selinux-policy/backport-Allow-login_userdomain-read-systemd-runtime-files.patch

From 63ada8c2bf2277a228524228f5ffcac8e0aed86a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 9 Feb 2022 21:30:24 +0100
Subject: [PATCH] Allow login_userdomain read systemd runtime files

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/63ada8c2bf2277a228524228f5ffcac8e0aed86a
Conflict: NA

Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/09/22 21:25:30.080:274) : proctitle=/usr/lib/systemd/systemd --user
type=PATH msg=audit(02/09/22 21:25:30.080:274) : item=0 name=/run/systemd/user/session.slice.d/99-uresourced.conf inode=1336 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/09/22 21:25:30.080:274) : cwd=/
type=SYSCALL msg=audit(02/09/22 21:25:30.080:274) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d1df498fa0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1465 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/09/22 21:25:30.080:274) : avc:  denied  { read } for  pid=1465 comm=systemd name=99-uresourced.conf dev="tmpfs" ino=1336 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0

Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/system/userdomain.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index bcb3043..f1f68f7 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -406,6 +406,7 @@ mount_watch_reads_pid_files(login_userdomain)
 
 optional_policy(`
 	init_mmap_read_var_lib_files(login_userdomain)
+	init_read_pid_files(login_userdomain)
 ')
 
 optional_policy(`
-- 
1.8.3.1
update upstream patches 2022-09-13 20:45:40 +08:00			`From 63ada8c2bf2277a228524228f5ffcac8e0aed86a Mon Sep 17 00:00:00 2001`
			`From: Zdenek Pytela <zpytela@redhat.com>`
			`Date: Wed, 9 Feb 2022 21:30:24 +0100`
			`Subject: [PATCH] Allow login_userdomain read systemd runtime files`

			`Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/63ada8c2bf2277a228524228f5ffcac8e0aed86a`
			`Conflict: NA`

			`Addresses the following AVC denial:`
			`type=PROCTITLE msg=audit(02/09/22 21:25:30.080:274) : proctitle=/usr/lib/systemd/systemd --user`
			`type=PATH msg=audit(02/09/22 21:25:30.080:274) : item=0 name=/run/systemd/user/session.slice.d/99-uresourced.conf inode=1336 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0`
			`type=CWD msg=audit(02/09/22 21:25:30.080:274) : cwd=/`
			`type=SYSCALL msg=audit(02/09/22 21:25:30.080:274) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d1df498fa0 a2=O_RDONLY\|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1465 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)`
			`type=AVC msg=audit(02/09/22 21:25:30.080:274) : avc: denied { read } for pid=1465 comm=systemd name=99-uresourced.conf dev="tmpfs" ino=1336 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0`

			`Signed-off-by: lujie54 <lujie54@huawei.com>`
			`---`
			`policy/modules/system/userdomain.te \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te`
			`index bcb3043..f1f68f7 100644`
			`--- a/policy/modules/system/userdomain.te`
			`+++ b/policy/modules/system/userdomain.te`
			`@@ -406,6 +406,7 @@ mount_watch_reads_pid_files(login_userdomain)`

			optional_policy(`
			`init_mmap_read_var_lib_files(login_userdomain)`
			`+ init_read_pid_files(login_userdomain)`
			`')`

			optional_policy(`
			`--`
			`1.8.3.1`