From 3f74036a645da472f17c022a1f6c36cfee931c7d Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Thu, 23 Nov 2023 14:47:59 +0100 Subject: [PATCH] Allow all executables bpf map_read and map_write to init These permissions started to be requested after systemd update to v255~rc2-1 with the new systemd-executor binary. This commit addresses the following AVC denial: type=PROCTITLE msg=audit(11/23/2023 05:28:41.166:95) : proctitle=/usr/sbin/sshd -D type=PATH msg=audit(11/23/2023 05:28:41.166:95) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139475 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/23/2023 05:28:41.166:95) : item=0 name=/usr/sbin/sshd inode=162518 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sshd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=EXECVE msg=audit(11/23/2023 05:28:41.166:95) : argc=2 a0=/usr/sbin/sshd a1=-D type=SYSCALL msg=audit(11/23/2023 05:28:41.166:95) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55ec16ae5b10 a1=0x55ec16ae5bb0 a2=0x55ec16ae58b0 a3=0x55ec16ae5c40 items=2 ppid=1 pid=742 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/23/2023 05:28:41.166:95) : avc: denied { map_read map_write } for pid=742 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 Resolves: rhbz#2250930 --- policy/modules/kernel/corecommands.te | 2 ++ policy/modules/system/init.if | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index cc63dcc9c9..839a9453f9 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -10,6 +10,8 @@ policy_module(corecommands, 1.18.1) # attribute exec_type; +init_bpf_map_rw(exec_type) + # # bin_t is the type of files in the system bin/sbin directories. # diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 95881f4756..6fe70555b9 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3569,6 +3569,24 @@ interface(`init_prog_run_bpf',` allow $1 init_t:bpf { map_create map_read map_write prog_load prog_run }; ') +######################################## +## +## Allow caller domain to map_read/map_write to init. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_bpf_map_rw',` + gen_require(` + type init_t; + ') + + allow $1 init_t:bpf { map_read map_write }; +') + ####################################### ## ## Allow systemd to watch directories of given type.