aboutsummaryrefslogtreecommitdiffstats
path: root/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-allow-services-to-read-tmpfs-u.patch
blob: 1324a17be5854fbe7994059c352fd26811261962 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
From 33bc8d28c406ffd7a6aef2f390734b3f5bdfc5a3 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 30 Aug 2024 12:39:48 +0800
Subject: [PATCH] policy/modules/system: allow services to read tmpfs under
 /run/credentials/

$ mount | grep credentials
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)

Fixes:
avc:  denied  { search } for  pid=106 comm="systemd-journal" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1

avc:  denied  { read } for  pid=114 comm="udevadm" name="/" dev="tmpfs"
ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1

avc:  denied  { open } for  pid=114 comm="udevadm"
path="/run/credentials/systemd-udev-load-credentials.service"
dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1

avc:  denied  { read } for  pid=353 comm="agetty" name="/" dev="tmpfs"
ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1

avc:  denied  { open } for  pid=353 comm="agetty"
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=353 comm="agetty"
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1

Upstream-Status: Pending

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 policy/modules/system/getty.te   | 1 +
 policy/modules/system/logging.te | 1 +
 policy/modules/system/systemd.te | 1 +
 policy/modules/system/udev.te    | 1 +
 4 files changed, 4 insertions(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index a900226bf..75b94785b 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
 fs_search_cgroup_dirs(getty_t)
 # for error condition handling
 fs_getattr_xattr_fs(getty_t)
+fs_list_tmpfs(getty_t)
 
 mcs_process_set_categories(getty_t)
 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 086498936..dca46f105 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -491,6 +491,7 @@ files_read_kernel_symbol_table(syslogd_t)
 files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
 fs_getattr_all_fs(syslogd_t)
+fs_list_tmpfs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
 
 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9375e8926..24fc90838 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1294,6 +1294,7 @@ files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
 
 fs_getattr_all_fs(systemd_networkd_t)
+fs_list_tmpfs(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
 fs_watch_memory_pressure(systemd_networkd_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b2e43aa7d..f543a48d2 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_list_tmpfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 fs_search_tracefs(udev_t)
-- 
2.25.1