commit: 3225e34cc39a06b44cc0871b984791eeaf9bb970 |
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> |
AuthorDate: Tue Dec 27 13:45:21 2016 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 1 16:26:28 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3225e34c |
|
systemd: add systemd-binfmt policy |
|
This systemd service registers binary formats for executables in |
/proc/sys/fs/binfmt_misc. |
|
Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org> |
|
policy/modules/system/systemd.fc | 1 + |
policy/modules/system/systemd.te | 15 +++++++++++++++ |
2 files changed, 16 insertions(+) |
|
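diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 673bb68..d66feda 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -29,6 +29,7 @@
 /usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
+/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)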
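diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c50e93a..cf22ba8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -36,6 +36,9 @@ type systemd_binfmt_t;
 type systemd_binfmt_exec_t;
 init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
 
+type systemd_binfmt_unit_t;
+init_unit_file(systemd_binfmt_unit_t)
+
 type systemd_cgroups_t;
 type systemd_cgroups_exec_t;
 domain_type(systemd_cgroups_t)
@@ -162,6 +165,18 @@ files_read_etc_files(systemd_backlight_t)
 
 udev_read_pid_files(systemd_backlight_t)
 
+#######################################
+#
+# Binfmt local policy
+#
+
+systemd_log_parse_environment(systemd_binfmt_t)
+
+# Allow to read /etc/binfmt.d/ files
+files_read_etc_files(systemd_binfmt_t)
+
+fs_register_binary_executable_type(systemd_binfmt_t)
+
 ######################################
 #
 # Cgroups local policy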
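Review bot: The comment `# Allow to read /etc/binfmt.d/ files` above files_read_etc_files(systemd_binfmt_t) names only one drop-in search path; per binfmt.d(5) systemd-binfmt also reads /run/binfmt.d/ and /usr/lib/binfmt.d/, and nothing in this hunk visibly grants those reads, so either confirm that init_system_domain already covers them or add the matching read interfaces. I would reword it to `# Read binfmt.d drop-ins (/etc/binfmt.d/; /run and /usr/lib search paths need checking)`. fs_register_binary_executable_type is the access that makes this domain sensitive, since it lets the service register interpreters for executable formats system-wide, so a why-comment such as `# register formats in /proc/sys/fs/binfmt_misc` above it would help auditors reading the policy. The diffstat shows systemd.if is untouched, so the new systemd_binfmt_unit_t has no interface through which another domain could be granted access to the unit file; that may be intended but is worth stating in the commit message.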