| 1 |
commit: 13afa3ec8591b0522048fab442bb7f66bbeb5787 |
| 2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
| 3 |
AuthorDate: Tue Mar 28 22:51:35 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Mar 30 11:46:48 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13afa3ec |
| 7 |
|
| 8 |
systemd-resolvd, sessions, and tmpfiles take2 |
| 9 |
|
| 10 |
I believe that I have addressed all the issues Chris raised, so here's a newer |
| 11 |
version of the patch which applies to today's git version. |
| 12 |
|
| 13 |
Description: systemd-resolved, sessions, and tmpfiles patches |
| 14 |
Author: Russell Coker <russell <AT> coker.com.au> |
| 15 |
Last-Update: 2017-03-26 |
| 16 |
|
| 17 |
policy/modules/kernel/files.if | 92 ++++++++++++++++++++++++++++ |
| 18 |
policy/modules/kernel/files.te | 2 +- |
| 19 |
policy/modules/services/xserver.if | 56 ++++++++++++++++- |
| 20 |
policy/modules/services/xserver.te | 2 +- |
| 21 |
policy/modules/system/init.if | 36 +++++++++++ |
| 22 |
policy/modules/system/init.te | 2 +- |
| 23 |
policy/modules/system/logging.if | 116 ++++++++++++++++++++++++++++++++++++ |
| 24 |
policy/modules/system/logging.te | 2 +- |
| 25 |
policy/modules/system/miscfiles.if | 19 ++++++ |
| 26 |
policy/modules/system/miscfiles.te | 2 +- |
| 27 |
policy/modules/system/systemd.te | 84 +++++++++++++++++++++++++- |
| 28 |
policy/modules/system/userdomain.if | 18 ++++++ |
| 29 |
policy/modules/system/userdomain.te | 2 +- |
| 30 |
13 files changed, 423 insertions(+), 10 deletions(-) |
| 31 |
|
| 32 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
| 33 |
index 0d6fe3c5..9d7a929a 100644 |
| 34 |
--- a/policy/modules/kernel/files.if |
| 35 |
+++ b/policy/modules/kernel/files.if |
| 36 |
@@ -2835,6 +2835,24 @@ interface(`files_manage_etc_dirs',` |
| 37 |
|
| 38 |
######################################## |
| 39 |
## <summary> |
| 40 |
+## Relabel directories to etc_t. |
| 41 |
+## </summary> |
| 42 |
+## <param name="domain"> |
| 43 |
+## <summary> |
| 44 |
+## Domain allowed access. |
| 45 |
+## </summary> |
| 46 |
+## </param> |
| 47 |
+# |
| 48 |
+interface(`files_relabelto_etc_dirs',` |
| 49 |
+ gen_require(` |
| 50 |
+ type etc_t; |
| 51 |
+ ') |
| 52 |
+ |
| 53 |
+ allow $1 etc_t:dir relabelto; |
| 54 |
+') |
| 55 |
+ |
| 56 |
+######################################## |
| 57 |
+## <summary> |
| 58 |
## Read generic files in /etc. |
| 59 |
## </summary> |
| 60 |
## <desc> |
| 61 |
@@ -3813,6 +3831,24 @@ interface(`files_relabelto_home',` |
| 62 |
|
| 63 |
######################################## |
| 64 |
## <summary> |
| 65 |
+## Relabel from user home root (/home). |
| 66 |
+## </summary> |
| 67 |
+## <param name="domain"> |
| 68 |
+## <summary> |
| 69 |
+## Domain allowed access. |
| 70 |
+## </summary> |
| 71 |
+## </param> |
| 72 |
+# |
| 73 |
+interface(`files_relabelfrom_home',` |
| 74 |
+ gen_require(` |
| 75 |
+ type home_root_t; |
| 76 |
+ ') |
| 77 |
+ |
| 78 |
+ allow $1 home_root_t:dir relabelfrom; |
| 79 |
+') |
| 80 |
+ |
| 81 |
+######################################## |
| 82 |
+## <summary> |
| 83 |
