commit: 06fc14861d2845562804a6ffef47402b13fcbad0
Author: Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Mon Jan 3 21:21:59 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 7 02:09:25 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=06fc1486
systemd: Additional fixes for fs getattrs.
This may need to be allowed more broadly.
Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.te | 36 +++++++++++++++++++++++++++++-------
1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 95939f0f..7ccfbaf2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -482,8 +482,7 @@ files_search_all_mountpoints(systemd_generator_t)
files_list_usr(systemd_generator_t)
fs_list_efivars(systemd_generator_t)
-fs_getattr_cgroup(systemd_generator_t)
-fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_all_fs(systemd_generator_t)
init_create_runtime_files(systemd_generator_t)
init_manage_runtime_dirs(systemd_generator_t)
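Review bot: `fs_getattr_all_fs(systemd_generator_t)` replaces two type-specific interfaces (`fs_getattr_cgroup`, `fs_getattr_xattr_fs`) with a grant of filesystem getattr (statfs) on every filesystem type, and nothing in the hunk records why the wider grant is needed; the same substitution is made for systemd_hw_t, systemd_networkd_t, systemd_resolved_t, systemd_sessions_t, systemd_sysctl_t, systemd_sysusers_t, systemd_tmpfiles_t, systemd_update_done_t and systemd_userdbd_t in the later hunks. The description only says it "may need to be allowed more broadly", so a maintainer auditing these domains later cannot tell whether the broad form was required or a convenience. A one-line comment above the first occurrence, such as `# statfs on all fs types rather than per-type grants; see commit 06fc1486`, would preserve that intent, and the narrower pair is still used for systemd_user_runtime_dir_t in the last hunk, which suggests the per-type form remains viable where the affected filesystems are known.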
@@ -695,6 +694,9 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
files_search_runtime(systemd_hw_t)
+fs_getattr_all_fs(systemd_hw_t)
+fs_search_cgroup_dirs(systemd_hw_t)
+
selinux_get_fs_mount(systemd_hw_t)
selinux_use_status_page(systemd_hw_t)
@@ -822,6 +824,7 @@ fs_read_cgroup_files(systemd_logind_t)
fs_read_efivarfs_files(systemd_logind_t)
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
logging_send_audit_msgs(systemd_logind_t)
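Review bot: The added `fs_getattr_xattr_fs(systemd_logind_t)` sits after `fs_unmount_tmpfs`, while the surrounding fs_ calls in this hunk (`fs_read_efivarfs_files`, `fs_relabelfrom_tmpfs_dirs`, `fs_unmount_tmpfs`) are kept in alphabetical order; moving it up to sit before `fs_read_efivarfs_files` keeps the block consistent. The same ordering slip appears in the systemd_tmpfiles_t hunk, where `fs_getattr_all_fs` and `fs_search_cgroup_dirs` are appended after `fs_relabelfrom_tmpfs_dirs` rather than taking the slot the removed `fs_getattr_tmpfs`/`fs_getattr_xattr_fs` lines occupied before `fs_list_tmpfs`, and in the systemd_userdbd_t hunk, where `kernel_read_system_state` is inserted between the fs_ group and the init_ group instead of after it. Keeping the per-module alphabetical grouping makes it easier to spot duplicate or overly broad grants when these domains are reviewed.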
@@ -905,7 +908,6 @@ ifdef(`distro_redhat',`
tunable_policy(`systemd_logind_get_bootloader',`
fs_getattr_dos_fs(systemd_logind_t)
- fs_getattr_xattr_fs(systemd_logind_t)
fs_list_dos(systemd_logind_t)
fs_read_dos_files(systemd_logind_t)
@@ -1072,8 +1074,8 @@ files_read_etc_files(systemd_networkd_t)
files_watch_runtime_dirs(systemd_networkd_t)
files_watch_root_dirs(systemd_networkd_t)
files_list_runtime(systemd_networkd_t)
-fs_getattr_xattr_fs(systemd_networkd_t)
-fs_getattr_cgroup(systemd_networkd_t)
+
+fs_getattr_all_fs(systemd_networkd_t)
fs_search_cgroup_dirs(systemd_networkd_t)
fs_read_nsfs_files(systemd_networkd_t)
@@ -1412,6 +1414,9 @@ files_watch_root_dirs(systemd_resolved_t)
files_watch_runtime_dirs(systemd_resolved_t)
files_list_runtime(systemd_resolved_t)
+fs_getattr_all_fs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+
init_dgram_send(systemd_resolved_t)
seutil_read_file_contexts(systemd_resolved_t)
@@ -1462,6 +1467,9 @@ allow systemd_sessions_t self:process setfscreate;
allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
+fs_getattr_all_fs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+
kernel_read_kernel_sysctls(systemd_sessions_t)
kernel_dontaudit_getattr_proc(systemd_sessions_t)
@@ -1491,6 +1499,9 @@ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
files_read_etc_files(systemd_sysctl_t)
+fs_getattr_all_fs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+
systemd_log_parse_environment(systemd_sysctl_t)
#########################################
@@ -1504,6 +1515,9 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto;
files_manage_etc_files(systemd_sysusers_t)
+fs_getattr_all_fs(systemd_sysusers_t)
+fs_search_cgroup_dirs(systemd_sysusers_t)
+
kernel_read_kernel_sysctls(systemd_sysusers_t)
selinux_use_status_page(systemd_sysusers_t)
@@ -1587,10 +1601,10 @@ files_setattr_lock_dirs(systemd_tmpfiles_t)
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)
-fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_xattr_fs(systemd_tmpfiles_t)
fs_list_tmpfs(systemd_tmpfiles_t)
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_getattr_all_fs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_use_status_page(systemd_tmpfiles_t)
@@ -1679,6 +1693,9 @@ allow systemd_update_done_t systemd_update_run_t:file
manage_file_perms;
files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+fs_getattr_all_fs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+
kernel_read_kernel_sysctls(systemd_update_done_t)
selinux_use_status_page(systemd_update_done_t)
@@ -1787,8 +1804,12 @@ files_read_etc_files(systemd_userdbd_t)
files_read_etc_runtime_files(systemd_userdbd_t)
files_read_usr_files(systemd_userdbd_t)
+fs_getattr_all_fs(systemd_userdbd_t)
+fs_search_cgroup_dirs(systemd_userdbd_t)
fs_read_efivarfs_files(systemd_userdbd_t)
+kernel_read_system_state(systemd_userdbd_t)
+
init_stream_connect(systemd_userdbd_t)
init_search_runtime(systemd_userdbd_t)
init_read_state(systemd_userdbd_t)
@@ -1819,6 +1840,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
fs_read_cgroup_files(systemd_user_runtime_dir_t)
fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)