1 |
commit: 13afa3ec8591b0522048fab442bb7f66bbeb5787 |
2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
3 |
AuthorDate: Tue Mar 28 22:51:35 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Mar 30 11:46:48 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13afa3ec |
7 |
|
8 |
systemd-resolvd, sessions, and tmpfiles take2 |
9 |
|
10 |
I believe that I have addressed all the issues Chris raised, so here's a newer |
11 |
version of the patch which applies to today's git version. |
12 |
|
13 |
Description: systemd-resolved, sessions, and tmpfiles patches |
14 |
Author: Russell Coker <russell <AT> coker.com.au> |
15 |
Last-Update: 2017-03-26 |
16 |
|
17 |
policy/modules/kernel/files.if | 92 ++++++++++++++++++++++++++++ |
18 |
policy/modules/kernel/files.te | 2 +- |
19 |
policy/modules/services/xserver.if | 56 ++++++++++++++++- |
20 |
policy/modules/services/xserver.te | 2 +- |
21 |
policy/modules/system/init.if | 36 +++++++++++ |
22 |
policy/modules/system/init.te | 2 +- |
23 |
policy/modules/system/logging.if | 116 ++++++++++++++++++++++++++++++++++++ |
24 |
policy/modules/system/logging.te | 2 +- |
25 |
policy/modules/system/miscfiles.if | 19 ++++++ |
26 |
policy/modules/system/miscfiles.te | 2 +- |
27 |
policy/modules/system/systemd.te | 84 +++++++++++++++++++++++++- |
28 |
policy/modules/system/userdomain.if | 18 ++++++ |
29 |
policy/modules/system/userdomain.te | 2 +- |
30 |
13 files changed, 423 insertions(+), 10 deletions(-) |
31 |
|
32 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
33 |
index 0d6fe3c5..9d7a929a 100644 |
34 |
--- a/policy/modules/kernel/files.if |
35 |
+++ b/policy/modules/kernel/files.if |
36 |
@@ -2835,6 +2835,24 @@ interface(`files_manage_etc_dirs',` |
37 |
|
38 |
######################################## |
39 |
## <summary> |
40 |
+## Relabel directories to etc_t. |
41 |
+## </summary> |
42 |
+## <param name="domain"> |
43 |
+## <summary> |
44 |
+## Domain allowed access. |
45 |
+## </summary> |
46 |
+## </param> |
47 |
+# |
48 |
+interface(`files_relabelto_etc_dirs',` |
49 |
+ gen_require(` |
50 |
+ type etc_t; |
51 |
+ ') |
52 |
+ |
53 |
+ allow $1 etc_t:dir relabelto; |
54 |
+') |
55 |
+ |
56 |
+######################################## |
57 |
+## <summary> |
58 |
## Read generic files in /etc. |
59 |
## </summary> |
60 |
## <desc> |
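Review bot: The new `allow $1 etc_t:dir relabelto;` in files_relabelto_etc_dirs spells out the bare permission instead of using refpolicy's permission sets, which also carry `getattr`; I would write `allow $1 etc_t:dir relabelto_dir_perms;`. The same applies to files_relabelfrom_home, files_relabel_var_dirs and files_relabel_var_lib_dirs later in this file, and to the relabel interfaces this commit adds in init.if, logging.if and userdomain.if (`relabel_dir_perms` / `relabel_file_perms`). Within the same commit xserver_relabel_console_pipes already lists getattr explicitly and miscfiles_relabel_man_cache uses the relabel_*_pattern macros, so the new interfaces are inconsistent with each other. If getattr is meant to come from a separate interface at the call site, a one-line comment saying so would help, since a relabel grant that only works in combination with others is hard to audit.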
61 |
@@ -3813,6 +3831,24 @@ interface(`files_relabelto_home',` |
62 |
|
63 |
######################################## |
64 |
## <summary> |
65 |
+## Relabel from user home root (/home). |
66 |
+## </summary> |
67 |
+## <param name="domain"> |
68 |
+## <summary> |
69 |
+## Domain allowed access. |
70 |
+## </summary> |
71 |
+## </param> |
72 |
+# |
73 |
+interface(`files_relabelfrom_home',` |
74 |
+ gen_require(` |
75 |
+ type home_root_t; |
76 |
+ ') |
77 |
+ |
78 |
+ allow $1 home_root_t:dir relabelfrom; |
79 |
+') |
80 |
+ |
81 |
+######################################## |
82 |
+## <summary> |
83 |
## Create objects in /home. |
84 |
## </summary> |
85 |
## <param name="domain"> |
86 |
@@ -5500,6 +5536,24 @@ interface(`files_manage_var_dirs',` |
87 |
|
88 |
######################################## |
89 |
## <summary> |
90 |
+## relabelto/from var directories |
91 |
+## </summary> |
92 |
+## <param name="domain"> |
93 |
+## <summary> |
94 |
+## Domain allowed access. |
95 |
+## </summary> |
96 |
+## </param> |
97 |
+# |
98 |
+interface(`files_relabel_var_dirs',` |
99 |
+ gen_require(` |
100 |
+ type var_t; |
101 |
+ ') |
102 |
+ |
103 |
+ allow $1 var_t:dir { relabelfrom relabelto }; |
104 |
+') |
105 |
+ |
106 |
+######################################## |
107 |
+## <summary> |
108 |
## Read files in the /var directory. |
109 |
## </summary> |
110 |
## <param name="domain"> |
111 |
@@ -5767,6 +5821,44 @@ interface(`files_rw_var_lib_dirs',` |
112 |
|
113 |
######################################## |
114 |
## <summary> |
115 |
+## manage var_lib_t dirs |
116 |
+## </summary> |
117 |
+## <param name="domain"> |
118 |
+## <summary> |
119 |
+## Domain allowed access. |
120 |
+## </summary> |
121 |
+## </param> |
122 |
+# |
123 |
+interface(`files_manage_var_lib_dirs',` |
124 |
+ gen_require(` |
125 |
+ type var_t, var_lib_t; |
126 |
+ ') |
127 |
+ |
128 |
+ allow $1 var_t:dir search_dir_perms; |
129 |
+ allow $1 var_lib_t:dir manage_dir_perms; |
130 |
+') |
131 |
+ |
132 |
+######################################## |
133 |
+## <summary> |
134 |
+## relabel var_lib_t dirs |
135 |
+## </summary> |
136 |
+## <param name="domain"> |
137 |
+## <summary> |
138 |
+## Domain allowed access. |
139 |
+## </summary> |
140 |
+## </param> |
141 |
+# |
142 |
+interface(`files_relabel_var_lib_dirs',` |
143 |
+ gen_require(` |
144 |
+ type var_t, var_lib_t; |
145 |
+ ') |
146 |
+ |
147 |
+ allow $1 var_t:dir search_dir_perms; |
148 |
+ allow $1 var_lib_t:dir { relabelfrom relabelto }; |
149 |
+') |
150 |
+ |
151 |
+######################################## |
152 |
+## <summary> |
153 |
## Create objects in the /var/lib directory |
154 |
## </summary> |
155 |
## <param name="domain"> |
156 |
|
157 |
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te |
158 |
index 9f911efd..10001b15 100644 |
159 |
--- a/policy/modules/kernel/files.te |
160 |
+++ b/policy/modules/kernel/files.te |
161 |
@@ -1,4 +1,4 @@ |
162 |
-policy_module(files, 1.23.7) |
163 |
+policy_module(files, 1.23.8) |
164 |
|
165 |
######################################## |
166 |
# |
167 |
|
168 |
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if |
169 |
index 060adbfa..eae74b67 100644 |
170 |
--- a/policy/modules/services/xserver.if |
171 |
+++ b/policy/modules/services/xserver.if |
172 |
@@ -700,6 +700,42 @@ interface(`xserver_rw_console',` |
173 |
|
174 |
######################################## |
175 |
## <summary> |
176 |
+## Create the X windows console named pipes. |
177 |
+## </summary> |
178 |
+## <param name="domain"> |
179 |
+## <summary> |
180 |
+## Domain allowed access. |
181 |
+## </summary> |
182 |
+## </param> |
183 |
+# |
184 |
+interface(`xserver_create_console_pipes',` |
185 |
+ gen_require(` |
186 |
+ type xconsole_device_t; |
187 |
+ ') |
188 |
+ |
189 |
+ allow $1 xconsole_device_t:fifo_file create; |
190 |
+') |
191 |
+ |
192 |
+######################################## |
193 |
+## <summary> |
194 |
+## relabel the X windows console named pipes. |
195 |
+## </summary> |
196 |
+## <param name="domain"> |
197 |
+## <summary> |
198 |
+## Domain allowed access. |
199 |
+## </summary> |
200 |
+## </param> |
201 |
+# |
202 |
+interface(`xserver_relabel_console_pipes',` |
203 |
+ gen_require(` |
204 |
+ type xconsole_device_t; |
205 |
+ ') |
206 |
+ |
207 |
+ allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto }; |
208 |
+') |
209 |
+ |
210 |
+######################################## |
211 |
+## <summary> |
212 |
## Use file descriptors for xdm. |
213 |
## </summary> |
214 |
## <param name="domain"> |
215 |
@@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',` |
216 |
gen_require(` |
217 |
type xdm_t; |
218 |
class dbus send_msg; |
219 |
- ') |
220 |
+ ') |
221 |
|
222 |
allow $1 xdm_t:dbus send_msg; |
223 |
allow xdm_t $1:dbus send_msg; |
224 |
@@ -1164,6 +1200,24 @@ interface(`xserver_read_xkb_libs',` |
225 |
|
226 |
######################################## |
227 |
## <summary> |
228 |
+## Create xdm temporary directories. |
229 |
+## </summary> |
230 |
+## <param name="domain"> |
231 |
+## <summary> |
232 |
+## Domain to allow access. |
233 |
+## </summary> |
234 |
+## </param> |
235 |
+# |
236 |
+interface(`xserver_create_xdm_tmp_dirs',` |
237 |
+ gen_require(` |
238 |
+ type xdm_tmp_t; |
239 |
+ ') |
240 |
+ |
241 |
+ allow $1 xdm_tmp_t:dir create; |
242 |
+') |
243 |
+ |
244 |
+######################################## |
245 |
+## <summary> |
246 |
## Read xdm temporary files. |
247 |
## </summary> |
248 |
## <param name="domain"> |
249 |
|
250 |
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te |
251 |
index 9bfbafcb..5750e14e 100644 |
252 |
--- a/policy/modules/services/xserver.te |
253 |
+++ b/policy/modules/services/xserver.te |
254 |
@@ -1,4 +1,4 @@ |
255 |
-policy_module(xserver, 3.13.4) |
256 |
+policy_module(xserver, 3.13.5) |
257 |
|
258 |
gen_require(` |
259 |
class x_drawable all_x_drawable_perms; |
260 |
|
261 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
262 |
index 195c5fa3..9b07a6e7 100644 |
263 |
--- a/policy/modules/system/init.if |
264 |
+++ b/policy/modules/system/init.if |
265 |
@@ -1086,6 +1086,24 @@ interface(`init_list_var_lib_dirs',` |
266 |
|
267 |
######################################## |
268 |
## <summary> |
269 |
+## Relabel dirs in /var/lib/systemd/. |
270 |
+## </summary> |
271 |
+## <param name="domain"> |
272 |
+## <summary> |
273 |
+## Domain allowed access. |
274 |
+## </summary> |
275 |
+## </param> |
276 |
+# |
277 |
+interface(`init_relabel_var_lib_dirs',` |
278 |
+ gen_require(` |
279 |
+ type init_var_lib_t; |
280 |
+ ') |
281 |
+ |
282 |
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto }; |
283 |
+') |
284 |
+ |
285 |
+######################################## |
286 |
+## <summary> |
287 |
## Manage files in /var/lib/systemd/. |
288 |
## </summary> |
289 |
## <param name="domain"> |
290 |
@@ -2529,6 +2547,24 @@ interface(`init_manage_utmp',` |
291 |
|
292 |
######################################## |
293 |
## <summary> |
294 |
+## Relabel utmp. |
295 |
+## </summary> |
296 |
+## <param name="domain"> |
297 |
+## <summary> |
298 |
+## Domain allowed access. |
299 |
+## </summary> |
300 |
+## </param> |
301 |
+# |
302 |
+interface(`init_relabel_utmp',` |
303 |
+ gen_require(` |
304 |
+ type initrc_var_run_t; |
305 |
+ ') |
306 |
+ |
307 |
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto }; |
308 |
+') |
309 |
+ |
310 |
+######################################## |
311 |
+## <summary> |
312 |
## Create files in /var/run with the |
313 |
## utmp file type. |
314 |
## </summary> |
315 |
|
316 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
317 |
index 9a5ed6f8..dfde3f39 100644 |
318 |
--- a/policy/modules/system/init.te |
319 |
+++ b/policy/modules/system/init.te |
320 |
@@ -1,4 +1,4 @@ |
321 |
-policy_module(init, 2.2.12) |
322 |
+policy_module(init, 2.2.13) |
323 |
|
324 |
gen_require(` |
325 |
class passwd rootok; |
326 |
|
327 |
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if |
328 |
index 66da3da3..b2053a0b 100644 |
329 |
--- a/policy/modules/system/logging.if |
330 |
+++ b/policy/modules/system/logging.if |
331 |
@@ -435,6 +435,82 @@ interface(`logging_domtrans_syslog',` |
332 |
|
333 |
######################################## |
334 |
## <summary> |
335 |
+## Set the attributes of syslog temporary files. |
336 |
+## </summary> |
337 |
+## <param name="domain"> |
338 |
+## <summary> |
339 |
+## Domain allowed access. |
340 |
+## </summary> |
341 |
+## </param> |
342 |
+## <rolecap/> |
343 |
+# |
344 |
+interface(`logging_setattr_syslogd_tmp_files',` |
345 |
+ gen_require(` |
346 |
+ type syslogd_tmp_t; |
347 |
+ ') |
348 |
+ |
349 |
+ allow $1 syslogd_tmp_t:file setattr; |
350 |
+') |
351 |
+ |
352 |
+######################################## |
353 |
+## <summary> |
354 |
+## Relabel to and from syslog temporary file type. |
355 |
+## </summary> |
356 |
+## <param name="domain"> |
357 |
+## <summary> |
358 |
+## Domain allowed access. |
359 |
+## </summary> |
360 |
+## </param> |
361 |
+## <rolecap/> |
362 |
+# |
363 |
+interface(`logging_relabel_syslogd_tmp_files',` |
364 |
+ gen_require(` |
365 |
+ type syslogd_tmp_t; |
366 |
+ ') |
367 |
+ |
368 |
+ allow $1 syslogd_tmp_t:file { relabelfrom relabelto }; |
369 |
+') |
370 |
+ |
371 |
+######################################## |
372 |
+## <summary> |
373 |
+## Set the attributes of syslog temporary directories. |
374 |
+## </summary> |
375 |
+## <param name="domain"> |
376 |
+## <summary> |
377 |
+## Domain allowed access. |
378 |
+## </summary> |
379 |
+## </param> |
380 |
+## <rolecap/> |
381 |
+# |
382 |
+interface(`logging_setattr_syslogd_tmp_dirs',` |
383 |
+ gen_require(` |
384 |
+ type syslogd_tmp_t; |
385 |
+ ') |
386 |
+ |
387 |
+ allow $1 syslogd_tmp_t:dir setattr; |
388 |
+') |
389 |
+ |
390 |
+######################################## |
391 |
+## <summary> |
392 |
+## Relabel to and from syslog temporary directory type. |
393 |
+## </summary> |
394 |
+## <param name="domain"> |
395 |
+## <summary> |
396 |
+## Domain allowed access. |
397 |
+## </summary> |
398 |
+## </param> |
399 |
+## <rolecap/> |
400 |
+# |
401 |
+interface(`logging_relabel_syslogd_tmp_dirs',` |
402 |
+ gen_require(` |
403 |
+ type syslogd_tmp_t; |
404 |
+ ') |
405 |
+ |
406 |
+ allow $1 syslogd_tmp_t:dir { relabelfrom relabelto }; |
407 |
+') |
408 |
+ |
409 |
+######################################## |
410 |
+## <summary> |
411 |
## Create an object in the log directory, with a private type. |
412 |
## </summary> |
413 |
## <desc> |
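Review bot: All four syslogd_tmp_t interfaces added here carry `## <rolecap/>`, as do logging_manage_generic_log_dirs and logging_relabel_generic_log_dirs in the next hunk, yet the only caller visible in this commit is the systemd_tmpfiles_t daemon domain in systemd.te. The tag looks copied from neighbouring interfaces. I would drop it from these six, or keep it only where an admin role is really expected to call them, so the generated interface documentation does not present log relabelling as a role capability.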
414 |
@@ -941,6 +1017,46 @@ interface(`logging_manage_all_logs',` |
415 |
|
416 |
######################################## |
417 |
## <summary> |
418 |
+## Create, read, write, and delete generic log directories. |
419 |
+## </summary> |
420 |
+## <param name="domain"> |
421 |
+## <summary> |
422 |
+## Domain allowed access. |
423 |
+## </summary> |
424 |
+## </param> |
425 |
+## <rolecap/> |
426 |
+# |
427 |
+interface(`logging_manage_generic_log_dirs',` |
428 |
+ gen_require(` |
429 |
+ type var_log_t; |
430 |
+ ') |
431 |
+ |
432 |
+ files_search_var($1) |
433 |
+ allow $1 var_log_t:dir manage_dir_perms; |
434 |
+') |
435 |
+ |
436 |
+######################################## |
437 |
+## <summary> |
438 |
+## Relabel from and to generic log directory type. |
439 |
+## </summary> |
440 |
+## <param name="domain"> |
441 |
+## <summary> |
442 |
+## Domain allowed access. |
443 |
+## </summary> |
444 |
+## </param> |
445 |
+## <rolecap/> |
446 |
+# |
447 |
+interface(`logging_relabel_generic_log_dirs',` |
448 |
+ gen_require(` |
449 |
+ type var_log_t; |
450 |
+ ') |
451 |
+ |
452 |
+ files_search_var($1) |
453 |
+ allow $1 var_log_t:dir { relabelfrom relabelto }; |
454 |
+') |
455 |
+ |
456 |
+######################################## |
457 |
+## <summary> |
458 |
## Read generic log files. |
459 |
## </summary> |
460 |
## <param name="domain"> |
461 |
|
462 |
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
463 |
index 63e7092d..e5864342 100644 |
464 |
--- a/policy/modules/system/logging.te |
465 |
+++ b/policy/modules/system/logging.te |
466 |
@@ -1,4 +1,4 @@ |
467 |
-policy_module(logging, 1.25.8) |
468 |
+policy_module(logging, 1.25.9) |
469 |
|
470 |
######################################## |
471 |
# |
472 |
|
473 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
474 |
index 5b9a8103..204390d1 100644 |
475 |
--- a/policy/modules/system/miscfiles.if |
476 |
+++ b/policy/modules/system/miscfiles.if |
477 |
@@ -652,6 +652,25 @@ interface(`miscfiles_manage_man_cache',` |
478 |
|
479 |
######################################## |
480 |
## <summary> |
481 |
+## Relabel from and to man cache. |
482 |
+## </summary> |
483 |
+## <param name="domain"> |
484 |
+## <summary> |
485 |
+## Domain allowed access. |
486 |
+## </summary> |
487 |
+## </param> |
488 |
+# |
489 |
+interface(`miscfiles_relabel_man_cache',` |
490 |
+ gen_require(` |
491 |
+ type man_cache_t; |
492 |
+ ') |
493 |
+ |
494 |
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t) |
495 |
+ relabel_files_pattern($1, man_cache_t, man_cache_t) |
496 |
+') |
497 |
+ |
498 |
+######################################## |
499 |
+## <summary> |
500 |
## Read public files used for file |
501 |
## transfer services. |
502 |
## </summary> |
503 |
|
504 |
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te |
505 |
index ec4d8dc0..3b180a36 100644 |
506 |
--- a/policy/modules/system/miscfiles.te |
507 |
+++ b/policy/modules/system/miscfiles.te |
508 |
@@ -1,4 +1,4 @@ |
509 |
-policy_module(miscfiles, 1.12.1) |
510 |
+policy_module(miscfiles, 1.12.2) |
511 |
|
512 |
######################################## |
513 |
# |
514 |
|
515 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
516 |
index f5af4ce4..e1f4c3a7 100644 |
517 |
--- a/policy/modules/system/systemd.te |
518 |
+++ b/policy/modules/system/systemd.te |
519 |
@@ -1,4 +1,4 @@ |
520 |
-policy_module(systemd, 1.3.13) |
521 |
+policy_module(systemd, 1.3.14) |
522 |
|
523 |
######################################### |
524 |
# |
525 |
@@ -613,9 +613,18 @@ optional_policy(` |
526 |
# Sessions local policy |
527 |
# |
528 |
|
529 |
+allow systemd_sessions_t self:process setfscreate; |
530 |
+ |
531 |
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms; |
532 |
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file) |
533 |
|
534 |
+selinux_get_enforce_mode(systemd_sessions_t) |
535 |
+selinux_get_fs_mount(systemd_sessions_t) |
536 |
+ |
537 |
+seutil_read_config(systemd_sessions_t) |
538 |
+seutil_read_default_contexts(systemd_sessions_t) |
539 |
+seutil_read_file_contexts(systemd_sessions_t) |
540 |
+ |
541 |
systemd_log_parse_environment(systemd_sessions_t) |
542 |
|
543 |
######################################### |
544 |
@@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t) |
545 |
# Tmpfiles local policy |
546 |
# |
547 |
|
548 |
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod }; |
549 |
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin }; |
550 |
allow systemd_tmpfiles_t self:process { setfscreate getcap }; |
551 |
|
552 |
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms }; |
553 |
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms; |
554 |
+ |
555 |
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms }; |
556 |
+ |
557 |
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) |
558 |
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) |
559 |
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; |
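Review bot: The widened capability line adds `net_admin` and `sys_admin` to systemd_tmpfiles_t with no comment on what needs them, unlike the `# for /etc/mtab` and `# for /proc/1/environ` notes used elsewhere in this file's changes. sys_admin in particular covers a very wide range of privileged operations, so it deserves a why-comment above the rule, e.g. `# sys_admin: <tmpfiles operation that was denied>`, so a later audit can re-check it. If either denial is only a probe whose failure is harmless, presumably `dontaudit systemd_tmpfiles_t self:capability { net_admin sys_admin };` would serve better than the grant; that cannot be judged from the hunk alone.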
560 |
@@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; |
561 |
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; |
562 |
|
563 |
kernel_read_kernel_sysctls(systemd_tmpfiles_t) |
564 |
+kernel_read_network_state(systemd_tmpfiles_t) |
565 |
|
566 |
+dev_manage_all_dev_nodes(systemd_tmpfiles_t) |
567 |
+dev_read_urand(systemd_tmpfiles_t) |
568 |
dev_relabel_all_sysfs(systemd_tmpfiles_t) |
569 |
dev_read_urand(systemd_tmpfiles_t) |
570 |
dev_manage_all_dev_nodes(systemd_tmpfiles_t) |
571 |
|
572 |
+files_create_lock_dirs(systemd_tmpfiles_t) |
573 |
+files_manage_all_pid_dirs(systemd_tmpfiles_t) |
574 |
+files_delete_usr_files(systemd_tmpfiles_t) |
575 |
+files_list_home(systemd_tmpfiles_t) |
576 |
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t) |
577 |
+files_manage_var_dirs(systemd_tmpfiles_t) |
578 |
+files_manage_var_lib_dirs(systemd_tmpfiles_t) |
579 |
+files_purge_tmp(systemd_tmpfiles_t) |
580 |
files_read_etc_files(systemd_tmpfiles_t) |
581 |
files_relabel_all_lock_dirs(systemd_tmpfiles_t) |
582 |
files_relabel_all_pid_dirs(systemd_tmpfiles_t) |
583 |
files_relabel_all_tmp_dirs(systemd_tmpfiles_t) |
584 |
+files_relabel_var_dirs(systemd_tmpfiles_t) |
585 |
+files_relabel_var_lib_dirs(systemd_tmpfiles_t) |
586 |
+files_relabelfrom_home(systemd_tmpfiles_t) |
587 |
+files_relabelto_home(systemd_tmpfiles_t) |
588 |
+files_relabelto_etc_dirs(systemd_tmpfiles_t) |
589 |
+# for /etc/mtab |
590 |
+files_manage_etc_symlinks(systemd_tmpfiles_t) |
591 |
|
592 |
-auth_manage_var_auth(systemd_tmpfiles_t) |
593 |
+fs_getattr_xattr_fs(systemd_tmpfiles_t) |
594 |
+ |
595 |
+selinux_get_fs_mount(systemd_tmpfiles_t) |
596 |
+selinux_search_fs(systemd_tmpfiles_t) |
597 |
+ |
598 |
+auth_manage_faillog(systemd_tmpfiles_t) |
599 |
auth_manage_login_records(systemd_tmpfiles_t) |
600 |
+auth_manage_var_auth(systemd_tmpfiles_t) |
601 |
auth_relabel_login_records(systemd_tmpfiles_t) |
602 |
auth_setattr_login_records(systemd_tmpfiles_t) |
603 |
|
604 |
+init_manage_utmp(systemd_tmpfiles_t) |
605 |
+init_manage_var_lib_files(systemd_tmpfiles_t) |
606 |
+# for /proc/1/environ |
607 |
+init_read_state(systemd_tmpfiles_t) |
608 |
+ |
609 |
+init_relabel_utmp(systemd_tmpfiles_t) |
610 |
+init_relabel_var_lib_dirs(systemd_tmpfiles_t) |
611 |
+ |
612 |
+logging_manage_generic_logs(systemd_tmpfiles_t) |
613 |
+logging_manage_generic_log_dirs(systemd_tmpfiles_t) |
614 |
+logging_relabel_generic_log_dirs(systemd_tmpfiles_t) |
615 |
+logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t) |
616 |
+logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t) |
617 |
+logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t) |
618 |
+logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t) |
619 |
+ |
620 |
+miscfiles_manage_man_pages(systemd_tmpfiles_t) |
621 |
+miscfiles_relabel_man_cache(systemd_tmpfiles_t) |
622 |
+ |
623 |
+seutil_read_config(systemd_tmpfiles_t) |
624 |
seutil_read_file_contexts(systemd_tmpfiles_t) |
625 |
|
626 |
+sysnet_create_config(systemd_tmpfiles_t) |
627 |
+ |
628 |
systemd_log_parse_environment(systemd_tmpfiles_t) |
629 |
|
630 |
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t) |
631 |
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t) |
632 |
+ |
633 |
tunable_policy(`systemd_tmpfiles_manage_all',` |
634 |
# systemd-tmpfiles can be configured to manage anything. |
635 |
# have a last-resort option for users to do this. |
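Review bot: The added `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` duplicate the two calls that already sit in the context lines directly after `dev_relabel_all_sysfs`, so the new pair should be dropped. Separately, `files_delete_usr_files` and `files_purge_tmp` are granted unconditionally although the file already has the `systemd_tmpfiles_manage_all` tunable for broad access; a short comment on why these are needed by default, in the style of `# for /etc/mtab`, would make the grant reviewable. The tunable_policy block that ends the hunk continues outside it.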
636 |
@@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',` |
637 |
files_relabel_non_security_dirs(systemd_tmpfiles_t) |
638 |
files_relabel_non_security_files(systemd_tmpfiles_t) |
639 |
') |
640 |
+ |
641 |
+optional_policy(` |
642 |
+ dbus_read_lib_files(systemd_tmpfiles_t) |
643 |
+') |
644 |
+ |
645 |
+optional_policy(` |
646 |
+ xfs_create_tmp_dirs(systemd_tmpfiles_t) |
647 |
+') |
648 |
+ |
649 |
+optional_policy(` |
650 |
+ xserver_create_console_pipes(systemd_tmpfiles_t) |
651 |
+ xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t) |
652 |
+ xserver_relabel_console_pipes(systemd_tmpfiles_t) |
653 |
+ xserver_setattr_console_pipes(systemd_tmpfiles_t) |
654 |
+') |
655 |
|
656 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
657 |
index 61065118..50100dd1 100644 |
658 |
--- a/policy/modules/system/userdomain.if |
659 |
+++ b/policy/modules/system/userdomain.if |
660 |
@@ -2946,6 +2946,24 @@ interface(`userdom_manage_user_runtime_root_dirs',` |
661 |
|
662 |
######################################## |
663 |
## <summary> |
664 |
+## Relabel to and from user runtime root dirs. |
665 |
+## </summary> |
666 |
+## <param name="domain"> |
667 |
+## <summary> |
668 |
+## Domain allowed access. |
669 |
+## </summary> |
670 |
+## </param> |
671 |
+# |
672 |
+interface(`userdom_relabel_user_runtime_root_dirs',` |
673 |
+ gen_require(` |
674 |
+ type user_runtime_root_t; |
675 |
+ ') |
676 |
+ |
677 |
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto }; |
678 |
+') |
679 |
+ |
680 |
+######################################## |
681 |
+## <summary> |
682 |
## Create, read, write, and delete user |
683 |
## runtime dirs. |
684 |
## </summary> |
685 |
|
686 |
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te |
687 |
index cf58bd27..0cbf3cec 100644 |
688 |
--- a/policy/modules/system/userdomain.te |
689 |
+++ b/policy/modules/system/userdomain.te |
690 |
@@ -1,4 +1,4 @@ |
691 |
-policy_module(userdomain, 4.13.5) |
692 |
+policy_module(userdomain, 4.13.6) |
693 |
|
694 |
######################################## |
695 |
# |