## Create objects in /home. |
| 84 |
## </summary> |
| 85 |
## <param name="domain"> |
| 86 |
@@ -5500,6 +5536,24 @@ interface(`files_manage_var_dirs',` |
| 87 |
|
| 88 |
######################################## |
| 89 |
## <summary> |
| 90 |
+## relabelto/from var directories |
| 91 |
+## </summary> |
| 92 |
+## <param name="domain"> |
| 93 |
+## <summary> |
| 94 |
+## Domain allowed access. |
| 95 |
+## </summary> |
| 96 |
+## </param> |
| 97 |
+# |
| 98 |
+interface(`files_relabel_var_dirs',` |
| 99 |
+ gen_require(` |
| 100 |
+ type var_t; |
| 101 |
+ ') |
| 102 |
+ |
| 103 |
+ allow $1 var_t:dir { relabelfrom relabelto }; |
| 104 |
+') |
| 105 |
+ |
| 106 |
+######################################## |
| 107 |
+## <summary> |
| 108 |
## Read files in the /var directory. |
| 109 |
## </summary> |
| 110 |
## <param name="domain"> |
| 111 |
@@ -5767,6 +5821,44 @@ interface(`files_rw_var_lib_dirs',` |
| 112 |
|
| 113 |
######################################## |
| 114 |
## <summary> |
| 115 |
+## manage var_lib_t dirs |
| 116 |
+## </summary> |
| 117 |
+## <param name="domain"> |
| 118 |
+## <summary> |
| 119 |
+## Domain allowed access. |
| 120 |
+## </summary> |
| 121 |
+## </param> |
| 122 |
+# |
| 123 |
+interface(`files_manage_var_lib_dirs',` |
| 124 |
+ gen_require(` |
| 125 |
+ type var_t, var_lib_t; |
| 126 |
+ ') |
| 127 |
+ |
| 128 |
+ allow $1 var_t:dir search_dir_perms; |
| 129 |
+ allow $1 var_lib_t:dir manage_dir_perms; |
| 130 |
+') |
| 131 |
+ |
| 132 |
+######################################## |
| 133 |
+## <summary> |
| 134 |
+## relabel var_lib_t dirs |
| 135 |
+## </summary> |
| 136 |
+## <param name="domain"> |
| 137 |
+## <summary> |
| 138 |
+## Domain allowed access. |
| 139 |
+## </summary> |
| 140 |
+## </param> |
| 141 |
+# |
| 142 |
+interface(`files_relabel_var_lib_dirs',` |
| 143 |
+ gen_require(` |
| 144 |
+ type var_t, var_lib_t; |
| 145 |
+ ') |
| 146 |
+ |
| 147 |
+ allow $1 var_t:dir search_dir_perms; |
| 148 |
+ allow $1 var_lib_t:dir { relabelfrom relabelto }; |
| 149 |
+') |
| 150 |
+ |
| 151 |
+######################################## |
| 152 |
+## <summary> |
| 153 |
## Create objects in the /var/lib directory |
| 154 |
## </summary> |
| 155 |
## <param name="domain"> |
| 156 |
|
| 157 |
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te |
| 158 |
index 9f911efd..10001b15 100644 |
| 159 |
--- a/policy/modules/kernel/files.te |
| 160 |
+++ b/policy/modules/kernel/files.te |
| 161 |
@@ -1,4 +1,4 @@ |
| 162 |
-policy_module(files, 1.23.7) |
| 163 |
+policy_module(files, 1.23.8) |
| 164 |
|
| 165 |
######################################## |
| 166 |
# |
| 167 |
|
| 168 |
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if |
| 169 |
index 060adbfa..eae74b67 100644 |
| 170 |
--- a/policy/modules/services/xserver.if |
| 171 |
+++ b/policy/modules/services/xserver.if |
| 172 |
@@ -700,6 +700,42 @@ interface(`xserver_rw_console',` |
| 173 |
|
| 174 |
######################################## |
| 175 |
## <summary> |
| 176 |
+## Create the X windows console named pipes. |
| 177 |
+## </summary> |
