Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
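As an added illustration of why this matters (example policy, not text from the patch; the types example_t and example_log_t are hypothetical), a complement rule and a wildcard rule next to their enumerated replacements:

```selinux
# Added example, not from the patch. example_t and example_log_t are hypothetical.

# Complement rule: grants every permission in the file class EXCEPT the listed
# ones. When a later kernel/policy declares a new file permission (as later
# happened with "map" and "watch"), it is granted here automatically and
# nobody reviews whether this domain should have it.
allow example_t example_log_t:file ~{ execute execute_no_trans entrypoint };

# Wildcard rule: grants every current and future permission in the dir class.
allow example_t example_log_t:dir *;

# Enumerated replacements: only the access the domain is known to need today.
# A newly declared permission stays denied until someone adds it deliberately,
# which is the property the patch description is after.
allow example_t example_log_t:file { ioctl read write create getattr setattr lock append unlink link rename open };
allow example_t example_log_t:dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open };
```

To see what a compiled policy actually grants, `sesearch -A -s example_t -t example_log_t -c file` (setools) prints the effective permission list, with complements and wildcards already expanded; in the policy source, `grep -rnE '~\{|:[a-z_]+ \*;' policy/modules` finds the remaining complement and wildcard rules.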
This patch adds a lot of policy that is needed to set up an initramfs and grub
on Debian nowadays.
Also changed a comment about ia64 to correctly mention EFI.
This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.
It has a number of changes needed by systemd_logind_t to set permissions for
local logins.
It has some more permissions that systemd_machined_t needs; I don't think it's
everything that systemd_machined_t needs, but it's a start.
It has some changes for udev_t for systemd-udevd.
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
With the new "cgroup2" system added in kernel 4.5, systemd is getting
SELinux denials when manipulating the cgroup hierarchy.
Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903
AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc: denied { write } for pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.
In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (cf.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need for "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.
While at it, add filesystem_type attribute to nsfs_t.
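The cgroup2 message above and this nsfs one describe the same kind of fix: a kernel pseudo filesystem that policy has never heard of, so its inodes come out as unlabeled_t, plus the one permission systemd needs on the way. The fragment below is an added example written in refpolicy's kernel/filesystem.te and system/init.te conventions; it is not the text of either patch, and the merged lines may differ. The read rule on nsfs_t is an assumption drawn from "systemd opens /proc/self/ns/net".

```selinux
# Added example, not the patch text. Follows refpolicy conventions; the exact
# lines in the merged patches may differ.

# kernel/filesystem.te
# cgroup2 is a new filesystem type name. With no genfscon (or fs_use_*) line
# for it, every inode on it is unlabeled_t, which is exactly what the AVC
# above shows (dev="cgroup2", tcontext=...:unlabeled_t). Label it like
# cgroup v1 so the existing cgroup_t rules for init_t keep working.
genfscon cgroup  / gen_context(system_u:object_r:cgroup_t,s0)
genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)

# /proc/self/ns/* are files on nsfs. fs_type() attaches the filesystem_type
# attribute, so the generic fs_* interfaces (getattr on all filesystems, etc.)
# cover it; the genfscon line gives the inodes a type of their own.
type nsfs_t;
fs_type(nsfs_t)
genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)

# system/init.te
# PrivateNetwork=yes: systemd parks the namespace fd in a socketpair and locks
# one end of it, so init needs lock on its own unix_dgram_socket.
allow init_t self:unix_dgram_socket { create_socket_perms lock };
# Assumed: opening /proc/self/ns/net is a read of an nsfs_t file. refpolicy
# would normally wrap this in a filesystem.if interface rather than a raw rule.
allow init_t nsfs_t:file read_file_perms;
```

After loading the rebuilt policy, `seinfo --genfscon` should list both cgroup2 and nsfs, `ls -dZ /sys/fs/cgroup` on a cgroup2 mount should show cgroup_t instead of unlabeled_t, and `ls -Z /proc/self/ns/net` should show nsfs_t; a denial on a `dev="cgroup2"` or `dev="nsfs"` object with tcontext unlabeled_t means the genfscon line did not make it into the loaded policy.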
Even if there is no FHS provision for this, systemd is using
/dev/hugepages to mount the hugetlbfs fs by default.
The needed file contexts are already present.
Associate the new xattrfs attribute with fs_t and the pseudo filesystems
that we know support xattr.
This patch adds the attribute to the following (pseudo) filesystems
- device_t
- devpts_t
- fs_t
- hugetlbfs
- sysfs_t
- tmpfs_t
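How an attribute like xattrfs is declared, exposed through an interface and attached to the types listed above, as an added example in refpolicy style (not the merged patch; the interface name, the mapping of "hugetlbfs" to hugetlbfs_t, and the final consumer rule are illustrative assumptions):

```selinux
# Added example, not the patch text. Shows the mechanism; names follow refpolicy
# conventions and the merged lines may differ.

# kernel/filesystem.te: declare the attribute once, in the module that owns it.
attribute xattrfs;

# kernel/filesystem.if: an interface so other modules can tag a filesystem type
# without naming the attribute directly (refpolicy forbids cross-module
# attribute references outside gen_require).
interface(`fs_xattr_type',`
	gen_require(`
		attribute xattrfs;
	')
	typeattribute $1 xattrfs;
')

# kernel/filesystem.te: apply it to real disk filesystems and to the pseudo
# filesystems from the list above that honour security.* xattrs.
fs_xattr_type(fs_t)
fs_xattr_type(device_t)      # devtmpfs is labeled device_t via fs_use_trans
fs_xattr_type(devpts_t)
fs_xattr_type(hugetlbfs_t)   # assumed to be the type meant by "hugetlbfs"
fs_xattr_type(sysfs_t)
fs_xattr_type(tmpfs_t)

# What the attribute buys: one rule reaches every member, present and future,
# instead of a rule per filesystem type. Illustrative consumer: a domain that
# needs statfs() on any xattr-capable filesystem.
allow setfiles_t xattrfs:filesystem getattr;
```

Because the attribute is applied to the filesystem types rather than to the files on them, a type added to the list later (or removed from it) changes the reach of every consumer rule at once, so the list above is the thing to review when a new pseudo filesystem is introduced; `seinfo -a xattrfs -x` shows the current members in a loaded policy.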