Allow all executables bpf map_read and map_write to init

These permissions started to be requested after systemd update to v255~rc2-1 with the new systemd-executor binary. This commit addresses the following AVC denial: type=PROCTITLE msg=audit(11/23/2023 05:28:41.166:95) : proctitle=/usr/sbin/sshd -D type=PATH msg=audit(11/23/2023 05:28:41.166:95) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139475 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/23/2023 05:28:41.166:95) : item=0 name=/usr/sbin/sshd inode=162518 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sshd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=EXECVE msg=audit(11/23/2023 05:28:41.166:95) : argc=2 a0=/usr/sbin/sshd a1=-D type=SYSCALL msg=audit(11/23/2023 05:28:41.166:95) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55ec16ae5b10 a1=0x55ec16ae5bb0 a2=0x55ec16ae58b0 a3=0x55ec16ae5c40 items=2 ppid=1 pid=742 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/23/2023 05:28:41.166:95) : avc: denied { map_read map_write } for pid=742 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 Resolves: rhbz#2250930
zpytela · Nov 23, 2023 · 3f74036 · 3f74036
1 parent eba81d0
commit 3f74036
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
@@ -10,6 +10,8 @@ policy_module(corecommands, 1.18.1)
 #
 attribute exec_type;
 
+init_bpf_map_rw(exec_type)
+
 #
 # bin_t is the type of files in the system bin/sbin directories.
 #

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
@@ -3569,6 +3569,24 @@ interface(`init_prog_run_bpf',`
     allow $1 init_t:bpf { map_create map_read map_write prog_load prog_run };
 ')
 
+########################################
+## <summary>
+##	Allow caller domain to map_read/map_write to init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_bpf_map_rw',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:bpf { map_read map_write };
+')
+
 #######################################
 ## <summary>
 ##     Allow systemd to watch directories of given type.
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,8 @@ policy_module(corecommands, 1.18.1) @@
     #
     attribute exec_type;
+    init_bpf_map_rw(exec_type)
     #
     # bin_t is the type of files in the system bin/sbin directories.
     #
@@ Expand Down @@