| 178 |
+## <param name="domain"> |
| 179 |
+## <summary> |
| 180 |
+## Domain allowed access. |
| 181 |
+## </summary> |
| 182 |
+## </param> |
| 183 |
+# |
| 184 |
+interface(`xserver_create_console_pipes',` |
| 185 |
+ gen_require(` |
| 186 |
+ type xconsole_device_t; |
| 187 |
+ ') |
| 188 |
+ |
| 189 |
+ allow $1 xconsole_device_t:fifo_file create; |
| 190 |
+') |
| 191 |
+ |
| 192 |
+######################################## |
| 193 |
+## <summary> |
| 194 |
+## relabel the X windows console named pipes. |
| 195 |
+## </summary> |
| 196 |
+## <param name="domain"> |
| 197 |
+## <summary> |
| 198 |
+## Domain allowed access. |
| 199 |
+## </summary> |
| 200 |
+## </param> |
| 201 |
+# |
| 202 |
+interface(`xserver_relabel_console_pipes',` |
| 203 |
+ gen_require(` |
| 204 |
+ type xconsole_device_t; |
| 205 |
+ ') |
| 206 |
+ |
| 207 |
+ allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto }; |
| 208 |
+') |
| 209 |
+ |
| 210 |
+######################################## |
| 211 |
+## <summary> |
| 212 |
## Use file descriptors for xdm. |
| 213 |
## </summary> |
| 214 |
## <param name="domain"> |
| 215 |
@@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',` |
| 216 |
gen_require(` |
| 217 |
type xdm_t; |
| 218 |
class dbus send_msg; |
| 219 |
- ') |
| 220 |
+ ') |
| 221 |
|
| 222 |
allow $1 xdm_t:dbus send_msg; |
| 223 |
allow xdm_t $1:dbus send_msg; |
| 224 |
@@ -1164,6 +1200,24 @@ interface(`xserver_read_xkb_libs',` |
| 225 |
|
| 226 |
######################################## |
| 227 |
## <summary> |
| 228 |
+## Create xdm temporary directories. |
| 229 |
+## </summary> |
| 230 |
+## <param name="domain"> |
| 231 |
+## <summary> |
| 232 |
+## Domain to allow access. |
| 233 |
+## </summary> |
| 234 |
+## </param> |
| 235 |
+# |
| 236 |
+interface(`xserver_create_xdm_tmp_dirs',` |
| 237 |
+ gen_require(` |
| 238 |
+ type xdm_tmp_t; |
| 239 |
+ ') |
| 240 |
+ |
| 241 |
+ allow $1 xdm_tmp_t:dir create; |
| 242 |
+') |
| 243 |
+ |
| 244 |
+######################################## |
| 245 |
+## <summary> |
| 246 |
## Read xdm temporary files. |
| 247 |
## </summary> |
| 248 |
## <param name="domain"> |
| 249 |
|
| 250 |
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te |
| 251 |
index 9bfbafcb..5750e14e 100644 |
| 252 |
--- a/policy/modules/services/xserver.te |
| 253 |
+++ b/policy/modules/services/xserver.te |
| 254 |
@@ -1,4 +1,4 @@ |
| 255 |
-policy_module(xserver, 3.13.4) |
| 256 |
+policy_module(xserver, 3.13.5) |
| 257 |
|
| 258 |
gen_require(` |
| 259 |
class x_drawable all_x_drawable_perms; |
| 260 |
|
| 261 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
| 262 |
index 195c5fa3..9b07a6e7 100644 |
| 263 |
--- a/policy/modules/system/init.if |
| 264 |
+++ b/policy/modules/system/init.if |
| 265 |
@@ -1086,6 +1086,24 @@ interface(`init_list_var_lib_dirs',` |
| 266 |
|
| 267 |
######################################## |
| 268 |
## <summary> |
| 269 |
+## Relabel dirs in /var/lib/systemd/. |
| 270 |
+## </summary> |
| 271 |
+## <param name="domain"> |
| 272 |
+## <summary> |
| 273 |
