meta-selinux/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-allow-services-to-read-tmpfs-u.patch
Yi Zhao 6f88a2fba5 refpolicy: upgrade 20250213+git -> 20250923+git
ChangeLog:
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250618
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250923

Notable Changes

20250618:
* Updates to support screen 5.0.
* Add labeling for bcachefs.
* Various systemd updates and fixes.

20250923:
* Several updates and fixes for systemd
* Add new permissions and policy capabilities
* Drop reiserfs support (it was removed in kernel 6.13)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-10-01 20:36:39 +08:00

108 lines
5.2 KiB

From ea19bb6f4c7d130f0b2d2c025b6359a5a7f82c83 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 30 Aug 2024 12:39:48 +0800
Subject: [PATCH] policy/modules/system: allow services to read tmpfs under
/run/credentials/

$ mount | grep credentials
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)

Fixes:
avc: denied { search } for pid=106 comm="systemd-journal" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { read } for pid=114 comm="udevadm" name="/" dev="tmpfs"
ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { open } for pid=114 comm="udevadm"
path="/run/credentials/systemd-udev-load-credentials.service"
dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { read } for pid=353 comm="agetty" name="/" dev="tmpfs"
ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { open } for pid=353 comm="agetty"
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { getattr } for pid=353 comm="agetty"
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1

Upstream-Status: Pending
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/getty.te | 1 +
policy/modules/system/logging.te | 1 +
policy/modules/system/systemd.te | 1 +
policy/modules/system/udev.te | 1 +
4 files changed, 4 insertions(+)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index a900226bf..75b94785b 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
fs_search_cgroup_dirs(getty_t)
# for error condition handling
fs_getattr_xattr_fs(getty_t)
+fs_list_tmpfs(getty_t)
mcs_process_set_categories(getty_t)
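Review bot: the three getty_t denials quoted in the commit message are all tclass=dir on the root of the per-service tmpfs mount (read, open, getattr), and `fs_list_tmpfs(getty_t)` is the interface that covers exactly that set, but it grants directory-listing permissions on every tmpfs_t-labelled directory on the system, not only the mount under /run/credentials/getty@tty1.service. If the intent is limited to the credentials mount, a dedicated type for /run/credentials would keep the grant scoped; if the broad grant is acceptable, a one-line comment above the added line (in the style of `# for error condition handling` two lines up) stating that it is for the systemd credentials mount would tell the next reader why getty needs tmpfs access at all.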
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 45ed81867..a3afe5525 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
+fs_list_tmpfs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
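Review bot: the only syslogd_t denial quoted is `{ search }` on the tmpfs root, while `fs_list_tmpfs(syslogd_t)` also grants read, getattr and open on tmpfs_t directories; if journald only needs to traverse into /run/credentials/systemd-journald.service, `fs_search_tmpfs(syslogd_t)` is the narrower interface that matches the denial as shown. If the wider list permission was chosen deliberately (for instance because journald enumerates the credential directory), say so in the commit message so the choice is not read as over-granting. Placement between `fs_getattr_all_fs` and `fs_search_auto_mountpoints` keeps the existing alphabetical order, which is good.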
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cbc72d6a9..cbae29894 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1467,6 +1467,7 @@ files_watch_root_dirs(systemd_networkd_t)
files_list_runtime(systemd_networkd_t)
fs_getattr_all_fs(systemd_networkd_t)
+fs_list_tmpfs(systemd_networkd_t)
fs_search_cgroup_dirs(systemd_networkd_t)
fs_read_nsfs_files(systemd_networkd_t)
fs_watch_memory_pressure(systemd_networkd_t)
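Review bot: there is no AVC denial for systemd_networkd_t in the `Fixes:` list, although the mount listing does show /run/credentials/systemd-networkd.service; either add the denial that motivated `fs_list_tmpfs(systemd_networkd_t)` to the commit message or state that it was added pre-emptively for the same credentials mount, so that this hunk is not taken for an unrelated change when the patch is sent upstream (it is marked Upstream-Status: Pending).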
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e245a66a4..5cc9484eb 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -144,6 +144,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
+fs_list_tmpfs(udev_t)
fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)
fs_list_tmpfs(udev_t)
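Review bot: the added `+fs_list_tmpfs(udev_t)` duplicates the unchanged `fs_list_tmpfs(udev_t)` that already appears as the last context line of this same hunk, three lines below, so the udev_t denials quoted in the commit message (read and open on the credentials mount root) were already covered by the existing rule and the addition should be dropped. If the existing call sits inside a conditional or optional block in the full file and the unconditional copy is intended, the commit message should say so, because the hunk as shown reads as a pure duplicate.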
--
2.34.1