
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
Date: Sat, 25 Feb 2017 14:51:57
Message-Id: 1488032543.5b8acde37136f75ce5a52f1b6a0604d3f35dacc7.perfinion@gentoo
1 commit: 5b8acde37136f75ce5a52f1b6a0604d3f35dacc7
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Fri Feb 24 01:03:23 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 25 14:22:23 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b8acde3
7
8 Systemd fixes from Russell Coker.
9
10 policy/modules/kernel/devices.if | 37 +++++
11 policy/modules/kernel/devices.te | 6 +-
12 policy/modules/kernel/files.if | 127 +++++++++++++++
13 policy/modules/kernel/files.te | 6 +-
14 policy/modules/system/authlogin.if | 9 +
15 policy/modules/system/authlogin.te | 6 +-
16 policy/modules/system/init.fc | 2 +
17 policy/modules/system/init.if | 183 ++++++++++++++++++---
18 policy/modules/system/init.te | 317 +++++++++++++++++++++++++++++++++---
19 policy/modules/system/logging.fc | 5 +-
20 policy/modules/system/logging.if | 18 ++
21 policy/modules/system/logging.te | 36 +++-
22 policy/modules/system/lvm.if | 18 ++
23 policy/modules/system/lvm.te | 2 +-
24 policy/modules/system/miscfiles.te | 6 +-
25 policy/modules/system/systemd.fc | 11 +-
26 policy/modules/system/systemd.if | 122 +++++++++++++-
27 policy/modules/system/systemd.te | 49 +++++-
28 policy/modules/system/udev.if | 20 +++
29 policy/modules/system/udev.te | 2 +-
30 policy/modules/system/unconfined.if | 19 +++
31 policy/modules/system/unconfined.te | 2 +-
32 policy/modules/system/userdomain.if | 71 ++++++++
33 policy/modules/system/userdomain.te | 2 +-
34 24 files changed, 1011 insertions(+), 65 deletions(-)
35
36 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
37 index 08e2e8af..b51a25ac 100644
38 --- a/policy/modules/kernel/devices.if
39 +++ b/policy/modules/kernel/devices.if
40 @@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
41
42 ########################################
43 ## <summary>
44 +## Allow full relabeling (to and from) of all device files.
45 +## </summary>
46 +## <param name="domain">
47 +## <summary>
48 +## Domain allowed access.
49 +## </summary>
50 +## </param>
51 +## <rolecap/>
52 +#
53 +interface(`dev_relabel_all_dev_files',`
54 + gen_require(`
55 + type device_t;
56 + ')
57 +
58 + relabel_files_pattern($1, device_t, device_t)
59 +')
60 +
61 +########################################
62 +## <summary>
63 ## List all of the device nodes in a device directory.
64 ## </summary>
65 ## <param name="domain">
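Review bot: The name and summary of `dev_relabel_all_dev_files` promise relabeling of all device files, but the body only covers the generic device_t type, so device files that carry their own type are not included and a caller reading the name will over-estimate what it got. Either rename it (`dev_relabel_generic_dev_files`) and make the summary match — `## Allow full relabeling (to and from) of generic (device_t) device files.` — or, if everything really is intended, relabel on the same attribute the neighbouring dev_relabel_all_dev_nodes uses; that interface's body is outside this hunk, so which attribute it uses is not visible here. The `<rolecap/>` tag is appropriate either way since relabeling device files is an admin capability.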
66 @@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',`
67
68 ########################################
69 ## <summary>
70 +## Relabel hardware state directories.
71 +## </summary>
72 +## <param name="domain">
73 +## <summary>
74 +## Domain allowed access.
75 +## </summary>
76 +## </param>
77 +#
78 +interface(`dev_relabel_sysfs_dirs',`
79 + gen_require(`
80 + type sysfs_t;
81 + ')
82 +
83 + relabel_dirs_pattern($1, sysfs_t, sysfs_t)
84 +')
85 +
86 +########################################
87 +## <summary>
88 ## Relabel from/to all sysfs types.
89 ## </summary>
90 ## <param name="domain">
91
92 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
93 index 66bc754e..470f0f00 100644
94 --- a/policy/modules/kernel/devices.te
95 +++ b/policy/modules/kernel/devices.te
96 @@ -1,4 +1,4 @@
97 -policy_module(devices, 1.20.2)
98 +policy_module(devices, 1.20.3)
99
100 ########################################
101 #
102 @@ -22,6 +22,10 @@ files_associate_tmp(device_t)
103 fs_xattr_type(device_t)
104 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
105
106 +optional_policy(`
107 + systemd_tmpfilesd_managed(device_t, fifo_file)
108 +')
109 +
110 #
111 # Type for /dev/agpgart
112 #
113
114 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
115 index 6babfb90..0d6fe3c5 100644
116 --- a/policy/modules/kernel/files.if
117 +++ b/policy/modules/kernel/files.if
118 @@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
119
120 ########################################
121 ## <summary>
122 +## manage all pidfile directories
123 +## in the /var/run directory.
124 +## </summary>
125 +## <param name="domain">
126 +## <summary>
127 +## Domain allowed access.
128 +## </summary>
129 +## </param>
130 +#
131 +interface(`files_manage_all_pid_dirs',`
132 + gen_require(`
133 + attribute pidfile;
134 + ')
135 +
136 + manage_dirs_pattern($1, pidfile, pidfile)
137 +')
138 +
139 +########################################
140 +## <summary>
141 ## Read all process ID files.
142 ## </summary>
143 ## <param name="domain">
144 @@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',`
145
146 ########################################
147 ## <summary>
148 +## Execute generic programs in /var/run in the caller domain.
149 +## </summary>
150 +## <param name="domain">
151 +## <summary>
152 +## Domain allowed access.
153 +## </summary>
154 +## </param>
155 +#
156 +interface(`files_exec_generic_pid_files',`
157 + gen_require(`
158 + type var_run_t;
159 + ')
160 +
161 + exec_files_pattern($1, var_run_t, var_run_t)
162 +')
163 +
164 +########################################
165 +## <summary>
166 +## Relable all pid files
167 +## </summary>
168 +## <param name="domain">
169 +## <summary>
170 +## Domain allowed access.
171 +## </summary>
172 +## </param>
173 +#
174 +interface(`files_relabel_all_pid_files',`
175 + gen_require(`
176 + attribute pidfile;
177 + ')
178 +
179 + relabel_files_pattern($1, pidfile, pidfile)
180 +')
181 +
182 +########################################
183 +## <summary>
184 ## Delete all process IDs.
185 ## </summary>
186 ## <param name="domain">
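Review bot: `files_exec_generic_pid_files` grants execute_no_trans (through exec_files_pattern) on every file with the generic var_run_t label, so any domain that can create a default-labeled file under /run can plant a binary the caller will run inside its own domain; init_t is given this later in the series (L1044), which makes the grant worth a warning in the summary such as `## The caller executes /run content in its own domain with no transition; prefer a domtrans where possible.` The next interface's summary also has a typo: `## Relabel all pid files`. Which systemd feature actually needs to execute files from /run is not stated anywhere in the hunk and should be.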
187 @@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',`
188
189 ########################################
190 ## <summary>
191 +## Create all pid sockets
192 +## </summary>
193 +## <param name="domain">
194 +## <summary>
195 +## Domain allowed access.
196 +## </summary>
197 +## </param>
198 +#
199 +interface(`files_create_all_pid_sockets',`
200 + gen_require(`
201 + attribute pidfile;
202 + ')
203 +
204 + allow $1 pidfile:sock_file create_sock_file_perms;
205 +')
206 +
207 +########################################
208 +## <summary>
209 +## Create all pid named pipes
210 +## </summary>
211 +## <param name="domain">
212 +## <summary>
213 +## Domain allowed access.
214 +## </summary>
215 +## </param>
216 +#
217 +interface(`files_create_all_pid_pipes',`
218 + gen_require(`
219 + attribute pidfile;
220 + ')
221 +
222 + allow $1 pidfile:fifo_file create_fifo_file_perms;
223 +')
224 +
225 +########################################
226 +## <summary>
227 +## Create all spool sockets
228 +## </summary>
229 +## <param name="domain">
230 +## <summary>
231 +## Domain allowed access.
232 +## </summary>
233 +## </param>
234 +#
235 +interface(`files_create_all_spool_sockets',`
236 + gen_require(`
237 + attribute spoolfile;
238 + ')
239 +
240 + allow $1 spoolfile:sock_file create_sock_file_perms;
241 +')
242 +
243 +########################################
244 +## <summary>
245 +## Delete all spool sockets
246 +## </summary>
247 +## <param name="domain">
248 +## <summary>
249 +## Domain allowed access.
250 +## </summary>
251 +## </param>
252 +#
253 +interface(`files_delete_all_spool_sockets',`
254 + gen_require(`
255 + attribute spoolfile;
256 + ')
257 +
258 + allow $1 spoolfile:sock_file delete_sock_file_perms;
259 +')
260 +
261 +########################################
262 +## <summary>
263 ## Delete all process ID directories.
264 ## </summary>
265 ## <param name="domain">
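Review bot: The four new create/delete interfaces use bare allow rules (`allow $1 pidfile:sock_file create_sock_file_perms;`) while `files_relabel_all_pid_files` just above uses a `*_pattern` macro, and the pattern forms also grant search on the containing directory, so a caller here gets create on the socket object but no search on pidfile dirs unless another interface supplies it. For consistency with the rest of files.if use `create_sock_files_pattern($1, pidfile, pidfile)`, `create_fifo_files_pattern($1, pidfile, pidfile)`, and the matching `create_sock_files_pattern`/`delete_sock_files_pattern` on spoolfile. Whether the intended callers already hold the directory permissions is not visible in this hunk.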
266
267 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
268 index 7c861cc1..63ec6591 100644
269 --- a/policy/modules/kernel/files.te
270 +++ b/policy/modules/kernel/files.te
271 @@ -1,4 +1,4 @@
272 -policy_module(files, 1.23.4)
273 +policy_module(files, 1.23.5)
274
275 ########################################
276 #
277 @@ -174,6 +174,10 @@ type var_run_t;
278 files_pid_file(var_run_t)
279 files_mountpoint(var_run_t)
280
281 +optional_policy(`
282 + systemd_tmpfilesd_managed(var_run_t, lnk_file)
283 +')
284 +
285 #
286 # var_spool_t is the type of /var/spool
287 #
288
289 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
290 index 55ce2bd2..5bac5fb3 100644
291 --- a/policy/modules/system/authlogin.if
292 +++ b/policy/modules/system/authlogin.if
293 @@ -162,9 +162,18 @@ interface(`auth_login_pgm_domain',`
294 seutil_read_config($1)
295 seutil_read_default_contexts($1)
296
297 + userdom_search_user_runtime($1)
298 + userdom_read_user_tmpfs_files($1)
299 +
300 tunable_policy(`allow_polyinstantiation',`
301 files_polyinstantiate_all($1)
302 ')
303 +
304 + optional_policy(`
305 + systemd_read_logind_state($1)
306 + systemd_write_inherited_logind_sessions_pipes($1)
307 + systemd_use_passwd_agent_fds($1)
308 + ')
309 ')
310
311 ########################################
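Review bot: `userdom_read_user_tmpfs_files($1)` is added to auth_login_pgm_domain unconditionally, which hands every login program read access to all user tmpfs content, well beyond the logind-related state the rest of the addition is about. If it is only needed for the systemd/logind case, move it inside the optional_policy block next to `systemd_read_logind_state($1)`; otherwise add a one-line comment naming the file it reads, e.g. `# reads user session state under /run/user (verify which file)`. The remainder of auth_login_pgm_domain lies outside this hunk.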
312
313 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
314 index b4273689..43c83620 100644
315 --- a/policy/modules/system/authlogin.te
316 +++ b/policy/modules/system/authlogin.te
317 @@ -1,4 +1,4 @@
318 -policy_module(authlogin, 2.10.1)
319 +policy_module(authlogin, 2.10.2)
320
321 ########################################
322 #
323 @@ -85,6 +85,10 @@ files_type(var_auth_t)
324 type wtmp_t;
325 logging_log_file(wtmp_t)
326
327 +optional_policy(`
328 + systemd_tmpfilesd_managed(faillog_t, file)
329 +') systemd_tmpfilesd_managed(var_auth_t, dir)
330 +
331 ########################################
332 #
333 # Check password local policy
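Review bot: The second tmpfilesd rule is written on the same line as the closing `')` of the optional_policy block, so `systemd_tmpfilesd_managed(var_auth_t, dir)` is expanded outside the block and unconditionally while only the faillog_t rule is guarded — this looks like a paste error, and it defeats the purpose of the optional_policy wrapper when the systemd module is not built. Move `systemd_tmpfilesd_managed(var_auth_t, dir)` onto its own line inside the block, directly after the faillog_t call and before `')`.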
334
335 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
336 index fe085d15..b08e7a2a 100644
337 --- a/policy/modules/system/init.fc
338 +++ b/policy/modules/system/init.fc
339 @@ -57,7 +57,9 @@ ifdef(`distro_gentoo', `
340 /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
341 /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
342 /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
343 +/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
344 /run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
345 +/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
346
347 ifdef(`distro_debian',`
348 /run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
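Review bot: /run/sm-notify.pid and /run/wd_keepalive.pid are labeled initrc_var_run_t, which makes them generic init-script state that every initrc_t script can overwrite; sm-notify belongs to the NFS/rpc daemons and wd_keepalive to the watchdog daemon, and each would normally carry that daemon's own pid type so the daemon domain can manage it after the script hands over. If those daemons run unconfined in this policy the generic label is harmless, but a comment saying so would save the next reader from reopening the question. Whether the rpc or watchdog modules define a suitable pid type is not visible here.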
349
350 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
351 index 4a36e12a..162ce266 100644
352 --- a/policy/modules/system/init.if
353 +++ b/policy/modules/system/init.if
354 @@ -209,7 +209,7 @@ interface(`init_ranged_domain',`
355 #
356 interface(`init_daemon_domain',`
357 gen_require(`
358 - type initrc_t;
359 + type init_t, initrc_t;
360 role system_r;
361 attribute daemon;
362 ')
363 @@ -240,6 +240,8 @@ interface(`init_daemon_domain',`
364 init_domain($1, $2)
365 # this may be because of late labelling
366 kernel_dgram_send($1)
367 +
368 + allow $1 init_t:unix_dgram_socket sendto;
369 ')
370
371 optional_policy(`
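Review bot: `allow $1 init_t:unix_dgram_socket sendto;` is emitted per domain here, but init.te in this same commit adds `allow daemon init_t:unix_dgram_socket sendto;` under ifdef(init_systemd) (L726), and every domain passing through init_daemon_domain carries the daemon attribute (it is in this interface's gen_require), so the per-domain rule is redundant with the attribute rule wherever both are active. Keep one of the two; the attribute form is smaller in the binary policy and easier to audit. The enclosing conditional for this line begins outside the hunk, so which builds it applies to is not visible.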
372 @@ -400,8 +402,10 @@ interface(`init_system_domain',`
373 gen_require(`
374 type initrc_t;
375 role system_r;
376 + attribute systemprocess;
377 ')
378
379 + typeattribute $1 systemprocess;
380 application_domain($1, $2)
381
382 role system_r types $1;
383 @@ -477,6 +481,24 @@ interface(`init_ranged_system_domain',`
384 ')
385 ')
386
387 +######################################
388 +## <summary>
389 +## Allow domain dyntransition to init_t domain.
390 +## </summary>
391 +## <param name="domain">
392 +## <summary>
393 +## Domain allowed to transition.
394 +## </summary>
395 +## </param>
396 +#
397 +interface(`init_dyntrans',`
398 + gen_require(`
399 + type init_t;
400 + ')
401 +
402 + dyntrans_pattern($1, init_t)
403 +')
404 +
405 ########################################
406 ## <summary>
407 ## Mark the file type as a daemon pid file, allowing initrc_t
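Review bot: `init_dyntrans` lets the caller setcon() straight into init_t, which is the most privileged domain in the policy (unconfined_domain(init_t) is optional at L756), so any domain given this interface can escalate to init's full permission set at will, with no entrypoint check involved; the summary should say that plainly so it is not handed out as a routine convenience. Suggested summary: `## Allow the caller to dynamically transition into init_t. This is equivalent to granting the caller all of init_t's privileges; intended only for systemd's own helpers.` Which domain consumes the interface is not visible in this hunk.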
408 @@ -708,6 +730,7 @@ interface(`init_stream_connect',`
409
410 stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
411 files_search_pids($1)
412 + allow $1 init_t:unix_stream_socket getattr;
413 ')
414
415 ########################################
416 @@ -1225,23 +1248,24 @@ interface(`init_write_initctl',`
417 #
418 interface(`init_telinit',`
419 gen_require(`
420 - type initctl_t;
421 + type initctl_t, init_t;
422 ')
423
424 - dev_list_all_dev_nodes($1)
425 + ps_process_pattern($1, init_t)
426 + allow $1 init_t:process signal;
427 + # upstart uses a datagram socket instead of initctl pipe
428 + allow $1 self:unix_dgram_socket create_socket_perms;
429 + allow $1 init_t:unix_dgram_socket sendto;
430 + #576913
431 + allow $1 init_t:unix_stream_socket connectto;
432 +
433 allow $1 initctl_t:fifo_file rw_fifo_file_perms;
434
435 - init_exec($1)
436 + corecmd_exec_bin($1)
437
438 - tunable_policy(`init_upstart',`
439 - gen_require(`
440 - type init_t;
441 - ')
442 + dev_list_all_dev_nodes($1)
443
444 - # upstart uses a datagram socket instead of initctl pipe
445 - allow $1 self:unix_dgram_socket create_socket_perms;
446 - allow $1 init_t:unix_dgram_socket sendto;
447 - ')
448 + init_exec($1)
449 ')
450
451 ########################################
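Review bot: Moving the datagram-socket rules out of the `init_upstart` tunable_policy makes them unconditional, so the tunable (still declared in init.te at L651) no longer influences init_telinit; if nothing else references it, it is now dead and should be removed or this block put back under it. The bare `#576913` names no tracker; write it as `# <tracker> #576913: telinit needs connectto on init's stream socket (verify)` so the connectto grant can be re-evaluated later. Reordering `dev_list_all_dev_nodes` to sit between the fifo rule and `init_exec` has no visible reason and makes the diff harder to read than it needs to be.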
452 @@ -1370,6 +1394,37 @@ interface(`init_domtrans_script',`
453
454 ########################################
455 ## <summary>
456 +## Execute labelled init scripts with an automatic domain transition.
457 +## </summary>
458 +## <param name="domain">
459 +## <summary>
460 +## Domain allowed to transition.
461 +## </summary>
462 +## </param>
463 +#
464 +interface(`init_domtrans_labeled_script',`
465 + gen_require(`
466 + type initrc_t;
467 + attribute init_script_file_type;
468 + attribute initrc_transition_domain;
469 + ')
470 +
471 + typeattribute $1 initrc_transition_domain;
472 +
473 + files_list_etc($1)
474 + domtrans_pattern($1, init_script_file_type, initrc_t)
475 +
476 + ifdef(`enable_mcs',`
477 + range_transition $1 init_script_file_type:process s0;
478 + ')
479 +
480 + ifdef(`enable_mls',`
481 + range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
482 + ')
483 +')
484 +
485 +########################################
486 +## <summary>
487 ## Execute a init script in a specified domain.
488 ## </summary>
489 ## <desc>
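Review bot: `init_domtrans_labeled_script` is nearly the same name as the existing `init_labeled_script_domtrans` (L498), yet they differ in a way that matters — this one transitions on the whole init_script_file_type attribute, the other on a single caller-supplied type — and neither summary says which to pick. State the difference in the summary, e.g. `## Execute any file carrying the init_script_file_type attribute with an automatic transition to initrc_t; for one specific script type use init_labeled_script_domtrans.` The MLS `range_transition ... s0 - mls_systemhigh` also deserves a one-line why-comment, since a script started from a low-range caller ends up with a systemhigh clearance.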
490 @@ -1440,8 +1495,10 @@ interface(`init_manage_script_service',`
491 interface(`init_labeled_script_domtrans',`
492 gen_require(`
493 type initrc_t;
494 + attribute initrc_transition_domain;
495 ')
496
497 + typeattribute $1 initrc_transition_domain;
498 domtrans_pattern($1, $2, initrc_t)
499 files_search_etc($1)
500 ')
501 @@ -1574,6 +1631,7 @@ interface(`init_run_daemon',`
502 interface(`init_startstop_all_script_services',`
503 gen_require(`
504 attribute init_script_file_type;
505 + class service { start status stop };
506 ')
507
508 allow $1 init_script_file_type:service { start status stop };
509 @@ -1789,12 +1847,7 @@ interface(`init_read_script_state',`
510 ')
511
512 kernel_search_proc($1)
513 - read_files_pattern($1, initrc_t, initrc_t)
514 - read_lnk_files_pattern($1, initrc_t, initrc_t)
515 - list_dirs_pattern($1, initrc_t, initrc_t)
516 -
517 - # should move this to separate interface
518 - allow $1 initrc_t:process getattr;
519 + ps_process_pattern($1, initrc_t)
520 ')
521
522 ########################################
523 @@ -2378,7 +2431,7 @@ interface(`init_dontaudit_rw_utmp',`
524 type initrc_var_run_t;
525 ')
526
527 - dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
528 + dontaudit $1 initrc_var_run_t:file rw_file_perms;
529 ')
530
531 ########################################
532 @@ -2419,6 +2472,98 @@ interface(`init_pid_filetrans_utmp',`
533 files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
534 ')
535
536 +#######################################
537 +## <summary>
538 +## Create a directory in the /run/systemd directory.
539 +## </summary>
540 +## <param name="domain">
541 +## <summary>
542 +## Domain allowed access.
543 +## </summary>
544 +## </param>
545 +#
546 +interface(`init_create_pid_dirs',`
547 + gen_require(`
548 + type init_var_run_t;
549 + ')
550 +
551 + allow $1 init_var_run_t:dir list_dir_perms;
552 + create_dirs_pattern($1, init_var_run_t, init_var_run_t)
553 +')
554 +
555 +########################################
556 +## <summary>
557 +## Rename init_var_run_t files
558 +## </summary>
559 +## <param name="domain">
560 +## <summary>
561 +## domain
562 +## </summary>
563 +## </param>
564 +#
565 +interface(`init_rename_pid_files',`
566 + gen_require(`
567 + type init_var_run_t;
568 + ')
569 +
570 + rename_files_pattern($1, init_var_run_t, init_var_run_t)
571 +')
572 +
573 +########################################
574 +## <summary>
575 +## Rename and de init_var_run_t files
576 +## </summary>
577 +## <param name="domain">
578 +## <summary>
579 +## domain
580 +## </summary>
581 +## </param>
582 +#
583 +interface(`init_delete_pid_files',`
584 + gen_require(`
585 + type init_var_run_t;
586 + ')
587 +
588 + delete_files_pattern($1, init_var_run_t, init_var_run_t)
589 +')
590 +
591 +#######################################
592 +## <summary>
593 +## Allow the specified domain to write to
594 +## init sock file.
595 +## </summary>
596 +## <param name="domain">
597 +## <summary>
598 +## Domain allowed access.
599 +## </summary>
600 +## </param>
601 +#
602 +interface(`init_write_pid_socket',`
603 + gen_require(`
604 + type init_var_run_t;
605 + ')
606 +
607 + allow $1 init_var_run_t:sock_file write;
608 +')
609 +
610 +########################################
611 +## <summary>
612 +## Read init unnamed pipes.
613 +## </summary>
614 +## <param name="domain">
615 +## <summary>
616 +## Domain allowed access.
617 +## </summary>
618 +## </param>
619 +#
620 +interface(`init_read_pid_pipes',`
621 + gen_require(`
622 + type init_var_run_t;
623 + ')
624 +
625 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
626 +')
627 +
628 ########################################
629 ## <summary>
630 ## Allow the specified domain to connect to daemon with a tcp socket
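Review bot: The summary of `init_delete_pid_files` reads `Rename and de init_var_run_t files`, a leftover from copying `init_rename_pid_files`, and both of those interfaces describe their parameter as just `domain`; these strings end up verbatim in the generated interface documentation. Change them to `## Delete init_var_run_t files` and `## Domain allowed access.` like the surrounding interfaces. `init_write_pid_socket` grants only `write` on the sock_file with no search on init_var_run_t or /run, so its summary should note that callers must already be able to reach /run/systemd; the daemon-wide call at L742 appears to rely on that.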
631
632 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
633 index a43bf19b..54ca2ceb 100644
634 --- a/policy/modules/system/init.te
635 +++ b/policy/modules/system/init.te
636 @@ -1,4 +1,4 @@
637 -policy_module(init, 2.2.5)
638 +policy_module(init, 2.2.6)
639
640 gen_require(`
641 class passwd rootok;
642 @@ -16,13 +16,22 @@ gen_require(`
643 ## </desc>
644 gen_tunable(init_upstart, false)
645
646 +## <desc>
647 +## <p>
648 +## Allow all daemons the ability to read/write terminals
649 +## </p>
650 +## </desc>
651 +gen_tunable(init_daemons_use_tty, false)
652 +
653 attribute init_script_domain_type;
654 attribute init_script_file_type;
655 attribute init_run_all_scripts_domain;
656 attribute systemdunit;
657 +attribute initrc_transition_domain;
658
659 # Mark process types as daemons
660 attribute daemon;
661 +attribute systemprocess;
662
663 # Mark file type as a daemon pid file
664 attribute daemonpidfile;
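Review bot: `init_daemons_use_tty` is declared here but no tunable_policy block in this commit consumes it, so unless a hunk outside this view does, it is a dead boolean that will be listed by semanage without effect. Either add the `tunable_policy(`init_daemons_use_tty', ...)` block in the same change or drop the declaration until it is used. The `systemprocess` attribute is also slotted under the `# Mark process types as daemons` comment, which now misdescribes it; a line such as `# Mark process types as systemd-managed system processes` above it would fix that.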
665 @@ -33,7 +42,7 @@ attribute daemonrundir;
666 #
667 # init_t is the domain of the init process.
668 #
669 -type init_t;
670 +type init_t, initrc_transition_domain;
671 type init_exec_t;
672 domain_type(init_t)
673 domain_entry_file(init_t, init_exec_t)
674 @@ -110,6 +119,7 @@ ifdef(`enable_mls',`
675
676 # Use capabilities. old rule:
677 allow init_t self:capability ~sys_module;
678 +allow init_t self:capability2 { wake_alarm block_suspend };
679 # is ~sys_module really needed? observed:
680 # sys_boot
681 # sys_tty_config
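Review bot: `allow init_t self:capability2 { wake_alarm block_suspend };` is added unconditionally, but block_suspend is already granted under ifdef(init_systemd) at L716, and a third `capability2 audit_read` rule is added at L984, so one class on one domain is now spread over three rules in two conditionals and the effective set is hard to review. Keep the unconditional rule for what every init needs, fold the systemd-only bits into a single rule in one systemd block, and add a word on which init needs wake_alarm, e.g. `# systemd timers with WakeSystem= (verify)`.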
682 @@ -128,6 +138,9 @@ allow init_t initrc_t:unix_stream_socket connectto;
683 allow init_t init_var_run_t:file manage_file_perms;
684 files_pid_filetrans(init_t, init_var_run_t, file)
685
686 +# for systemd to manage service file symlinks
687 +allow init_t init_var_run_t:file manage_lnk_file_perms;
688 +
689 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
690 dev_filetrans(init_t, initctl_t, fifo_file)
691
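Review bot: `allow init_t init_var_run_t:file manage_lnk_file_perms;` uses the `file` class with the symlink permission set, so it grants nothing on symlinks at all; every permission in manage_lnk_file_perms is already contained in `init_var_run_t:file manage_file_perms` two lines above, which makes the new rule a no-op that nonetheless reads as if symlinks were handled. The rule the comment describes is `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;`, and under ifdef(init_systemd) that is already provided by `manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)` at L735, so the simplest fix is to delete the added line and its comment.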
692 @@ -147,6 +160,7 @@ dev_rw_generic_chr_files(init_t)
693
694 domain_getpgid_all_domains(init_t)
695 domain_kill_all_domains(init_t)
696 +domain_getattr_all_domains(init_t)
697 domain_signal_all_domains(init_t)
698 domain_signull_all_domains(init_t)
699 domain_sigstop_all_domains(init_t)
700 @@ -199,6 +213,10 @@ ifdef(`init_systemd',`
701 # handle instances where an old labeled init script is encountered.
702 typeattribute init_t init_run_all_scripts_domain;
703
704 + allow init_t systemprocess:process { dyntransition siginh };
705 + allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
706 + allow init_t systemprocess:unix_dgram_socket create_socket_perms;
707 +
708 allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
709 allow init_t self:capability2 { audit_read block_suspend };
710 allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
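Review bot: `allow init_t systemprocess:process { dyntransition siginh };` permits PID 1 to setcon() into any init_system_domain type at runtime instead of through an exec transition, and nothing in the hunk says which systemd component relies on that; dyntransition involves no entrypoint check, so it should be justified or replaced with a domtrans if the actual need is just spawning helpers. Add a why-comment such as `# systemd switches context with setcon() for its internal helpers (which ones? verify); no entrypoint is involved`. `siginh` on the same rule also merits a word, since it keeps pending signals across the transition.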
711 @@ -206,6 +224,18 @@ ifdef(`init_systemd',`
712 allow init_t self:netlink_selinux_socket create_socket_perms;
713 allow init_t self:unix_dgram_socket lock;
714
715 + allow init_t daemon:unix_stream_socket create_stream_socket_perms;
716 + allow init_t daemon:unix_dgram_socket create_socket_perms;
717 + allow init_t daemon:tcp_socket create_stream_socket_perms;
718 + allow init_t daemon:udp_socket create_socket_perms;
719 + allow daemon init_t:unix_dgram_socket sendto;
720 +
721 + allow init_run_all_scripts_domain systemdunit:service { status start stop };
722 +
723 + allow systemprocess init_t:unix_dgram_socket sendto;
724 + allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
725 +
726 + allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
727 manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
728 manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
729 manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
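Review bot: `allow daemon init_t:unix_stream_socket { append write read getattr ioctl };` is entirely subsumed by `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }` added later in this file under the other ifdef(init_systemd) block (L979), so one of the two should go, and the survivor needs a comment explaining that these are sockets systemd creates and passes to the service, because on its face it reads as every daemon being allowed to talk on init's sockets. The `tcp_socket`/`udp_socket create_stream_socket_perms` grants on daemon types are the socket-activation case and deserve the same one-line comment, e.g. `# socket activation: init creates listening sockets labeled with the daemon's type`. Whether the systemd_socket_activated policy referenced at L744 already covers part of this is not visible here.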
730 @@ -269,6 +299,9 @@ ifdef(`init_systemd',`
731 # for network namespaces
732 fs_read_nsfs_files(init_t)
733
734 + # need write to /var/run/systemd/notify
735 + init_write_pid_socket(daemon)
736 +
737 # systemd_socket_activated policy
738 mls_socket_write_all_levels(init_t)
739
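Review bot: `init_write_pid_socket(daemon)` grants every daemon write on every init_var_run_t sock_file, and init.fc labels all of /run/systemd with that one type (L351), so this reaches far more than the sd_notify socket the comment names. If the notify socket is the only need, give it its own type with a file context for /run/systemd/notify and grant write on that; failing that, the comment should at least say that the private control socket and journal sockets share the label, e.g. `# sd_notify(): all sockets under /run/systemd share init_var_run_t, so this is broader than /run/systemd/notify`.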
740 @@ -355,6 +388,11 @@ optional_policy(`
741 ')
742
743 optional_policy(`
744 + udev_read_db(init_t)
745 + udev_relabelto_db(init_t)
746 +')
747 +
748 +optional_policy(`
749 unconfined_domain(init_t)
750 ')
751
752 @@ -403,11 +441,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
753 allow initrc_t initrc_var_run_t:file manage_file_perms;
754 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
755
756 +allow initrc_t daemon:process siginh;
757 +
758 can_exec(initrc_t, initrc_tmp_t)
759 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
760 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
761 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
762 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
763 +allow initrc_t initrc_tmp_t:dir relabelfrom;
764
765 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
766 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
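Review bot: `allow initrc_t initrc_tmp_t:dir relabelfrom;` has no matching relabelto, so it only does anything if some other rule lets initrc_t relabel to the destination type, and that destination is named nowhere; a reader cannot tell which relabel this enables. Either name it in a comment — `# scripts relabel /tmp dirs they created to <type> (verify)` — or express the pair through `relabel_dirs_pattern` or the owning module's interface so the grant is self-describing. `allow initrc_t daemon:process siginh;` in the same hunk would benefit from a similar one-liner.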
767 @@ -450,6 +491,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
768
769 dev_read_rand(initrc_t)
770 dev_read_urand(initrc_t)
771 +dev_dontaudit_read_kmsg(initrc_t)
772 dev_write_kmsg(initrc_t)
773 dev_write_rand(initrc_t)
774 dev_write_urand(initrc_t)
775 @@ -460,8 +502,10 @@ dev_write_framebuffer(initrc_t)
776 dev_read_realtime_clock(initrc_t)
777 dev_read_sound_mixer(initrc_t)
778 dev_write_sound_mixer(initrc_t)
779 +dev_setattr_generic_dirs(initrc_t)
780 dev_setattr_all_chr_files(initrc_t)
781 dev_rw_lvm_control(initrc_t)
782 +dev_rw_generic_chr_files(initrc_t)
783 dev_delete_lvm_control_dev(initrc_t)
784 dev_manage_generic_symlinks(initrc_t)
785 dev_manage_generic_files(initrc_t)
786 @@ -469,17 +513,16 @@ dev_manage_generic_files(initrc_t)
787 dev_delete_generic_symlinks(initrc_t)
788 dev_getattr_all_blk_files(initrc_t)
789 dev_getattr_all_chr_files(initrc_t)
790 -# Early devtmpfs
791 -dev_rw_generic_chr_files(initrc_t)
792 +dev_rw_xserver_misc(initrc_t)
793
794 domain_kill_all_domains(initrc_t)
795 domain_signal_all_domains(initrc_t)
796 domain_signull_all_domains(initrc_t)
797 domain_sigstop_all_domains(initrc_t)
798 +domain_sigstop_all_domains(initrc_t)
799 domain_sigchld_all_domains(initrc_t)
800 domain_read_all_domains_state(initrc_t)
801 domain_getattr_all_domains(initrc_t)
802 -domain_dontaudit_ptrace_all_domains(initrc_t)
803 domain_getsession_all_domains(initrc_t)
804 domain_use_interactive_fds(initrc_t)
805 # for lsof which is used by alsa shutdown:
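Review bot: `domain_sigstop_all_domains(initrc_t)` is added directly below an identical existing line, so the hunk introduces a duplicate rule; drop the added one. Removing `dev_rw_generic_chr_files(initrc_t)` here is only a move — the hunk above re-adds it at L789 — but the `# Early devtmpfs` justification was lost in transit and should travel with the call. Removing `domain_dontaudit_ptrace_all_domains(initrc_t)` means ptrace denials from init scripts will now be audited; if that is intended, a word in the commit message or a comment would make the change reviewable.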
806 @@ -487,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
807 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
808 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
809 domain_dontaudit_getattr_all_pipes(initrc_t)
810 +domain_obj_id_change_exemption(initrc_t)
811
812 files_getattr_all_dirs(initrc_t)
813 files_getattr_all_files(initrc_t)
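Review bot: `domain_obj_id_change_exemption(initrc_t)` exempts every init script from the constraint that stops a domain changing the SELinux user or role of files it relabels, a far larger relaxation than the dontaudit lines around it suggest; together with the relabel grants elsewhere in this commit it lets any script rewrite the identity of files it can touch. Add a comment naming the script and the file it needs to re-own, e.g. `# <script> chcons <path> to a different user/role (verify)`, or move the exemption to that script's own domain.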
814 @@ -494,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
815 files_getattr_all_pipes(initrc_t)
816 files_getattr_all_sockets(initrc_t)
817 files_purge_tmp(initrc_t)
818 -files_delete_all_locks(initrc_t)
819 +files_manage_all_locks(initrc_t)
820 +files_manage_boot_files(initrc_t)
821 files_read_all_pids(initrc_t)
822 +files_delete_root_files(initrc_t)
823 files_delete_all_pids(initrc_t)
824 files_delete_all_pid_dirs(initrc_t)
825 files_read_etc_files(initrc_t)
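Review bot: `files_manage_boot_files(initrc_t)` and `files_delete_root_files(initrc_t)` give every init script write/delete access to the kernel and initramfs under /boot and delete in the root directory, where previously boot files were only readable (the `files_read_boot_files(initrc_t)` later in the diff is merely moved); these are integrity-critical locations and no script is named. Each of the new lines, including `files_manage_all_locks` (up from delete), should carry a why-comment with the script that needs it, e.g. `# <script> regenerates initramfs at boot (verify)`. If it is a single script such as a bootloader or kexec hook, its own domain is the better fix than widening initrc_t.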
826 @@ -509,8 +555,12 @@ files_manage_generic_spool(initrc_t)
827 # cjp: not sure why these are here; should use mount policy
828 files_list_default(initrc_t)
829 files_mounton_default(initrc_t)
830 +files_manage_mnt_dirs(initrc_t)
831 +files_manage_mnt_files(initrc_t)
832
833 -fs_write_cgroup_files(initrc_t)
834 +fs_delete_cgroup_dirs(initrc_t)
835 +fs_list_cgroup_dirs(initrc_t)
836 +fs_rw_cgroup_files(initrc_t)
837 fs_list_inotifyfs(initrc_t)
838 fs_register_binary_executable_type(initrc_t)
839 # rhgb-console writes to ramfs
840 @@ -520,9 +570,13 @@ fs_mount_all_fs(initrc_t)
841 fs_unmount_all_fs(initrc_t)
842 fs_remount_all_fs(initrc_t)
843 fs_getattr_all_fs(initrc_t)
844 +fs_search_all(initrc_t)
845 +fs_getattr_nfsd_files(initrc_t)
846
847 # initrc_t needs to do a pidof which requires ptrace
848 mcs_ptrace_all(initrc_t)
849 +mcs_file_read_all(initrc_t)
850 +mcs_file_write_all(initrc_t)
851 mcs_killall(initrc_t)
852 mcs_process_set_categories(initrc_t)
853
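Review bot: `mcs_file_read_all(initrc_t)` and `mcs_file_write_all(initrc_t)` exempt init scripts from MCS category checks on files in both directions, so any script can read or write files of any category regardless of its own range; with the existing mcs_ptrace_all and mcs_killall this makes initrc_t a complete MCS-bypass domain. That may be acceptable for a boot-time domain, but it should be stated next to the rules (`# init scripts must handle files of every category during boot and shutdown`), and it is worth confirming that nothing user-reachable runs in initrc_t on MCS-enabled systems.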
854 @@ -532,6 +586,7 @@ mls_process_read_all_levels(initrc_t)
855 mls_process_write_all_levels(initrc_t)
856 mls_rangetrans_source(initrc_t)
857 mls_fd_share_all_levels(initrc_t)
858 +mls_socket_write_to_clearance(initrc_t)
859
860 selinux_get_enforce_mode(initrc_t)
861
862 @@ -550,6 +605,11 @@ auth_delete_pam_pid(initrc_t)
863 auth_delete_pam_console_data(initrc_t)
864 auth_use_nsswitch(initrc_t)
865
866 +init_get_system_status(initrc_t)
867 +init_stream_connect(initrc_t)
868 +init_start_all_units(initrc_t)
869 +init_stop_all_units(initrc_t)
870 +
871 libs_rw_ld_so_cache(initrc_t)
872 libs_exec_lib_files(initrc_t)
873 libs_exec_ld_so(initrc_t)
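Review bot: `init_start_all_units(initrc_t)` and `init_stop_all_units(initrc_t)` are added outside any ifdef(init_systemd) block even though they are systemd-only controls, and the systemd block later in this file also adds `allow initrc_t init_script_file_type:service { stop start status reload };` (L997), so the unit-control permissions are split across two places and partly duplicated. Move these four init_* calls into the `ifdef(`init_systemd'` block beside the service rules so a non-systemd build does not carry unit-control permissions it cannot use.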
874 @@ -563,7 +623,7 @@ logging_read_audit_config(initrc_t)
875
876 miscfiles_read_localization(initrc_t)
877 # slapd needs to read cert files from its initscript
878 -miscfiles_read_generic_certs(initrc_t)
879 +miscfiles_manage_generic_cert_files(initrc_t)
880
881 seutil_read_config(initrc_t)
882
883 @@ -571,7 +631,7 @@ userdom_read_user_home_content_files(initrc_t)
884 # Allow access to the sysadm TTYs. Note that this will give access to the
885 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
886 # started from init should be placed in their own domain.
887 -userdom_use_user_terminals(initrc_t)
888 +userdom_use_inherited_user_terminals(initrc_t)
889
890 ifdef(`distro_debian',`
891 kernel_getattr_core_if(initrc_t)
892 @@ -643,6 +703,10 @@ ifdef(`distro_gentoo',`
893 sysnet_setattr_config(initrc_t)
894
895 optional_policy(`
896 + abrt_manage_pid_files(initrc_t)
897 + ')
898 +
899 + optional_policy(`
900 alsa_read_lib(initrc_t)
901 ')
902
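Review bot: `abrt_manage_pid_files(initrc_t)` is added twice in this commit — here and again in the `ifdef(`distro_redhat'` block at L923 — and the conditional enclosing this occurrence begins outside the hunk; if this copy is inside distro_gentoo (the nearest visible ifdef header) it is in the wrong distro block for a Red Hat tool, and if it is in common code the second copy is redundant. Keep exactly one, in the distro block that ships abrt.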
903 @@ -663,7 +727,7 @@ ifdef(`distro_redhat',`
904
905 # Red Hat systems seem to have a stray
906 # fd open from the initrd
907 - kernel_dontaudit_use_fds(initrc_t)
908 + kernel_use_fds(initrc_t)
909 files_dontaudit_read_root_files(initrc_t)
910
911 # These seem to be from the initrd
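Review bot: Turning `kernel_dontaudit_use_fds` into `kernel_use_fds(initrc_t)` grants use of the inherited kernel fd instead of silencing the denial, but the comment above still describes that fd as a stray to be ignored; a grant and a dontaudit express opposite intent and the comment should say which one is true. Something like `# Red Hat initrd leaves an fd open that init scripts actually use (verify)` would make the change reviewable.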
912 @@ -707,8 +771,25 @@ ifdef(`distro_redhat',`
913 ')
914
915 optional_policy(`
916 + abrt_manage_pid_files(initrc_t)
917 + ')
918 +
919 + optional_policy(`
920 bind_manage_config_dirs(initrc_t)
921 bind_write_config(initrc_t)
922 + bind_setattr_zone_dirs(initrc_t)
923 + ')
924 +
925 + optional_policy(`
926 + devicekit_append_inherited_log_files(initrc_t)
927 + ')
928 +
929 + optional_policy(`
930 + gnome_manage_gconf_config(initrc_t)
931 + ')
932 +
933 + optional_policy(`
934 + pulseaudio_stream_connect(initrc_t)
935 ')
936
937 optional_policy(`
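Review bot: `gnome_manage_gconf_config(initrc_t)` lets any Red Hat init script write GConf configuration and `pulseaudio_stream_connect(initrc_t)` connects init scripts to the user sound daemon; neither names the script that needs it, and both look like leaked desktop-session permissions rather than boot-time needs. Add the script name in a comment on each, e.g. `# <script> writes gconf defaults at boot (verify)`, or move the permission to the domain that actually runs that script. `bind_setattr_zone_dirs` and the devicekit append line are plausible as written.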
938 @@ -716,6 +797,9 @@ ifdef(`distro_redhat',`
939 rpc_write_exports(initrc_t)
940 rpc_manage_nfs_state_data(initrc_t)
941 ')
942 + optional_policy(`
943 + rpcbind_stream_connect(initrc_t)
944 + ')
945
946 optional_policy(`
947 sysnet_rw_dhcp_config(initrc_t)
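Review bot: The new optional_policy block for `rpcbind_stream_connect(initrc_t)` is glued to the closing `')` of the rpc block above with no blank line, unlike every other optional_policy block in this file. Insert a blank line before `optional_policy(`` so the blocks stay visually separate.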
948 @@ -734,7 +818,32 @@ ifdef(`distro_suse',`
949 ')
950 ')
951
952 +ifdef(`enabled_mls',`
953 + optional_policy(`
954 + # allow init scripts to su
955 + su_restricted_domain_template(initrc, initrc_t, system_r)
956 + # Allow initrc_su_t, now defined, to transition to postgresql_t
957 + postgresql_domtrans(initrc_su_t)
958 + # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
959 + allow initrc_su_t initrc_devpts_t:chr_file { read write };
960 + ')
961 +')
962 +
963 ifdef(`init_systemd',`
964 + allow init_t self:system { status reboot halt reload };
965 +
966 + allow init_t self:unix_dgram_socket { create_socket_perms sendto };
967 + allow init_t self:process { setsockcreate setfscreate setrlimit };
968 + allow init_t self:process { getcap setcap };
969 + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
970 + allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
971 + # Until systemd is fixed
972 + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
973 + allow init_t self:udp_socket create_socket_perms;
974 + allow init_t self:netlink_route_socket create_netlink_socket_perms;
975 + allow init_t initrc_t:unix_dgram_socket create_socket_perms;
976 + allow initrc_t init_t:system { status reboot halt reload };
977 + allow init_t self:capability2 audit_read;
978 manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
979 files_lock_filetrans(initrc_t, initrc_lock_t, file)
980
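Review bot: `ifdef(`enabled_mls',` tests a macro the build never defines — the MLS switch is `enable_mls`, as this same commit uses at L487 — so the su/postgresql block is dead code that is never compiled; change it to `ifdef(`enable_mls',` and then expect it to require both `su_restricted_domain_template` and `postgresql_domtrans` to exist, since they share one optional_policy. In the systemd block below, `self:process { setsockcreate setfscreate setrlimit }`, `self:process { getcap setcap }`, `self:netlink_kobject_uevent_socket create_socket_perms` and `self:capability2 audit_read` all repeat rules already present in the earlier ifdef(init_systemd) block (L715–L717) and should be dropped here. `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }` with `# Until systemd is fixed` gives every daemon read/write/setopt on every socket init owns; it needs a reference to the systemd issue it is working around and, ideally, a narrower class list so it can be retired.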
981 @@ -746,11 +855,25 @@ ifdef(`init_systemd',`
982 files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
983
984 create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
985 + allow initrc_t systemd_unit_t:service reload;
986
987 manage_files_pattern(initrc_t, systemdunit, systemdunit)
988 manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
989 + allow initrc_t systemdunit:service reload;
990 + allow initrc_t init_script_file_type:service { stop start status reload };
991
992 kernel_dgram_send(initrc_t)
993 + kernel_list_unlabeled(init_t)
994 + kernel_read_network_state(init_t)
995 + kernel_rw_kernel_sysctl(init_t)
996 + kernel_rw_net_sysctls(init_t)
997 + kernel_read_all_sysctls(init_t)
998 + kernel_read_software_raid_state(init_t)
999 + kernel_unmount_debugfs(init_t)
1000 + kernel_setsched(init_t)
1001 +
1002 + auth_relabel_login_records(init_t)
1003 + auth_relabel_pam_console_data_dirs(init_t)
1004
1005 # run systemd misc initializations
1006 # in the initrc_t domain, as would be
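Review bot: The eight `kernel_*(init_t)` calls and two `auth_relabel_*(init_t)` calls are inserted into the initrc_t part of the systemd block — between `kernel_dgram_send(initrc_t)` and the comment about running systemd initializations in initrc_t — so a reader scanning the init_t section never sees them; move them up with the other init_t rules in the first ifdef(init_systemd) block to keep the file's subject-grouped layout. `allow initrc_t init_script_file_type:service { stop start status reload };` also overlaps `init_startstop_all_script_services` (edited by this commit at L509) and `allow init_run_all_scripts_domain systemdunit:service { status start stop }` at L728; calling the interface plus one `reload` rule avoids a third spelling of the same grant. `kernel_rw_kernel_sysctl(init_t)` and `kernel_rw_net_sysctls(init_t)` deserve a one-line why-comment if systemd-sysctl runs as its own service in this policy.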
1007 @@ -760,28 +883,83 @@ ifdef(`init_systemd',`
1008 corecmd_bin_domtrans(init_t, initrc_t)
1009 corecmd_shell_domtrans(init_t, initrc_t)
1010
1011 - files_read_boot_files(initrc_t)
1012 + dev_write_kmsg(init_t)
1013 + dev_write_urand(init_t)
1014 + dev_rw_lvm_control(init_t)
1015 + dev_rw_autofs(init_t)
1016 + dev_manage_generic_symlinks(init_t)
1017 + dev_manage_generic_dirs(init_t)
1018 + dev_manage_generic_files(init_t)
1019 + dev_manage_null_service(initrc_t)
1020 + dev_read_generic_chr_files(init_t)
1021 + dev_relabel_generic_dev_dirs(init_t)
1022 + dev_relabel_all_dev_nodes(init_t)
1023 + dev_relabel_all_dev_files(init_t)
1024 + dev_manage_sysfs_dirs(init_t)
1025 + dev_relabel_sysfs_dirs(init_t)
1026 + # systemd writes to /dev/watchdog on shutdown
1027 + dev_write_watchdog(init_t)
1028 +
1029 # Allow initrc_t to check /etc/fstab "service." It appears that
1030 # systemd is conflating files and services.
1031 + files_create_all_pid_pipes(init_t)
1032 + files_create_all_pid_sockets(init_t)
1033 + files_create_all_spool_sockets(init_t)
1034 + files_create_lock_dirs(init_t)
1035 + files_delete_all_pids(init_t)
1036 + files_delete_all_spool_sockets(init_t)
1037 + files_exec_generic_pid_files(init_t)
1038 files_get_etc_unit_status(initrc_t)
1039 + files_list_locks(init_t)
1040 + files_list_spool(init_t)
1041 + files_list_var(init_t)
1042 + files_manage_all_pid_dirs(init_t)
1043 + files_manage_generic_tmp_dirs(init_t)
1044 + files_manage_urandom_seed(init_t)
1045 + files_mounton_all_mountpoints(init_t)
1046 + files_read_boot_files(initrc_t)
1047 + files_relabel_all_lock_dirs(init_t)
1048 + files_relabel_all_pid_dirs(init_t)
1049 + files_relabel_all_pid_files(init_t)
1050 + files_search_all(init_t)
1051 files_setattr_pid_dirs(initrc_t)
1052 + files_unmount_all_file_type_fs(init_t)
1053
1054 - selinux_set_enforce_mode(initrc_t)
1055 + fs_getattr_all_fs(init_t)
1056 + fs_list_auto_mountpoints(init_t)
1057 + fs_manage_cgroup_dirs(init_t)
1058 + fs_manage_cgroup_files(init_t)
1059 + fs_manage_hugetlbfs_dirs(init_t)
1060 + fs_manage_tmpfs_dirs(init_t)
1061 + fs_mount_all_fs(init_t)
1062 + fs_remount_all_fs(init_t)
1063 + fs_unmount_all_fs(init_t)
1064 + fs_search_cgroup_dirs(daemon)
1065
1066 - init_stream_connect(initrc_t)
1067 + init_get_all_units_status(initrc_t)
1068 init_manage_var_lib_files(initrc_t)
1069 + init_read_script_state(init_t)
1070 init_rw_stream_sockets(initrc_t)
1071 - init_get_all_units_status(initrc_t)
1072 init_stop_all_units(initrc_t)
1073 + init_stream_connect(initrc_t)
1074
1075 # Create /etc/audit.rules.prev after firstboot remediation
1076 logging_manage_audit_config(initrc_t)
1077
1078 + selinux_compute_create_context(init_t)
1079 + selinux_set_enforce_mode(initrc_t)
1080 + selinux_unmount_fs(init_t)
1081 + selinux_validate_context(init_t)
1082 # lvm2-activation-generator checks file labels
1083 seutil_read_file_contexts(initrc_t)
1084 + seutil_read_file_contexts(init_t)
1085
1086 + storage_getattr_removable_dev(init_t)
1087 + systemd_manage_all_units(init_t)
1088 systemd_start_power_units(initrc_t)
1089
1090 + term_relabel_pty_dirs(init_t)
1091 +
1092 optional_policy(`
1093 # create /var/lock/lvm/
1094 lvm_create_lock_dirs(initrc_t)
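Review bot: The comment `# Allow initrc_t to check /etc/fstab "service." ...` now sits above seven new init_t rules and is separated from the `files_get_etc_unit_status(initrc_t)` line it describes, so the next reader will attach it to `files_create_all_pid_pipes(init_t)`; move the comment directly above the initrc_t line. Likewise `fs_search_cgroup_dirs(daemon)` is a rule for every daemon buried in the init_t block and belongs in the "Rules applied to all daemons" section this commit adds at the end of the file, with a note such as `# systemd places every service in its own cgroup`. `dev_manage_null_service(initrc_t)` is similarly the only initrc_t entry in an otherwise init_t dev_ block. The enclosing `ifdef(`init_systemd',` block starts outside the hunk.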
1095 @@ -800,6 +978,8 @@ optional_policy(`
1096 optional_policy(`
1097 apache_read_config(initrc_t)
1098 apache_list_modules(initrc_t)
1099 + # webmin seems to cause this.
1100 + apache_search_sys_content(daemon)
1101 ')
1102
1103 optional_policy(`
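Review bot: `apache_search_sys_content(daemon)` grants every domain carrying the daemon attribute search access to apache system content on the strength of `# webmin seems to cause this.`, which is a guess rather than a justification. If only webmin needs it, grant it to webmin's domain; if the access is merely noise, a dontaudit form is the lower-risk choice (an `apache_dontaudit_search_sys_content` interface, if one exists); at minimum the comment should record the concrete denial that was observed, e.g. `# webmin's init script lists /var/www on start (avc: search on httpd_sys_content_t) -- confirm`.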
1104 @@ -821,6 +1001,7 @@ optional_policy(`
1105
1106 optional_policy(`
1107 cgroup_stream_connect_cgred(initrc_t)
1108 + domain_setpriority_all_domains(initrc_t)
1109 ')
1110
1111 optional_policy(`
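Review bot: `domain_setpriority_all_domains(initrc_t)` is placed inside the optional_policy block holding `cgroup_stream_connect_cgred(initrc_t)`, so it is silently conditional on the cgroup module even though domain_ interfaces come from the kernel layer and are never optional. If the renice is needed by the cgconfig/cgred scripts, say so with `# cgred init script renices running daemons -- confirm` and keep it here; otherwise move it to the unconditional initrc_t section.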
1112 @@ -837,6 +1018,12 @@ optional_policy(`
1113 ')
1114
1115 optional_policy(`
1116 + cron_read_pipes(initrc_t)
1117 + # managing /etc/cron.d/mailman content
1118 + cron_manage_system_spool(initrc_t)
1119 +')
1120 +
1121 +optional_policy(`
1122 dev_getattr_printer_dev(initrc_t)
1123
1124 cups_read_log(initrc_t)
1125 @@ -853,9 +1040,13 @@ optional_policy(`
1126 dbus_connect_system_bus(initrc_t)
1127 dbus_system_bus_client(initrc_t)
1128 dbus_read_config(initrc_t)
1129 + dbus_manage_lib_files(initrc_t)
1130 +
1131 + init_dbus_chat(initrc_t)
1132
1133 optional_policy(`
1134 consolekit_dbus_chat(initrc_t)
1135 + consolekit_manage_log(initrc_t)
1136 ')
1137
1138 optional_policy(`
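Review bot: `dbus_manage_lib_files(initrc_t)`, `init_dbus_chat(initrc_t)` and `consolekit_manage_log(initrc_t)` are added without a comment naming the script that needs them; managing the dbus lib files in particular is write access to /var/lib/dbus, which presumably holds the machine-id. A one-line why-comment per rule, e.g. `# dbus init script (re)creates /var/lib/dbus/machine-id -- verify`, would match the `# Create /etc/audit.rules.prev after firstboot remediation` style used earlier in this file. The enclosing optional_policy block starts outside the hunk.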
1139 @@ -897,6 +1088,11 @@ optional_policy(`
1140 ')
1141
1142 optional_policy(`
1143 + modutils_read_module_config(initrc_t)
1144 + modutils_domtrans_insmod(initrc_t)
1145 +')
1146 +
1147 +optional_policy(`
1148 inn_exec_config(initrc_t)
1149 ')
1150
1151 @@ -937,6 +1133,7 @@ optional_policy(`
1152 lpd_list_spool(initrc_t)
1153
1154 lpd_read_config(initrc_t)
1155 + lpd_manage_spool(init_t)
1156 ')
1157
1158 optional_policy(`
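Review bot: `lpd_manage_spool(init_t)` is the only init_t rule in this optional_policy block; its siblings `lpd_list_spool(initrc_t)` and `lpd_read_config(initrc_t)` target initrc_t. If PID 1 really needs manage rights on the print spool (presumably systemd creating the spool directory before starting the daemon), that belongs in the `ifdef(`init_systemd',` section with a comment such as `# systemd creates the lpd spool dir at boot (RuntimeDirectory/tmpfiles) -- confirm`; if it is a slip for initrc_t, fix the domain.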
1159 @@ -960,6 +1157,7 @@ optional_policy(`
1160
1161 optional_policy(`
1162 mta_read_config(initrc_t)
1163 + mta_write_config(initrc_t)
1164 mta_dontaudit_read_spool_symlinks(initrc_t)
1165 ')
1166
1167 @@ -982,6 +1180,10 @@ optional_policy(`
1168 ')
1169
1170 optional_policy(`
1171 + plymouthd_stream_connect(initrc_t)
1172 +')
1173 +
1174 +optional_policy(`
1175 postgresql_manage_db(initrc_t)
1176 postgresql_read_config(initrc_t)
1177 ')
1178 @@ -1024,8 +1226,6 @@ optional_policy(`
1179 # bash tries ioctl for some reason
1180 files_dontaudit_ioctl_all_pids(initrc_t)
1181
1182 - # why is this needed:
1183 - rpm_manage_db(initrc_t)
1184 ')
1185
1186 optional_policy(`
1187 @@ -1044,15 +1244,6 @@ optional_policy(`
1188 ')
1189
1190 optional_policy(`
1191 - # allow init scripts to su
1192 - su_restricted_domain_template(initrc, initrc_t, system_r)
1193 - # Allow initrc_su_t, now defined, to transition to postgresql_t
1194 - postgresql_domtrans(initrc_su_t)
1195 - # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
1196 - allow initrc_su_t initrc_devpts_t:chr_file { read write };
1197 -')
1198 -
1199 -optional_policy(`
1200 ssh_dontaudit_read_server_keys(initrc_t)
1201 ssh_setattr_key_files(initrc_t)
1202 ')
1203 @@ -1066,7 +1257,6 @@ optional_policy(`
1204 ')
1205
1206 optional_policy(`
1207 - udev_rw_db(initrc_t)
1208 udev_manage_pid_files(initrc_t)
1209 udev_manage_pid_dirs(initrc_t)
1210 udev_manage_rules_files(initrc_t)
1211 @@ -1082,6 +1272,12 @@ optional_policy(`
1212 ')
1213
1214 optional_policy(`
1215 + domain_role_change_exemption(initrc_t)
1216 +
1217 + mcs_file_read_all(initrc_t)
1218 + mcs_file_write_all(initrc_t)
1219 + mcs_killall(initrc_t)
1220 +
1221 unconfined_domain(initrc_t)
1222
1223 ifdef(`distro_redhat',`
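Review bot: `domain_role_change_exemption(initrc_t)` and the three `mcs_*_all(initrc_t)` lines exempt initrc_t from MCS category separation and from role-change checks but carry no comment; because they sit in the same optional_policy block as `unconfined_domain(initrc_t)`, a reader cannot tell whether they duplicate what unconfined_domain already grants or are needed on top of it. Add one comment stating which, e.g. `# unconfined_domain() does not cover MCS; init scripts must read/write/kill across categories`, or drop them if they are already covered. The enclosing optional_policy block starts outside the hunk.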
1224 @@ -1092,6 +1288,15 @@ optional_policy(`
1225 optional_policy(`
1226 mono_domtrans(initrc_t)
1227 ')
1228 +
1229 + optional_policy(`
1230 + rtkit_scheduled(initrc_t)
1231 + ')
1232 +')
1233 +
1234 +optional_policy(`
1235 + rpm_read_db(initrc_t)
1236 + rpm_delete_db(initrc_t)
1237 ')
1238
1239 optional_policy(`
1240 @@ -1178,3 +1383,63 @@ ifdef(`distro_gentoo',`
1241 udev_pid_filetrans_rules(initrc_t, dir, "rules.d")
1242 ')
1243 ')
1244 +
1245 +########################################
1246 +#
1247 +# Rules applied to all daemons
1248 +#
1249 +
1250 +domain_dontaudit_use_interactive_fds(daemon)
1251 +
1252 +# daemons started from init will
1253 +# inherit fds from init for the console
1254 +term_dontaudit_use_console(daemon)
1255 +
1256 +init_dontaudit_use_fds(daemon)
1257 +# init script ptys are the stdin/out/err
1258 +# when using run_init
1259 +init_use_script_ptys(daemon)
1260 +
1261 +tunable_policy(`init_daemons_use_tty',`
1262 + term_use_unallocated_ttys(daemon)
1263 + term_use_generic_ptys(daemon)
1264 + term_use_all_ttys(daemon)
1265 + term_use_all_ptys(daemon)
1266 +',`
1267 + term_dontaudit_use_unallocated_ttys(daemon)
1268 + term_dontaudit_use_generic_ptys(daemon)
1269 + term_dontaudit_use_all_ttys(daemon)
1270 + term_dontaudit_use_all_ptys(daemon)
1271 + ')
1272 +
1273 +tunable_policy(`use_nfs_home_dirs',`
1274 + fs_dontaudit_rw_nfs_files(daemon)
1275 +')
1276 +
1277 +tunable_policy(`use_samba_home_dirs',`
1278 + fs_dontaudit_rw_cifs_files(daemon)
1279 +')
1280 +
1281 +optional_policy(`
1282 + unconfined_dontaudit_rw_pipes(daemon)
1283 + unconfined_dontaudit_rw_stream_sockets(daemon)
1284 +')
1285 +
1286 +optional_policy(`
1287 + userdom_dontaudit_rw_all_users_stream_sockets(daemon)
1288 + userdom_dontaudit_read_user_tmp_files(daemon)
1289 + userdom_dontaudit_write_user_tmp_files(daemon)
1290 +')
1291 +
1292 +########################################
1293 +#
1294 +# Rules applied to all system processes
1295 +#
1296 +
1297 +dontaudit systemprocess init_t:unix_stream_socket getattr;
1298 +
1299 +optional_policy(`
1300 + userdom_dontaudit_search_user_home_dirs(systemprocess)
1301 + userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
1302 + userdom_dontaudit_write_user_tmp_files(systemprocess)
1303 +')
1304
1305 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
1306 index 6258954a..b7098cd5 100644
1307 --- a/policy/modules/system/logging.fc
1308 +++ b/policy/modules/system/logging.fc
1309 @@ -8,8 +8,9 @@
1310
1311 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
1312 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
1313 -/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
1314 /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
1315 +/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
1316 +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
1317
1318 /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
1319 /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
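Review bot: The new spec `/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)` labels a binary that, as far as I recall, systemd dropped several releases before this change, so on current installs it matches nothing and is dead weight. If a supported distribution still ships it, a comment naming that distribution would justify keeping the line; otherwise remove it. The move of the systemd-journald line is cosmetic.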
1320 @@ -54,6 +55,8 @@ ifdef(`distro_redhat',`
1321 /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
1322 ')
1323
1324 +/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
1325 +
1326 /run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
1327 /run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
1328 /run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
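Review bot: The new spec uses `/var/run/systemd/journal/stdout` while the three adjacent audit entries use `/run/...`; on systems where /var/run is a symlink to /run a relabel will not reach the socket through this path, and the runtime object lives under /run. Write it as `/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)` to match the neighbouring lines.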
1329
1330 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
1331 index ba463497..102c4319 100644
1332 --- a/policy/modules/system/logging.if
1333 +++ b/policy/modules/system/logging.if
1334 @@ -841,6 +841,24 @@ interface(`logging_append_all_logs',`
1335
1336 ########################################
1337 ## <summary>
1338 +## Append to all log files.
1339 +## </summary>
1340 +## <param name="domain">
1341 +## <summary>
1342 +## Domain allowed access.
1343 +## </summary>
1344 +## </param>
1345 +#
1346 +interface(`logging_append_all_inherited_logs',`
1347 + gen_require(`
1348 + attribute logfile;
1349 + ')
1350 +
1351 + allow $1 logfile:file { getattr append ioctl lock };
1352 +')
1353 +
1354 +########################################
1355 +## <summary>
1356 ## Read all log files.
1357 ## </summary>
1358 ## <param name="domain">
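Review bot: The summary of `logging_append_all_inherited_logs` reads `## Append to all log files.`, identical to the summary of `logging_append_all_logs` directly above it, and so hides the one thing that distinguishes the two: the permission set `{ getattr append ioctl lock }` has no `open`, so the caller can only append to a log descriptor it inherited. Change the summary to `## Append to inherited log file descriptors (no open permission).` so the interfaces are not confused.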
1359
1360 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
1361 index 10d2fc9f..9a6c714a 100644
1362 --- a/policy/modules/system/logging.te
1363 +++ b/policy/modules/system/logging.te
1364 @@ -1,4 +1,4 @@
1365 -policy_module(logging, 1.25.2)
1366 +policy_module(logging, 1.25.3)
1367
1368 ########################################
1369 #
1370 @@ -396,6 +396,7 @@ allow syslogd_t syslog_conf_t:file read_file_perms;
1371 # Create and bind to /dev/log or /var/run/log.
1372 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
1373 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
1374 +init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
1375
1376 # create/append log files.
1377 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
1378 @@ -405,6 +406,9 @@ files_search_spool(syslogd_t)
1379 # Allow access for syslog-ng
1380 allow syslogd_t var_log_t:dir { create setattr };
1381
1382 +# for systemd but can not be conditional
1383 +files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
1384 +
1385 # manage temporary files
1386 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
1387 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
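Review bot: `files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")` makes /run/log a syslogd_tmp_t directory, but systemd.fc in this same commit labels `/var/run/log/journal(/.*)?` as systemd_journal_t and no transition from syslogd_tmp_t to systemd_journal_t for a `journal` subdirectory is visible, so a journald that creates /run/log/journal at boot would leave a syslogd_tmp_t tree until the next relabel. Unless that transition lives in a part of the commit I cannot see, add `filetrans_pattern(syslogd_t, syslogd_tmp_t, systemd_journal_t, dir, "journal")` next to this rule. The comment `# for systemd but can not be conditional` should also say why the rule cannot sit inside `ifdef(`init_systemd',`.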
1388 @@ -416,6 +420,7 @@ files_search_var_lib(syslogd_t)
1389 # manage pid file
1390 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
1391 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
1392 +allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
1393
1394 kernel_read_system_state(syslogd_t)
1395 kernel_read_network_state(syslogd_t)
1396 @@ -499,22 +504,41 @@ logging_send_syslog_msg(syslogd_t)
1397
1398 miscfiles_read_localization(syslogd_t)
1399
1400 +seutil_read_config(syslogd_t)
1401 +
1402 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
1403 userdom_dontaudit_search_user_home_dirs(syslogd_t)
1404
1405 ifdef(`init_systemd',`
1406 - # systemd-journald permissions
1407 -
1408 - allow syslogd_t self:capability { chown setgid setuid };
1409 + # for systemd-journal
1410 + allow syslogd_t self:netlink_audit_socket connected_socket_perms;
1411 + allow syslogd_t self:capability2 audit_read;
1412 + allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
1413 allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
1414 + allow syslogd_t init_var_run_t:file { read write create open };
1415 + allow syslogd_t var_run_t:dir create;
1416
1417 - kernel_use_fds(syslogd_t)
1418 kernel_getattr_dgram_sockets(syslogd_t)
1419 - kernel_rw_unix_dgram_sockets(syslogd_t)
1420 + kernel_read_ring_buffer(syslogd_t)
1421 kernel_rw_stream_sockets(syslogd_t)
1422 + kernel_rw_unix_dgram_sockets(syslogd_t)
1423 + kernel_use_fds(syslogd_t)
1424 +
1425 + dev_read_kmsg(syslogd_t)
1426 + dev_read_urand(syslogd_t)
1427 + dev_write_kmsg(syslogd_t)
1428
1429 + domain_read_all_domains_state(syslogd_t)
1430 +
1431 + init_create_pid_dirs(syslogd_t)
1432 init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
1433 + init_rename_pid_files(syslogd_t)
1434 + init_delete_pid_files(syslogd_t)
1435 init_dgram_send(syslogd_t)
1436 + init_read_pid_pipes(syslogd_t)
1437 + init_read_state(syslogd_t)
1438 +
1439 + systemd_manage_journal_files(syslogd_t)
1440
1441 udev_read_pid_files(syslogd_t)
1442 ')
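Review bot: `allow syslogd_t self:capability { chown setgid setuid sys_ptrace };` adds sys_ptrace, together with `domain_read_all_domains_state(syslogd_t)`, under only the generic `# for systemd-journal`; sys_ptrace is a strong capability and deserves its own line stating the trigger, e.g. `# sys_ptrace: journald reads /proc/<pid>/ of the logging process for its metadata fields -- confirm`. In the same hunk `allow syslogd_t self:netlink_audit_socket connected_socket_perms;` is followed two lines later by the pre-existing `allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };`, a subset of connected_socket_perms that can now be deleted. The raw `allow syslogd_t init_var_run_t:file { read write create open };` and `allow syslogd_t var_run_t:dir create;` reference other modules' types directly instead of going through init_/files_ interfaces, unlike every other line in the block.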
1443
1444 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
1445 index 5774034f..88fa9442 100644
1446 --- a/policy/modules/system/lvm.if
1447 +++ b/policy/modules/system/lvm.if
1448 @@ -125,6 +125,24 @@ interface(`lvm_create_lock_dirs',`
1449 files_add_entry_lock_dirs($1)
1450 ')
1451
1452 +########################################
1453 +## <summary>
1454 +## Read and write a lvm unnamed pipe.
1455 +## </summary>
1456 +## <param name="domain">
1457 +## <summary>
1458 +## Domain allowed access.
1459 +## </summary>
1460 +## </param>
1461 +#
1462 +interface(`lvm_rw_inherited_pid_pipes',`
1463 + gen_require(`
1464 + type lvm_var_run_t;
1465 + ')
1466 +
1467 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
1468 +')
1469 +
1470 ######################################
1471 ## <summary>
1472 ## Execute a domain transition to run clvmd.
1473
1474 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
1475 index 58e03ff2..f8fed91d 100644
1476 --- a/policy/modules/system/lvm.te
1477 +++ b/policy/modules/system/lvm.te
1478 @@ -1,4 +1,4 @@
1479 -policy_module(lvm, 1.19.2)
1480 +policy_module(lvm, 1.19.3)
1481
1482 ########################################
1483 #
1484
1485 diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
1486 index 85a29e3d..ec4d8dc0 100644
1487 --- a/policy/modules/system/miscfiles.te
1488 +++ b/policy/modules/system/miscfiles.te
1489 @@ -1,4 +1,4 @@
1490 -policy_module(miscfiles, 1.12.0)
1491 +policy_module(miscfiles, 1.12.1)
1492
1493 ########################################
1494 #
1495 @@ -41,6 +41,10 @@ files_type(locale_t)
1496 type man_t alias catman_t;
1497 files_type(man_t)
1498
1499 +optional_policy(`
1500 + systemd_tmpfilesd_managed(man_t, dir)
1501 +')
1502 +
1503 type man_cache_t;
1504 files_type(man_cache_t)
1505
1506
1507 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
1508 index 6eb0a5a3..2264336d 100644
1509 --- a/policy/modules/system/systemd.fc
1510 +++ b/policy/modules/system/systemd.fc
1511 @@ -7,6 +7,7 @@
1512 /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
1513 /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
1514 /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
1515 +/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
1516
1517 /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
1518 /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
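Review bot: The new `/usr/bin/systemd-notify` spec is appended after `systemd-tty-ask-password-agent`, breaking the alphabetical order the surrounding lines keep (stdio-bridge, tmpfiles, tty-ask-password-agent); place it before the `systemd-stdio-bridge` line. Ordering does not affect matching, so this is style only.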
1519 @@ -32,15 +33,21 @@
1520 /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
1521
1522 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
1523 +/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
1524 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
1525
1526 /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
1527 /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
1528
1529 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
1530 -/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1531 -/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1532 +/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
1533 +/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
1534 /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
1535 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1536 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1537 +/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
1538 +/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
1539 /run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
1540 +
1541 +/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
1542 +/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
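Review bot: `/var/run/log/journal(/.*)?` is the only `/var/run/` path in this file; every other runtime spec here uses `/run/`, and with /var/run a symlink to /run a relabel will not reach the journal through this path. Write it as `/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)`. Separately, retyping `/run/systemd/seats` and `/run/systemd/sessions` from systemd_logind_var_run_t to systemd_sessions_var_run_t changes what systemd_logind_t must be allowed to manage; I cannot see matching allow rules for logind on systemd_sessions_var_run_t in this diff, so they should be confirmed to exist elsewhere in the commit.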
1543
1544 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
1545 index b07d2c5b..69ee084f 100644
1546 --- a/policy/modules/system/systemd.if
1547 +++ b/policy/modules/system/systemd.if
1548 @@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
1549 ')
1550
1551 files_search_pids($1)
1552 - read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
1553 + allow $1 systemd_logind_var_run_t:dir list_dir_perms;
1554 + allow $1 systemd_logind_var_run_t:file read_file_perms;
1555 ')
1556
1557 ######################################
1558 @@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
1559 allow $1 systemd_logind_t:fd use;
1560 ')
1561
1562 +######################################
1563 +## <summary>
1564 +## Write inherited logind sessions pipes.
1565 +## </summary>
1566 +## <param name="domain">
1567 +## <summary>
1568 +## Domain allowed access.
1569 +## </summary>
1570 +## </param>
1571 +#
1572 +interface(`systemd_write_inherited_logind_sessions_pipes',`
1573 + gen_require(`
1574 + type systemd_logind_t, systemd_sessions_var_run_t;
1575 + ')
1576 +
1577 + allow $1 systemd_logind_t:fd use;
1578 + allow $1 systemd_sessions_var_run_t:fifo_file write;
1579 + allow systemd_logind_t $1:process signal;
1580 +')
1581 +
1582 ########################################
1583 ## <summary>
1584 ## Send and receive messages from
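Review bot: `systemd_write_inherited_logind_sessions_pipes` also contains `allow systemd_logind_t $1:process signal;`, letting logind signal the caller, which appears in neither the interface name nor the summary `## Write inherited logind sessions pipes.`; a caller asking for write on a pipe does not expect to become signalable. Either document it by adding to the summary `## systemd_logind_t is also allowed to send signals to the domain.`, or split the signal grant into its own interface.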
1585 @@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
1586 write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
1587 ')
1588
1589 +#######################################
1590 +## <summary>
1591 +## Allow systemd_tmpfiles_t to manage filesystem objects
1592 +## </summary>
1593 +## <param name="type">
1594 +## <summary>
1595 +## type of object to manage
1596 +## </summary>
1597 +## </param>
1598 +## <param name="class">
1599 +## <summary>
1600 +## object class to manage
1601 +## </summary>
1602 +## </param>
1603 +#
1604 +interface(`systemd_tmpfilesd_managed',`
1605 + gen_require(`
1606 + type systemd_tmpfiles_t;
1607 + ')
1608 +
1609 + allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
1610 +')
1611 +
1612 ########################################
1613 ## <summary>
1614 ## Allow process to relabel to systemd_kmod_conf_t.
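Review bot: `systemd_tmpfilesd_managed` is summarised as `## Allow systemd_tmpfiles_t to manage filesystem objects`, but the rule grants only `{ setattr relabelfrom relabelto create }` on `$1:$2`, with no read, write, unlink or rmdir, so "manage" in the refpolicy sense is wrong. Say what it does, e.g. `## Allow systemd_tmpfiles_t to create, setattr and relabel objects of the given type and class.`. The name says `tmpfilesd` while the domain is `systemd_tmpfiles_t` and the existing `systemd_tmpfiles_manage_all` tunable uses the domain's spelling, so `systemd_tmpfiles_managed` would be consistent.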
1615 @@ -137,6 +181,82 @@ interface(`systemd_relabelto_kmod_files',`
1616
1617 ########################################
1618 ## <summary>
1619 +## allow systemd_passwd_agent to inherit fds
1620 +## </summary>
1621 +## <param name="domain">
1622 +## <summary>
1623 +## Domain that owns the fds
1624 +## </summary>
1625 +## </param>
1626 +#
1627 +interface(`systemd_use_passwd_agent_fds',`
1628 + gen_require(`
1629 + type systemd_passwd_agent_t;
1630 + ')
1631 +
1632 + allow systemd_passwd_agent_t $1:fd use;
1633 +')
1634 +
1635 +########################################
1636 +## <summary>
1637 +## Transition to systemd_passwd_var_run_t when creating dirs
1638 +## </summary>
1639 +## <param name="domain">
1640 +## <summary>
1641 +## Domain allowed access.
1642 +## </summary>
1643 +## </param>
1644 +#
1645 +interface(`systemd_filetrans_passwd_runtime_dirs',`
1646 + gen_require(`
1647 + type systemd_passwd_var_run_t;
1648 + ')
1649 +
1650 + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
1651 + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
1652 +')
1653 +
1654 +########################################
1655 +## <summary>
1656 +## manage systemd unit dirs and the files in them
1657 +## </summary>
1658 +## <param name="domain">
1659 +## <summary>
1660 +## Domain allowed access.
1661 +## </summary>
1662 +## </param>
1663 +#
1664 +interface(`systemd_manage_all_units',`
1665 + gen_require(`
1666 + attribute systemdunit;
1667 + ')
1668 +
1669 + manage_dirs_pattern($1, systemdunit, systemdunit)
1670 + manage_files_pattern($1, systemdunit, systemdunit)
1671 + manage_lnk_files_pattern($1, systemdunit, systemdunit)
1672 +')
1673 +
1674 +########################################
1675 +## <summary>
1676 +## Allow domain to create/manage systemd_journal_t files
1677 +## </summary>
1678 +## <param name="domain">
1679 +## <summary>
1680 +## Domain allowed access.
1681 +## </summary>
1682 +## </param>
1683 +#
1684 +interface(`systemd_manage_journal_files',`
1685 + gen_require(`
1686 + type systemd_logind_t;
1687 + ')
1688 +
1689 + manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
1690 + manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
1691 +')
1692 +
1693 +########################################
1694 +## <summary>
1695 ## Allow systemd_logind_t to read process state for cgroup file
1696 ## </summary>
1697 ## <param name="domain">
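Review bot: `systemd_manage_journal_files` requires `type systemd_logind_t;` but never uses it, and uses `systemd_journal_t`, which it does not require; a module that calls this interface in a modular build should fail to compile with an undeclared type, and the monolithic build only hides it because the type happens to be defined in the same policy. Change the gen_require to `type systemd_journal_t;`. The interface is called from logging.te in this commit (`systemd_manage_journal_files(syslogd_t)`), so the fix is not cosmetic.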
1698
1699 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
1700 index 904c777a..19e6947a 100644
1701 --- a/policy/modules/system/systemd.te
1702 +++ b/policy/modules/system/systemd.te
1703 @@ -1,4 +1,4 @@
1704 -policy_module(systemd, 1.3.5)
1705 +policy_module(systemd, 1.3.6)
1706
1707 #########################################
1708 #
1709 @@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
1710 ## </desc>
1711 gen_tunable(systemd_tmpfiles_manage_all, false)
1712
1713 +## <desc>
1714 +## <p>
1715 +## Allow systemd-nspawn to create a labelled namespace with the same types
1716 +## as parent environment
1717 +## </p>
1718 +## </desc>
1719 +gen_tunable(systemd_nspawn_labeled_namespace, false)
1720 +
1721 attribute systemd_log_parse_env_type;
1722
1723 type systemd_activate_t;
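Review bot: `gen_tunable(systemd_nspawn_labeled_namespace, false)` is declared, but no `tunable_policy(`systemd_nspawn_labeled_namespace',` block appears anywhere in the diff, so as far as this commit shows the boolean toggles nothing and will mislead administrators who set it. Either add the rules it is meant to gate in the new nspawn section, or hold the declaration until they exist; it may be referenced in a part of the commit I cannot see.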
1724 @@ -57,6 +65,9 @@ type systemd_coredump_t;
1725 type systemd_coredump_exec_t;
1726 init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
1727
1728 +type systemd_coredump_var_lib_t;
1729 +files_type(systemd_coredump_var_lib_t)
1730 +
1731 type systemd_detect_virt_t;
1732 type systemd_detect_virt_exec_t;
1733 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
1734 @@ -65,6 +76,10 @@ type systemd_hostnamed_t;
1735 type systemd_hostnamed_exec_t;
1736 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
1737
1738 +type systemd_journal_t;
1739 +files_type(systemd_journal_t)
1740 +logging_log_file(systemd_journal_t)
1741 +
1742 type systemd_locale_t;
1743 type systemd_locale_exec_t;
1744 init_system_domain(systemd_locale_t, systemd_locale_exec_t)
1745 @@ -85,10 +100,21 @@ type systemd_machined_t;
1746 type systemd_machined_exec_t;
1747 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
1748
1749 +type systemd_machined_var_run_t;
1750 +files_pid_file(systemd_machined_var_run_t)
1751 +init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
1752 +
1753 +type systemd_notify_t;
1754 +type systemd_notify_exec_t;
1755 +init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
1756 +
1757 type systemd_nspawn_t;
1758 type systemd_nspawn_exec_t;
1759 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
1760
1761 +type systemd_nspawn_var_run_t;
1762 +files_pid_file(systemd_nspawn_var_run_t)
1763 +
1764 type systemd_resolved_t;
1765 type systemd_resolved_exec_t;
1766 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
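Review bot: `init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)` declares a domain for /usr/bin/systemd-notify, a short-lived client run by services to talk to PID 1 rather than a daemon started by init, and no local policy section for systemd_notify_t appears in this diff, so a process entering it would have nothing beyond the base domain rules. Consider `init_system_domain` (as used for the other helpers here) or an application domain with a domtrans for its callers, plus a "Notify local policy" section granting access to the notify socket. The missing rules may be in a part of the commit I cannot see.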
1767 @@ -108,6 +134,9 @@ type systemd_passwd_agent_t;
1768 type systemd_passwd_agent_exec_t;
1769 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
1770
1771 +type systemd_passwd_var_run_t;
1772 +files_pid_file(systemd_passwd_var_run_t)
1773 +
1774 type systemd_sessions_t;
1775 type systemd_sessions_exec_t;
1776 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
1777 @@ -152,6 +181,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
1778 # Backlight local policy
1779 #
1780
1781 +allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
1782 +
1783 allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
1784 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
1785 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
1786 @@ -161,8 +192,10 @@ systemd_log_parse_environment(systemd_backlight_t)
1787 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
1788 dev_rw_sysfs(systemd_backlight_t)
1789
1790 +# for udev.conf
1791 files_read_etc_files(systemd_backlight_t)
1792
1793 +# for /run/udev/data/+backlight*
1794 udev_read_pid_files(systemd_backlight_t)
1795
1796 #######################################
1797 @@ -292,6 +325,14 @@ optional_policy(`
1798 dbus_connect_system_bus(systemd_logind_t)
1799 ')
1800
1801 +########################################
1802 +#
1803 +# Nspawn local policy
1804 +#
1805 +
1806 +init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
1807 +
1808 +
1809 #########################################
1810 #
1811 # Resolved local policy
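Review bot: The new "Nspawn local policy" section holds only `init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)`; a type transition does nothing unless systemd_nspawn_t can also create directories of that type, and no `manage_dirs_pattern(systemd_nspawn_t, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t)` or similar is visible in the diff. If it is not elsewhere in the commit, add it next to the filetrans, and name the directory, `init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir, "nspawn")`, to match the `/run/systemd/nspawn(/.*)?` spec in systemd.fc. The double blank line before the Resolved header is a minor style nit.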
1812 @@ -308,7 +349,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
1813
1814 kernel_read_crypto_sysctls(systemd_resolved_t)
1815 kernel_read_kernel_sysctls(systemd_resolved_t)
1816 -kernel_read_system_state(systemd_resolved_t)
1817
1818 corenet_tcp_bind_generic_node(systemd_resolved_t)
1819 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
1820 @@ -343,6 +383,11 @@ systemd_log_parse_environment(systemd_sessions_t)
1821 allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
1822 allow systemd_tmpfiles_t self:process { setfscreate getcap };
1823
1824 +manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
1825 +manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
1826 +allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
1827 +allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
1828 +
1829 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
1830
1831 dev_relabel_all_sysfs(systemd_tmpfiles_t)
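Review bot: The two raw `allow systemd_tmpfiles_t systemd_journal_t:{dir,file} { relabelfrom relabelto };` rules spell out by hand what the patterns the surrounding block already uses provide: `relabel_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)` and `relabel_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)`. The four rules are unconditional although this module has a `systemd_tmpfiles_manage_all` tunable; a comment such as `# /var/log/journal is always listed in tmpfiles.d/systemd.conf, so not gated by the tunable` would tell the reader why.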
1832
1833 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
1834 index d4c92ccb..847b65bf 100644
1835 --- a/policy/modules/system/udev.if
1836 +++ b/policy/modules/system/udev.if
1837 @@ -315,6 +315,26 @@ interface(`udev_pid_filetrans_db',`
1838
1839 ########################################
1840 ## <summary>
1841 +## Allow process to relabelto udev database
1842 +## </summary>
1843 +## <param name="domain">
1844 +## <summary>
1845 +## Domain allowed access.
1846 +## </summary>
1847 +## </param>
1848 +#
1849 +interface(`udev_relabelto_db',`
1850 + gen_require(`
1851 + type udev_var_run_t;
1852 + ')
1853 +
1854 + files_search_pids($1)
1855 + allow $1 udev_var_run_t:file relabelto_file_perms;
1856 + allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
1857 +')
1858 +
1859 +########################################
1860 +## <summary>
1861 ## Search through udev pid content
1862 ## </summary>
1863 ## <param name="domain">
1864
1865 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
1866 index d6034f30..08057d3d 100644
1867 --- a/policy/modules/system/udev.te
1868 +++ b/policy/modules/system/udev.te
1869 @@ -1,4 +1,4 @@
1870 -policy_module(udev, 1.21.2)
1871 +policy_module(udev, 1.21.3)
1872
1873 ########################################
1874 #
1875
1876 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
1877 index 3bf66058..3f7f66a7 100644
1878 --- a/policy/modules/system/unconfined.if
1879 +++ b/policy/modules/system/unconfined.if
1880 @@ -483,6 +483,25 @@ interface(`unconfined_stream_connect',`
1881
1882 ########################################
1883 ## <summary>
1884 +## Do not audit attempts to read and write
1885 +## unconfined domain stream.
1886 +## </summary>
1887 +## <param name="domain">
1888 +## <summary>
1889 +## Domain to not audit.
1890 +## </summary>
1891 +## </param>
1892 +#
1893 +interface(`unconfined_dontaudit_rw_stream_sockets',`
1894 + gen_require(`
1895 + type unconfined_t;
1896 + ')
1897 +
1898 + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
1899 +')
1900 +
1901 +########################################
1902 +## <summary>
1903 ## Do not audit attempts to read or write
1904 ## unconfined domain tcp sockets.
1905 ## </summary>
1906
1907 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
1908 index dc319d53..c1d4df8e 100644
1909 --- a/policy/modules/system/unconfined.te
1910 +++ b/policy/modules/system/unconfined.te
1911 @@ -1,4 +1,4 @@
1912 -policy_module(unconfined, 3.9.0)
1913 +policy_module(unconfined, 3.9.1)
1914
1915 ########################################
1916 #
1917
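--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1137,6 +1137,10 @@ template(`userdom_unpriv_user_template', `
 optional_policy(`
 setroubleshoot_stream_connect($1_t)
 ')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1_t)
+ ')
 ')
 
 #######################################
@@ -3276,6 +3280,35 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
+## Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write inherited user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ## Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
@@ -3718,6 +3751,25 @@ interface(`userdom_write_user_tmp_files',`
 
 ########################################
 ## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
@@ -4085,3 +4137,22 @@ interface(`userdom_relabel_user_certs',`
 relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
 relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
 ')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_all_users_stream_sockets',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')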
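Review bot: The summary of `userdom_dontaudit_rw_all_users_stream_sockets` in the last hunk carries a typo and an unfinished object name, `## unserdomain stream.`; it should read `## user domain stream sockets.` so the generated interface documentation names the object class a policy author will search for. The summary of `userdom_use_inherited_user_terminals` in the second hunk has a similar slip, `## Read and write a inherited user TTYs and PTYs.` → `## Read and write inherited user TTYs and PTYs.`. That interface's <desc> would also benefit from one sentence on how it differs from `userdom_use_user_terminals`: if `rw_inherited_term_perms` follows the other inherited permission sets and omits `open`, the domain can only use a terminal descriptor handed to it, not open the user's TTY or PTY on its own, and that distinction is the reason the new interface exists.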
2018
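--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.1)
+policy_module(userdomain, 4.13.2)
 
 ########################################
 #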