+## Domain allowed access. |
| 274 |
+## </summary> |
| 275 |
+## </param> |
| 276 |
+# |
| 277 |
+interface(`init_relabel_var_lib_dirs',` |
| 278 |
+ gen_require(` |
| 279 |
+ type init_var_lib_t; |
| 280 |
+ ') |
| 281 |
+ |
| 282 |
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto }; |
| 283 |
+') |
| 284 |
+ |
| 285 |
+######################################## |
| 286 |
+## <summary> |
| 287 |
## Manage files in /var/lib/systemd/. |
| 288 |
## </summary> |
| 289 |
## <param name="domain"> |
| 290 |
@@ -2529,6 +2547,24 @@ interface(`init_manage_utmp',` |
| 291 |
|
| 292 |
######################################## |
| 293 |
## <summary> |
| 294 |
+## Relabel utmp. |
| 295 |
+## </summary> |
| 296 |
+## <param name="domain"> |
| 297 |
+## <summary> |
| 298 |
+## Domain allowed access. |
| 299 |
+## </summary> |
| 300 |
+## </param> |
| 301 |
+# |
| 302 |
+interface(`init_relabel_utmp',` |
| 303 |
+ gen_require(` |
| 304 |
+ type initrc_var_run_t; |
| 305 |
+ ') |
| 306 |
+ |
| 307 |
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto }; |
| 308 |
+') |
| 309 |
+ |
| 310 |
+######################################## |
| 311 |
+## <summary> |
| 312 |
## Create files in /var/run with the |
| 313 |
## utmp file type. |
| 314 |
## </summary> |
| 315 |
|
| 316 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 317 |
index 9a5ed6f8..dfde3f39 100644 |
| 318 |
--- a/policy/modules/system/init.te |
| 319 |
+++ b/policy/modules/system/init.te |
| 320 |
@@ -1,4 +1,4 @@ |
| 321 |
-policy_module(init, 2.2.12) |
| 322 |
+policy_module(init, 2.2.13) |
| 323 |
|
| 324 |
gen_require(` |
| 325 |
class passwd rootok; |
| 326 |
|
| 327 |
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if |
| 328 |
index 66da3da3..b2053a0b 100644 |
| 329 |
--- a/policy/modules/system/logging.if |
| 330 |
+++ b/policy/modules/system/logging.if |
| 331 |
@@ -435,6 +435,82 @@ interface(`logging_domtrans_syslog',` |
| 332 |
|
| 333 |
######################################## |
| 334 |
## <summary> |
| 335 |
+## Set the attributes of syslog temporary files. |
| 336 |
+## </summary> |
| 337 |
+## <param name="domain"> |
| 338 |
+## <summary> |
| 339 |
+## Domain allowed access. |
| 340 |
+## </summary> |
| 341 |
+## </param> |
| 342 |
+## <rolecap/> |
| 343 |
+# |
| 344 |
+interface(`logging_setattr_syslogd_tmp_files',` |
| 345 |
+ gen_require(` |
| 346 |
+ type syslogd_tmp_t; |
| 347 |
+ ') |
| 348 |
+ |
| 349 |
+ allow $1 syslogd_tmp_t:file setattr; |
| 350 |
+') |
| 351 |
+ |
| 352 |
+######################################## |
| 353 |
+## <summary> |
| 354 |
+## Relabel to and from syslog temporary file type. |
| 355 |
+## </summary> |
| 356 |
+## <param name="domain"> |
| 357 |
+## <summary> |
| 358 |
+## Domain allowed access. |
| 359 |
+## </summary> |
| 360 |
+## </param> |
| 361 |
+## <rolecap/> |
| 362 |
+# |
| 363 |
+interface(`logging_relabel_syslogd_tmp_files',` |
| 364 |
+ gen_require(` |
| 365 |
+ type syslogd_tmp_t; |
| 366 |
+ ') |
| 367 |
+ |
| 368 |
+ allow $1 syslogd_tmp_t:file { relabelfrom relabelto }; |
| 369 |
+') |
| 370 |
+ |
| 371 |
