| 1 |
commit: 3225e34cc39a06b44cc0871b984791eeaf9bb970 |
| 2 |
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> |
| 3 |
AuthorDate: Tue Dec 27 13:45:21 2016 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Jan 1 16:26:28 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3225e34c |
| 7 |
|
| 8 |
systemd: add systemd-binfmt policy |
| 9 |
|
| 10 |
This systemd service registers in /proc/sys/fs/binfmt_misc binary formats |
| 11 |
for executables. |
| 12 |
|
| 13 |
Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org> |
| 14 |
|
| 15 |
policy/modules/system/systemd.fc | 1 + |
| 16 |
policy/modules/system/systemd.te | 15 +++++++++++++++ |
| 17 |
2 files changed, 16 insertions(+) |
| 18 |
|
| 19 |
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc |
| 20 |
index 673bb68..d66feda 100644 |
| 21 |
--- a/policy/modules/system/systemd.fc |
| 22 |
+++ b/policy/modules/system/systemd.fc |
| 23 |
@@ -29,6 +29,7 @@ |
| 24 |
/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0) |
| 25 |
/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0) |
| 26 |
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0) |
| 27 |
+/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) |
| 28 |
|
| 29 |
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) |
| 30 |
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) |
| 31 |
|
| 32 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 33 |
index c50e93a..cf22ba8 100644 |
| 34 |
--- a/policy/modules/system/systemd.te |
| 35 |
+++ b/policy/modules/system/systemd.te |
| 36 |
@@ -36,6 +36,9 @@ type systemd_binfmt_t; |
| 37 |
type systemd_binfmt_exec_t; |
| 38 |
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t) |
| 39 |
|
| 40 |
+type systemd_binfmt_unit_t; |
| 41 |
+init_unit_file(systemd_binfmt_unit_t) |
| 42 |
+ |
| 43 |
type systemd_cgroups_t; |
| 44 |
type systemd_cgroups_exec_t; |
| 45 |
domain_type(systemd_cgroups_t) |
| 46 |
@@ -162,6 +165,18 @@ files_read_etc_files(systemd_backlight_t) |
| 47 |
|
| 48 |
udev_read_pid_files(systemd_backlight_t) |
| 49 |
|
| 50 |
+####################################### |
| 51 |
+# |
| 52 |
+# Binfmt local policy |
| 53 |
+# |
| 54 |
+ |
| 55 |
+systemd_log_parse_environment(systemd_binfmt_t) |
| 56 |
+ |
| 57 |
+# Allow to read /etc/binfmt.d/ files |
| 58 |
+files_read_etc_files(systemd_binfmt_t) |
| 59 |
+ |
| 60 |
+fs_register_binary_executable_type(systemd_binfmt_t) |
| 61 |
+ |
| 62 |
###################################### |
| 63 |
# |
| 64 |
# Cgroups local policy |
Archives