selinux-policy/add-allowed-avc-for-systemd.patch

2020-01-17 18:18:35 +08:00
From 3ee8fe2590c37f451ad2ff2271b13daa128335d8 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Sat, 18 Jan 2020 12:03:36 +0800
Subject: [PATCH] add allowed avc for systemd
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/kernel/kernel.if | 17 +++++++++++++++++
policy/modules/system/init.te | 1 +
policy/modules/system/systemd.te | 2 ++
3 files changed, 20 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index cb9602c..be3f313 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -4108,3 +4108,20 @@ interface(`kernel_unlabeled_entry_type',`
allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
')
+########################################
+## <summary>
+## add for systemd mounton
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for sysctl_kernel_t.
+## </summary>
+## </param>
+##
+interface(`kernel_file_mounton','
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ allow $1 sysctl_kernel_t:file mounton;
+')
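Review bot: The interface header `interface(`kernel_file_mounton','` closes the name with an apostrophe and then opens the body with a second apostrophe rather than a backtick, unlike `interface(`kernel_unlabeled_entry_type',`` shown in this hunk's own header; unless that is a rendering artifact of the page, m4 will not quote the body and the interface will not build as intended, so the line should read `interface(`kernel_file_mounton',``. The summary "add for systemd mounton" and the parameter text "The domain for sysctl_kernel_t." describe neither the permission nor the argument; suggest `## Allow the specified domain to mount on sysctl_kernel_t files.` for the summary and `## Domain allowed access.` for the parameter, matching the usual refpolicy wording. The init.te hunk that calls this interface already has kernel_mounton_systemd_ProtectKernelTunables(init_t) in its context, so it is worth checking whether that existing interface should carry this rule instead of a new one; if a new interface is kept, a name such as kernel_mounton_sysctl_kernel_files would describe what it grants better than the generic kernel_file_mounton.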
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ffe5293..035720b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ kernel_mounton_systemd_ProtectKernelTunables(init_t)
kernel_read_core_if(init_t)
kernel_mounton_core_if(init_t)
kernel_get_sysvipc_info(init_t)
+kernel_file_mounton(init_t)
# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
kernel_dontaudit_request_load_module(init_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 22ddccf..d6ce679 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1140,3 +1140,5 @@ optional_policy(`
optional_policy(`
gpg_exec(systemd_importd_t)
')
+allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
+allow init_t systemd_logind_sessions_t:dir mounton;
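Review bot: The two `allow init_t ...:dir mounton;` rules appended at the end of systemd.te grant a domain owned by another module (init_t) access directly, bypassing the interface convention the kernel.if part of this same patch follows; the usual form is an interface in systemd.if taking the domain as `$1` and a call from init.te. Nothing records why init_t needs to mount on the logind inhibit and sessions directories, and the commit message only says "add allowed avc", so a comment above the rules such as `# init_t mounts over logind's inhibit and session run dirs (observed AVC denials)` would preserve the rationale for later review of whether the grant is still needed. The rules also sit outside any optional_policy block, immediately after the file's last one without a separating blank line.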
--
1.8.3.1