aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2024-08-26 19:48:29 +0800
committerJason Zaman <perfinion@gentoo.org>2024-09-21 15:28:30 -0700
commitfe7e3605b466b15a2cbcc21e622451fa7266ef3d (patch)
tree7d1de789945d62f3827b005704700cbfa4bddbc5
parentdevices: add label vsock_device_t for /dev/vsock (diff)
downloadhardened-refpolicy-fe7e3605b466b15a2cbcc21e622451fa7266ef3d.tar.gz
hardened-refpolicy-fe7e3605b466b15a2cbcc21e622451fa7266ef3d.tar.bz2
hardened-refpolicy-fe7e3605b466b15a2cbcc21e622451fa7266ef3d.zip
systemd: fix policy for systemd-ssh-generator
Fixes: avc: denied { getattr } for pid=121 comm="systemd-ssh-gen" path="/usr/sbin/sshd" dev="vda" ino=7787 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1 avc: denied { execute } for pid=121 comm="systemd-ssh-gen" name="sshd" dev="vda" ino=7787 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1 avc: denied { create } for pid=121 comm="systemd-ssh-gen" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket permissive=1 avc: denied { read } for pid=121 comm="systemd-ssh-gen" name="vsock" dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 avc: denied { open } for pid=121 comm="systemd-ssh-gen" path="/dev/vsock" dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 avc: denied { ioctl } for pid=121 comm="systemd-ssh-gen" path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/system/systemd.te9
1 files changed, 9 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2f9d12fcb..f0c7a4347 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -542,6 +542,8 @@ seutil_search_default_contexts(systemd_coredump_t)
allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
allow systemd_generator_t self:process { getcap getsched setfscreate signal };
+# for systemd-ssh-generator
+allow systemd_generator_t self:vsock_socket create;
corecmd_exec_shell(systemd_generator_t)
corecmd_exec_bin(systemd_generator_t)
@@ -552,6 +554,8 @@ dev_write_sysfs_dirs(systemd_generator_t)
dev_read_urand(systemd_generator_t)
dev_create_sysfs_files(systemd_generator_t)
dev_write_sysfs(systemd_generator_t)
+# for systemd-ssh-generator
+dev_read_vsock(systemd_generator_t)
files_read_etc_files(systemd_generator_t)
files_read_etc_runtime_files(systemd_generator_t)
@@ -640,6 +644,11 @@ optional_policy(`
')
optional_policy(`
+ # needed by systemd-ssh-generator
+ ssh_exec_sshd(systemd_generator_t)
+')
+
+optional_policy(`
# needed by zfs-mount-generator
zfs_read_config(systemd_generator_t)
')