allow dbus to create systemd sessions

2020-05-23 10:17:55 +02:00 · 2020-05-23 10:17:55 +02:00 · ad1e3f9e0b
parent 32adc20d89
commit ad1e3f9e0b
3 changed files with 28 additions and 1 deletions
--- a/sec-policy/selinux-base-policy/Manifest
+++ b/sec-policy/selinux-base-policy/Manifest
@ -1,3 +1,4 @@
+AUX allow_dbus_session_creation.patch 1315 BLAKE2B 5e028683e3c8f0db652dd54275e647935e744fb7c2561989c85d4ac52638d9af572792ba7c5f3aca1de729609a0ece6a973ec1ab97915bba1168f6812c5708b9 SHA512 095ee38d4668c2fe06e84fff5396fa99bdb4a1df1e49c939f0f29665bfceccc9b2aacc27834e1438bc4cfc91c50a32f2d504431d4b283c487c257dae286f94b9
 AUX cron_allow_watch_crontabs.patch 305 BLAKE2B bcc4c3663c7100c8c40531e5a5832efeaad3cfe8ba343dd29976f84e62676bf21a5e5aaf38edfb5e2e3fa960fcaa3f6b15bdf5ce8532ccc6c4c2d201b664e680 SHA512 8ddacea7990bdbfec2cbb4d542f739704fe6e8379877c3c6578f09f5a93aac1f57cfedc4e7d0ccf13eb9d4c9269fe5817b4b9ad74c8907831de353c06558e0fc
 AUX git_portage_repo_fix.patch 366 BLAKE2B d78d6fe0913a51071ba4a594cbfdc2c665e98c14789e2bcd45a691c5d4a62ccfd6f4f802dd32e6792a346cc3f44fbd164b5a72eaf04efc75ea57b4d4f9c45d5a SHA512 ce4b013d7038a40f9dc25803fe7af94cfbab9cc071f8334c241f1704b1d410c3843c42c3c57fb0f2ef1e8274237fcaf355a168593b7fe6e9e14ba24c19d2e777
 AUX init_paths.patch 427 BLAKE2B adaa31a8df2ba0ad77b58a0b1bddfd9bcbd48e19c8790ac51f2e679463413c237e12977363ad6156fe329da0b976d277d352db19429870a6df9a50da223c9e9f SHA512 8275af9ef8a1ad2bd57bde249b6d7e72518897e4acc864170c69274f08e410c9b888820c9c936b2e8a7682663c5311e5d2a47da20acf9297da64eae4875d142c
@ -8,4 +9,4 @@ AUX portage_paths.patch 1745 BLAKE2B ec0d213d13ac0e1d1d9bd52d2811b37814c00c2f385
 AUX sysadm_allow_watch.patch 317 BLAKE2B 5b54c9bcc242d6a8bc5ffb77d7774f325bb54dec9e370d25ce01b8597f91dee19b16aff9dd50bb12aa1420cb09ff463b3dc2ea6322c5fcc16f8f55274a438699 SHA512 730c9ad70817216f122ed4a7fad8931b6aec42e6dcc72f7e97ab1986b4d3900daeb1403380028db009c640fa4f1d1fff97e9c03913f24ba0023638b0782eb059
 DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
 DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
-EBUILD selinux-base-policy-2.20190609-r1.ebuild 4113 BLAKE2B 6b340a9535c63ce7a9206a6929828ec5bda4e9bea2cfe9369d37332f4ccb48bea5cce7efd0bb20353d1e8572f0727944b207a494d00226660d240fcd602a7f66 SHA512 a2c75d9b362bb7f4f65aeb0cc3894f5df546c7cecc11bd7afa43e54873618eab799a678696fd672432944457f7269cde31975c0b2b9c8f980a4694c0a4709c84
+EBUILD selinux-base-policy-2.20190609-r1.ebuild 4160 BLAKE2B 8c8d71386f13be801d44f91d7560706f9248ed1123ac38527b54083254cbd7fbca16eb62d9eff261d73091e8d88fde4cbcde8c5c53a3d34750a8f031cb8cd035 SHA512 d0a366213bc346656c536536316acf4497497f2aae254fe6a8c86d959b99ae07ccdbab0f031b4431755360901a15f9a7944dea720329a3e244ac3071520de662
--- a/sec-policy/selinux-base-policy/files/allow_dbus_session_creation.patch
+++ b/sec-policy/selinux-base-policy/files/allow_dbus_session_creation.patch
@ -0,0 +1,25 @@
+--- work/refpolicy/policy/modules/system/systemd.te.orig        2020-05-23 10:09:48.508450458 +0200
+++ work/refpolicy/policy/modules/system/systemd.te     2020-05-23 10:10:26.840453410 +0200
+@@ -490,6 +490,22 @@
+ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
+ allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
+ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
+optional_policy(`
+  gen_require(`
+    type system_dbusd_t;
+  ')
+  allow system_dbusd_t systemd_sessions_runtime_t:dir manage_dir_perms;
+  allow system_dbusd_t systemd_sessions_runtime_t:file manage_file_perms;
+  allow system_dbusd_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
+
+  manage_fifo_files_pattern(system_dbusd_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
+  manage_files_pattern(system_dbusd_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
+  allow system_dbusd_t systemd_logind_runtime_t:dir manage_dir_perms;
+
+  allow system_dbusd_t systemd_machined_runtime_t:dir manage_dir_perms;
+  manage_files_pattern(system_dbusd_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
+  allow system_dbusd_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
+')
+
+ kernel_read_kernel_sysctls(systemd_logind_t)
+
--- a/sec-policy/selinux-base-policy/selinux-base-policy-2.20190609-r1.ebuild
+++ b/sec-policy/selinux-base-policy/selinux-base-policy-2.20190609-r1.ebuild
@ -37,6 +37,7 @@ PATCHES=(
 	${FILESDIR}/git_portage_repo_fix.patch
 	${FILESDIR}/sysadm_allow_watch.patch
 	${FILESDIR}/cron_allow_watch_crontabs.patch
+	${FILESDIR}/allow_dbus_session_creation.patch
 )

 # Code entirely copied from selinux-eclass (cannot inherit due to dependency on