
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Sun, 07 Feb 2021 03:20:51
Message-Id: 1612646109.e3ac68ac44916a79cd8c09711c4e689533834275.perfinion@gentoo
1 commit: e3ac68ac44916a79cd8c09711c4e689533834275
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Tue Feb 2 18:50:45 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 6 21:15:09 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3ac68ac
7
8 systemd: Move lines.
9
10 Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 policy/modules/system/systemd.if | 1 +
14 policy/modules/system/systemd.te | 17 +++++++++--------
15 2 files changed, 10 insertions(+), 8 deletions(-)
16
17 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
18 index 642d58e2..d7d0eb3d 100644
19 --- a/policy/modules/system/systemd.if
20 +++ b/policy/modules/system/systemd.if
21 @@ -78,6 +78,7 @@ template(`systemd_role_template',`
22 dbus_system_bus_client($1_systemd_t)
23
24 selinux_use_status_page($1_systemd_t)
25 +
26 seutil_read_file_contexts($1_systemd_t)
27 seutil_search_default_contexts($1_systemd_t)
28 ')
29
30 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
31 index 39c37ac1..9ef509dc 100644
32 --- a/policy/modules/system/systemd.te
33 +++ b/policy/modules/system/systemd.te
34 @@ -151,13 +151,13 @@ type systemd_machined_t;
35 type systemd_machined_exec_t;
36 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
37
38 +type systemd_machined_devpts_t;
39 +term_login_pty(systemd_machined_devpts_t)
40 +
41 type systemd_machined_runtime_t alias systemd_machined_var_run_t;
42 files_runtime_file(systemd_machined_runtime_t)
43 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
44
45 -type systemd_machined_devpts_t;
46 -term_login_pty(systemd_machined_devpts_t)
47 -
48 type systemd_modules_load_t;
49 type systemd_modules_load_exec_t;
50 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
51 @@ -562,9 +562,6 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
52 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
53 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
54
55 -# for /run/systemd/userdb/io.systemd.Machine
56 -allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
57 -
58 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
59 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
60 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
61 @@ -574,6 +571,9 @@ manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd
62 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
63 init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")
64
65 +# for /run/systemd/userdb/io.systemd.Machine
66 +allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
67 +
68 allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
69 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
70 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
71 @@ -730,6 +730,9 @@ allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
72 allow systemd_machined_t self:process setfscreate;
73 allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
74
75 +term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
76 +allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
77 +
78 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
79 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
80
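Review bot: The relocated rule `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` pairs the chr_file class with the file permission-set macro; refpolicy provides `manage_chr_file_perms` for character devices, and using it keeps the class/macro pairing consistent with the rest of the policy even though the expanded permission set is identical today. Consider `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perms;`. This line is moved rather than newly introduced by the commit, so it can equally be left for a follow-up cleanup.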
81 @@ -761,8 +764,6 @@ logging_send_syslog_msg(systemd_machined_t)
82
83 seutil_search_default_contexts(systemd_machined_t)
84
85 -term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
86 -allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
87 term_getattr_pty_fs(systemd_machined_t)
88
89 optional_policy(`