| 1 |
commit: be5ad6588778385c9353e1b6ca9fcc5f4b149148 |
| 2 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
| 3 |
AuthorDate: Fri Feb 24 06:22:42 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Feb 25 16:43:11 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=be5ad658 |
| 7 |
|
| 8 |
new init interfaces for systemd |
| 9 |
|
| 10 |
These are needed by several patches I'm about to send. |
| 11 |
|
| 12 |
Description: some new interfaces for init/systemd |
| 13 |
Author: Russell Coker <russell <AT> coker.com.au> |
| 14 |
Last-Update: 2017-02-24 |
| 15 |
|
| 16 |
policy/modules/system/init.if | 36 ++++++++++++++++++++++++++++++++++++ |
| 17 |
1 file changed, 36 insertions(+) |
| 18 |
|
| 19 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
| 20 |
index 162ce266..2230df01 100644 |
| 21 |
--- a/policy/modules/system/init.if |
| 22 |
+++ b/policy/modules/system/init.if |
| 23 |
@@ -1135,6 +1135,24 @@ interface(`init_var_lib_filetrans',` |
| 24 |
filetrans_pattern($1, init_var_lib_t, $2, $3, $4) |
| 25 |
') |
| 26 |
|
| 27 |
+###################################### |
| 28 |
+## <summary> |
| 29 |
+## Allow search directory in the /run/systemd directory. |
| 30 |
+## </summary> |
| 31 |
+## <param name="domain"> |
| 32 |
+## <summary> |
| 33 |
+## Domain allowed access. |
| 34 |
+## </summary> |
| 35 |
+## </param> |
| 36 |
+# |
| 37 |
+interface(`init_search_pid_dirs',` |
| 38 |
+ gen_require(` |
| 39 |
+ type init_var_run_t; |
| 40 |
+ ') |
| 41 |
+ |
| 42 |
+ allow $1 init_var_run_t:dir search_dir_perms; |
| 43 |
+') |
| 44 |
+ |
| 45 |
######################################## |
| 46 |
## <summary> |
| 47 |
## Create files in an init PID directory. |
| 48 |
@@ -2271,6 +2289,24 @@ interface(`init_rw_script_tmp_files',` |
| 49 |
|
| 50 |
######################################## |
| 51 |
## <summary> |
| 52 |
+## Read and write init script inherited temporary data. |
| 53 |
+## </summary> |
| 54 |
+## <param name="domain"> |
| 55 |
+## <summary> |
| 56 |
+## Domain allowed access. |
| 57 |
+## </summary> |
| 58 |
+## </param> |
| 59 |
+# |
| 60 |
+interface(`init_rw_inherited_script_tmp_files',` |
| 61 |
+ gen_require(` |
| 62 |
+ type initrc_tmp_t; |
| 63 |
+ ') |
| 64 |
+ |
| 65 |
+ allow $1 initrc_tmp_t:file rw_inherited_file_perms; |
| 66 |
+') |
| 67 |
+ |
| 68 |
+######################################## |
| 69 |
+## <summary> |
| 70 |
## Create files in a init script |
| 71 |
## temporary data directory. |
| 72 |
## </summary> |
Archives