commit: 495622d3b23f95f5645afa087020240af0951f97
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec 7 15:27:48 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:34 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=495622d3
filesystem, init: allow systemd to setattr on ramfs dirs
This is needed by systemd-creds on system boot. Without this access,
many services fail to start. Observed on systemd-252 on Gentoo.
type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)"
type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711
dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0
nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1670295099.238:180306): cwd="/"
type=SYSCALL msg=audit(1670295099.238:180306): arch=c000003e syscall=91
success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1
ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)"
exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1670295099.238:180306): avc: denied { setattr } for
pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0
tclass=dir permissive=0
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if
b/policy/modules/kernel/filesystem.if
index c1078d796..af2023e62 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4778,6 +4778,25 @@ interface(`fs_dontaudit_search_ramfs',`
dontaudit $1 ramfs_t:dir search_dir_perms;
')
+########################################
+## <summary>
+## Set the attributes of directories on
+## a ramfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_ramfs_dirs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir setattr;
+')
+
########################################
## <summary>
## Create, read, write, and delete
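Review bot: The rule `allow $1 ramfs_t:dir setattr;` in the new `fs_setattr_ramfs_dirs` interface spells the permission out, while the neighbouring `fs_dontaudit_search_ramfs` uses a permission-set macro (`search_dir_perms`). For consistency I would write it as `allow $1 ramfs_t:dir setattr_dir_perms;`, which expands to the same single permission. The summary could also state that the grant covers every directory labelled `ramfs_t` rather than one particular mount, so a caller can see how wide the access is before using the interface.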
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 310655045..7249dd13f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -473,6 +473,8 @@ ifdef(`init_systemd',`
fs_create_pstore_dirs(init_t)
# for network namespaces
fs_read_nsfs_files(init_t)
+ # needed by systemd-creds
+ fs_setattr_ramfs_dirs(init_t)
init_manage_all_unit_files(init_t)
init_read_script_state(init_t)
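Review bot: The comment `# needed by systemd-creds` does not record what is actually being done or how narrow the need is, while the call below it gives `init_t` setattr on every `ramfs_t` directory. The AVC in the commit message shows the denial on the root directory of a ramfs (`name="/"`, `dev="ramfs"`) from the `(sd-mkdcreds)` helper, so I would write `# (sd-mkdcreds) sets attributes on the root of the ramfs it uses for service credentials`. `ramfs_t` looks like the generic label for ramfs mounts, so a follow-up could consider a dedicated type for the credentials mount, which would keep this grant off unrelated ramfs instances. The `ifdef(`init_systemd'` block starts and ends outside the hunk.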