selinux-policy/backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
2023-06-30 17:29:07 +08:00


From 6b1b4d1bad371a78c69b399088e167ccdfb646ff Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 22 Aug 2022 16:01:10 +0200
Subject: [PATCH] Allow system_dbusd ioctl kernel with a unix stream sockets
Systemd creates and starts to listen on the socket before
SELinux policy is loaded and it inherits the kernel secid as its label.
Allow system_dbusd ioctl kernel with a unix stream sockets
Create an interface to allow the specified domain to ioctl the kernel with unix domain stream sockets.
Fix: bz#2085392
---
policy/modules/contrib/dbus.te | 1 +
policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index a0f5679d61..eadbbab2a7 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -94,6 +94,7 @@ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_ru
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+kernel_ioctl_stream_sockets(system_dbusd_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
kernel_stream_connect(system_dbusd_t)
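Review bot: The new kernel_ioctl_stream_sockets(system_dbusd_t) call on the third line of the hunk grants a userspace daemon ioctl on kernel_t-labeled unix stream sockets with no comment on why, so the justification survives only in the commit message. A one-line comment above the call would keep the rationale next to the rule, e.g. `# systemd creates the dbus socket before policy load, so it keeps the kernel secid label`. The grant is unconditional; if the specific ioctl that dbus issues on that socket is known, an allowxperm rule could narrow it, though the hunk itself does not show which ioctl is denied.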
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 76613d1967..253b542688 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3738,6 +3738,25 @@ interface(`kernel_rw_stream_socket_perms',`
allow $1 kernel_t:fd use;
')
+#######################################
+## <summary>
+## Allow the specified domain to ioctl a
+## kernel with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ioctl_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket { getopt ioctl };
+')
+
########################################
## <summary>
## Make the specified type usable for regular entries in proc
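Review bot: The gen_require block of the new kernel_ioctl_stream_sockets interface declares `type init_t;`, but the allow rule two lines below references kernel_t, so the interface requires a type it never uses and omits the one it does; it should read `type kernel_t;`, matching the other kernel_t interfaces in this file. The summary says only "ioctl", while the rule also grants getopt; either drop getopt or mention it in the summary so the interface's name and documentation match what it permits. The summary wording would also read better as `## Allow the specified domain to ioctl the` / `## kernel's unix domain stream sockets.`.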