+######################################## |
| 372 |
+## <summary> |
| 373 |
+## Set the attributes of syslog temporary directories. |
| 374 |
+## </summary> |
| 375 |
+## <param name="domain"> |
| 376 |
+## <summary> |
| 377 |
+## Domain allowed access. |
| 378 |
+## </summary> |
| 379 |
+## </param> |
| 380 |
+## <rolecap/> |
| 381 |
+# |
| 382 |
+interface(`logging_setattr_syslogd_tmp_dirs',` |
| 383 |
+ gen_require(` |
| 384 |
+ type syslogd_tmp_t; |
| 385 |
+ ') |
| 386 |
+ |
| 387 |
+ allow $1 syslogd_tmp_t:dir setattr; |
| 388 |
+') |
| 389 |
+ |
| 390 |
+######################################## |
| 391 |
+## <summary> |
| 392 |
+## Relabel to and from syslog temporary directory type. |
| 393 |
+## </summary> |
| 394 |
+## <param name="domain"> |
| 395 |
+## <summary> |
| 396 |
+## Domain allowed access. |
| 397 |
+## </summary> |
| 398 |
+## </param> |
| 399 |
+## <rolecap/> |
| 400 |
+# |
| 401 |
+interface(`logging_relabel_syslogd_tmp_dirs',` |
| 402 |
+ gen_require(` |
| 403 |
+ type syslogd_tmp_t; |
| 404 |
+ ') |
| 405 |
+ |
| 406 |
+ allow $1 syslogd_tmp_t:dir { relabelfrom relabelto }; |
| 407 |
+') |
| 408 |
+ |
| 409 |
+######################################## |
| 410 |
+## <summary> |
| 411 |
## Create an object in the log directory, with a private type. |
| 412 |
## </summary> |
| 413 |
## <desc> |
| 414 |
@@ -941,6 +1017,46 @@ interface(`logging_manage_all_logs',` |
| 415 |
|
| 416 |
######################################## |
| 417 |
## <summary> |
| 418 |
+## Create, read, write, and delete generic log directories. |
| 419 |
+## </summary> |
| 420 |
+## <param name="domain"> |
| 421 |
+## <summary> |
| 422 |
+## Domain allowed access. |
| 423 |
+## </summary> |
| 424 |
+## </param> |
| 425 |
+## <rolecap/> |
| 426 |
+# |
| 427 |
+interface(`logging_manage_generic_log_dirs',` |
| 428 |
+ gen_require(` |
| 429 |
+ type var_log_t; |
| 430 |
+ ') |
| 431 |
+ |
| 432 |
+ files_search_var($1) |
| 433 |
+ allow $1 var_log_t:dir manage_dir_perms; |
| 434 |
+') |
| 435 |
+ |
| 436 |
+######################################## |
| 437 |
+## <summary> |
| 438 |
+## Relabel from and to generic log directory type. |
| 439 |
+## </summary> |
| 440 |
+## <param name="domain"> |
| 441 |
+## <summary> |
| 442 |
+## Domain allowed access. |
| 443 |
+## </summary> |
| 444 |
+## </param> |
| 445 |
+## <rolecap/> |
| 446 |
+# |
| 447 |
+interface(`logging_relabel_generic_log_dirs',` |
| 448 |
+ gen_require(` |
| 449 |
+ type var_log_t; |
| 450 |
+ ') |
| 451 |
+ |
| 452 |
+ files_search_var($1) |
| 453 |
+ allow $1 var_log_t:dir { relabelfrom relabelto }; |
| 454 |
+') |
| 455 |
+ |
| 456 |
+######################################## |
| 457 |
+## <summary> |
| 458 |
## Read generic log files. |
| 459 |
## </summary> |
| 460 |
## <param name="domain"> |
| 461 |
|
| 462 |
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
| 463 |
index 63e7092d..e5864342 100644 |
| 464 |
--- a/policy/modules/system/logging.te |
| 465 |
+++ b/policy/modules/system/logging.te |
| 466 |
@@ -1,4 +1,4 @@ |
| 467 |
-policy_module(logging, 1.25.8) |
| 468 |
