selinux-policy/add-avc-for-systemd.patch

From 89ae7e3f5493d253cbe42e7950e426cd41433230 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 16 Jul 2020 19:09:57 +0800
Subject: [PATCH] add avc for systemd

Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
 policy/modules/contrib/dbus.te   |  3 +++
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/init.te    |  1 +
 policy/modules/system/systemd.te |  4 ++++
 4 files changed, 26 insertions(+)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 4cf41a5..2e2732d 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -384,6 +384,9 @@ optional_policy(`
 	xserver_append_xdm_home_files(session_bus_type)
 ')
 
+# avc for openEuler
+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };
+allow init_t system_dbusd_var_run_t:sock_file read;
 ########################################
 #
 # Unconfined access to this module
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index eb8c5c6..846bb94 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -7361,3 +7361,21 @@ type kmsg_device_t;
 
 allow $1 kmsg_device_t:chr_file read;
 ')
+
+########################################
+## <summary>
+##      Allow to read the clock device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`dev_read_clock_device',`
+gen_require(`
+type clock_device_t;
+')
+
+allow $1 clock_device_t:chr_file read;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 6bccd0b..b7a4114 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1951,3 +1951,4 @@ systemd_manage_faillog(init_t)
 kernel_netlink_audit_socket(init_t, getattr)
 dev_read_kernel_msg(init_t)
 logging_journal(init_t)
+dev_read_clock_device(init_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 72f413c..0a65c1d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -378,6 +378,10 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
 allow init_t systemd_logind_var_run_t:dir mounton;
 init_nnp_daemon_domain(systemd_hostnamed_t)
 init_nnp_daemon_domain(systemd_logind_t)
+init_nnp_daemon_domain(systemd_coredump_t)
+init_nnp_daemon_domain(systemd_initctl_t)
+init_nnp_daemon_domain(systemd_localed_t)
+init_nnp_daemon_domain(systemd_machined_t)
 
 ########################################
 #
-- 
1.8.3.1
update selinux-policy 2020-07-27 09:36:04 +08:00			`From 89ae7e3f5493d253cbe42e7950e426cd41433230 Mon Sep 17 00:00:00 2001`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`From: guoxiaoqi <guoxiaoqi2@huawei.com>`
update selinux-policy 2020-07-27 09:36:04 +08:00			`Date: Thu, 16 Jul 2020 19:09:57 +0800`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`Subject: [PATCH] add avc for systemd`

			`Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>`
			`---`
update selinux-policy 2020-07-27 09:36:04 +08:00			`policy/modules/contrib/dbus.te \| 3 +++`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`policy/modules/kernel/devices.if \| 18 ++++++++++++++++++`
			`policy/modules/system/init.te \| 1 +`
update selinux-policy 2020-07-27 09:36:04 +08:00			`policy/modules/system/systemd.te \| 4 ++++`
			`4 files changed, 26 insertions(+)`
update avc for openEuler 2020-02-26 14:13:26 +08:00
			`diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te`
update selinux-policy 2020-07-27 09:36:04 +08:00			`index 4cf41a5..2e2732d 100644`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`--- a/policy/modules/contrib/dbus.te`
			`+++ b/policy/modules/contrib/dbus.te`
update selinux-policy 2020-07-27 09:36:04 +08:00			@@ -384,6 +384,9 @@ optional_policy(`
			`xserver_append_xdm_home_files(session_bus_type)`
			`')`
update avc for openEuler 2020-02-26 14:13:26 +08:00
			`+# avc for openEuler`
			`+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };`
			`+allow init_t system_dbusd_var_run_t:sock_file read;`
update selinux-policy 2020-07-27 09:36:04 +08:00			`########################################`
			`#`
			`# Unconfined access to this module`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if`
update selinux-policy 2020-07-27 09:36:04 +08:00			`index eb8c5c6..846bb94 100644`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`--- a/policy/modules/kernel/devices.if`
			`+++ b/policy/modules/kernel/devices.if`
update selinux-policy 2020-07-27 09:36:04 +08:00			`@@ -7361,3 +7361,21 @@ type kmsg_device_t;`
update avc for openEuler 2020-02-26 14:13:26 +08:00
			`allow $1 kmsg_device_t:chr_file read;`
			`')`
			`+`
			`+########################################`
			`+## <summary>`
			`+## Allow to read the clock device.`
			`+## </summary>`
			`+## <param name="domain">`
			`+## <summary>`
			`+## Domain to allow.`
			`+## </summary>`
			`+## </param>`
			`+#`
			+interface(`dev_read_clock_device',`
			+gen_require(`
			`+type clock_device_t;`
			`+')`
			`+`
			`+allow $1 clock_device_t:chr_file read;`
			`+')`
			`diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te`
update selinux-policy 2020-07-27 09:36:04 +08:00			`index 6bccd0b..b7a4114 100644`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`--- a/policy/modules/system/init.te`
			`+++ b/policy/modules/system/init.te`
update selinux-policy 2020-07-27 09:36:04 +08:00			`@@ -1951,3 +1951,4 @@ systemd_manage_faillog(init_t)`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`kernel_netlink_audit_socket(init_t, getattr)`
			`dev_read_kernel_msg(init_t)`
			`logging_journal(init_t)`
			`+dev_read_clock_device(init_t)`
			`diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te`
update selinux-policy 2020-07-27 09:36:04 +08:00			`index 72f413c..0a65c1d 100644`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`--- a/policy/modules/system/systemd.te`
			`+++ b/policy/modules/system/systemd.te`
update selinux-policy 2020-07-27 09:36:04 +08:00			`@@ -378,6 +378,10 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`allow init_t systemd_logind_var_run_t:dir mounton;`
			`init_nnp_daemon_domain(systemd_hostnamed_t)`
			`init_nnp_daemon_domain(systemd_logind_t)`
			`+init_nnp_daemon_domain(systemd_coredump_t)`
			`+init_nnp_daemon_domain(systemd_initctl_t)`
			`+init_nnp_daemon_domain(systemd_localed_t)`
			`+init_nnp_daemon_domain(systemd_machined_t)`
update selinux-policy 2020-07-27 09:36:04 +08:00
			`########################################`
			`#`
update avc for openEuler 2020-02-26 14:13:26 +08:00			`--`
			`1.8.3.1`