author | 2024-05-06 15:53:46 -0400 | |
---|---|---|
committer | 2024-05-14 13:41:31 -0400 | |
commit | b2ceb53d4b7b1df545f740ae9b4ed2e77f640dca (patch) | |
tree | 6d2e82b4e43a696ff6587a6441a4894fd0c2d2b7 /policy/modules/system | |
parent | files context for merged-usr profile on gentoo (diff) | |
init: allow systemd to use sshd pidfds

Without this, a lengthy 2 minute delay can be observed SSHing into a
system while pam_systemd tries to create a login session.

May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out

type=AVC msg=audit(1715019897.540:13855): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy/modules/system')
-rw-r--r-- | policy/modules/system/init.te | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8f3772dc..03d0de8e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -631,6 +631,10 @@ ifdef(`init_systemd',` ') optional_policy(` + ssh_use_sshd_pidfds(init_t) + ') + + optional_policy(` # for systemd --user: unconfined_search_keys(init_t) unconfined_create_keys(init_t) |
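Review bot: The added `optional_policy` block around `ssh_use_sshd_pidfds(init_t)` has no comment, while the block that follows it is labelled `# for systemd --user:`; a one-line comment saying that systemd receives sshd pidfds when pam_systemd creates a login session would keep the reason next to the rule. The denial quoted in the commit message is only `{ use }` on class `fd` with target `sshd_t`, and the definition of `ssh_use_sshd_pidfds` is not shown here because the diffstat is limited to policy/modules/system, so it is worth confirming that the interface grants just `fd use` on `sshd_t` and nothing broader.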