commit:     fde90b82b10e32324d96deca43928f448d8dd932
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Thu Sep 21 03:31:31 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fde90b82

systemd: allow systemd-networkd to create file in /run/systemd directory

systemd-networkd creates files in the /run/systemd directory, which should be
labeled appropriately.

Fixes:
avc:  denied  { create } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { write } for  pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { setattr } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { rename } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
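The four denials above all share one source type, one target type and one object class, which is what tells a policy writer this is a labeling problem (the file lands as init_runtime_t) rather than a missing allow rule. The small triage script below is an added example, not part of the commit or of refpolicy: it parses AVC lines, groups them by (source type, target type, class), and reports which groups the widened `init_runtime_filetrans(..., { dir file })` transition covers. The sample log is the commit's own denials, joined onto single lines; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the commit message, one per line.
AVC_LOG = """\
avc:  denied  { create } for  pid=136 comm="systemd-network" name=".#networkd2c6a2ac2dbf34a8" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc:  denied  { write } for  pid=136 comm="systemd-network" path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc:  denied  { setattr } for  pid=136 comm="systemd-network" name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc:  denied  { rename } for  pid=136 comm="systemd-network" name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of key=value fields plus a 'perms' set, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = set(m.group('perms').split())
    return fields


def type_of(context):
    """Extract the type field from user:role:type[:level]."""
    return context.split(':')[2]


def summarize(log):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d is not None:
            key = (type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])
            groups[key] |= d['perms']
    return dict(groups)


def covered_by_filetrans(summary, src, old_type, classes):
    """Groups whose target is the pre-transition type in a class the filetrans now relabels."""
    return [k for k in summary if k[0] == src and k[1] == old_type and k[2] in classes]


if __name__ == '__main__':
    summary = summarize(AVC_LOG)
    for (src, tgt, cls), perms in summary.items():
        print(f'{src} -> {tgt}:{cls}  {{ {" ".join(sorted(perms))} }}')
    # Classes named in the commit's widened init_runtime_filetrans() call.
    print('covered by { dir file } filetrans:',
          covered_by_filetrans(summary, 'systemd_networkd_t', 'init_runtime_t', {'dir', 'file'}))
```

A group that is not covered (a different target type, or a class outside `{ dir file }`) would need a separate look rather than a blanket allow rule generated from the denials.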

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f74ab30b4..b60d5729d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1168,7 +1168,7 @@ auth_use_nsswitch(systemd_networkd_t)
 init_dgram_send(systemd_networkd_t)
 init_read_state(systemd_networkd_t)
 init_read_runtime_files(systemd_networkd_t)
-init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
+init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, { dir 
file })
 
 logging_send_syslog_msg(systemd_networkd_t)
 
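Review bot: widening `init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, { dir file })` only changes the label a newly created file under /run/systemd receives; the create/write/setattr/rename denials in the commit message will stop only if systemd_networkd_t already has manage rights on systemd_networkd_runtime_t files, which this hunk does not show. Please confirm that rule is present elsewhere in the module (or add it alongside this change). Also, since no file name is passed, every file systemd-networkd creates directly in /run/systemd, not only the `.#networkd*` temp file, will now get systemd_networkd_runtime_t; a short note in the commit message saying that is intended would help future readers.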
