Skip to content

Commit

Permalink
Allow systemd-sleep read/write efivarfs variables
Browse files Browse the repository at this point in the history 
The commit addresses the following AVC denial examples:
type=AVC msg=audit(09/25/2023 04:21:31.281:610) : avc:  denied  { write open } for  pid=18107 comm=systemd-sleep path=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67 dev="efivarfs" ino=160797 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/25/2023 05:05:33.538:650) : avc:  denied  { linux_immutable } for  pid=20005 comm=systemd-sleep capability=linux_immutable  scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:system_r:systemd_sleep_t:s0 tclass=capability permissive=1

The fs_rw_efivarfs_files() interface was added.

Resolves: rhbz#2240320
  • Loading branch information
@zpytela
zpytela committed Sep 29, 2023
1 parent b56ae8a commit 6382cb2
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 1 deletion.
19 changes: 19 additions & 0 deletions policy/modules/kernel/filesystem.if
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6986,6 +6986,25 @@ interface(`fs_read_efivarfs_files',`
read_files_pattern($1, efivarfs_t, efivarfs_t)
')

#######################################
## <summary>
## Read and write files in efivarfs
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_rw_efivarfs_files',`
gen_require(`
type efivarfs_t;
')

rw_files_pattern($1, efivarfs_t, efivarfs_t)
')

#######################################
## <summary>
## Manage efivarfs files
Expand Down
4 changes: 3 additions & 1 deletion policy/modules/system/systemd.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1515,7 +1515,7 @@ systemd_read_efivarfs(systemd_userdbd_t)
# systemd_sleep local policy
#

allow systemd_sleep_t self:capability sys_resource;
allow systemd_sleep_t self:capability { linux_immutable sys_resource };
# systemd-sleep needs to set timer for suspend-then-hibernate
allow systemd_sleep_t self:capability2 wake_alarm;
dontaudit systemd_sleep_t self:capability sys_ptrace;
Expand All @@ -1533,6 +1533,8 @@ dev_create_sysfs_files(systemd_sleep_t)
dev_rw_sysfs(systemd_sleep_t)
dev_write_kmsg(systemd_sleep_t)

fs_rw_efivarfs_files(systemd_sleep_t)

fstools_rw_swap_files(systemd_sleep_t)

init_search_var_lib_dirs(systemd_sleep_t)
Expand Down

0 comments on commit 6382cb2

Please sign in to comment.