systemd-timesyncd.service sandbox requried permissions

For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.: Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-17 13:36:56 +02:00 · 2020-05-17 13:36:56 +02:00 · e20db26b7b
parent 83a39ad4fd
commit e20db26b7b
6 changed files with 24 additions and 1 deletions
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -197,6 +197,10 @@ type mtrr_device_t;
 dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)

+optional_policy(`
+	init_mountpoint(mtrr_device_t)
+')
+
 #
 # null_device_t is the type of /dev/null.
 #
@ -285,7 +289,7 @@ type tpm_device_t;
 dev_node(tpm_device_t)

 #
-# uhid_device_t is the thpe of /dev/uhid - 
+# uhid_device_t is the type of /dev/uhid -
 # User-space I/O driver support for HID subsystem
 #
 type uhid_device_t;
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -136,6 +136,10 @@ type system_map_t;
 files_type(system_map_t)
 genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)

+optional_policy(`
+	init_mountpoint(system_map_t)
+')
+
 #
 # tmp_t is the type of the temporary directories
 #
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -181,6 +181,10 @@ type tracefs_t;
 fs_type(tracefs_t)
 genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)

+optional_policy(`
+	init_mountpoint(tracefs_t)
+')
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -95,6 +95,10 @@ type proc_kcore_t, proc_type;
 neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)

+optional_policy(`
+	init_mountpoint(proc_kcore_t)
+')
+
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)

@ -119,6 +123,10 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
 type sysctl_irq_t, sysctl_type;
 genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)

+optional_policy(`
+	init_mountpoint(sysctl_irq_t)
+')
+
 # /proc/net/rpc directory and files
 type sysctl_rpc_t, sysctl_type;
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@ -12,6 +12,7 @@ files_config_file(ntp_conf_t)

 type ntp_drift_t;
 files_type(ntp_drift_t)
+init_mountpoint(ntp_drift_t)

 type ntpd_t;
 type ntpd_exec_t;
@ -33,6 +34,7 @@ logging_log_file(ntpd_log_t)

 type ntpd_pid_t;
 files_pid_file(ntpd_pid_t)
+init_mountpoint(ntpd_pid_t)

 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -408,6 +408,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
 	fs_relabelfrom_tmpfs_sockets(init_t)
+	fs_manage_tmpfs_symlinks(init_t)
 	# mount-setup
 	fs_unmount_autofs(init_t)
 	fs_getattr_pstore_dirs(init_t)