Package: selinux-policy-default
Version: 2:2.20140421-4
Followup-For: Bug #757994

Hello!

Attached you can find a patch which fixes this problem.
One cause was similar to #756729.

The cause was that it is possible to use a link to /dev/null as a
systemd service file, which is done for x11-common:

root@debselinux01:~# ls -lZ /lib/systemd/system/x11-common.service
lrwxrwxrwx. 1 root root system_u:object_r:systemd_unit_file_t:SystemLow 9 Jul 16 00:52 /lib/systemd/system/x11-common.service -> /dev/null
root@debselinux01:~# ls -lZ /dev/null
crw-rw-rw-. 1 root root system_u:object_r:null_device_t:SystemLow 1, 3 Aug 13 16:57 /dev/null
root@debselinux01:~# dpkg -S /lib/systemd/system/x11-common.service
systemd: /lib/systemd/system/x11-common.service

The patch allows systemd and friends to access null_device_t.

If it is easier for you, you can also pull the patch from
https://github.com/flonatel/refpolicy-experimental/tree/bugfix/757994-x11-common-fails-to-install

Kind regards

Andre
diff --git a/debian/patches/1001-systemd-unit-files-can-be-linked-to-dev-null b/debian/patches/1001-systemd-unit-files-can-be-linked-to-dev-null
new file mode 100644
index 0000000..69692b4
--- /dev/null
+++ b/debian/patches/1001-systemd-unit-files-can-be-linked-to-dev-null
@@ -0,0 +1,22 @@
+Systemd files can be a link to /dev/null.
+
+Signed-off-by: Andreas Florath <an...@flonatel.org>
+
+Index: refpolicy-experimental/policy/modules/system/systemd.if
+===================================================================
+--- refpolicy-experimental.orig/policy/modules/system/systemd.if
++++ refpolicy-experimental/policy/modules/system/systemd.if
+@@ -621,9 +621,13 @@ interface(`systemd_manage_all_unit_lnk_f
+ interface(`systemd_config_all_services',`
+ 	gen_require(`
+ 		attribute systemd_unit_file_type;
++		type null_device_t;
+ 	')
+ 
+ 	allow $1 systemd_unit_file_type:service all_service_perms;
++	# There is a special feature in systemd, that unit files can be
++	# linked to /dev/null.
++	allow $1 null_device_t:service { stop start status };
+ ')
+ 
+ 
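Review bot: the `gen_require` now pulls the raw kernel-layer type `type null_device_t;` into a system-layer interface in systemd.if; refpolicy convention is to reach device types through an interface in policy/modules/kernel/devices.if and call that from here, so the dependency is declared where the type lives. Separately, the new rule grants only `{ stop start status }` while the line above grants real unit files `all_service_perms`; if the intent is that masked units only ever see the operations maintainer scripts perform, say so in the comment, otherwise match the existing rule so a masked unit does not produce a fresh denial on the next operation that touches it. The comment would also read better if it named the mechanism: a unit symlinked to /dev/null is what `systemctl mask` produces, which is clearer than "a special feature in systemd". Finally, the patch header carries only a one-line summary and a Signed-off-by; adding the usual Debian patch fields, in particular a reference to Bug #757994, ties it to this report.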
diff --git a/debian/patches/series b/debian/patches/series
index 0707cc2..779ac0b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@
 0080-misc-daemon
 0090-selinux
 0100-chrome
+1001-systemd-unit-files-can-be-linked-to-dev-null
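Review bot: the new entry jumps from 0100 to 1001 while every other entry in the series follows a 00x0 sequence; if 1001 is deliberately marking a Debian-local fix that is not expected to go upstream, a short note in the patch header saying so would help the maintainer, otherwise 0110 fits the existing numbering.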

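The `ls -lZ` output above shows the two labels involved: the unit path itself carries systemd_unit_file_t, but the file it resolves to is /dev/null with null_device_t, and that is the label the `service` class check ends up against. The following is an added example, not code from the bug report or from the refpolicy patch, for auditing a system for the same situation: it lists every unit file that is a symlink to /dev/null (what `systemctl mask` creates) and reports the SELinux type of the link versus the type of its target. It assumes GNU coreutils (`readlink -f`, `stat -c %C`); on a host without SELinux the label is reported as "unknown". The directory arguments and unit names used in the usage line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Debian bug report or the refpolicy patch).
# Finds masked units (unit files symlinked to /dev/null) and shows the
# label pair the SELinux policy has to cover for them.
# Assumes GNU coreutils: readlink -f and stat -c %C.

# Extract the type field from a full context such as
# "system_u:object_r:null_device_t:SystemLow"; "?" or an empty string
# (no SELinux support) becomes "unknown".
context_type() {
    case "$1" in
        \?|'') echo unknown ;;
        *) printf '%s\n' "$1" | cut -d: -f3 ;;
    esac
}

# Print "unit-path -> /dev/null" for every symlink directly inside the
# given unit directories whose final target is /dev/null.
find_masked_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type l 2>/dev/null | while read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || continue
            if [ "$target" = "/dev/null" ]; then
                printf '%s -> %s\n' "$link" "$target"
            fi
        done
    done
    return 0
}

# Print "<type of the symlink itself> <type of its target>" for one unit
# path. On an SELinux host a masked unit reports something like
# "systemd_unit_file_t null_device_t": the first is what the policy
# already covers with systemd_unit_file_type, the second is what the
# service-class check actually hits. stat without -L labels the link,
# stat -L labels whatever it resolves to.
unit_label_types() {
    link_ctx=$(stat -c '%C' "$1" 2>/dev/null) || link_ctx='?'
    target_ctx=$(stat -L -c '%C' "$1" 2>/dev/null) || target_ctx='?'
    printf '%s %s\n' "$(context_type "$link_ctx")" "$(context_type "$target_ctx")"
}

# Usage (directories as on the Debian host in the report; hypothetical run):
#   for u in $(find_masked_units /lib/systemd/system /etc/systemd/system | cut -d' ' -f1); do
#       printf '%s: %s\n' "$u" "$(unit_label_types "$u")"
#   done
```

The type pair printed for each masked unit is the check to run after installing a policy change like the one attached: if the second field is still a type that the systemd_config_all_services callers are not allowed the `service` permissions on, the next `systemctl` operation on that unit will be denied again. `systemctl list-unit-files` lists the same units with state "masked", but it does not show the label of the target, which is the point here.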