filesystem, init: allow systemd to setattr on ramfs dirs

This is needed by systemd-creds on system boot. Without this access, many services fail to start. Observed on systemd-252 on Gentoo. type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)" type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711 dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1670295099.238:180306): cwd="/" type=SYSCALL msg=audit(1670295099.238:180306): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1 ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1670295099.238:180306): avc: denied { setattr } for pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-07 10:27:48 -05:00 · 2022-12-07 10:27:48 -05:00 · d34dd9571e
commit d34dd9571e
parent a6db7cb87f
2 changed files with 21 additions and 0 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -4778,6 +4778,25 @@ interface(`fs_dontaudit_search_ramfs',`
 	dontaudit $1 ramfs_t:dir search_dir_perms;
 ')

+########################################
+## <summary>
+##	Set the attributes of directories on
+##	a ramfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_setattr_ramfs_dirs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir setattr;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -472,6 +472,8 @@ ifdef(`init_systemd',`
 	fs_create_pstore_dirs(init_t)
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
+	# needed by systemd-creds
+	fs_setattr_ramfs_dirs(init_t)

 	init_manage_all_unit_files(init_t)
 	init_read_script_state(init_t)