From 6b1b4d1bad371a78c69b399088e167ccdfb646ff Mon Sep 17 00:00:00 2001
From: Nikola Knazekova
Date: Mon, 22 Aug 2022 16:01:10 +0200
Subject: [PATCH] Allow system_dbusd ioctl kernel with a unix stream sockets

Systemd creates and starts to listen on the socket before SELinux policy is loaded and it inherits the kernel secid as its label.
Allow system_dbusd ioctl kernel with a unix stream sockets
Create interface to allow the specified domain to ioctl a kernel with a unix domain stream sockets.
Fix: bz#2085392
---
 policy/modules/contrib/dbus.te | 1 +
 policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index a0f5679d61..eadbbab2a7 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -94,6 +94,7 @@ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_ru
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
 
+kernel_ioctl_stream_sockets(system_dbusd_t)
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
 kernel_stream_connect(system_dbusd_t)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 76613d1967..253b542688 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3738,6 +3738,25 @@ interface(`kernel_rw_stream_socket_perms',`
 allow $1 kernel_t:fd use;
 ')
 
+#######################################
+## 
+## Allow the specified domain to ioctl a
+## kernel with a unix domain stream sockets.
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`kernel_ioctl_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket { getopt ioctl };
+')
+
 ########################################
 ## 
 ## Make the specified type usable for regular entries in proc
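Review bot: The gen_require block of the new kernel_ioctl_stream_sockets interface in kernel.if requires `type init_t;`, a type the interface never uses, while the allow rule it guards references kernel_t, which is not required at all; it should read `type kernel_t;` so that callers in other modules such as the dbus.te hunk resolve the type and no spurious dependency on init_t is introduced. The rule grants `{ getopt ioctl }` but the summary only speaks of ioctl; either extend the summary (`##	Allow the specified domain to getopt and ioctl`) or drop getopt if the reported denial does not need it. The summary text "a unix domain stream sockets" should read "unix domain stream sockets", and the same wording appears in the commit description. The XML tags of the doc comment (summary/param) appear stripped in this rendering, so they may need to be re-checked against the applied patch.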