diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch | 103 |
1 files changed, 0 insertions, 103 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch deleted file mode 100644 index 27cbc9f..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:54:09 +0530 -Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal - service - -1. fix for systemd services: login & journal wile using refpolicy-minimum and -systemd as init manager. -2. fix login duration after providing root password. - -without these changes we are getting avc denails like these and below -systemd services failure: - -audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/ -systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r: -local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 -tclass=fifo_file permissive=0 - -audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path -="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r: -systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file - -audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u: -system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path -="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl ---flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r: -lib_t:s0 tclass=service - -[FAILED] Failed to start Flush Journal to Persistent Storage. -See 'systemctl status systemd-journal-flush.service' for details. - -[FAILED] Failed to start Login Service. -See 'systemctl status systemd-logind.service' for details. - -[FAILED] Failed to start Avahi mDNS/DNS-SD Stack. -See 'systemctl status avahi-daemon.service' for details. - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 2 ++ - policy/modules/system/locallogin.te | 3 +++ - policy/modules/system/systemd.if | 6 ++++-- - policy/modules/system/systemd.te | 2 +- - 4 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index d6a0270a..035c7ad2 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read; - - allow initrc_t init_t:system { start status reboot }; - allow initrc_t init_var_run_t:service { start status }; -+ -+allow initrc_t init_var_run_t:service stop; -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 75750e4c..2c2cfc7d 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock}; - allow local_login_t var_run_t:sock_file write; - allow local_login_t tmpfs_t:dir { add_name write search}; - allow local_login_t tmpfs_t:file { create open read write lock }; -+allow local_login_t init_var_run_t:fifo_file write; -+allow local_login_t initrc_t:dbus send_msg; -+allow initrc_t local_login_t:dbus send_msg; -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 8fc61843..1166505f 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',` - # - interface(`systemd_service_lib_function',` - gen_require(` -- class service start; -+ class service { start status stop }; -+ class file { execmod open }; - ') - -- allow initrc_t $1:service start; -+ allow initrc_t $1:service { start status stop }; -+ allow initrc_t $1:file execmod; - - ') -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index a1ef6990..a62c3c38 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; - - allow systemd_tmpfiles_t init_t:dir search; - allow systemd_tmpfiles_t proc_t:filesystem getattr; --allow systemd_tmpfiles_t init_t:file read; -+allow systemd_tmpfiles_t init_t:file { open getattr read }; - allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; - - kernel_getattr_proc(systemd_tmpfiles_t) --- -2.19.1 - |