refpolicy: files, init - filetrans /run/machine-id etc_runtime_t

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2026-01-01 13:58:04 +00:00 · 2025-04-07 10:58:35 -06:00 · 2025-04-07 10:58:35 -06:00 · 928c820a1d
commit 928c820a1d
parent 311c945900
2 changed files with 110 additions and 0 deletions
--- a/recipes-security/refpolicy/refpolicy/0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch
+++ b/recipes-security/refpolicy/refpolicy/0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch
@ -0,0 +1,109 @@
+From befa4fcb91c883c9ff93f0080d12d3d5004dc8cc Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Fri, 14 Mar 2025 09:04:49 -0600
+Subject: [PATCH] files, init: filetrans /run/machine-id etc_runtime_t
+
+type=PROCTITLE proctitle=/usr/lib/systemd/systemd-logind
+
+type=SYSCALL arch=armeb syscall=openat per=PER_LINUX success=yes exit=21
+a0=AT_FDCWD a1=0xb6eb6c2c a2=O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC
+a3=0x0 items=0 ppid=1 pid=435 auid=unset uid=root gid=root euid=root
+suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
+comm=systemd-logind exe=/usr/lib/systemd/systemd-logind
+subj=system_u:system_r:systemd_logind_t:s0 key=(null)
+
+type=AVC avc:  denied  { open } for  pid=435 comm=systemd-logind
+path=/etc/machine-id dev="tmpfs" ino=13
+scontext=system_u:system_r:systemd_logind_t:s0
+tcontext=system_u:object_r:init_runtime_t:s0 tclass=file
+
+type=AVC avc:  denied  { read } for  pid=435 comm=systemd-logind
+name=machine-id dev="tmpfs" ino=13
+scontext=system_u:system_r:systemd_logind_t:s0
+tcontext=system_u:object_r:init_runtime_t:s0 tclass=file
+
+--
+
+https://www.spinics.net/lists/systemd-devel/msg09631.html
+Reproduction and suggestion to use dedicated type (TODO)
+
+--
+
+Fedora:
+
+$ matchpathcon /run/machine-id
+/run/machine-id system_u:object_r:machineid_t:s0
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.fc#L67
+
+$ sesearch --type_transition --class file --source init_t
+--target var_run_t | grep machine
+type_transition init_t var_run_t:file machineid_t machine-id;
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.te#L241
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/e053fced8c911bc390a81ca5ee7f3baccecb70e1]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/kernel/files.fc |  1 +
+ policy/modules/kernel/files.if | 19 +++++++++++++++++++
+ policy/modules/system/init.te  |  1 +
+ 3 files changed, 21 insertions(+)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index c5012e6b4..3cdfd2f80 100644
+--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
+@@ -154,6 +154,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
+ /run			-l	gen_context(system_u:object_r:var_run_t,s0)
+ /run/shm		-l	gen_context(system_u:object_r:var_run_t,s0)
+ /run/.*				<<none>>
+/run/machine-id		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ 
+ #
+ # /selinux
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index f2c714579..9ade962a9 100644
+--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
+@@ -3734,6 +3734,25 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
+ 	dontaudit $1 etc_runtime_t:file setattr;
+ ')
+ 
+########################################
+## <summary>
+##	Create a machine-id file in
+##	the runtime directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_runtime_filetrans_machine_id',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	files_runtime_filetrans($1, etc_runtime_t, file, "machine-id")
+')
+
+ ########################################
+ ## <summary>
+ ##	Read files in /etc that are dynamically
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 8af34aa7e..026f77c16 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -178,6 +178,7 @@ allow init_t init_linkable_keyring_type:key link;
+ # For /var/run/shutdown.pid.
+ allow init_t init_runtime_t:file manage_file_perms;
+ files_runtime_filetrans(init_t, init_runtime_t, file)
+files_runtime_filetrans_machine_id(init_t)
+ 
+ # for /run/initctl
+ allow init_t init_runtime_t:fifo_file manage_fifo_file_perms;
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@ -77,6 +77,7 @@ SRC_URI += " \
        file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
        file://0060-policy-modules-services-firewalld-fix-lib_t-python_c.patch \
        file://0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch \
+        file://0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch \
        "

 S = "${WORKDIR}/refpolicy"