From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1667398022.cec2de860f7eb541711fc5a6dc0adf873970068d.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/init.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: cec2de860f7eb541711fc5a6dc0adf873970068d
X-VCS-Branch: master
Date: Wed, 2 Nov 2022 14:42:51 +0000 (UTC)

commit:     cec2de860f7eb541711fc5a6dc0adf873970068d
Author:     Dave Sugar gmail com>
AuthorDate: Sat Sep 17 02:28:33 2022 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Wed Nov  2 14:07:02 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cec2de86

Seeing long delay during shutdown saying:
'A stop job is running for Restore /run/initramfs on shutdown'

These were the denials in audit.log related to this:

node=localhost type=AVC msg=audit(1663379349.428:5081): avc: denied { write } for pid=3594 comm="cpio" name="initramfs" dev="tmpfs" ino=18 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.428:5081): avc: denied { add_name } for pid=3594 comm="cpio" name="bin" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5083): avc: denied { create } for pid=3594 comm="cpio" name="dev" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5084): avc: denied { setattr } for pid=3594 comm="cpio" name="dev" dev="tmpfs" ino=1356 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5087): avc: denied { create } for pid=3594 comm="cpio" name="systemd.conf" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5087): avc: denied { write open } for pid=3594 comm="cpio" path="/run/initramfs/etc/conf.d/systemd.conf" dev="tmpfs" ino=1365 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5088): avc: denied { setattr } for pid=3594 comm="cpio" name="systemd.conf" dev="tmpfs" ino=1365 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.834:5119): avc: denied { read } for pid=3594 comm="cpio" name="gr737d-8x16.psfu.gz" dev="tmpfs" ino=1632 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.834:5119): avc: denied { link } for pid=3594 comm="cpio" name="gr737d-8x16.psfu.gz" dev="tmpfs" ino=1632 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Also seeing the following, but seems to function without related rules:

node=localhost type=AVC msg=audit(1663379349.428:5081): avc: denied { create } for pid=3594 comm="cpio" name="bin" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1663379349.428:5082): avc: denied { setattr } for pid=3594 comm="cpio" name="bin" dev="tmpfs" ino=1355 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5085): avc: denied { create } for pid=3594 comm="cpio" name="console" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5086): avc: denied { setattr } for pid=3594 comm="cpio" name="console" dev="tmpfs" ino=1357 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1

Signed-off-by: Dave Sugar gmail.com>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 0c4fb9dd1..249775e52 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1019,6 +1019,8 @@ ifdef(`distro_redhat',` fs_read_tmpfs_symlinks(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) + fs_manage_tmpfs_dirs(initrc_t) + fs_manage_tmpfs_files(initrc_t) storage_manage_fixed_disk(initrc_t) storage_dev_filetrans_fixed_disk(initrc_t)
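Review bot: the two added calls, `fs_manage_tmpfs_dirs(initrc_t)` and `fs_manage_tmpfs_files(initrc_t)`, give initrc_t full manage rights (create, write, setattr, link, unlink and the rest) over every tmpfs_t directory and file, while every denial quoted above is cpio restoring one tree, /run/initramfs, so the grant is much wider than the evidence needs; a tighter fix would be a dedicated type for /run/initramfs (with a filetrans from tmpfs_t) that initrc_t may manage, or at least a comment above the two lines recording that the /run/initramfs restore at shutdown is the reason, so the breadth is not silently inherited later. Also worth confirming the placement: the hunk header's context is `ifdef(`distro_redhat',``, so if the new lines sit inside that block they only take effect on distro_redhat builds, which may not be the configuration that produced these denials.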