commit: e3ac68ac44916a79cd8c09711c4e689533834275 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Tue Feb 2 18:50:45 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 6 21:15:09 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3ac68ac |
|
systemd: Move lines. |
|
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/system/systemd.if | 1 + |
policy/modules/system/systemd.te | 17 +++++++++-------- |
2 files changed, 10 insertions(+), 8 deletions(-) |
|
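--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -78,6 +78,7 @@ template(`systemd_role_template',`
 dbus_system_bus_client($1_systemd_t)
 
 selinux_use_status_page($1_systemd_t)
+
 seutil_read_file_contexts($1_systemd_t)
 seutil_search_default_contexts($1_systemd_t)
 ')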
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
31 |
index 39c37ac1..9ef509dc 100644 |
32 |
--- a/policy/modules/system/systemd.te |
33 |
+++ b/policy/modules/system/systemd.te |
34 |
@@ -151,13 +151,13 @@ type systemd_machined_t; |
35 |
type systemd_machined_exec_t; |
36 |
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t) |
37 |
|
38 |
+type systemd_machined_devpts_t; |
39 |
+term_login_pty(systemd_machined_devpts_t) |
40 |
+ |
41 |
type systemd_machined_runtime_t alias systemd_machined_var_run_t; |
42 |
files_runtime_file(systemd_machined_runtime_t) |
43 |
init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines") |
44 |
|
45 |
-type systemd_machined_devpts_t; |
46 |
-term_login_pty(systemd_machined_devpts_t) |
47 |
- |
48 |
type systemd_modules_load_t; |
49 |
type systemd_modules_load_exec_t; |
50 |
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t) |
51 |
@@ -562,9 +562,6 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms; |
52 |
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms; |
53 |
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) |
54 |
|
55 |
-# for /run/systemd/userdb/io.systemd.Machine |
56 |
-allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto; |
57 |
- |
58 |
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) |
59 |
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) |
60 |
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms; |
61 |
@@ -574,6 +571,9 @@ manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd |
62 |
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t) |
63 |
init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit") |
64 |
|
65 |
+# for /run/systemd/userdb/io.systemd.Machine |
66 |
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto; |
67 |
+ |
68 |
allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms; |
69 |
allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms; |
70 |
allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms; |
71 |
@@ -730,6 +730,9 @@ allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace }; |
72 |
allow systemd_machined_t self:process setfscreate; |
73 |
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect }; |
74 |
|
75 |
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t) |
76 |
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms; |
77 |
+ |
78 |
manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t) |
79 |
allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms; |
80 |
|
81 |
@@ -761,8 +764,6 @@ logging_send_syslog_msg(systemd_machined_t) |
82 |
|
83 |
seutil_search_default_contexts(systemd_machined_t) |
84 |
|
85 |
-term_create_pty(systemd_machined_t, systemd_machined_devpts_t) |
86 |
-allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms; |
87 |
term_getattr_pty_fs(systemd_machined_t) |
88 |
|
89 |
optional_policy(` |