commit: 862c31bbaa0af5a4ccba3529cc6876da978d113e Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com> AuthorDate: Thu Nov 28 10:19:06 2024 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Dec 15 00:19:42 2024 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=862c31bb
systemd: getattr namespace files
systemd v257 started to access various namespace files, e.g.:
type=PROCTITLE msg=audit(28/11/24 11:14:28.210:154) : proctitle=/usr/lib/systemd/system-generators/systemd-fstab-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gene
type=PATH msg=audit(28/11/24 11:14:28.210:154) : item=0 name=/proc/self/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(28/11/24 11:14:28.210:154) : cwd=/
type=SYSCALL msg=audit(28/11/24 11:14:28.210:154) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffff9715f90 a2=0x7ffff9715fb0 a3=0x0 items=1 ppid=8046 pid=8049 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-fstab-g exe=/usr/lib/systemd/system-generators/systemd-fstab-generator subj=system_u:system_r:systemd_generator_t:s0 key=(null)
type=AVC msg=audit(28/11/24 11:14:28.210:154) : avc: denied { getattr } for pid=8049 comm=systemd-fstab-g path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/ntp.te | 1 +
policy/modules/system/logging.te | 1 +
policy/modules/system/systemd.te | 9 +++++++++
policy/modules/system/udev.te | 1 +
4 files changed, 12 insertions(+)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 27f86ae18..72ef1067e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -127,6 +127,7 @@ files_watch_runtime_dirs(ntpd_t)
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+fs_getattr_nsfs_files(ntpd_t)
 term_use_ptmx(ntpd_t)
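Review bot: `fs_getattr_nsfs_files(ntpd_t)` is added here unconditionally, whereas the same interface is added inside an init_systemd ifdef block for syslogd_t in logging.te and for udev_t in udev.te. The commit message attributes the accesses to systemd v257 and shows a denial only for systemd_generator_t, so if the consumer in ntpd_t is systemd-timesyncd (which this policy appears to run under ntpd_t), gating the line on init_systemd like the other two would keep the three files consistent and avoid widening a non-systemd ntpd. The grant is narrow — file-class getattr on nsfs_t, i.e. the stat() of a /proc/self/ns entry seen in the logged newfstatat, not open or setns — so the exposure is limited to namespace inode numbers either way. The enclosing block of ntp.te continues outside the hunk.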
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ed01f0e4a..589c756e4 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -532,6 +532,7 @@ ifdef(`init_systemd',`
 fs_list_cgroup_dirs(syslogd_t)
 fs_watch_memory_pressure(syslogd_t)
+ fs_getattr_nsfs_files(syslogd_t)
 init_create_runtime_dirs(syslogd_t)
 init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 80ad48873..05c9e55e4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -460,6 +460,7 @@ fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
 fs_getattr_cgroup(systemd_binfmt_t)
 fs_search_cgroup_dirs(systemd_binfmt_t)
+fs_getattr_nsfs_files(systemd_binfmt_t)
 ######################################
 #
@@ -575,6 +576,7 @@ files_dontaudit_read_etc_runtime_files(systemd_generator_t)
 fs_list_efivars(systemd_generator_t)
 fs_getattr_all_fs(systemd_generator_t)
+fs_getattr_nsfs_files(systemd_generator_t)
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -878,6 +880,7 @@ manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_
 fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
+fs_getattr_nsfs_files(systemd_journal_init_t)
 kernel_getattr_proc(systemd_journal_init_t)
 kernel_read_kernel_sysctls(systemd_journal_init_t)
@@ -1023,6 +1026,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 fs_getattr_xattr_fs(systemd_logind_t)
 fs_watch_memory_pressure(systemd_logind_t)
+fs_getattr_nsfs_files(systemd_logind_t)
 logging_send_audit_msgs(systemd_logind_t)
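Review bot: Of the systemd.te grants, only `fs_getattr_nsfs_files(systemd_generator_t)` in the @@ -575 hunk is backed by the AVC quoted in the commit message; the additions for systemd_binfmt_t, systemd_journal_init_t and systemd_logind_t in this line, and for systemd_modules_load_t, systemd_sessions_t, systemd_sysctl_t, systemd_tmpfiles_t and systemd_user_runtime_dir_t in the following hunks, are applied without a recorded denial. Presumably they stem from the same namespace lookup in systemd v257 shared by these binaries, but that is inferred rather than shown, so a reviewer would want either the matching denials or a one-line note such as `# systemd >= 257 stats /proc/self/ns/* at startup` next to the first of them. Note that `fs_getattr_all_fs(systemd_generator_t)` on the line above the generator addition grants getattr on the filesystem class (statfs), so the new file-class getattr on nsfs_t is not redundant with it. Because a single type labels the whole nsfs filesystem, this interface is the smallest scope available; the permission is read-only metadata and does not allow opening or entering a namespace.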
@@ -1265,6 +1269,7 @@ init_read_state(systemd_machine_id_setup_t)
 fs_getattr_cgroup(systemd_modules_load_t)
 fs_getattr_xattr_fs(systemd_modules_load_t)
+fs_getattr_nsfs_files(systemd_modules_load_t)
 kernel_load_module(systemd_modules_load_t)
 kernel_read_kernel_sysctls(systemd_modules_load_t)
@@ -1826,6 +1831,7 @@ fs_getattr_all_fs(systemd_sessions_t)
 fs_search_cgroup_dirs(systemd_sessions_t)
 fs_search_tmpfs(systemd_sessions_t)
 fs_search_ramfs(systemd_sessions_t)
+fs_getattr_nsfs_files(systemd_sessions_t)
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
@@ -1860,6 +1866,7 @@ fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
 fs_search_tmpfs(systemd_sysctl_t)
+fs_getattr_nsfs_files(systemd_sysctl_t)
 systemd_log_parse_environment(systemd_sysctl_t)
@@ -1974,6 +1981,7 @@ fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_all_fs(systemd_tmpfiles_t)
 fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_nsfs_files(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -2224,6 +2232,7 @@ fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
 fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
 fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
+fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index ccf2c310e..bf6b8b53e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -273,6 +273,7 @@ ifdef(`init_systemd',`
 fs_create_cgroup_dirs(udev_t)
 fs_create_cgroup_files(udev_t)
 fs_rw_cgroup_files(udev_t)
+ fs_getattr_nsfs_files(udev_t)
 init_dgram_send(udev_t)
 init_get_generic_units_status(udev_t)