+policy_module(logging, 1.25.9) |
| 469 |
|
| 470 |
######################################## |
| 471 |
# |
| 472 |
|
| 473 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
| 474 |
index 5b9a8103..204390d1 100644 |
| 475 |
--- a/policy/modules/system/miscfiles.if |
| 476 |
+++ b/policy/modules/system/miscfiles.if |
| 477 |
@@ -652,6 +652,25 @@ interface(`miscfiles_manage_man_cache',` |
| 478 |
|
| 479 |
######################################## |
| 480 |
## <summary> |
| 481 |
+## Relabel from and to man cache. |
| 482 |
+## </summary> |
| 483 |
+## <param name="domain"> |
| 484 |
+## <summary> |
| 485 |
+## Domain allowed access. |
| 486 |
+## </summary> |
| 487 |
+## </param> |
| 488 |
+# |
| 489 |
+interface(`miscfiles_relabel_man_cache',` |
| 490 |
+ gen_require(` |
| 491 |
+ type man_cache_t; |
| 492 |
+ ') |
| 493 |
+ |
| 494 |
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t) |
| 495 |
+ relabel_files_pattern($1, man_cache_t, man_cache_t) |
| 496 |
+') |
| 497 |
+ |
| 498 |
+######################################## |
| 499 |
+## <summary> |
| 500 |
## Read public files used for file |
| 501 |
## transfer services. |
| 502 |
## </summary> |
| 503 |
|
| 504 |
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te |
| 505 |
index ec4d8dc0..3b180a36 100644 |
| 506 |
--- a/policy/modules/system/miscfiles.te |
| 507 |
+++ b/policy/modules/system/miscfiles.te |
| 508 |
@@ -1,4 +1,4 @@ |
| 509 |
-policy_module(miscfiles, 1.12.1) |
| 510 |
+policy_module(miscfiles, 1.12.2) |
| 511 |
|
| 512 |
######################################## |
| 513 |
# |
| 514 |
|
| 515 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 516 |
index f5af4ce4..e1f4c3a7 100644 |
| 517 |
--- a/policy/modules/system/systemd.te |
| 518 |
+++ b/policy/modules/system/systemd.te |
| 519 |
@@ -1,4 +1,4 @@ |
| 520 |
-policy_module(systemd, 1.3.13) |
| 521 |
+policy_module(systemd, 1.3.14) |
| 522 |
|
| 523 |
######################################### |
| 524 |
# |
| 525 |
@@ -613,9 +613,18 @@ optional_policy(` |
| 526 |
# Sessions local policy |
| 527 |
# |
| 528 |
|
| 529 |
+allow systemd_sessions_t self:process setfscreate; |
| 530 |
+ |
| 531 |
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms; |
| 532 |
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file) |
| 533 |
|
| 534 |
+selinux_get_enforce_mode(systemd_sessions_t) |
| 535 |
+selinux_get_fs_mount(systemd_sessions_t) |
| 536 |
+ |
| 537 |
+seutil_read_config(systemd_sessions_t) |
| 538 |
+seutil_read_default_contexts(systemd_sessions_t) |
| 539 |
+seutil_read_file_contexts(systemd_sessions_t) |
| 540 |
+ |
| 541 |
systemd_log_parse_environment(systemd_sessions_t) |
| 542 |
|
| 543 |
######################################### |
| 544 |
@@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t) |
| 545 |
# Tmpfiles local policy |
| 546 |
# |
| 547 |
|
| 548 |
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod }; |
| 549 |
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin }; |
| 550 |
allow systemd_tmpfiles_t self:process { setfscreate getcap }; |
| 551 |
|
| 552 |
