From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 28 Sep 2021 10:03:04 +0800
Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the attributes of tmpfs and cgroups

Fixes:
avc: denied { getattr } for pid=245 comm="systemd-network" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
avc: denied { search } for pid=293 comm="systemd-user-ru" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 448905ff7..847895e63 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
 files_search_var_lib(systemd_backlight_t)
+fs_getattr_tmpfs(systemd_backlight_t)
+fs_search_cgroup_dirs(systemd_backlight_t)
+fs_getattr_cgroup(systemd_backlight_t)
+
 #######################################
 #
 # Binfmt local policy
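Review bot: The three rules added for systemd_backlight_t in this hunk are not backed by any of the four AVC denials quoted in the commit message, which name only systemd_networkd_t, systemd_resolved_t, systemd_sessions_t and systemd_user_runtime_dir_t; the same applies to the generator, hostnamed, modules_load, rfkill, sysctl, tmpfiles and update_done hunks later in the patch. The interfaces are narrow (getattr on the tmpfs and cgroup filesystems, search on cgroup directories), so the added exposure is small, but allow rules with no recorded denial leave no trail for a later audit to decide whether they are still needed. Either add the matching denials for those domains to the commit message or limit the change to the domains that have one, and a short comment above each group such as `# statfs on tmpfs mounts and lookups under the cgroup hierarchy (presumably via libsystemd; confirm against the denials)` would record the intent. The systemd_networkd_t and systemd_user_runtime_dir_t hunks match their denials exactly and need nothing further.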
@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
 fs_list_efivars(systemd_generator_t)
 fs_getattr_cgroup(systemd_generator_t)
 fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
 # Allow reading /run/udev/data/+dmi:id
 udev_read_runtime_files(systemd_hostnamed_t)
+fs_getattr_tmpfs(systemd_hostnamed_t)
+fs_search_cgroup_dirs(systemd_hostnamed_t)
+fs_getattr_cgroup(systemd_hostnamed_t)
+
 optional_policy(`
 dbus_connect_system_bus(systemd_hostnamed_t)
 dbus_system_bus_client(systemd_hostnamed_t)
@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
 files_mmap_read_kernel_modules(systemd_modules_load_t)
 files_read_etc_files(systemd_modules_load_t)
+fs_getattr_tmpfs(systemd_modules_load_t)
+fs_search_cgroup_dirs(systemd_modules_load_t)
+fs_getattr_cgroup(systemd_modules_load_t)
+
 modutils_read_module_config(systemd_modules_load_t)
 modutils_read_module_deps(systemd_modules_load_t)
@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
 fs_getattr_xattr_fs(systemd_networkd_t)
+fs_getattr_tmpfs(systemd_networkd_t)
 fs_getattr_cgroup(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
 systemd_log_parse_environment(systemd_rfkill_t)
+fs_getattr_tmpfs(systemd_rfkill_t)
+fs_search_cgroup_dirs(systemd_rfkill_t)
+fs_getattr_cgroup(systemd_rfkill_t)
+
 #########################################
 #
 # Resolved local policy
@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
 files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
 files_list_runtime(systemd_resolved_t)
+fs_getattr_tmpfs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+fs_getattr_cgroup(systemd_resolved_t)
 init_dgram_send(systemd_resolved_t)
@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
 systemd_log_parse_environment(systemd_sessions_t)
+fs_getattr_tmpfs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+fs_getattr_cgroup(systemd_sessions_t)
+
 ########################################
 #
 # sysctl local policy
@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
 kernel_dontaudit_getattr_proc(systemd_sysctl_t)
 files_read_etc_files(systemd_sysctl_t)
+fs_getattr_tmpfs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+fs_getattr_cgroup(systemd_sysctl_t)
 systemd_log_parse_environment(systemd_sysctl_t)
@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_cgroup(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+fs_getattr_tmpfs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+fs_getattr_cgroup(systemd_update_done_t)
+
 kernel_read_kernel_sysctls(systemd_update_done_t)
 selinux_use_status_page(systemd_update_done_t)
@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
-- 
2.17.1