author | Yi Zhao <yi.zhao@windriver.com> | 2024-08-12 16:17:29 +0800 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:29 -0700 |
commit | a909c09a7716cdd655acc0bd96210e6bfa244e0b (patch) | |
tree | a04256169fa7a5b74c699979ed6aabc08598a3fa | |
parent | systemd: allow systemd-networkd to manage sock files under /run/systemd/netif (diff) | |
systemd: allow system --user to create netlink_route_socket
Fixes:
avc: denied { create } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { getopt } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { setopt } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { bind } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { getattr } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { write } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { nlmsg_read } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { read } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { sendto } for pid=378 comm="(ystemctl)"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=unix_dgram_socket
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/system/systemd.if | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a9c8a1a5a..b9dbd97cc 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -61,6 +61,8 @@ template(`systemd_role_template',`
 # remainder of the rules.
 allow $1_systemd_t self:process { getsched signal };
 allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow $1_systemd_t self:netlink_route_socket r_netlink_socket_perms;
+allow $1_systemd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_systemd_t $3:process { rlimitinh setsched signal_perms };
 corecmd_shell_domtrans($1_systemd_t, $3) |
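Review bot: The two new allow rules live in systemd_role_template, so they are granted to every role's `$1_systemd_t` user manager, while the denials quoted in the description were observed only for sysadm_systemd_t; that is the right place if every user instance performs the same route-netlink queries, but the hunk does not record why a user manager needs a route socket at all. `r_netlink_socket_perms` is the least-privilege choice here — as refpolicy defines it, it covers the denied create/bind/getopt/setopt/getattr/read/write/nlmsg_read set without nlmsg_write, so the manager can query but not change routes — and a comment above the rule would stop a later denial-chaser from widening it to `rw_netlink_socket_perms`: `# user manager only reads the routing table; keep this read-only (no nlmsg_write)`. The added `sendto` on a self-labelled unix_dgram_socket matches the pid 378 "(ystemctl)" denial (apparently a forked, not-yet-exec'd child of the manager) and, being self-only, does not let the manager reach other domains' datagram sockets. The template begins before and continues past this hunk.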