
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Sun, 29 Oct 2017 20:43:02
Message-Id: 1509281948.ef14bcd0189098ada222dd638183eb44073de691.perfinion@gentoo
1 commit: ef14bcd0189098ada222dd638183eb44073de691
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Thu Oct 12 21:42:23 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Oct 29 12:59:08 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef14bcd0
7
8 init: Clean up line placement in init_systemd blocks.
9
10 No rule changes.
11
12 policy/modules/system/init.te | 196 ++++++++++++++++++++++--------------------
13 1 file changed, 102 insertions(+), 94 deletions(-)
14
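diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 90291d34..75da7a62 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -216,11 +216,23 @@ ifdef(`init_systemd',`
 # handle instances where an old labeled init script is encountered.
 typeattribute init_t init_run_all_scripts_domain;
 
+allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+allow init_t self:process { setsockcreate setfscreate setrlimit };
+allow init_t self:process { getcap setcap getsched setsched };
+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+allow init_t self:netlink_selinux_socket create_socket_perms;
+allow init_t self:system { status reboot halt reload };
+# Until systemd is fixed
+allow init_t self:udp_socket create_socket_perms;
+allow init_t self:netlink_route_socket create_netlink_socket_perms;
+allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+allow init_t self:capability2 audit_read;
+
 # for /run/systemd/inaccessible/{chr,blk}
 allow init_t init_var_run_t:blk_file { create getattr };
 allow init_t init_var_run_t:chr_file { create getattr };
 
-
 allow init_t systemprocess:process { dyntransition siginh };
 allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 allow init_t systemprocess:unix_dgram_socket create_socket_perms;
@@ -257,18 +269,47 @@ ifdef(`init_systemd',`
 
 kernel_dyntrans_to(init_t)
 kernel_read_network_state(init_t)
-kernel_read_kernel_sysctls(init_t)
-kernel_read_vm_sysctls(init_t)
 kernel_dgram_send(init_t)
 kernel_stream_connect(init_t)
 kernel_getattr_proc(init_t)
 kernel_read_fs_sysctls(init_t)
+kernel_list_unlabeled(init_t)
+kernel_load_module(init_t)
+kernel_rw_kernel_sysctl(init_t)
+kernel_rw_net_sysctls(init_t)
+kernel_read_all_sysctls(init_t)
+kernel_read_software_raid_state(init_t)
+kernel_unmount_debugfs(init_t)
+kernel_setsched(init_t)
+kernel_rw_unix_sysctls(init_t)
+
+# run systemd misc initializations
+# in the initrc_t domain, as would be
+# done in traditional sysvinit/upstart.
+corecmd_bin_domtrans(init_t, initrc_t)
+corecmd_shell_domtrans(init_t, initrc_t)
 
-dev_create_generic_dirs(init_t)
 dev_manage_input_dev(init_t)
 dev_relabel_all_sysfs(init_t)
 dev_relabel_generic_symlinks(init_t)
 dev_read_urand(init_t)
+dev_write_kmsg(init_t)
+dev_write_urand(init_t)
+dev_rw_lvm_control(init_t)
+dev_rw_autofs(init_t)
+dev_manage_generic_symlinks(init_t)
+dev_manage_generic_dirs(init_t)
+dev_manage_generic_files(init_t)
+dev_manage_null_service(initrc_t)
+dev_read_generic_chr_files(init_t)
+dev_relabel_generic_dev_dirs(init_t)
+dev_relabel_all_dev_nodes(init_t)
+dev_relabel_all_dev_files(init_t)
+dev_manage_sysfs_dirs(init_t)
+dev_relabel_sysfs_dirs(init_t)
+dev_read_usbfs(initrc_t)
+# systemd writes to /dev/watchdog on shutdown
+dev_write_watchdog(init_t)
 
 domain_read_all_domains_state(init_t)
 
@@ -283,21 +324,47 @@ ifdef(`init_systemd',`
 files_relabelto_etc_runtime_files(init_t)
 files_read_all_locks(init_t)
 files_search_kernel_modules(init_t)
+files_create_all_pid_pipes(init_t)
+files_create_all_pid_sockets(init_t)
+files_create_all_spool_sockets(init_t)
+files_create_lock_dirs(init_t)
+files_delete_all_pids(init_t)
+files_delete_all_spool_sockets(init_t)
+files_exec_generic_pid_files(init_t)
+files_list_locks(init_t)
+files_list_spool(init_t)
+files_manage_all_pid_dirs(init_t)
+files_manage_generic_tmp_dirs(init_t)
+files_manage_urandom_seed(init_t)
+files_mounton_all_mountpoints(init_t)
+files_read_boot_files(initrc_t)
+files_relabel_all_lock_dirs(init_t)
+files_relabel_all_pid_dirs(init_t)
+files_relabel_all_pid_files(init_t)
+files_search_all(init_t)
+files_unmount_all_file_type_fs(init_t)
 # for privatetmp functions
 files_mounton_tmp(init_t)
 # for ProtectSystem
 files_mounton_etc_dirs(init_t)
 
 fs_relabel_cgroup_dirs(init_t)
-fs_rw_cgroup_files(init_t)
 fs_list_auto_mountpoints(init_t)
 fs_mount_autofs(init_t)
 fs_manage_hugetlbfs_dirs(init_t)
 fs_getattr_tmpfs(init_t)
 fs_read_tmpfs_files(init_t)
-fs_read_cgroup_files(init_t)
 fs_relabel_pstore_dirs(init_t)
 fs_dontaudit_getattr_xattr_fs(init_t)
+fs_create_cgroup_links(init_t)
+fs_getattr_all_fs(init_t)
+fs_manage_cgroup_dirs(init_t)
+fs_manage_cgroup_files(init_t)
+fs_manage_tmpfs_dirs(init_t)
+fs_mount_all_fs(init_t)
+fs_remount_all_fs(init_t)
+fs_relabelfrom_tmpfs_symlinks(init_t)
+fs_unmount_all_fs(init_t)
 # for privatetmp functions
 fs_relabel_tmpfs_dirs(init_t)
 fs_relabel_tmpfs_files(init_t)
@@ -308,20 +375,32 @@ ifdef(`init_systemd',`
 # for network namespaces
 fs_read_nsfs_files(init_t)
 
-# need write to /var/run/systemd/notify
-init_write_pid_socket(daemon)
+init_read_script_state(init_t)
 
 # systemd_socket_activated policy
 mls_socket_write_all_levels(init_t)
 
+selinux_unmount_fs(init_t)
+selinux_validate_context(init_t)
 selinux_compute_create_context(init_t)
 selinux_compute_access_vector(init_t)
 
+storage_getattr_removable_dev(init_t)
+
+term_relabel_pty_dirs(init_t)
+
+auth_manage_var_auth(init_t)
+auth_relabel_login_records(init_t)
+auth_relabel_pam_console_data_dirs(init_t)
+
 logging_manage_pid_sockets(init_t)
 logging_send_audit_msgs(init_t)
 logging_relabelto_devlog_sock_files(init_t)
 logging_relabel_generic_log_dirs(init_t)
 
+# lvm2-activation-generator checks file labels
+seutil_read_file_contexts(init_t)
+
 systemd_manage_passwd_runtime_symlinks(init_t)
 systemd_use_passwd_agent(init_t)
 systemd_list_tmpfiles_conf(init_t)
@@ -329,6 +408,7 @@ ifdef(`init_systemd',`
 systemd_relabelto_tmpfiles_conf_files(init_t)
 systemd_relabelto_journal_dirs(init_t)
 systemd_relabelto_journal_files(init_t)
+systemd_manage_all_units(init_t)
 
 term_create_devpts_dirs(init_t)
 
@@ -853,21 +933,8 @@ ifdef(`enabled_mls',`
 ')
 
 ifdef(`init_systemd',`
-allow init_t self:system { status reboot halt reload };
-
-allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-allow init_t self:process { setsockcreate setfscreate setrlimit };
-allow init_t self:process { getcap setcap getsched setsched };
-allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
-allow init_t self:netlink_selinux_socket create_socket_perms;
-# Until systemd is fixed
-allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
-allow init_t self:udp_socket create_socket_perms;
-allow init_t self:netlink_route_socket create_netlink_socket_perms;
-allow init_t initrc_t:unix_dgram_socket create_socket_perms;
 allow initrc_t init_t:system { start status reboot halt reload };
-allow init_t self:capability2 audit_read;
+
 manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
@@ -890,106 +957,37 @@ ifdef(`init_systemd',`
 allow initrc_t init_script_file_type:service { stop start status reload };
 
 kernel_dgram_send(initrc_t)
-kernel_list_unlabeled(init_t)
-kernel_load_module(init_t)
-kernel_rw_kernel_sysctl(init_t)
-kernel_rw_net_sysctls(init_t)
-kernel_read_all_sysctls(init_t)
-kernel_read_software_raid_state(init_t)
-kernel_unmount_debugfs(init_t)
-kernel_setsched(init_t)
-kernel_rw_unix_sysctls(init_t)
-
-auth_manage_var_auth(init_t)
-auth_relabel_login_records(init_t)
-auth_relabel_pam_console_data_dirs(init_t)
 
 # run systemd misc initializations
 # in the initrc_t domain, as would be
 # done in traditional sysvinit/upstart.
 corecmd_bin_entry_type(initrc_t)
-corecmd_bin_domtrans(init_t, initrc_t)
-corecmd_shell_domtrans(init_t, initrc_t)
 
 dev_create_generic_dirs(initrc_t)
-dev_write_kmsg(init_t)
-dev_write_urand(init_t)
-dev_rw_lvm_control(init_t)
-dev_rw_autofs(init_t)
-dev_manage_generic_symlinks(init_t)
-dev_manage_generic_dirs(init_t)
-dev_manage_generic_files(init_t)
-dev_manage_null_service(initrc_t)
-dev_read_generic_chr_files(init_t)
-dev_relabel_generic_dev_dirs(init_t)
-dev_relabel_all_dev_nodes(init_t)
-dev_relabel_all_dev_files(init_t)
-dev_manage_sysfs_dirs(init_t)
-dev_relabel_sysfs_dirs(init_t)
-dev_read_usbfs(initrc_t)
-# systemd writes to /dev/watchdog on shutdown
-dev_write_watchdog(init_t)
 
 # Allow initrc_t to check /etc/fstab "service." It appears that
 # systemd is conflating files and services.
-files_create_all_pid_pipes(init_t)
-files_create_all_pid_sockets(init_t)
-files_create_all_spool_sockets(init_t)
-files_create_lock_dirs(init_t)
-files_create_pid_dirs(initrc_t)
-files_delete_all_pids(init_t)
-files_delete_all_spool_sockets(init_t)
-files_exec_generic_pid_files(init_t)
 files_get_etc_unit_status(initrc_t)
-files_list_locks(init_t)
-files_list_spool(init_t)
-files_manage_all_pid_dirs(init_t)
-files_manage_generic_tmp_dirs(init_t)
-files_manage_urandom_seed(init_t)
-files_mounton_all_mountpoints(init_t)
-files_read_boot_files(initrc_t)
-files_relabel_all_lock_dirs(init_t)
-files_relabel_all_pid_dirs(init_t)
-files_relabel_all_pid_files(init_t)
-files_search_all(init_t)
+files_create_pid_dirs(initrc_t)
 files_setattr_pid_dirs(initrc_t)
-files_unmount_all_file_type_fs(init_t)
-
-fs_create_cgroup_links(init_t)
-fs_getattr_all_fs(init_t)
-fs_manage_cgroup_dirs(init_t)
-fs_manage_cgroup_files(init_t)
-fs_manage_tmpfs_dirs(init_t)
-fs_mount_all_fs(init_t)
-fs_remount_all_fs(init_t)
-fs_relabelfrom_tmpfs_symlinks(init_t)
-fs_unmount_all_fs(init_t)
-fs_search_cgroup_dirs(daemon)
 
 # for logsave in strict configuration
 fstools_write_log(initrc_t)
 
+selinux_set_enforce_mode(initrc_t)
+
 init_get_all_units_status(initrc_t)
 init_manage_var_lib_files(initrc_t)
-init_read_script_state(init_t)
 init_rw_stream_sockets(initrc_t)
 
 # Create /etc/audit.rules.prev after firstboot remediation
 logging_manage_audit_config(initrc_t)
 
-selinux_set_enforce_mode(initrc_t)
-selinux_unmount_fs(init_t)
-selinux_validate_context(init_t)
 # lvm2-activation-generator checks file labels
 seutil_read_file_contexts(initrc_t)
-seutil_read_file_contexts(init_t)
 
-storage_getattr_removable_dev(init_t)
-systemd_manage_all_units(init_t)
 systemd_start_power_units(initrc_t)
 
-term_relabel_pty_dirs(init_t)
-
 optional_policy(`
 # create /var/lock/lvm/
 lvm_create_lock_dirs(initrc_t)
@@ -1416,6 +1414,16 @@ init_dontaudit_use_fds(daemon)
 # when using run_init
 init_use_script_ptys(daemon)
 
+ifdef(`init_systemd',`
+# Until systemd is fixed
+allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+
+fs_search_cgroup_dirs(daemon)
+
+# need write to /var/run/systemd/notify
+init_write_pid_socket(daemon)
+')
+
 tunable_policy(`init_daemons_use_tty',`
 term_use_unallocated_ttys(daemon)
 term_use_generic_ptys(daemon)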
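Review bot: Three initrc_t calls, `dev_manage_null_service(initrc_t)`, `dev_read_usbfs(initrc_t)` and `files_read_boot_files(initrc_t)`, are moved into the first init_systemd block (the -257 and -283 hunks), whose visible context lines are all init_t rules, while the commit's own relocation of `files_create_pid_dirs(initrc_t)` in the -890 hunk keeps that call in the initrc_t block; for the placement cleanup to be consistent these three should stay beside `files_create_pid_dirs(initrc_t)` and `files_setattr_pid_dirs(initrc_t)` in the later block. Separately, `kernel_read_kernel_sysctls(init_t)`, `kernel_read_vm_sysctls(init_t)`, `dev_create_generic_dirs(init_t)`, `fs_rw_cgroup_files(init_t)` and `fs_read_cgroup_files(init_t)` are deleted rather than moved; presumably they are subsumed by the broader `kernel_read_all_sysctls`, `dev_manage_generic_dirs` and `fs_manage_cgroup_files` calls now in the same block, but since the message says "No rule changes" the dedup is worth confirming with a compiled-policy diff and noting explicitly in the message. Both init_systemd blocks begin and end outside the hunks shown.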