commit: ea5b8bd01a5db82b9fa80b8a62372bb038b180d2
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Jul 28 14:43:25 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 22:02:19 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea5b8bd0
systemd (#995)
* Some small systemd patches, including a fix for breakage in systemd-logind:
if it cannot statfs() /proc it can abort, fail to respond to D-Bus messages,
and cause a 25 second delay on login.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.te | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d16c07018..334d2c5fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1093,7 +1093,7 @@ stream_connect_pattern(systemd_logind_t,
systemd_userdbd_runtime_t, systemd_user
ps_process_pattern(systemd_logind_t, systemd_user_session_type,
systemd_user_session_type)
-kernel_dontaudit_getattr_proc(systemd_logind_t)
+kernel_getattr_proc(systemd_logind_t)
kernel_read_kernel_sysctls(systemd_logind_t)
auth_write_login_records(systemd_logind_t)
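Review bot: The dontaudit-to-allow switch on the `kernel_getattr_proc(systemd_logind_t)` line carries no in-policy comment, so the only explanation for why a rule that used to be silently denied is now granted lives in the commit message. The permission is getattr on the proc filesystem (what statfs() needs), which discloses little and matches the failure the commit describes, so the grant looks proportionate. Suggest recording the reason next to the rule, e.g. `# logind calls statfs() on /proc; a denial aborts the dbus reply and delays login ~25s`, as refpolicy does for other non-obvious grants. The systemd_logind_t rule block starts and ends outside the hunk.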
@@ -1290,6 +1290,7 @@ optional_policy(`
xserver_dbus_chat(systemd_logind_t)
xserver_dbus_chat_xdm(systemd_logind_t)
xserver_read_xdm_state(systemd_logind_t)
+ xserver_use_xdm_fds(systemd_logind_t)
')
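Review bot: `xserver_use_xdm_fds(systemd_logind_t)` grants logind `fd use` on xdm_t descriptors without saying which descriptor it receives; logind is not spawned by the display manager, so the fd presumably arrives over D-Bus (SCM_RIGHTS) or is leaked across the display manager's session setup, and the diff does not show which. If it is a leaked descriptor, the usual refpolicy answer is the dontaudit counterpart rather than an allow, since `fd use` lets logind keep operating on whatever xdm happened to have open. Suggest confirming from the AVC record and either adding a comment such as `# xdm hands logind a <what> fd over dbus` above the new line or switching to the dontaudit interface if the fd is not meant to be used. The optional_policy block starts outside the hunk.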
optional_policy(`
@@ -1401,6 +1402,8 @@ kernel_read_system_state(systemd_machine_id_setup_t)
init_read_runtime_files(systemd_machine_id_setup_t)
init_read_state(systemd_machine_id_setup_t)
+logging_send_syslog_msg(systemd_machine_id_setup_t)
+
systemd_log_parse_environment(systemd_machine_id_setup_t)
optional_policy(`
@@ -1836,6 +1839,7 @@ miscfiles_read_localization(systemd_passwd_agent_t)
seutil_search_default_contexts(systemd_passwd_agent_t)
userdom_use_user_terminals(systemd_passwd_agent_t)
+userdom_search_user_runtime(systemd_passwd_agent_t)
systemd_search_user_runtime(systemd_passwd_agent_t)
optional_policy(`
@@ -2068,7 +2072,7 @@ systemd_log_parse_environment(systemd_sessions_t)
# sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict
# sys_ptrace for kernel.yama.ptrace_scope
# net_admin for network sysctls
-allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace };
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace
sys_resource };
kernel_read_kernel_sysctls(systemd_sysctl_t)
kernel_request_load_module(systemd_sysctl_t)
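Review bot: The comment block directly above the capability rule documents why each of net_admin, sys_admin and sys_ptrace is needed, but the newly added sys_resource is not added to that list, so the justification convention the block established is broken on the first change to it. CAP_SYS_RESOURCE is broader than the named sysctl writes (it also lifts rlimit and quota checks), so the specific sysctl that raised the denial is worth recording; I cannot tell from the diff which one it is. Suggest extending the comment with `# sys_resource for <sysctl that raised the denial — confirm from the AVC record>` alongside the existing three lines. The systemd_sysctl_t rule block continues outside the hunk.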
@@ -2475,7 +2479,7 @@ fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
-kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
+kernel_getattr_proc(systemd_user_runtime_dir_t)
selinux_use_status_page(systemd_user_runtime_dir_t)