From 02e930bd076e2914f196fcea0b7472d3c1a8b53d Mon Sep 17 00:00:00 2001
From: Davide Cavalca
Date: Apr 01 2021 15:55:25 +0000
Subject: More selinux fixes
---
diff --git a/SOURCES/systemd_hs.if b/SOURCES/systemd_hs.if
new file mode 100644
index 0000000..6695e0e
--- /dev/null
+++ b/SOURCES/systemd_hs.if
@@ -0,0 +1,20 @@
+########################################
+##
+## Allows the caller to use the SELinux status page.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`selinux_use_status_page',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file mmap_read_file_perms;
+')
diff --git a/SOURCES/systemd_hs.te b/SOURCES/systemd_hs.te
index 5498233..577a0a3 100644
--- a/SOURCES/systemd_hs.te
+++ b/SOURCES/systemd_hs.te
@@ -9,11 +9,14 @@ gen_require(`
 type policykit_auth_t;
 type policykit_t;
 type proc_kmsg_t;
+ type rpm_t;
 type system_dbusd_t;
 type systemd_hostnamed_t;
 type systemd_localed_t;
 type systemd_logind_t;
 type systemd_machined_t;
+ type systemd_resolved_t;
+ type systemd_tmpfiles_t;
 type security_t;
 type syslogd_t;
 type user_tmp_t;
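Review bot: The two `allow` lines grant `list_dir_perms` and `mmap_read_file_perms` on every `security_t` node, which is the whole of selinuxfs (`/sys/fs/selinux` carries that single type), so the name `selinux_use_status_page` understates the grant even though policy cannot narrow it to the `status` file; a comment above the rules should say so, e.g. `# selinuxfs has a single type, so this covers every node under /sys/fs/selinux, not only "status"`. As far as I recall the kernel refuses writable mappings of the status page, so `map` here is read-only in practice, but each caller also gets plain read of booleans and the other nodes. This is a private copy of an upstream refpolicy interface under the upstream name; once the selinux-policy devel headers this module is built against ship `selinux_use_status_page` themselves, the build will most likely fail on a duplicate interface definition, so a module-local name such as `systemd_hs_use_status_page` (dropped once the distribution policy provides the real one) is safer. The `<summary>`/`<param>` markup between the `##` lines appears stripped in this rendering; if the shipped file really lacks it, the header is only a comment, which a local module tolerates but the refpolicy doc tooling does not.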
@@ -29,11 +32,16 @@ allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;
 allow policykit_t systemd_machined_t:unix_stream_socket connectto;
 allow syslogd_t user_tmp_t:lnk_file read;
 allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_hostnamed_t security_t:file map;
-allow systemd_localed_t security_t:file map;
 allow systemd_logind_t self:netlink_selinux_socket create;
 allow systemd_logind_t self:netlink_selinux_socket bind;
-allow systemd_logind_t security_t:file map;
 allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
 allow systemd_machined_t init_var_run_t:sock_file create;
 allow xdm_t systemd_machined_t:unix_stream_socket connectto;
+
+selinux_use_status_page(init_t)
+selinux_use_status_page(rpm_t)
+selinux_use_status_page(systemd_hostnamed_t)
+selinux_use_status_page(systemd_localed_t)
+selinux_use_status_page(systemd_logind_t)
+selinux_use_status_page(systemd_resolved_t)
+selinux_use_status_page(systemd_tmpfiles_t)
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index cdacde0..387a925 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -26,7 +26,7 @@ Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 Version: 247.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 # For a breakdown of the licensing, see README
 License: LGPLv2+ and MIT and GPLv2+
 Summary: System and Service Manager
@@ -65,6 +65,7 @@ Source24: sysusers.generate-pre.sh
 # Needed for selinux subpackage
 Source100: Makefile.selinux
 Source101: systemd_hs.te
+Source102: systemd_hs.if
 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
@@ -391,7 +392,7 @@ runs properly under an environment with SELinux enabled.
 %if %{with selinux}
 mkdir selinux
-cp %SOURCE100 %SOURCE101 selinux
+cp %SOURCE100 %SOURCE101 %SOURCE102 selinux
 %endif
 %build
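Review bot: Four of the seven new `selinux_use_status_page()` calls, for `init_t`, `rpm_t`, `systemd_resolved_t` and `systemd_tmpfiles_t`, go beyond the hostnamed/localed fix the changelog names and nothing in the hunk says what denial motivated them; each call should carry its reason, e.g. `# hostnamed/localed/logind/resolved/tmpfiles: presumably libselinux selinux_status_open() mapping /sys/fs/selinux/status -- see AVC <id>` and a separate note for `init_t` and `rpm_t`, or the unexplained ones should wait for an actual denial. The net effect is also wider than a like-for-like replacement: the three dropped `security_t:file map` rules were for three domains, while the interface grants `dev_search_sysfs`, `list_dir_perms` on the selinuxfs directory and full `mmap_read_file_perms` to seven, so the review should confirm each domain really needs the status page. With the `map` rules gone, `type security_t;` in the gen_require block above is only still needed if a rule between this file's lines 23 and 29 (outside the hunk) references it; if none does, it is a dead require and can go.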
@@ -957,6 +958,10 @@ fi %endif %changelog +* Thu Apr 1 2021 Davide Cavalca - 247.3-8 +- Backport https://github.com/SELinuxProject/refpolicy/pull/308 to fix + systemd-hostnamed and systemd-localed when SELinux is enabled. + * Thu Apr 1 2021 Anita Zhang - 247.3-7 - Downgrade sysv-generator warning even more (to debug)