From 522fab1033215e698e44f261ea110dc08e6d2c7c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 21 Dec 2022 12:32:15 +0100
Subject: [PATCH] Allow systemd-resolved watch tmpfs directories

This permission is required when the system is booted with systemd.volatile=overlay. Overlay filesystems are mounted as ramfs or tmpfs, the tmpfs_t type is assigned to "/". The files_watch_tmpfs_dirs() interface was added.
Addresses the following AVC denial:
type=AVC msg=audit(1663671100.753:186): avc: denied { watch } for pid=674 comm="systemd-resolve" path="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
Resolves: rhbz#2128246
---
 policy/modules/kernel/files.if | 18 ++++++++++++++++++
 policy/modules/system/systemd.te | 1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index eb9e6e032c..1a57076567 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -9802,6 +9802,24 @@ interface(`files_rw_tmpfs_files',`
 allow $1 tmpfsfile:file { read write };
 ')
+##########################################
+##
+## Watch a tmpfs directory.
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`files_watch_tmpfs_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 tmpfs_t:dir watch_dir_perms;
+')
+
 ########################################
 ##
 ## Do not audit attempts to read security files
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 3a6fd02c3e..77187a80e4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1244,6 +1244,7 @@ dev_write_kmsg(systemd_resolved_t)
 dev_read_sysfs(systemd_resolved_t)
 files_watch_root_dirs(systemd_resolved_t)
+files_watch_tmpfs_dirs(systemd_resolved_t)
 files_watch_var_run_dirs(systemd_resolved_t)
 init_watch_pid_dir(systemd_resolved_t)
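Review bot: The gen_require block of the new files_watch_tmpfs_dirs interface declares `type root_t;` while the only rule in the interface is `allow $1 tmpfs_t:dir watch_dir_perms;`, so it requires a type it never uses and omits the one it does use; this looks copied from files_watch_root_dirs and should read `type tmpfs_t;`. In a modular build a policy module that calls this interface would presumably not have tmpfs_t in scope without that require, so the mismatch may surface as a build error rather than stay cosmetic. Since the rule covers every directory labelled tmpfs_t rather than only the "/" named in the AVC, the summary would be more accurate as `Watch tmpfs directories (includes "/" when booted with systemd.volatile=overlay).`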
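Review bot: The new files_watch_tmpfs_dirs(systemd_resolved_t) line grants watch on all tmpfs_t directories, but nothing in systemd.te records that the motivating case is only "/" being tmpfs_t under systemd.volatile=overlay, which is the information a later least-privilege review of systemd_resolved_t would need. A one-line comment above the call would preserve it, e.g. `# "/" is tmpfs_t when booted with systemd.volatile=overlay (rhbz#2128246)`. The surrounding systemd_resolved_t rule block starts and ends outside the hunk.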