From 522fab1033215e698e44f261ea110dc08e6d2c7c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 21 Dec 2022 12:32:15 +0100
Subject: [PATCH] Allow systemd-resolved watch tmpfs directories
|
|
|
|
This permission is required when the system is booted with
systemd.volatile=overlay. Overlay filesystems are mounted as ramfs
or tmpfs, so the tmpfs_t type is assigned to "/".
|
|
|
|
The files_watch_tmpfs_dirs() interface was added.
|
|
|
|
Addresses the following AVC denial:
|
|
|
|
type=AVC msg=audit(1663671100.753:186): avc: denied { watch } for pid=674 comm="systemd-resolve" path="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
|
|
|
|
Resolves: rhbz#2128246
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 19 insertions(+)
|
|
|
|
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
|
index eb9e6e032c..1a57076567 100644
|
|
--- a/policy/modules/kernel/files.if
|
|
+++ b/policy/modules/kernel/files.if
|
|
@@ -9802,6 +9802,24 @@ interface(`files_rw_tmpfs_files',`
|
|
allow $1 tmpfsfile:file { read write };
|
|
')
|
|
|
|
+##########################################
|
|
+## <summary>
|
|
+## Watch a tmpfs directory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`files_watch_tmpfs_dirs',`
|
|
+ gen_require(`
|
|
+ type root_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 tmpfs_t:dir watch_dir_perms;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read security files
|
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
|
index 3a6fd02c3e..77187a80e4 100644
|
|
--- a/policy/modules/system/systemd.te
|
|
+++ b/policy/modules/system/systemd.te
|
|
@@ -1244,6 +1244,7 @@ dev_write_kmsg(systemd_resolved_t)
|
|
dev_read_sysfs(systemd_resolved_t)
|
|
|
|
files_watch_root_dirs(systemd_resolved_t)
|
|
+files_watch_tmpfs_dirs(systemd_resolved_t)
|
|
files_watch_var_run_dirs(systemd_resolved_t)
|
|
|
|
init_watch_pid_dir(systemd_resolved_t)
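Review bot: The added `files_watch_tmpfs_dirs(systemd_resolved_t)` call carries no indication of why systemd-resolved needs watch on tmpfs_t directories, and the rationale given in the commit message (the root directory is tmpfs_t when booted with systemd.volatile=overlay) will not be visible to a reader of systemd.te. A one-line comment above the call, such as `# "/" is tmpfs_t when booted with systemd.volatile=overlay (rhbz#2128246)`, would make the broader grant reviewable in place.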
|