@@ -1,4 +1,4 @@
-From 496131601f622dabb953cf3f98c64dd726060d33 Mon Sep 17 00:00:00 2001
+From 40dae32ff55f82d4e4e9d309bc91c0216d616b51 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Tue, 18 Feb 2025 15:26:19 +0800
Subject: [PATCH] systemd: allow systemd-tmpfiles to read bin_t symlink
@@ -23,7 +23,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
4 files changed, 23 insertions(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 5fd532202..d51f266e5 100644
+index 0da8a2ddb..007341a65 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -249,6 +249,7 @@ ifdef(`distro_gentoo',`
@@ -61,22 +61,22 @@ index 08ed91f19..0fa4cbf7d 100644
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 0d9ff59e2..da6a30470 100644
+index cc2709551..b67b78a69 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
-@@ -155,6 +155,7 @@ template(`systemd_role_template',`
- userdom_exec_user_bin_files($1_systemd_t)
+@@ -156,6 +156,7 @@ template(`systemd_role_template',`
# user systemd-tmpfiles rules
+ allow $1_systemd_tmpfiles_t self:process setfscreate;
+ allow $1_systemd_tmpfiles_t self:capability net_admin;
allow $1_systemd_tmpfiles_t $1_systemd_t:unix_stream_socket rw_socket_perms;
domtrans_pattern($1_systemd_t, systemd_tmpfiles_exec_t, $1_systemd_tmpfiles_t)
read_files_pattern($1_systemd_t, $1_systemd_tmpfiles_t, $1_systemd_tmpfiles_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index b9af00ec8..e79dec101 100644
+index 1ae8e3a7d..e1cc0cfde 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
-@@ -2148,6 +2148,9 @@ kernel_getattr_proc(systemd_tmpfiles_t)
+@@ -2161,6 +2161,9 @@ kernel_getattr_proc(systemd_tmpfiles_t)
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)
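Review bot: The `allow $1_systemd_tmpfiles_t self:capability net_admin;` rule kept in the `systemd_role_template` hunk of systemd.if is not explained by the patch subject ("allow systemd-tmpfiles to read bin_t symlink"), yet it grants CAP_NET_ADMIN to every per-role tmpfiles domain the template instantiates. Since this refresh already rebases the hunk onto the upstream `setfscreate` rule, it is a good point to re-check whether the capability is actually exercised or only silences an AVC denial. If it only silences a denial, `dontaudit $1_systemd_tmpfiles_t self:capability net_admin;` would keep the audit log quiet without widening the domain. Either way, the patch description (not visible in this hunk) should name the denial that motivated the rule, or the rule should move into its own patch so it can be dropped independently; the template body continues outside the hunk.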
@@ -2,7 +2,7 @@ PV = "2.20260312+git"
SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy = "cffa6e2c93e9f9be74ffbd65237f45ad6e9d7c55"
+SRCREV_refpolicy = "fbae939176fed7163730506878d92d3b1da433e4"
UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
* fbae93917 btrfs (#1144) * da94ce004 dmesg: allow dmesg_t access to init script stream sockets * 78f8b23d4 fapolicyd: fix issue with tmpfs_t write * 319ac618d fsadm (#1129) * 7d1dc1f06 systemd: allow tmpfiles to handle auditd_log_t * d30582816 systemd: allow tmpfiles to relabel various unlabeled objects * 01f6bb2bc systemd: allow tmpfiles to setrlimit * d156ca9a6 sshd: guard dbus calls with optional_policy * 6b7da9b01 sudo: guard auth_use_pam_systemd call * cd06b5f4b authlogin: guard auth_use_pam_systemd->dbus_system_bus_client calls with optional_policy * 586caeace Add SELinux policy support for Userspace Resource Manager (URM) (#1097) * 4e360aab8 tor_pluggable_transports2 (#1133) * 444f9a669 apt_dpkg_strict (#1131) * 2cc5c825b corecommands: label /usr/share/pam/security/namespace.init as bin_t * 6aeb605e8 authlogin: allow pam_domain to read /usr/share/pam * d97274873 systemd: resolved has a systemd-networkd hook * fac3aba88 systemd: allow resolved access to /etc/localtime * a57ca559e authlogin: systemd reads /proc/sys/kernel/random/boot_id via nss * f6e4064fe Add boolean user_ptrace to allow user domains to strace themselves * d25098a7d incus: Update module to reflect new incus selinux support * 73be75170 selinux: Add selinux_read_fs interface * a75373c3b incus: Allow setting of per instance oom_score_adj * a8ff7c56b incus: Add incus_entry_type interface * e4684de6d incus: Fix start of virtual networking in incus >=6.15 * 4b38f2f05 virt: Add virt_relabel_images interface * 3b11df9e2 container: Add container_write_all_container_state interface * 0dbad021c qemu: Update incus support * 69141a369 qemu: Add qemu_manage_image_symlinks interface * 373d1ee9f qemu: Add qemu_write_state interface * 6ef6df8b0 qemu: Add qemu_getattr interface * 5684dae89 selinux: allow ModemManager to send DBus messages to initrc_t. 
* a7d4c1333 libvirt_leasesh: Added read and search permission on kernel sysctls * 75079752d systemd-coredum: Added sepolicy permission to read namespace file * e0fd56a58 refpolicy: Addressing denial seen on alsa to allow write on event dev node * 694c913f8 tee_supplicant: Add necessary SELinux policy for qtee_supplicant * eb28c5a1b su: use auth_use_pam * e396a31e2 systemd: allow user systemd-tmpfiles to setfscreate * 26f457f50 systemd: allow systemd-userwork to speak to systemd-machined * 8762d07ad systemd: allow systemd-nsresourced to interact w/ bpf * 0b7c88000 kernel: treat /efi similarly to /boot * 99d522a1d snmpd: snmpd doesn't seem to need dac_override capability * 192fe63a2 gpg: adapt to Gentoo's app-alternatives/gpg * ebafd639e selinux: allow seatd to use unallocated TTYs * cea89176e https://picasa.google.com/ * 8d49a23bd matrixd: gatekeep postgresql calls in an optional policy block * 169f725b3 newrole_t, run_init_t: call auth_run_pam() * ffadd83c7 ping: allow execution and PTY access * e15ac27e0 devices: Add label for /dev/isst_interface * d4084b9fa Add new kernel security class memfd_file and new kernel permissions * 928e3bcbb Add new policy cababilities * 559688316 userdomain: kernel_dontaudit_request_load_module for all users * 0e76a2a30 Add op-tee based tee supplicant policy Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- ...ow-systemd-tmpfiles-to-read-bin_t-symlink.patch | 14 +++++++------- recipes-security/refpolicy/refpolicy_git.inc | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-)