From: Shrikant Bobade <shrikant_bob...@mentor.com> 1. fix for systemd services: login & journal while using refpolicy-minimum and systemd as init manager. 2. fix the long login delay after entering the root password.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...007-systemd-fix-for-login-journal-service.patch | 104 +++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc | 1 +
 2 files changed, 105 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch
new file mode 100644
index 0000000..9af0469
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0007-systemd-fix-for-login-journal-service.patch
@@ -0,0 +1,104 @@
+From b767672932ecafa14480cffa0494a44dc78962fa Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Wed, 27 Jul 2016 18:09:34 +0530
+Subject: [PATCH 7/8] systemd: fix for login & journal service
+
+1. fix for systemd services: login & journal wile using refpolicy-minimum and
+systemd as init manager.
+2. fix login duration after providing root password.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
+systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
+tclass=fifo_file permissive=0
+
+audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
+="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
+
+audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
+system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
+="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
+--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
+lib_t:s0 tclass=service
+
+[FAILED] Failed to start Flush Journal to Persistent Storage.
+See 'systemctl status systemd-journal-flush.service' for details.
+
+[FAILED] Failed to start Login Service.
+See 'systemctl status systemd-logind.service' for details.
+
+[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
+See 'systemctl status avahi-daemon.service' for details.
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/init.te | 5 +++++
+ policy/modules/system/locallogin.te | 3 +++
+ policy/modules/system/systemd.if | 6 ++++--
+ policy/modules/system/systemd.te | 3 ++-
+ 4 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 19a7a20..cefa59d 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1105,3 +1105,8 @@ allow init_t self:capability2 audit_read;
+ 
+ allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
++
++allow initrc_t init_var_run_t:service stop;
++allow initrc_t init_t:dbus send_msg;
++
++allow init_t initrc_t:dbus { send_msg acquire_svc };
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 09ec33f..be25c82 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock};
+ allow local_login_t var_run_t:sock_file write;
+ allow local_login_t tmpfs_t:dir { add_name write search};
+ allow local_login_t tmpfs_t:file { create open read write lock };
++allow local_login_t init_var_run_t:fifo_file write;
++allow local_login_t initrc_t:dbus send_msg;
++allow initrc_t local_login_t:dbus send_msg;
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 822c03d..8723527 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',`
+ #
+ interface(`systemd_service_lib_function',`
+ gen_require(`
+- class service start;
++ class service { start status stop };
++ class file { execmod open };
+ ')
+ 
+- allow initrc_t $1:service start;
++ allow initrc_t $1:service { start status stop };
++ allow initrc_t $1:file execmod;
+ 
+ 
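Review bot: The new `allow initrc_t init_var_run_t:service stop;` in the init.te hunk is not backed by any denial quoted in the commit message: the only `{ stop }` denial shown has `tcontext=...lib_t:s0 tclass=service` (the journald unit under /lib/systemd/system), which the systemd.if change answers, so this line silently extends the generic init-script domain to stopping every unit whose file carries init_var_run_t. Either quote the denial that needs it or drop the line. The two dbus rules between init_t and initrc_t likewise have no matching USER_AVC in the message; `acquire_svc` in `allow init_t initrc_t:dbus { send_msg acquire_svc };` would let PID 1 claim a bus name on a bus owned by initrc_t, which looks like the reverse of the usual direction and should be confirmed against a real denial before it lands. The init.te rule run continues outside the hunk.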
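Review bot: `allow local_login_t init_var_run_t:fifo_file write;` in the locallogin.te hunk is wider than the denial it answers: the denied object is `/run/systemd/sessions/c1.ref`, but the rule lets login write to every FIFO labelled init_var_run_t. A tighter fix is a file context that gives `/run/systemd/sessions(/.*)?` its own type and a rule on that type alone, which I believe is the route upstream refpolicy later took for logind session files. The two `send_msg` rules name initrc_t directly from locallogin.te with no gen_require and no quoted denial; if they are what cures the slow root login (the symptom matches the usual logind D-Bus timeout), record that in the message and prefer the init module's dbus-chat interface over raw cross-module rules.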
')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 70ccb0e..22021eb 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -265,6 +265,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+ 
+ allow systemd_tmpfiles_t init_t:dir search;
+ allow systemd_tmpfiles_t proc_t:filesystem getattr;
+-allow systemd_tmpfiles_t init_t:file read;
+ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+ allow systemd_tmpfiles_t self:capability net_admin;
++
++allow systemd_tmpfiles_t init_t:file { open getattr read };
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index b62167f..74f7e19 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -68,6 +68,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
 file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
 file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
 file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \
+ file://0007-systemd-fix-for-login-journal-service.patch \
 "
-- 
1.9.1
-- 
_______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
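Review bot: `allow initrc_t $1:file execmod;` in systemd_service_lib_function is a hardening regression with no denial behind it: nothing in the commit message shows an execmod AVC, yet the interface now lets the generic init-script domain execute modified (text-relocated) mappings of every file of type $1, which from the quoted `tcontext=...lib_t:s0 tclass=service` denial appears to be lib_t, i.e. all shared libraries. If one library really needs text relocations, refpolicy's libraries module already provides `textrel_shlib_t` and `libs_legacy_use_shared_libs()` for exactly that, scoped to the files labelled so, and the better fix is to build that library without TEXTRELs. Drop the execmod line, and drop `open` from `class file { execmod open }` since nothing in the interface uses it. The interface's header comment starts above the hunk and should be updated to say callers now receive `status` and `stop` as well as `start`.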
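Review bot: The rewritten `allow systemd_tmpfiles_t init_t:file { open getattr read };` in the systemd.te hunk hand-lists permissions where refpolicy's `read_file_perms` macro is the convention, and it grants read on every /proc/1 file labelled init_t, not only the `/proc/1/environ` the denial names. Reading PID 1's environment is plausible (presumably for container/virtualization detection, to be confirmed) but it also exposes whatever was in init's environment, so a why-comment would help the next reader: `# systemd-tmpfiles opens /proc/1/environ; see the init_t:file open denial`. If this refpolicy's init.if has an init_read_state()-style interface, use it together with the existing `init_t:dir search` line above instead of raw rules on init_t. The line is also moved away from the other init_t rule with no stated reason.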