[meta-selinux][master][kirkstone][PATCH 1/2] refpolicy: backport patches to fix policy issues for systemd 250

* [meta-selinux][master][kirkstone][PATCH 1/2] refpolicy: backport patches to fix policy issues for systemd 250
@ 2022-05-24 15:52 Yi Zhao
  2022-05-24 15:52 ` [meta-selinux][master][kirkstone][PATCH 2/2] refpolicy: add file context for findfs alternative Yi Zhao
  0 siblings, 1 reply; 2+ messages in thread
From: Yi Zhao @ 2022-05-24 15:52 UTC (permalink / raw)
  To: yocto, joe_macdonald, joe

Backport the following patches to fix systemd-resolved and
systemd-netowrkd policy issues:
  systemd-systemd-resolved-is-linked-to-libselinux.patch
  sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
  term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
  systemd-add-file-transition-for-systemd-networkd-run.patch
  systemd-add-missing-file-context-for-run-systemd-net.patch
  systemd-add-file-contexts-for-systemd-network-genera.patch
  systemd-udev-allow-udev-to-read-systemd-networkd-run.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...emd-resolved-is-linked-to-libselinux.patch | 33 +++++++
 ...md-allow-DNS-resolution-over-io.syst.patch | 63 +++++++++++++
 ...systemd-to-watch-and-watch-reads-on-.patch | 94 +++++++++++++++++++
 ...-transition-for-systemd-networkd-run.patch | 32 +++++++
 ...ing-file-context-for-run-systemd-net.patch | 29 ++++++
 ...-contexts-for-systemd-network-genera.patch | 38 ++++++++
 ...ow-udev-to-read-systemd-networkd-run.patch | 34 +++++++
 .../refpolicy/refpolicy_common.inc            |  7 ++
 8 files changed, 330 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch

