From 2e1c1c62403224c71dd79c0e53e282cbc55837a1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 6 May 2021 10:30:11 -0400
Subject: [PATCH 1/3] init: Add support for systemd StandardInputText.

This normally uses memfd which uses posix shm under the hood. Additionally, a direct shm use is a fallback if memfd is not available.

Signed-off-by: Chris PeBenito
---
 policy/modules/system/init.if | 16 ++++++++++++++++
 policy/modules/system/init.te | 8 ++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 56b9e744a..4cb6286db 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -183,9 +183,17 @@ interface(`init_domain',`
 allow init_t $1:process rlimitinh;
 ifdef(`init_systemd',`
+ gen_require(`
+ type init_tmpfs_t;
+ ')
+
 allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 allow init_t $1:process2 { nnp_transition nosuid_transition };
+
+ # StandardInputText uses a memfd rw shm segment.
+ # Cannot deny writes or it breaks.
+ allow $1 init_tmpfs_t:file rw_inherited_file_perms;
 ')
 ')
@@ -270,9 +278,17 @@ interface(`init_spec_daemon_domain',`
 allow init_t $1:process rlimitinh;
 ifdef(`init_systemd',`
+ gen_require(`
+ type init_tmpfs_t;
+ ')
+
 allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 allow init_t $1:process2 { nnp_transition nosuid_transition };
+
+ # StandardInputText uses a memfd rw shm segment.
+ # Cannot deny writes or it breaks.
+ allow $1 init_tmpfs_t:file rw_inherited_file_perms;
 ')
 # daemons started from init will
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 820b04a00..eb63457b4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -112,6 +112,9 @@ files_type(initrc_state_t)
 type initrc_tmp_t;
 files_tmp_file(initrc_tmp_t)
+type init_tmpfs_t;
+files_tmpfs_file(init_tmpfs_t)
+
 type initrc_var_log_t;
 logging_log_file(initrc_var_log_t)
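Review bot: The comment above the new `allow $1 init_tmpfs_t:file rw_inherited_file_perms;` says only "Cannot deny writes or it breaks", which does not tell a future maintainer why a service that merely reads its stdin must be granted write, so the line is likely to be narrowed to read later and break again. If the reason is, as the comment implies, that the memfd is handed over open read/write and a descriptor the new domain cannot use in its open mode does not survive the domain transition, say so: `# StandardInputText passes a memfd opened read/write as stdin; a service that may not write it loses the fd at transition, so write must be allowed even though the service only reads.` The identical block is repeated in the init_spec_daemon_domain hunk below, so the comment belongs there too, or the two copies could be factored into one shared helper to keep them in step. Note also that init.te now file-transitions every tmpfs file init_t creates to init_tmpfs_t, including the memfd the removed `# /memfd:systemd-state` transition covered, so this grant reaches that file as well should one of its descriptors ever be inherited; if that is accepted, it is worth recording here.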
@@ -170,6 +173,9 @@ files_runtime_filetrans(init_t, initctl_t, fifo_file)
 # Modify utmp.
 allow init_t initrc_runtime_t:file { rw_file_perms setattr };
+allow init_t init_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(init_t, init_tmpfs_t, file)
+
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
@@ -292,8 +298,6 @@ ifdef(`init_systemd',`
 manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
 manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t)
 manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t)
- # /memfd:systemd-state
- fs_tmpfs_filetrans(init_t, init_runtime_t, file)
 # mounton is required for systemd-timesyncd
 allow init_t init_var_lib_t:dir { manage_dir_perms mounton };

From 998d6a6fda0e3e058d323d0ed2a1f1165acfee59 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 6 May 2021 10:31:30 -0400
Subject: [PATCH 2/3] .gitignore: Ignore vscode data dir.

Signed-off-by: Chris PeBenito
---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 4e4f2e3fb..e703c05fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,7 +21,8 @@
 /policy/modules/kernel/corenetwork.te
 /tmp/
-.vagrant/
+/.vagrant/
+/.vscode/
 # monolithic generated files
 /file_contexts

From 2d0cb88590a455bcfdca8a7ebd94fc5bc02b3ede Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 6 May 2021 10:41:17 -0400
Subject: [PATCH 3/3] .gitignore: Remove duplicate lines.

Signed-off-by: Chris PeBenito
---
 .gitignore | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index e703c05fc..ec4458dc5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,8 +23,3 @@
 /.vagrant/
 /.vscode/
-
-# monolithic generated files
-/file_contexts
-/homedir_template
-/policy.conf
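Review bot: The new `fs_tmpfs_filetrans(init_t, init_tmpfs_t, file)` is unconditional and uncommented, while the transition it supersedes in the hunk below was annotated `# /memfd:systemd-state` and kept that file in init_runtime_t, so after this commit the systemd state memfd and the StandardInputText memfds share one type that init.if hands out with rw_inherited_file_perms to every service domain. That coupling should be written down at the transition, e.g. `# All tmpfs/memfd files init_t creates (StandardInputText input and systemd-state) are init_tmpfs_t; init_domain() grants services rw on inherited fds of this type.`, so nobody later splits or narrows the types without checking both users. Whether any other domain was relying on the state memfd being init_runtime_t (a domain holding init_runtime_t file permissions for that purpose) is not visible in these hunks and is worth confirming, since such access silently moves to init_tmpfs_t.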