From 5484cf2066f9df021419165ddcc70d24af4e986f Mon Sep 17 00:00:00 2001 From: Filippo Bonazzi Date: Thu, 5 Dec 2024 14:00:59 +0100 Subject: [PATCH] Add policy for importctl Addresses: type=AVC msg=audit(1733403159.611:427): avc: denied { write } for pid=2293 comm="systemd-pull" name="portables" dev="vda3" ino=787511 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1733403159.612:428): avc: denied { add_name } for pid=2293 comm="systemd-pull" name=".#roothash.p7s5f0cd93e261f3c6c" scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1733403159.612:429): avc: denied { create } for pid=2293 comm="systemd-pull" name=".#roothash.p7s5f0cd93e261f3c6c" scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1733403159.612:430): avc: denied { read write open } for pid=2293 comm="systemd-pull" path="/var/lib/portables/.#roothash.p7s5f0cd93e261f3c6c" dev="vda3" ino=787522 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1733403159.612:431): avc: denied { getattr } for pid=2293 comm="systemd-pull" path="/var/lib/portables/.#roothash.p7s5f0cd93e261f3c6c" dev="vda3" ino=787522 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1733403160.403:432): avc: denied { setattr } for pid=2293 comm="systemd-pull" path="/var/lib/portables/.#rawb2045d0e409d363d" dev="vda3" ino=787525 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 Signed-off-by: Filippo Bonazzi --- policy/modules/system/systemd.fc | 3 +++ policy/modules/system/systemd.te | 9 +++++++++ 2 files changed, 12 insertions(+) 
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 58e4d1666b..7d3c208ab8 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -99,6 +99,9 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit
 /var/cache/systemd(//.*)? gen_context(system_u:object_r:systemd_cache_t,s0)
+/var/lib/confexts(/.*)? gen_context(system_u:object_r:systemd_importd_var_lib_t,s0)
+/var/lib/extensions(/.*)? gen_context(system_u:object_r:systemd_importd_var_lib_t,s0)
+/var/lib/portables(/.*)? gen_context(system_u:object_r:systemd_importd_var_lib_t,s0)
 /var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_var_lib_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 676c497ced..c5df491e74 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -247,6 +247,9 @@ files_type(systemd_machined_var_lib_t)
 systemd_domain_template(systemd_importd)
 init_nnp_daemon_domain(systemd_importd_t)
+type systemd_importd_var_lib_t;
+files_type(systemd_importd_var_lib_t)
+
 type systemd_importd_var_run_t;
 files_pid_file(systemd_importd_var_run_t)
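Review bot: The three new contexts in the systemd.fc hunk move `/var/lib/confexts`, `/var/lib/extensions` and `/var/lib/portables` from generic var_lib_t to an importd-private type, yet the diffstat lists only systemd.fc and systemd.te, so no systemd.if interface exists through which any other domain can be granted access to the new type. As far as I know these directories are consumed by systemd-sysext/confext and systemd-portabled rather than being importd's alone, so a domain that today reaches them via a generic read-var_lib grant silently loses that access once the relabel lands; this should be confirmed against the domains those tools run in under this policy. I would add at least a `systemd_read_importd_var_lib` interface (`read_files_pattern($1, systemd_importd_var_lib_t, systemd_importd_var_lib_t)` and `list_dirs_pattern($1, systemd_importd_var_lib_t, systemd_importd_var_lib_t)` behind a `gen_require` of the type) plus a matching manage interface, with the interface summary stating that the type also labels sysext, confext and portable-service images.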
@@ -1660,6 +1663,12 @@ allow systemd_importd_t self:udp_socket create_socket_perms;
 allow systemd_importd_t self:unix_dgram_socket sendto;
 allow systemd_importd_t systemd_importd_exec_t:file execute_no_trans;
+manage_dirs_pattern(systemd_importd_t, systemd_importd_var_lib_t, systemd_importd_var_lib_t)
+manage_files_pattern(systemd_importd_t, systemd_importd_var_lib_t, systemd_importd_var_lib_t)
+files_var_lib_filetrans(systemd_importd_t, systemd_importd_var_lib_t, dir, "confexts")
+files_var_lib_filetrans(systemd_importd_t, systemd_importd_var_lib_t, dir, "extensions")
+files_var_lib_filetrans(systemd_importd_t, systemd_importd_var_lib_t, dir, "portables")
+
 manage_dirs_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
 manage_files_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
 manage_sock_files_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
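Review bot: The added manage_dirs/manage_files rules cover exactly what the single permissive-mode run in the commit message exercised — every quoted AVC is a `file` or `dir` access on a `.#raw…` image or its `.#roothash.p7s…` signature — so the other importctl paths into these directories remain unproven. A tar-class import unpacks a directory tree that can contain symbolic links, and neither `manage_dirs_pattern` nor `manage_files_pattern` grants anything on the `lnk_file` class; if pull-tar into the extension and portable directories is in scope, add `manage_lnk_files_pattern(systemd_importd_t, systemd_importd_var_lib_t, systemd_importd_var_lib_t)` and re-run a pull-tar in permissive mode before treating the policy as complete. The .fc context lines also keep `/var/lib/machines` on `systemd_machined_var_lib_t`, so machine-class pulls are not addressed here, which is worth stating: a one-line comment above the block such as `# importctl pull-{raw,tar} into the sysext, confext and portable image directories` would make the intended scope explicit.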