From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1741476403.045344366ca42f82ed70a053accc05d0a8f13f39.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.if
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 045344366ca42f82ed70a053accc05d0a8f13f39
X-VCS-Branch: master
Date: Sat, 08 Mar 2025 23:55:04 +0000 (UTC)

commit:     045344366ca42f82ed70a053accc05d0a8f13f39
Author:     Yi Zhao windriver com>
AuthorDate: Thu Feb 13 13:51:55 2025 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Mar  8 23:26:43 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04534436

systemd: allow system --user to get attributes of nsfs inodes

Fixes:
avc: denied { getattr } for pid=502 comm="systemd" path="cgroup:[4026531835]" dev="nsfs" ino=4026531835 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=0
avc: denied { getattr } for pid=502 comm="systemd" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=0
avc: denied { getattr } for pid=506 comm="30-systemd-envi" path="cgroup:[4026531835]" dev="nsfs" ino=4026531835 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=0
avc: denied { getattr } for pid=506 comm="30-systemd-envi" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=0
avc: denied { getattr } for pid=508 comm="systemd-tmpfile" path="cgroup:[4026531835]" dev="nsfs" ino=4026531835 scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=0
avc: denied { getattr } for pid=508 comm="systemd-tmpfile" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=0
avc: denied { search } for pid=508 comm="systemd-tmpfile" name="1" dev="proc" ino=575 scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t tcontext=system_u:system_r:init_t tclass=dir permissive=0
avc: denied { getattr } for pid=508 comm="systemd-tmpfile" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0

Signed-off-by: Yi Zhao windriver.com>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/system/systemd.if | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index b6b50bca9..0f92c23bd 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -99,6 +99,7 @@ template(`systemd_role_template',` files_watch_etc_dirs($1_systemd_t) fs_getattr_xattr_fs($1_systemd_t) + fs_getattr_nsfs_files($1_systemd_t) fs_manage_cgroup_files($1_systemd_t) fs_watch_cgroup_files($1_systemd_t) @@ -152,6 +153,11 @@ template(`systemd_role_template',` files_list_runtime($1_systemd_tmpfiles_t) files_read_etc_files($1_systemd_tmpfiles_t) + fs_getattr_nsfs_files($1_systemd_tmpfiles_t) + + init_read_state($1_systemd_tmpfiles_t) + + kernel_dontaudit_getattr_proc($1_systemd_tmpfiles_t) kernel_read_kernel_sysctls($1_systemd_tmpfiles_t) kernel_read_system_state($1_systemd_tmpfiles_t)
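Review bot: style point in the first hunk (the `-99,6 +99,7` block): `fs_getattr_nsfs_files($1_systemd_t)` is inserted after `fs_getattr_xattr_fs($1_systemd_t)`, but refpolicy keeps interface calls within a prefix group sorted alphabetically, and `nsfs` sorts before `xattr`, so the new line belongs above `fs_getattr_xattr_fs`. The rule itself matches the quoted denials: the `sysadm_systemd_t` and `30-systemd-envi` processes only need `getattr` on the `nsfs_t` files `cgroup:[...]` and `pid:[...]`, and getattr on those files is exactly what this interface grants.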
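Review bot: in the second hunk (the `-152,6 +153,11` block), `init_read_state($1_systemd_tmpfiles_t)` grants more than the quoted denial calls for: the only `init_t` denial is `{ search }` on the `/proc/1` directory (`name="1" dev="proc" ... tclass=dir`), whereas `init_read_state` also allows reading init's process-state files under that directory. Please confirm that systemd-tmpfiles actually reads `/proc/1/*` (if it only traverses the directory, a search-only permission is the least-privilege fix) or say so in the commit message. Also, `kernel_dontaudit_getattr_proc($1_systemd_tmpfiles_t)` silences the last denial (`getattr` on the `proc_t` filesystem) rather than allowing it, so the commit message's blanket "Fixes:" should state that this one is dontaudited, not permitted.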