
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Tue, 12 Dec 2017 07:59:15
Message-Id: 1513062386.cea191481ead6fd006f9dc695f491a7651b24f56.perfinion@gentoo
1 commit: cea191481ead6fd006f9dc695f491a7651b24f56
2 Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
3 AuthorDate: Wed Dec 6 17:06:04 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 12 07:06:26 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cea19148
7
8 Add private type for systemd logind inhibit files and pipes
9
10 policy/modules/system/systemd.fc | 2 +-
11 policy/modules/system/systemd.if | 20 ++++++++++++++++++++
12 policy/modules/system/systemd.te | 9 ++++++++-
13 3 files changed, 29 insertions(+), 2 deletions(-)
14
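diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 392b00b9..73da3de4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -49,7 +49,7 @@
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)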
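diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8f914837..d875098a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -138,6 +138,26 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
 allow systemd_logind_t $1:process signal;
 ')
 
+######################################
+## <summary>
+## Write inherited logind inhibit pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_inhibit_pipes',`
+ gen_require(`
+ type systemd_logind_inhibit_var_run_t;
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
+')
+
 ########################################
 ## <summary>
 ## Send and receive messages from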
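Review bot: Nothing in the visible hunks calls `systemd_write_inherited_logind_inhibit_pipes`, so once /run/systemd/inhibit carries `systemd_logind_inhibit_var_run_t`, any domain that previously reached the inhibit FIFOs through rules on `systemd_logind_var_run_t` will presumably start hitting AVC denials until it is given this interface. After loading the policy it is worth checking the audit log for `fifo_file` denials on the new type, and adding the callers in the same series. The grant itself is narrowly scoped (`fd use` on `systemd_logind_t` plus `fifo_file write` only), which suits an inherited descriptor. The summary could say who needs it, for example `## Write inherited logind inhibit pipes (the inhibitor-lock descriptor passed out by logind).`, and the banner line is shorter than the one on the following interface.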
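diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5051b87c..9a65b8f6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -101,6 +101,9 @@ type systemd_logind_var_run_t;
 files_pid_file(systemd_logind_var_run_t)
 init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
 
+type systemd_logind_inhibit_var_run_t;
+files_pid_file(systemd_logind_inhibit_var_run_t)
+
 type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
@@ -364,7 +367,11 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
-init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
 
 allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;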
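Review bot: The new `type systemd_logind_inhibit_var_run_t;` declaration in the first hunk has no comment explaining why inhibit state is split from `systemd_logind_var_run_t`. A line above it such as `# Inhibitor lock files and FIFOs under /run/systemd/inhibit; separate type so FIFO write access can be granted without exposing the rest of logind's runtime state` would record the least-privilege intent. In the second hunk, the named `init_pid_filetrans(..., dir, "inhibit")` only labels a directory created after the policy is loaded. On a live upgrade an existing /run/systemd/inhibit therefore keeps its old label until it is relabeled (for example with restorecon) or the system reboots. logind keeps its manage rules on `systemd_logind_var_run_t` in the context lines, so it should continue to work, but rules written against the new type will not match until then.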