From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1756850539.ea5b8bd01a5db82b9fa80b8a62372bb038b180d2.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: ea5b8bd01a5db82b9fa80b8a62372bb038b180d2
X-VCS-Branch: master
Date: Tue, 02 Sep 2025 22:15:18 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org

commit:     ea5b8bd01a5db82b9fa80b8a62372bb038b180d2
Author:     Russell Coker coker com au>
AuthorDate: Mon Jul 28 14:43:25 2025 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Tue Sep 2 22:02:19 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea5b8bd0

systemd (#995)

* Some small systemd patches, includes a fix for breakage on systemd-logind:
  if it can't statfs /proc it can abort, fail to respond to dbus messages, and
  cause a 25 second delay on login.

Signed-off-by: Russell Coker coker.com.au>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/system/systemd.te | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d16c07018..334d2c5fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1093,7 +1093,7 @@ stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_user ps_process_pattern(systemd_logind_t, systemd_user_session_type, systemd_user_session_type) -kernel_dontaudit_getattr_proc(systemd_logind_t) +kernel_getattr_proc(systemd_logind_t) kernel_read_kernel_sysctls(systemd_logind_t) auth_write_login_records(systemd_logind_t) @@ -1290,6 +1290,7 @@ optional_policy(` xserver_dbus_chat(systemd_logind_t) xserver_dbus_chat_xdm(systemd_logind_t) xserver_read_xdm_state(systemd_logind_t) + xserver_use_xdm_fds(systemd_logind_t) ') optional_policy(` @@ -1401,6 +1402,8 @@ kernel_read_system_state(systemd_machine_id_setup_t) init_read_runtime_files(systemd_machine_id_setup_t) init_read_state(systemd_machine_id_setup_t) +logging_send_syslog_msg(systemd_machine_id_setup_t) + systemd_log_parse_environment(systemd_machine_id_setup_t) optional_policy(` @@ -1836,6 +1839,7 @@ miscfiles_read_localization(systemd_passwd_agent_t) seutil_search_default_contexts(systemd_passwd_agent_t) userdom_use_user_terminals(systemd_passwd_agent_t) +userdom_search_user_runtime(systemd_passwd_agent_t) systemd_search_user_runtime(systemd_passwd_agent_t) optional_policy(` @@ -2068,7 +2072,7 @@ systemd_log_parse_environment(systemd_sessions_t) # sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict # sys_ptrace for kernel.yama.ptrace_scope # net_admin for network sysctls -allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace }; +allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_resource }; kernel_read_kernel_sysctls(systemd_sysctl_t) kernel_request_load_module(systemd_sysctl_t) 
@@ -2475,7 +2479,7 @@ fs_getattr_xattr_fs(systemd_user_runtime_dir_t) fs_getattr_nsfs_files(systemd_user_runtime_dir_t) kernel_read_kernel_sysctls(systemd_user_runtime_dir_t) -kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t) +kernel_getattr_proc(systemd_user_runtime_dir_t) selinux_use_status_page(systemd_user_runtime_dir_t)
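Review bot: in the @@ -1093 hunk, the promotion of kernel_dontaudit_getattr_proc(systemd_logind_t) to kernel_getattr_proc(systemd_logind_t) is justified only in the commit message (logind aborts, stops answering dbus and stalls login for 25 seconds when statfs on /proc is denied); put that rationale in a policy comment directly above the call so a later cleanup does not quietly turn it back into a dontaudit, e.g. `# statfs /proc; logind aborts and logins hang if denied`.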
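Review bot: in the @@ -1290 hunk, xserver_use_xdm_fds(systemd_logind_t) is added inside the xserver optional_policy block without any mention in the commit message of what logind does with xdm-inherited file descriptors; record the AVC denial (object class and target) that motivated it in a comment next to the call, since the rest of that block (dbus chat, read xdm state) is already documented by its interface names and this grant is not.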
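Review bot: in the @@ -1401 hunk, logging_send_syslog_msg(systemd_machine_id_setup_t) is inserted together with a new blank line, which leaves systemd_log_parse_environment(systemd_machine_id_setup_t) in a paragraph of its own between the init_ calls above and the optional_policy below; either drop the blank line so the call list stays single-spaced like its neighbours, or keep it only if the file already separates module groups that way. The commit message does not mention machine-id-setup, so a one-line note on why it now needs to write to syslog would help reviewers.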
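Review bot: in the @@ -1836 hunk, userdom_search_user_runtime(systemd_passwd_agent_t) is placed immediately above the existing systemd_search_user_runtime(systemd_passwd_agent_t), which reads as a deliberate pair (search permission on the user runtime directory tree alongside the systemd user runtime subdirectory); the commit message says nothing about passwd-agent, so state which path was being denied so the grant can be checked against the actual access rather than assumed.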
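Review bot: in the @@ -2068 hunk, sys_resource is added to the systemd_sysctl_t capability set, but the comment block directly above the rule gives a reason for each of sys_admin, sys_ptrace and net_admin and none for sys_resource; add a fourth line in the same `# <capability> for <sysctl>` form naming the sysctl that requires it, otherwise the comment block becomes misleading about what the allow rule covers.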
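Review bot: in the @@ -2475 hunk, systemd_user_runtime_dir_t receives the same kernel_dontaudit_getattr_proc to kernel_getattr_proc promotion as logind, but the commit message only describes the logind failure; confirm that user-runtime-dir actually breaks (rather than merely logging a denial) when statfs on /proc is refused, and say so in a comment, since the dontaudit it replaces granted nothing and was the tighter rule.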