author | Chris PeBenito <Christopher.PeBenito@microsoft.com> | 2022-05-23 14:56:55 +0000 |
committer | Jason Zaman <perfinion@gentoo.org> | 2022-09-03 11:41:55 -0700 |
commit | 7444d063ef6c79bb3d360f6e59ade90a19d6efbd (patch) | |
tree | 2c27004cc972a1edf113d5a394545fb08c9f9f0f | |
parent | files: Make etc_runtime_t a config file. (diff) | |
systemd: Fixes for coredumps in containers.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/kernel/filesystem.if | 18 | ||||
-rw-r--r-- | policy/modules/system/systemd.te | 18 |
2 files changed, 32 insertions, 4 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index fcdb49b6..ecf291aa 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3943,6 +3943,24 @@ interface(`fs_rw_nfsd_fs',`
 ########################################
 ## <summary>
+## Get the attributes of nsfs inodes (e.g. /proc/pid/ns/uts)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_nsfs_files',`
+ gen_require(`
+ type nsfs_t;
+ ')
+
+ allow $1 nsfs_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
 ## Read nsfs inodes (e.g. /proc/pid/ns/uts)
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b5c13274..886cb878 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -423,29 +423,39 @@ ifdef(`enable_mls',`
 # coredump local policy
 #
-allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
-allow systemd_coredump_t self:capability { setgid setuid setpcap };
-allow systemd_coredump_t self:cap_userns sys_ptrace;
+allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace };
+allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms;
+dontaudit systemd_coredump_t self:capability net_admin;
 
-manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+mmap_manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 
 kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
 kernel_read_kernel_sysctls(systemd_coredump_t)
 kernel_read_system_state(systemd_coredump_t)
 kernel_rw_pipes(systemd_coredump_t)
 kernel_use_fds(systemd_coredump_t)
+kernel_read_crypto_sysctls(systemd_coredump_t)
 
 corecmd_exec_bin(systemd_coredump_t)
 corecmd_read_all_executables(systemd_coredump_t)
 
 dev_write_kmsg(systemd_coredump_t)
 
+domain_read_all_domains_state(systemd_coredump_t)
+
 files_getattr_all_mountpoints(systemd_coredump_t)
 files_read_etc_files(systemd_coredump_t)
 files_search_var_lib(systemd_coredump_t)
+files_mounton_root(systemd_coredump_t)
 
 fs_getattr_xattr_fs(systemd_coredump_t)
+fs_getattr_nsfs_files(systemd_coredump_t)
+fs_search_cgroup_dirs(systemd_coredump_t)
+fs_getattr_cgroup(systemd_coredump_t)
 
 selinux_getattr_fs(systemd_coredump_t)
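Review bot: The new `allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace };` widens ptrace from the user-namespace-only rule it replaces (`self:cap_userns sys_ptrace`) to the init user namespace, and paired with the added `domain_read_all_domains_state(systemd_coredump_t)` it lets the coredump handler inspect every domain on the host rather than only containerised ones, yet nothing in the hunk records which denial required the host-side capability. If it is only exercised inside a container's user namespace, keeping `sys_ptrace` on `cap_userns` alone and leaving `self:capability` as it was is the tighter option. Likewise `cap_userns sys_admin` and `files_mounton_root(systemd_coredump_t)` are presumably what lets systemd-coredump enter the crashing process's mount namespace (the nsfs getattr rule points the same way) — confirm that against the audit entries and write it down, e.g. `# enter the crashing process's mount namespace when dumping from a container` above `files_mounton_root`. A one-line comment naming what trips `dontaudit systemd_coredump_t self:capability net_admin;` would spare the next reader a trip through audit.log; the coredump policy section continues past the end of the hunk.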