commit:     a909c09a7716cdd655acc0bd96210e6bfa244e0b
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Mon Aug 12 08:17:29 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a909c09a

systemd: allow system --user to create netlink_route_socket

Fixes:
avc:  denied  { create } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { getopt } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { setopt } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { bind } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { getattr } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { write } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { nlmsg_read } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { read } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { sendto } for  pid=378 comm="(ystemctl)"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=unix_dgram_socket
permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a9c8a1a5a..b9dbd97cc 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -61,6 +61,8 @@ template(`systemd_role_template',`
        # remainder of the rules.
        allow $1_systemd_t self:process { getsched signal };
        allow $1_systemd_t self:netlink_kobject_uevent_socket 
create_socket_perms;
+       allow $1_systemd_t self:netlink_route_socket r_netlink_socket_perms;
+       allow $1_systemd_t self:unix_dgram_socket { create_socket_perms sendto 
};
        allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
        allow $1_systemd_t $3:process { rlimitinh setsched signal_perms };
        corecmd_shell_domtrans($1_systemd_t, $3)
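Review bot: The new netlink_route_socket rule uses r_netlink_socket_perms, which covers exactly the denied permissions (create/bind/getattr/read/write/getopt/setopt plus nlmsg_read) and deliberately leaves out nlmsg_write, but nothing in the template records that the read-only scope is intended, so a later "fix the denial" change could widen it to rw_netlink_socket_perms without noticing. A short comment above the added line would preserve that decision: `# the user manager only reads rtnetlink (nlmsg_read); keep this read-only`. The unix_dgram_socket rule is likewise a self-only grant, so it stays within the per-role domain even though the quoted denials were only observed for sysadm_systemd_t; presumably the same need exists for the other role instantiations of this template, which is worth confirming. The enclosing systemd_role_template begins and ends outside the hunk.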
