From 8872d607b7ff44ed4b0e6a022b4e7d2d95317ce8 Mon Sep 17 00:00:00 2001
From: Peter Morrow
Date: Wed, 5 Feb 2020 15:47:47 +0000
Subject: [PATCH] systemd_tmpfiles_t: Allow systemd_tempfiles_t to change permissions in sysfs

Rules specified in system tmpfiles.d configuration files are often used to change permissions on files in sysfs.

https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

Signed-off-by: Peter Morrow
---
 policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
 policy/modules/system/systemd.te | 1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 513708e0e..5fc57cf3e 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4395,6 +4395,26 @@ interface(`dev_relabel_all_sysfs',`
 allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
 ')
+########################################
+##
+## Set the attributes of sysfs files, directories and symlinks.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_all_sysfs',`
+ gen_require(`
+ attribute sysfs_types;
+ ')
+
+ allow $1 sysfs_types:dir { search_dir_perms setattr };
+ allow $1 sysfs_types:file setattr;
+ allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr };
+')
+
 ########################################
 ##
 ## Read and write the TPM device.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f55294e30..cf95a3a8d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1087,6 +1087,7 @@ dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
+dev_setattr_all_sysfs(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 files_create_lock_dirs(systemd_tmpfiles_t)
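Review bot: The three `allow` rules in the new `dev_setattr_all_sysfs` interface spell out a raw `setattr` where the adjacent `dev_relabel_all_sysfs` (visible as the hunk's context) uses refpolicy's permission-set macros; for consistency with interfaces such as `dev_setattr_all_chr_files`, the file and symlink lines read better as `allow $1 sysfs_types:file setattr_file_perms;` and `allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr_lnk_file_perms };`. The interface hands `setattr` on every type carrying the `sysfs_types` attribute to the caller, which covers mode and ownership changes on kernel-exported tunables as well as ordinary files, so the summary should state that breadth: `## Set the attributes (mode, ownership, timestamps) of all sysfs files, directories and symlinks. This is a broad grant; prefer a type-specific interface when the caller only needs a subset.` The file rule carries no `getattr`, so a domain that calls only this interface would presumably still be denied a stat() before its chmod; systemd_tmpfiles_t is covered because it also calls `dev_relabel_all_sysfs`, whose relabel permission sets include getattr, but that implicit dependency deserves a sentence in the interface description.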
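Review bot: The new `dev_setattr_all_sysfs(systemd_tmpfiles_t)` call is inserted between `dev_read_urand` and `dev_manage_all_dev_nodes`, which leaves the `dev_` block out of the alphabetical ordering refpolicy generally keeps for interface calls; placing it directly after `dev_relabel_all_sysfs(systemd_tmpfiles_t)` would restore that. The surrounding context also lists `dev_read_urand` and `dev_manage_all_dev_nodes` twice each, which is pre-existing but could be collapsed in a follow-up. Because the grant covers every sysfs_types type, a one-line comment above the call tying it to the tmpfiles.d rules that adjust mode and ownership under /sys, as the commit message explains, would help future readers judge whether it is still needed: `# tmpfiles.d rules adjust mode/ownership of sysfs entries`.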