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms }; |
| 553 |
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms; |
| 554 |
+ |
| 555 |
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms }; |
| 556 |
+ |
| 557 |
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) |
| 558 |
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) |
| 559 |
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; |
| 560 |
@@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; |
| 561 |
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; |
| 562 |
|
| 563 |
kernel_read_kernel_sysctls(systemd_tmpfiles_t) |
| 564 |
+kernel_read_network_state(systemd_tmpfiles_t) |
| 565 |
|
| 566 |
+dev_manage_all_dev_nodes(systemd_tmpfiles_t) |
| 567 |
+dev_read_urand(systemd_tmpfiles_t) |
| 568 |
dev_relabel_all_sysfs(systemd_tmpfiles_t) |
| 569 |
dev_read_urand(systemd_tmpfiles_t) |
| 570 |
dev_manage_all_dev_nodes(systemd_tmpfiles_t) |
| 571 |
|
| 572 |
+files_create_lock_dirs(systemd_tmpfiles_t) |
| 573 |
+files_manage_all_pid_dirs(systemd_tmpfiles_t) |
| 574 |
+files_delete_usr_files(systemd_tmpfiles_t) |
| 575 |
+files_list_home(systemd_tmpfiles_t) |
| 576 |
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t) |
| 577 |
+files_manage_var_dirs(systemd_tmpfiles_t) |
| 578 |
+files_manage_var_lib_dirs(systemd_tmpfiles_t) |
| 579 |
+files_purge_tmp(systemd_tmpfiles_t) |
| 580 |
files_read_etc_files(systemd_tmpfiles_t) |
| 581 |
files_relabel_all_lock_dirs(systemd_tmpfiles_t) |
| 582 |
files_relabel_all_pid_dirs(systemd_tmpfiles_t) |
| 583 |
files_relabel_all_tmp_dirs(systemd_tmpfiles_t) |
| 584 |
+files_relabel_var_dirs(systemd_tmpfiles_t) |
| 585 |
+files_relabel_var_lib_dirs(systemd_tmpfiles_t) |
| 586 |
+files_relabelfrom_home(systemd_tmpfiles_t) |
| 587 |
+files_relabelto_home(systemd_tmpfiles_t) |
| 588 |
+files_relabelto_etc_dirs(systemd_tmpfiles_t) |
| 589 |
+# for /etc/mtab |
| 590 |
+files_manage_etc_symlinks(systemd_tmpfiles_t) |
| 591 |
|
| 592 |
-auth_manage_var_auth(systemd_tmpfiles_t) |
| 593 |
+fs_getattr_xattr_fs(systemd_tmpfiles_t) |
| 594 |
+ |
| 595 |
+selinux_get_fs_mount(systemd_tmpfiles_t) |
| 596 |
+selinux_search_fs(systemd_tmpfiles_t) |
| 597 |
+ |
| 598 |
+auth_manage_faillog(systemd_tmpfiles_t) |
| 599 |
auth_manage_login_records(systemd_tmpfiles_t) |
| 600 |
+auth_manage_var_auth(systemd_tmpfiles_t) |
| 601 |
auth_relabel_login_records(systemd_tmpfiles_t) |
| 602 |
auth_setattr_login_records(systemd_tmpfiles_t) |
| 603 |
|
| 604 |
+init_manage_utmp(systemd_tmpfiles_t) |
| 605 |
+init_manage_var_lib_files(systemd_tmpfiles_t) |
| 606 |
+# for /proc/1/environ |
| 607 |
+init_read_state(systemd_tmpfiles_t) |
| 608 |
+ |
| 609 |
+init_relabel_utmp(systemd_tmpfiles_t) |
| 610 |
+init_relabel_var_lib_dirs(systemd_tmpfiles_t) |
| 611 |
+ |
| 612 |
+logging_manage_generic_logs(systemd_tmpfiles_t) |
| 613 |
+logging_manage_generic_log_dirs(systemd_tmpfiles_t) |
| 614 |
+logging_relabel_generic_log_dirs(systemd_tmpfiles_t) |
| 615 |
+logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t) |
| 616 |
+logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t) |
