From 3ee8fe2590c37f451ad2ff2271b13daa128335d8 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Sat, 18 Jan 2020 12:03:36 +0800
Subject: [PATCH] add allowed avc for systemd

Signed-off-by: guoxiaoqi
---
 policy/modules/kernel/kernel.if | 17 +++++++++++++++++
 policy/modules/system/init.te | 1 +
 policy/modules/system/systemd.te | 2 ++
 3 files changed, 20 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index cb9602c..be3f313 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -4108,3 +4108,20 @@ interface(`kernel_unlabeled_entry_type',`
 allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
 ')
+########################################
+##
+## add for systemd mounton
+##
+##
+##
+## The domain for sysctl_kernel_t.
+##
+##
+##
+interface(`kernel_file_mounton','
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ allow $1 sysctl_kernel_t:file mounton;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ffe5293..035720b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ kernel_mounton_systemd_ProtectKernelTunables(init_t)
 kernel_read_core_if(init_t)
 kernel_mounton_core_if(init_t)
 kernel_get_sysvipc_info(init_t)
+kernel_file_mounton(init_t)
 # There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
 kernel_dontaudit_request_load_module(init_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 22ddccf..d6ce679 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1140,3 +1140,5 @@ optional_policy(`
 optional_policy(`
 gpg_exec(systemd_importd_t)
 ')
+allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
+allow init_t systemd_logind_sessions_t:dir mounton;
--
1.8.3.1
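Review bot: The new definition `interface(`kernel_file_mounton','` opens its second argument with an apostrophe, whereas the `kernel_unlabeled_entry_type` line just above it and the `gen_require(`` inside the body use an m4 backtick; unless that is an artifact of how the patch was captured, the interface body is unquoted, so m4 expands `gen_require` and `$1` when the interface is defined rather than when it is called, and the line should read `interface(`kernel_file_mounton',``. The XML header also says nothing about what is being granted: `allow $1 sysctl_kernel_t:file mounton;` lets the caller mount over the sysctl files that type labels (/proc/sys/kernel entries in refpolicy) and thereby mask or replace what other domains read there, which is what ProtectKernelTunables relies on but deserves stating. Following refpolicy naming and wording I would call it `kernel_mounton_kernel_sysctl_files`, use `Mount on kernel sysctl files (used to mask /proc/sys/kernel entries).` as the summary and `Domain allowed access.` as the parameter summary, keeping `kernel_file_mounton` only if other callers already depend on it. The body appears to have lost its tab indentation in this capture; confirm the committed file is indented like its neighbours.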
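Review bot: The two added `allow init_t ...:dir mounton;` rules grant a permission to init_t from inside systemd.te as raw allow rules; refpolicy keeps a domain's rules in that domain's own module and exposes another module's types only through interfaces, so the caller side belongs in init.te via new systemd.if interfaces (for example `systemd_mounton_logind_inhibit_dirs(init_t)` and `systemd_mounton_logind_sessions_dirs(init_t)`, names to taste) that keep `systemd_logind_inhibit_var_run_t` and `systemd_logind_sessions_t` private to this module. Unless systemd.te already carries a `gen_require(`type init_t;')` above this hunk, a modular build will also reject the undeclared type. The rules are appended directly after the closing `')` of the gpg_exec optional_policy block; a separating blank line and a one-line comment on why init needs to mount over these directories (unit sandboxing, presumably) would help the next reader.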