
[meta-selinux] refpolicy: backport systemd user runtime userdb fix

Message ID 20260316093619.3748852-1-jaihindy@qti.qualcomm.com

Commit Message

Jaihind Yadav March 16, 2026, 9:36 a.m. UTC
Backport the upstream refpolicy change that switches the systemd user runtime
client to use systemd_stream_connect_userdb().

This fixes AVC denials for connectto and sock_file write on
io.systemd.Multiplexer when systemd-userdbd is enabled.

Upstream-Commit: b3060023318b474d0112fbe70cdbbf6dbb1f37ab
Link: https://github.com/SELinuxProject/refpolicy/pull/1092

Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com>
---
 ...d-fix-user-runtime-userdb-connection.patch | 34 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0059-policy-modules-systemd-fix-user-runtime-userdb-connection.patch

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-systemd-fix-user-runtime-userdb-connection.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-systemd-fix-user-runtime-userdb-connection.patch
new file mode 100644
index 0000000..0b15d9b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-systemd-fix-user-runtime-userdb-connection.patch
@@ -0,0 +1,34 @@ 
+From b3060023318b474d0112fbe70cdbbf6dbb1f37ab Mon Sep 17 00:00:00 2001
+From: Jaihind Yadav <jaihindy@qti.qualcomm.com>
+Date: Thu, 5 Mar 2026 11:59:31 +0530
+Subject: [PATCH] systemd: use systemd_stream_connect_userdb() for user runtime
+ client
+
+Replace a direct stream_connect_pattern() usage with the existing
+systemd_stream_connect_userdb() interface. This allows systemd user
+runtime helper to connect to systemd-userdbd and access the related
+runtime socket/link objects under /run/systemd/userdb.
+
+Fixes AVCs for connectto and sock_file write on io.systemd.Multiplexer.
+
+Upstream-Status: Backport [b3060023318b474d0112fbe70cdbbf6dbb1f37ab]
+Link: https://github.com/SELinuxProject/refpolicy/pull/1092
+
+Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com>
+---
+ policy/modules/system/systemd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 4c81584706..d8a62eb882 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -2443,7 +2443,7 @@ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file delete_
+ 
+ allow systemd_user_runtime_dir_t systemd_userdbd_runtime_t:dir list_dir_perms;
+ 
+-stream_connect_pattern(systemd_user_runtime_dir_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
++systemd_stream_connect_userdb(systemd_user_runtime_dir_t)
+ 
+ files_read_etc_files(systemd_user_runtime_dir_t)
+ # read /etc/machine-id
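Review bot: The permission delta of the one-line swap at `+systemd_stream_connect_userdb(systemd_user_runtime_dir_t)` cannot be confirmed from this hunk, because the interface body lives in the module's interface file, which the patch does not touch; per the patch description it also covers the socket and link objects under /run/systemd/userdb, so this is a widening of what the removed stream_connect_pattern() granted, not a one-for-one replacement. It would help reviewers of the backport if the description listed the exact permissions the interface adds beyond connectto and sock_file write, or if a comment above the new line named them, e.g. `# userdbd lookup: connectto + sock_file write on /run/systemd/userdb (io.systemd.Multiplexer)`. The `allow systemd_user_runtime_dir_t systemd_userdbd_runtime_t:dir list_dir_perms;` rule two lines above may now be subsumed by the interface; worth checking against its definition before deciding whether to drop it. The systemd_user_runtime_dir_t rule block continues outside the hunk on both sides.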
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 2e1a929..998be7c 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -74,6 +74,7 @@  SRC_URI += " \
         file://0056-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
         file://0057-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0059-policy-modules-systemd-fix-user-runtime-userdb-connection.patch \
         "
 
 S = "${UNPACKDIR}/refpolicy"