| 617 |
+logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t) |
| 618 |
+logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t) |
| 619 |
+ |
| 620 |
+miscfiles_manage_man_pages(systemd_tmpfiles_t) |
| 621 |
+miscfiles_relabel_man_cache(systemd_tmpfiles_t) |
| 622 |
+ |
| 623 |
+seutil_read_config(systemd_tmpfiles_t) |
| 624 |
seutil_read_file_contexts(systemd_tmpfiles_t) |
| 625 |
|
| 626 |
+sysnet_create_config(systemd_tmpfiles_t) |
| 627 |
+ |
| 628 |
systemd_log_parse_environment(systemd_tmpfiles_t) |
| 629 |
|
| 630 |
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t) |
| 631 |
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t) |
| 632 |
+ |
| 633 |
tunable_policy(`systemd_tmpfiles_manage_all',` |
| 634 |
# systemd-tmpfiles can be configured to manage anything. |
| 635 |
# have a last-resort option for users to do this. |
| 636 |
@@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',` |
| 637 |
files_relabel_non_security_dirs(systemd_tmpfiles_t) |
| 638 |
files_relabel_non_security_files(systemd_tmpfiles_t) |
| 639 |
') |
| 640 |
+ |
| 641 |
+optional_policy(` |
| 642 |
+ dbus_read_lib_files(systemd_tmpfiles_t) |
| 643 |
+') |
| 644 |
+ |
| 645 |
+optional_policy(` |
| 646 |
+ xfs_create_tmp_dirs(systemd_tmpfiles_t) |
| 647 |
+') |
| 648 |
+ |
| 649 |
+optional_policy(` |
| 650 |
+ xserver_create_console_pipes(systemd_tmpfiles_t) |
| 651 |
+ xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t) |
| 652 |
+ xserver_relabel_console_pipes(systemd_tmpfiles_t) |
| 653 |
+ xserver_setattr_console_pipes(systemd_tmpfiles_t) |
| 654 |
+') |
| 655 |
|
| 656 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
| 657 |
index 61065118..50100dd1 100644 |
| 658 |
--- a/policy/modules/system/userdomain.if |
| 659 |
+++ b/policy/modules/system/userdomain.if |
| 660 |
@@ -2946,6 +2946,24 @@ interface(`userdom_manage_user_runtime_root_dirs',` |
| 661 |
|
| 662 |
######################################## |
| 663 |
## <summary> |
| 664 |
+## Relabel to and from user runtime root dirs. |
| 665 |
+## </summary> |
| 666 |
+## <param name="domain"> |
| 667 |
+## <summary> |
| 668 |
+## Domain allowed access. |
| 669 |
+## </summary> |
| 670 |
+## </param> |
| 671 |
+# |
| 672 |
+interface(`userdom_relabel_user_runtime_root_dirs',` |
| 673 |
+ gen_require(` |
| 674 |
+ type user_runtime_root_t; |
| 675 |
+ ') |
| 676 |
+ |
| 677 |
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto }; |
| 678 |
+') |
| 679 |
+ |
| 680 |
+######################################## |
| 681 |
+## <summary> |
| 682 |
## Create, read, write, and delete user |
| 683 |
## runtime dirs. |
| 684 |
## </summary> |
| 685 |
|
| 686 |
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te |
| 687 |
index cf58bd27..0cbf3cec 100644 |
| 688 |
--- a/policy/modules/system/userdomain.te |
| 689 |
+++ b/policy/modules/system/userdomain.te |
| 690 |
@@ -1,4 +1,4 @@ |
| 691 |
-policy_module(userdomain, 4.13.5) |
| 692 |
+policy_module(userdomain, 4.13.6) |
| 693 |
|
| 694 |
######################################## |
| 695 |
# |
Archives