packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-systemd-read-unlabeled-symbolic-links.patch
lujie54 3c7c076926 backport upstream patches
2022-09-05 10:17:25 +08:00

70 lines
2.1 KiB
Diff
Raw Blame History

From 07b06a7f6cb1f41b92de5d29d21ac89c4d362457 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 7 Dec 2021 17:15:44 +0100
Subject: [PATCH] Allow systemd read unlabeled symbolic links
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/07b06a7f6cb1f41b92de5d29d21ac89c4d362457
Conflict: NA
On a system boot systemd starts to launch services in the current target.
When it attempts to access a symbolic link which is critical for systemd
to continue and the symlink is unlabeled, the autorelabel target cannot
be reached to start relabeling and fix the unlabeled files.
This scenario applies to /etc/localtime when it was changed in SELinux
disabled mode.
Since this commit, systemd is allowed the read access to symbolic links
with the unlabeled_t type.
Resolves: rhbz#2021835
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 62845c1..1b684f5 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2922,6 +2922,24 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
########################################
## <summary>
+## Read unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_lnk_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Read and write unlabeled block device nodes.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 22e363a..0de5f4a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -588,6 +588,7 @@ tunable_policy(`deny_bluetooth',`',`
')
kernel_list_unlabeled(init_t)
+kernel_read_unlabeled_lnk_files(init_t)
kernel_read_network_state(init_t)
kernel_rw_all_sysctls(init_t)
kernel_rw_security_state(init_t)
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink