authorKenton Groombridge <concord@gentoo.org>2024-01-12 17:26:02 -0500
committerKenton Groombridge <concord@gentoo.org>2024-03-01 12:04:49 -0500
commite57d102d4f0eafbb548549efd792347c32d47f64 (patch)
treef4b3f56afec6df22143c6838d9f18fa9e2031b23
parentsystemd: label systemd-tpm2-setup as systemd-pcrphase (diff)
downloadhardened-refpolicy-e57d102d4f0eafbb548549efd792347c32d47f64.tar.gz
hardened-refpolicy-e57d102d4f0eafbb548549efd792347c32d47f64.tar.bz2
hardened-refpolicy-e57d102d4f0eafbb548549efd792347c32d47f64.zip
bootloader, init, udev: misc minor fixes
Resolve these AVCs seen during early boot with systemd 255:

Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0
Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc: denied { setrlimit } for pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc: denied { write } for pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc: denied { net_admin } for pid=3033 comm="bootctl" capability=12 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/admin/bootloader.te2
-rw-r--r--policy/modules/system/init.te1
-rw-r--r--policy/modules/system/udev.te3
3 files changed, 4 insertions, 2 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index abe387424..294ce7e0c 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -42,7 +42,7 @@ dev_node(bootloader_tmp_t)
#
allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
-dontaudit bootloader_t self:capability sys_resource;
+dontaudit bootloader_t self:capability { net_admin sys_resource };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
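Review bot: The `net_admin` added to the dontaudit on line 28 carries no comment, and because dontaudit suppresses the denial instead of granting the capability, a later genuine need for net_admin in bootloader_t — or an attempt to misuse it — will no longer appear in the audit log. A one-line why-comment tied to the triggering AVC keeps that trade-off visible, e.g. `# bootctl (systemd 255) trips a net_admin check at startup; harmless, so silence it`. What in bootctl triggers the check is not visible here (presumably a call that tolerates failure), so the wording should be confirmed before it is committed. The comment header this rule sits under starts before the hunk.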
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cbccbbd1b..8f3772dcb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -271,6 +271,7 @@ ifdef(`init_systemd',`
allow init_t self:process { getcap setcap getsched setsched };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+ allow init_t self:netlink_netfilter_socket create_socket_perms;
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:system { status reboot halt reload };
# Until systemd is fixed
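Review bot: The new netlink_netfilter_socket rule on line 39 grants the full `create_socket_perms` set to init_t without noting what in systemd 255 makes PID 1 open an nfnetlink socket, while the AVC in the description shows only `create` being denied. Since nfnetlink is the interface to netfilter/nftables, a short why-comment makes the grant reviewable later, e.g. `# systemd 255: PID 1 opens an nfnetlink socket (presumably for NFTSet= support; confirm)`. Granting create_socket_perms rather than bare `create` matches the adjacent netlink_selinux_socket rule, so the permission set itself follows the file's convention. The rule sits inside the `ifdef(`init_systemd'` block opened before the hunk.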
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index c48c291b9..4d708f977 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ optional_policy(`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
allow udev_t self:capability2 { wake_alarm block_suspend };
-allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate setrlimit getrlimit };
+allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit setrlimit };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
allow udev_t self:sock_file read_sock_file_perms;
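Review bot: Lines 50–51 only swap `setrlimit getrlimit` to `getrlimit setrlimit` inside the same permission set, so the udev_t setrlimit denial quoted in the description is not addressed by this hunk as shown — the old line already granted setrlimit. Either the denial came from a policy build that predates this line, or the reorder was meant to accompany an addition that did not land; that is worth confirming against the installed policy before treating the AVC as resolved. If the reorder is purely cosmetic, dropping it keeps the diff to the functional changes.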
@@ -96,6 +96,7 @@ kernel_read_device_sysctls(udev_t)
kernel_read_hotplug_sysctls(udev_t)
kernel_read_modprobe_sysctls(udev_t)
kernel_read_kernel_sysctls(udev_t)
+kernel_rw_fs_sysctls(udev_t)
kernel_rw_hotplug_sysctls(udev_t)
kernel_rw_unix_dgram_sockets(udev_t)
kernel_signal(udev_t)
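Review bot: `kernel_rw_fs_sysctls(udev_t)` on line 59 grants write access to everything labeled sysctl_fs_t, not only the nlm_tcpport/nlm_udpport entries from the AVCs, and nothing at the call site records why udev needs it. The denials show `sysctl` running in udev_t itself with no domain transition, so a why-comment on the new line lets a future reader judge whether the broad grant is still the right choice, e.g. `# sysctl run from a udev rule sets fs.nfs.nlm_{tcp,udp}port (systemd 255)`. Whether a narrower labeling of those two entries is feasible is not visible here and would need checking in the kernel module's sysctl declarations.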