diff --git a/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch b/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
new file mode 100644
index 0000000..e0db7d3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0062-systemd-systemd-resolved-is-linked-to-libselinux.patch
@@ -0,0 +1,33 @@
+From 52a4222397f5d3b28ca15a45bb2ace209a4afc3e Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Thu, 31 Mar 2022 13:09:10 -0400
+Subject: [PATCH] systemd: systemd-resolved is linked to libselinux
+
+systemd-resolved as of systemd 250 fails to start with this error:
+
+Failed to initialize SELinux labeling handle: No such file or directory
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/3a22db2410de479e5baa88f3f668a7a4ac198950]
+
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 8cea6baa1..beb301cc6 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1261,6 +1261,7 @@ fs_getattr_cgroup(systemd_resolved_t)
+ 
+ init_dgram_send(systemd_resolved_t)
+ 
++seutil_libselinux_linked(systemd_resolved_t)
+ seutil_read_file_contexts(systemd_resolved_t)
+ 
+ systemd_log_parse_environment(systemd_resolved_t)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch b/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
new file mode 100644
index 0000000..63da7cd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch
@@ -0,0 +1,63 @@
+From 1ba0911e157c64ea15636c5707f38f1bdc9a46c8 Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Wed, 27 Apr 2022 01:09:52 -0400
+Subject: [PATCH] sysnetwork, systemd: allow DNS resolution over
+ io.systemd.Resolve
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/1a0acc9c0d8c7c49ad4ca2cabd44bc66450f45e0]
+
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/sysnetwork.if |  1 +
+ policy/modules/system/systemd.if    | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
+index 8664a67c8..140d48508 100644
+--- a/policy/modules/system/sysnetwork.if
++++ b/policy/modules/system/sysnetwork.if
+@@ -844,6 +844,7 @@ interface(`sysnet_dns_name_resolve',`
+ 	ifdef(`init_systemd',`
+ 		optional_policy(`
+ 			systemd_dbus_chat_resolved($1)
++			systemd_stream_connect_resolved($1)
+ 		')
+ 		# This seems needed when the mymachines NSS module is used
+ 		optional_policy(`
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 5f2038f22..9143fb4c0 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -1835,6 +1835,27 @@ interface(`systemd_tmpfilesd_managed',`
+ 	')
+ ')
+ 
++#######################################
++## <summary>
++##	Connect to systemd resolved over
++##	/run/systemd/resolve/io.systemd.Resolve .
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_stream_connect_resolved',`
++	gen_require(`
++		type systemd_resolved_t;
++		type systemd_resolved_runtime_t;
++	')
++
++	files_search_runtime($1)
++	stream_connect_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t, systemd_resolved_t)
++')
++
+ ########################################
+ ## <summary>
+ ##   Send and receive messages from
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch b/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
new file mode 100644
index 0000000..88f070d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch
@@ -0,0 +1,94 @@
+From 50670946f04257cc2110facbc61884e2cf0d8327 Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Fri, 6 May 2022 21:16:29 -0400
+Subject: [PATCH] term, init: allow systemd to watch and watch reads on
+ unallocated ttys
+
+As of systemd 250, systemd needs to be able to add a watch on and watch
+reads on unallocated ttys in order to start getty.
+
+systemd[55548]: getty@tty1.service: Failed to set up standard input: Permission denied
+systemd[55548]: getty@tty1.service: Failed at step STDIN spawning /sbin/agetty: Permission denied
+
+time->Fri May  6 21:17:58 2022
+type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)"
+type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(1651886278.452:1770): cwd="/"
+type=SYSCALL msg=audit(1651886278.452:1770): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=55551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(1651886278.452:1770): avc:  denied  { watch watch_reads } for  pid=55551 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/308ab9f69a4623f5dace8da151e70c6316f055a8]
+
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/terminal.if | 38 +++++++++++++++++++++++++++++++
+ policy/modules/system/init.te     |  2 ++
+ 2 files changed, 40 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index e8c0735eb..6e9f654ac 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -1287,6 +1287,44 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ 	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Watch unallocated ttys.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_watch_unallocated_ttys',`
++	gen_require(`
++		type tty_device_t;
++	')
++
++	dev_list_all_dev_nodes($1)
++	allow $1 tty_device_t:chr_file watch;
++')
++
++########################################
++## <summary>
++##	Watch reads on unallocated ttys.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_watch_reads_unallocated_ttys',`
++	gen_require(`
++		type tty_device_t;
++	')
++
++	dev_list_all_dev_nodes($1)
++	allow $1 tty_device_t:chr_file watch_reads;
++')
++
+ ########################################
+ ## <summary>
+ ##	Get the attributes of all tty device nodes.
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 5a19f0e43..24cef0924 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -518,6 +518,8 @@ ifdef(`init_systemd',`
+ 	term_create_devpts_dirs(init_t)
+ 	term_create_ptmx(init_t)
+ 	term_create_controlling_term(init_t)
++	term_watch_unallocated_ttys(init_t)
++	term_watch_reads_unallocated_ttys(init_t)
+ 
+ 	# udevd is a "systemd kobject uevent socket activated daemon"
+ 	udev_create_kobject_uevent_sockets(init_t)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch b/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
new file mode 100644
index 0000000..1029490
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0065-systemd-add-file-transition-for-systemd-networkd-run.patch
@@ -0,0 +1,32 @@
+From 6f8a8ecd8bafd6e8a3515b53db2a2982a02ff254 Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Thu, 31 Mar 2022 13:22:37 -0400
+Subject: [PATCH] systemd: add file transition for systemd-networkd runtime
+
+systemd-networkd creates the /run/systemd/network directory which should
+be labeled appropriately.
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/663b62f27cb12c22f056eba9326cf3f7f78d8a9e]
+
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index beb301cc6..654c6a42a 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -917,6 +917,7 @@ auth_use_nsswitch(systemd_networkd_t)
+ 
+ init_dgram_send(systemd_networkd_t)
+ init_read_state(systemd_networkd_t)
++init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
+ 
+ logging_send_syslog_msg(systemd_networkd_t)
+ 
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch b/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
new file mode 100644
index 0000000..f84eb4a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0066-systemd-add-missing-file-context-for-run-systemd-net.patch
@@ -0,0 +1,29 @@
+From 2e3f371b59bee343c42e4c69495df0f3719b6e24 Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Sat, 2 Apr 2022 15:44:01 -0400
+Subject: [PATCH] systemd: add missing file context for /run/systemd/network
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/f2fe1ae15485da7b6269b7d0d7dbed9a834f1876]
+
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+index 34db8c034..d21914227 100644
+--- a/policy/modules/system/systemd.fc
++++ b/policy/modules/system/systemd.fc
+@@ -85,6 +85,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
+ 
+ /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+ /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
++/run/systemd/network(/.*)?  gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+ /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
+ /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+ /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch b/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
new file mode 100644
index 0000000..0aaf096
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0067-systemd-add-file-contexts-for-systemd-network-genera.patch
@@ -0,0 +1,38 @@
+From 143d339b2e6611c56cd0210279757ebee9632731 Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Thu, 19 May 2022 11:42:51 -0400
+Subject: [PATCH] systemd: add file contexts for systemd-network-generator
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/73adba0a39b7409bc4bbfa0e962108c2b1e5f2a5]
+
+Thanks-To: Zhao Yi
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+index d21914227..1a35bd65c 100644
+--- a/policy/modules/system/systemd.fc
++++ b/policy/modules/system/systemd.fc
+@@ -35,6 +35,7 @@
+ /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+ /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
+ /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
++/usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+ /usr/lib/systemd/systemd-pstore		--	gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
+ /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
+ /usr/lib/systemd/systemd-rfkill		--	gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
+@@ -60,6 +61,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
+ /usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
+ /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
+ /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
++/usr/lib/systemd/system/systemd-network-generator.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
+ /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
+ /usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+ 
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch b/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
new file mode 100644
index 0000000..259863c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch
@@ -0,0 +1,34 @@
+From 6508bc8a3440525384fcfcd8ad55a4cd5c79b912 Mon Sep 17 00:00:00 2001
+From: Kenton Groombridge <me@concord.sh>
+Date: Thu, 19 May 2022 11:43:44 -0400
+Subject: [PATCH] systemd, udev: allow udev to read systemd-networkd runtime
+
+udev searches for .link files and applies custom udev rules to devices
+as they come up.
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/998ef975f38c70d57e7220b88ae5e62c88ebb770]
+
+Thanks-To: Zhao Yi
+Signed-off-by: Kenton Groombridge <me@concord.sh>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/udev.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 4c5a690fb..8e243c0f2 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -270,6 +270,8 @@ ifdef(`init_systemd',`
+ 	systemd_read_hwdb(udev_t)
+ 	systemd_read_logind_sessions_files(udev_t)
+ 	systemd_read_logind_runtime_files(udev_t)
++	# udev searches for .link files and applies custom udev rules
++	systemd_read_networkd_runtime(udev_t)
+ 
+ 	optional_policy(`
+ 		init_dbus_chat(udev_t)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 96d0da1..1d5a5c0 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -77,6 +77,13 @@ SRC_URI += " \
         file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
         file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0062-systemd-systemd-resolved-is-linked-to-libselinux.patch \
+        file://0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch \
+        file://0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch \
+        file://0065-systemd-add-file-transition-for-systemd-networkd-run.patch \
+        file://0066-systemd-add-missing-file-context-for-run-systemd-net.patch \
+        file://0067-systemd-add-file-contexts-for-systemd-network-genera.patch \
+        file://0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch \
         "
 
 S = "${WORKDIR}/refpolicy"
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread