 111 | |||