systemd: fix policy for systemd-ssh-generator
Fixes:
avc:  denied  { getattr } for  pid=121 comm="systemd-ssh-gen"
path="/usr/sbin/sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1

avc:  denied  { execute } for  pid=121 comm="systemd-ssh-gen"
name="sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1

avc:  denied  { create } for  pid=121 comm="systemd-ssh-gen"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket
permissive=1

avc:  denied  { read } for  pid=121 comm="systemd-ssh-gen" name="vsock"
dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1

avc:  denied  { open } for  pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1

avc:  denied  { ioctl } for  pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
yizhao1 committed Aug 26, 2024
1 parent 43c5ac5 commit b07fc4c
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions policy/modules/system/systemd.te
Expand Up @@ -538,6 +538,8 @@ seutil_search_default_contexts(systemd_coredump_t)
allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
allow systemd_generator_t self:process { getcap getsched setfscreate signal };
# for systemd-ssh-generator
allow systemd_generator_t self:vsock_socket create;

corecmd_exec_shell(systemd_generator_t)
corecmd_exec_bin(systemd_generator_t)
Expand All @@ -548,6 +550,8 @@ dev_write_sysfs_dirs(systemd_generator_t)
dev_read_urand(systemd_generator_t)
dev_create_sysfs_files(systemd_generator_t)
dev_write_sysfs(systemd_generator_t)
# for systemd-ssh-generator
dev_read_generic_chr_files(systemd_generator_t)

files_read_etc_files(systemd_generator_t)
files_read_etc_runtime_files(systemd_generator_t)
Expand Down Expand Up @@ -635,6 +639,11 @@ optional_policy(`
rpc_read_exports(systemd_generator_t)
')

optional_policy(`
# needed by systemd-ssh-generator
ssh_exec_sshd(systemd_generator_t)
')

optional_policy(`
# needed by zfs-mount-generator
zfs_read_config(systemd_generator_t)
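Review bot: ssh_exec_sshd(systemd_generator_t) in the third hunk grants more than the denials in the commit message show: the AVCs list only getattr and execute on sshd_exec_t (no execute_no_trans), which is what a probe for an executable binary produces, whereas ssh_exec_sshd() presumably expands to can_exec() and therefore also lets the generator run sshd in its own domain. If the generator only checks that sshd exists and is executable, a narrower rule along the lines of `allow systemd_generator_t sshd_exec_t:file { getattr execute };` (exposed through an interface in ssh.if rather than written directly into systemd.te) would match the observed need without letting systemd_generator_t execute sshd without a domain transition. Likewise, dev_read_generic_chr_files() in the second hunk opens every device_t character device to the generator for the sake of /dev/vsock; a dedicated file context for /dev/vsock with its own interface would be the least-privilege fix, if the policy is willing to carry one. The comment wording also differs between hunks (`# for systemd-ssh-generator` vs `# needed by systemd-ssh-generator`); the neighbouring zfs entry uses the `# needed by` form.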
