author | Kenton Groombridge <me@concord.sh> | 2023-03-06 10:25:29 -0500 |
committer | Kenton Groombridge <concord@gentoo.org> | 2023-03-31 13:11:32 -0400 |
commit | b08912707a9b728f5c35760cf1b2464594cdaad1 (patch) | |
tree | 8499a5ed2948054ee02e0e655ca2dc801794ad3a | |
parent | various: make /etc/machine-id etc_runtime_t (diff) | |
init, systemd: allow init to create userdb runtime symlinks
At boot, systemd-init will create symlinks in /run/systemd/userdb. This
fixes these AVCs:
avc: denied { create } for pid=1 comm="systemd" name="io.systemd.NameServiceSwitch" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
avc: denied { create } for pid=1 comm="systemd" name="io.systemd.DropIn" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/system/init.te | 1 | ||||
-rw-r--r-- | policy/modules/system/systemd.if | 18 |
2 files changed, 19 insertions, 0 deletions
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 562b45c59..a2b0693b6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -532,6 +532,7 @@ ifdef(`init_systemd',`
 systemd_relabelto_tmpfiles_conf_files(init_t)
 systemd_manage_userdb_runtime_sock_files(init_t)
 systemd_manage_userdb_runtime_dirs(init_t)
+ systemd_manage_userdb_runtime_symlinks(init_t)
 systemd_filetrans_userdb_runtime_dirs(init_t)
 systemd_relabelto_journal_dirs(init_t)
 systemd_relabelto_journal_files(init_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 1dd302851..a903282f0 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1404,6 +1404,24 @@ interface(`systemd_read_userdb_runtime_files', `
 ########################################
 ## <summary>
+## Manage symbolic links under /run/systemd/userdb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_userdb_runtime_symlinks', `
+ gen_require(`
+ type systemd_userdbd_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+')
+
+########################################
+## <summary>
 ## Manage socket files under /run/systemd/userdb .
 ## </summary>
 ## <param name="domain"> |
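Review bot: The added `systemd_manage_userdb_runtime_symlinks(init_t)` in init.te grants the full manage permission set on `systemd_userdbd_runtime_t` lnk_file (the new interface in systemd.if expands to `manage_lnk_files_pattern`), while the two AVCs quoted in the description show only `create` being denied. That is in line with the neighbouring `systemd_manage_userdb_runtime_sock_files` and `_dirs` calls and unlink on shutdown or re-creation on restart is plausible, so the wider rule is defensible, but the description does not say that any further denials were observed. If the narrowest rule is wanted, the systemd.if interface could use the create-only pattern instead (`create_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)`, assuming the project's pattern set provides it as it does for other classes); otherwise a sentence in the description stating why manage rather than create is needed would let later reviewers tell intent from over-grant. The enclosing `ifdef(`init_systemd',`` block in init.te starts and ends outside the hunk.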