From 07b06a7f6cb1f41b92de5d29d21ac89c4d362457 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 7 Dec 2021 17:15:44 +0100
Subject: [PATCH] Allow systemd read unlabeled symbolic links
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/07b06a7f6cb1f41b92de5d29d21ac89c4d362457
Conflict: NA
On a system boot systemd starts to launch services in the current target.
When it attempts to access a symbolic link which is critical for systemd
to continue and the symlink is unlabeled, the autorelabel target cannot
be reached to start relabeling and fix the unlabeled files.
This scenario applies to /etc/localtime when it was changed in SELinux
disabled mode.
Since this commit, systemd is allowed the read access to symbolic links
with the unlabeled_t type.
Resolves: rhbz#2021835
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 62845c1..1b684f5 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2922,6 +2922,24 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
########################################
## <summary>
+## Read unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_lnk_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Read and write unlabeled block device nodes.
## </summary>
## <param name="domain">
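Review bot: the doc block for `kernel_read_unlabeled_lnk_files` says only "Read unlabeled symbolic links." and does not tell callers how broad the grant is. `allow $1 unlabeled_t:lnk_file read_lnk_file_perms;` applies to every symlink that carries `unlabeled_t`, wherever it lives on the filesystem, not only to `/etc/localtime` as in the commit message. Consider adding a `<desc>` element stating that the interface is intended for domains that must follow such links before the autorelabel target can run, so that later callers do not use it as a general workaround for mislabeled files.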
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 22e363a..0de5f4a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -588,6 +588,7 @@ tunable_policy(`deny_bluetooth',`',`
')
kernel_list_unlabeled(init_t)
+kernel_read_unlabeled_lnk_files(init_t)
kernel_read_network_state(init_t)
kernel_rw_all_sysctls(init_t)
kernel_rw_security_state(init_t)
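Review bot: the new `kernel_read_unlabeled_lnk_files(init_t)` line in init.te carries no comment explaining why `init_t` needs it, and the grant is unconditional, so it remains in force after the system has been relabeled. A one-line comment above the call pointing to the boot-time case from the commit message (an unlabeled `/etc/localtime` blocking the autorelabel target, rhbz#2021835) would keep the reason with the rule and help anyone auditing `init_t` access to `unlabeled_t` decide later whether it is still needed.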
--
1.8.3.1