From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4A4F9158041 for ; Fri, 1 Mar 2024 19:56:21 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A60E9E2A11; Fri, 1 Mar 2024 19:56:15 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 83BB7E2A11 for ; Fri, 1 Mar 2024 19:56:15 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8D1E3343119 for ; Fri, 1 Mar 2024 19:56:14 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 3EAF314FA for ; Fri, 1 Mar 2024 19:56:11 +0000 (UTC) 
From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1709312756.007072b1c66cfb28310f9d0449f8167f496be2ae.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 007072b1c66cfb28310f9d0449f8167f496be2ae
X-VCS-Branch: master
Date: Fri, 1 Mar 2024 19:56:11 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 40b9ea79-c6b8-4c7a-bc99-12c00dd27aad
X-Archives-Hash: 9fb4707d718fb53a7efd0c6c5f898c7c

commit:     007072b1c66cfb28310f9d0449f8167f496be2ae
Author:     Christian Göttsche googlemail com>
AuthorDate: Thu Feb 22 17:00:52 2024 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Fri Mar  1 17:05:56 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007072b1

systemd: logind update

type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind
type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc: denied { use } for pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051
scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1 p.s.: this might need an overhaul after pidfd handling in the kernel has been improved. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index e3af88033..cef49e9a3 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1053,6 +1053,9 @@ storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader optional_policy(` dbus_connect_system_bus(systemd_logind_t) dbus_system_bus_client(systemd_logind_t) + + # pidfd + dbus_use_system_bus_fds(systemd_logind_t) ') optional_policy(`
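Review bot: the `# pidfd` comment on the added `dbus_use_system_bus_fds(systemd_logind_t)` line is too terse to tell a later reader why logind needs fd:use on descriptors owned by system_dbusd_t; suggest expanding it to record what the AVC shows (logind receiving a pidfd, path=anon_inode:[pidfd], from the system bus daemon over recvmsg, tcontext=system_dbusd_t, tclass=fd) and carrying the commit message's caveat that this rule may need revisiting once kernel pidfd handling improves, so it is not kept by inertia. Since this hunk is the only reference to dbus_use_system_bus_fds() on the page, please also confirm the interface is defined in dbus.if in this tree before merging; placing the call inside the existing dbus optional_policy block next to dbus_system_bus_client() is the right spot.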
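As an added example (not part of this commit or of refpolicy), here is a small Python parser for AVC records of the kind quoted in the commit message. It extracts the source and target types, object class and permission set, reports whether the access was merely logged (`permissive=1`) or actually blocked, and derives the raw `allow` rule the denial implies, which is the same rule `audit2allow` would suggest. Refpolicy expresses such access through an interface call (in this commit, `dbus_use_system_bus_fds()`) rather than a raw rule in systemd.te, so the output is a triage aid for locating the right interface, not something to paste into policy. The sample record is the AVC line from the commit message, re-joined onto a single line; the second sample is a constructed non-AVC record to show the parser ignoring it.

```python
"""Parse SELinux AVC audit records and derive the raw allow rule they imply.

Added example; the sample AVC record is the one quoted in the commit message,
re-joined onto one line (the mail wrapped it after ino=1051).
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC record from the commit message above.
SAMPLE_AVC = (
    "type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc: denied { use } "
    "for pid=909 comm=systemd-logind path=anon_inode:[pidfd] "
    'dev="anon_inodefs" ino=1051 '
    "scontext=system_u:system_r:systemd_logind_t:s0 "
    "tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1"
)

# Constructed non-AVC record (same event id) that the parser must skip.
SAMPLE_PROCTITLE = (
    "type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : "
    "proctitle=/usr/lib/systemd/systemd-logind"
)

# Core of an AVC record: result, permission set, then the three fields that
# identify the access. Field order in real records is fixed, so lazy .*? is safe.
_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
_PERMISSIVE_RE = re.compile(r"\bpermissive=(?P<permissive>[01])\b")
_KV_RE = re.compile(r'\b(comm|path|pid)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    pm = _PERMISSIVE_RE.search(line)
    extra = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": _type_of(m.group("scontext")),
        "target_type": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the kernel logged the access but did not block it,
        # so the denial is a policy gap that will bite once the domain is enforcing.
        "permissive": bool(pm and pm.group("permissive") == "1"),
        "comm": extra.get("comm"),
        "path": extra.get("path"),
    }


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(avc):
    """Raw policy rule that would permit this access (what audit2allow prints)."""
    return "allow {} {}:{} {};".format(
        avc["source_type"], avc["target_type"], avc["tclass"], _fmt_perms(avc["perms"]))


def suggest_rules(lines):
    """Aggregate denials by (source, target, class) and return one rule per key."""
    grouped = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        grouped[(avc["source_type"], avc["target_type"], avc["tclass"])].update(avc["perms"])
    return sorted(
        "allow {} {}:{} {};".format(s, t, c, _fmt_perms(p))
        for (s, t, c), p in grouped.items()
    )


if __name__ == "__main__":
    for rule in suggest_rules([SAMPLE_PROCTITLE, SAMPLE_AVC]):
        print(rule)  # prints the raw rule; refpolicy wraps it in a dbus interface
```

Feeding a whole `ausearch -m avc` dump through `suggest_rules()` collapses repeated denials into one rule per source/target/class triple, which is usually the granularity at which one then searches the `.if` files for an existing interface.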