author | Yi Zhao <yi.zhao@windriver.com> | 2024-08-26 19:48:29 +0800 |
committer | Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:30 -0700 |
commit | fe7e3605b466b15a2cbcc21e622451fa7266ef3d (patch) | |
tree | 7d1de789945d62f3827b005704700cbfa4bddbc5 | |
parent | devices: add label vsock_device_t for /dev/vsock (diff) | |
systemd: fix policy for systemd-ssh-generator
Fixes:
avc: denied { getattr } for pid=121 comm="systemd-ssh-gen"
path="/usr/sbin/sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { execute } for pid=121 comm="systemd-ssh-gen"
name="sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { create } for pid=121 comm="systemd-ssh-gen"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket
permissive=1
avc: denied { read } for pid=121 comm="systemd-ssh-gen" name="vsock"
dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { open } for pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { ioctl } for pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/system/systemd.te | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2f9d12fcb..f0c7a4347 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -542,6 +542,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
 allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
 allow systemd_generator_t self:process { getcap getsched setfscreate signal };
+# for systemd-ssh-generator
+allow systemd_generator_t self:vsock_socket create;
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@@ -552,6 +554,8 @@ dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
 dev_create_sysfs_files(systemd_generator_t)
 dev_write_sysfs(systemd_generator_t)
+# for systemd-ssh-generator
+dev_read_vsock(systemd_generator_t)
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
@@ -640,6 +644,11 @@ optional_policy(`
 ')
 optional_policy(`
+ # needed by systemd-ssh-generator
+ ssh_exec_sshd(systemd_generator_t)
+')
+
+optional_policy(`
 # needed by zfs-mount-generator
 zfs_read_config(systemd_generator_t)
 ') |
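Review bot: `allow systemd_generator_t self:vsock_socket create;` in the first hunk grants only create, which matches the single vsock_socket AVC quoted in the description, but it leaves no record of why a socket that is never connected or read is enough; a comment such as `# probe only: the generator creates and closes the socket to test AF_VSOCK support` would keep a later maintainer from widening this to rw_socket_perms at the first new denial. Whether the generator really stops at create is inferred from the denial list, not visible here, so it is worth confirming against the generator source before merging. The two `# for systemd-ssh-generator` comments in the first and second hunks use a different wording from the `# needed by systemd-ssh-generator` comment in the third hunk; one form throughout keeps the file greppable.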
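Review bot: `dev_read_vsock(systemd_generator_t)` in the second hunk resolves the /dev/vsock denials only once the node actually carries the vsock_device_t label introduced by the parent commit; every chr_file AVC quoted in the description still reports tcontext=system_u:object_r:device_t, so the system that produced them was running with the old label, and the denials will persist until /dev is relabeled or the new file_contexts is applied. The denial list also includes ioctl with ioctlcmd=0x7b9 on /dev/vsock; that is covered only if dev_read_vsock expands to a read pattern whose permission set includes ioctl (presumably read_chr_file_perms, but the interface definition is not on this page). If the interface turns out to be narrower, an explicit ioctl grant would be needed, and restricting it to that single command with an extended-permission rule would be the least-privilege form.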