Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Sat, 03 Sep 2022 19:54:09
Message-Id: 1662232069.9f360ceda6290fc51e9f537d59574810e5a876b6.perfinion@gentoo
1 commit: 9f360ceda6290fc51e9f537d59574810e5a876b6
2 Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
3 AuthorDate: Wed Aug 17 17:53:26 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 3 19:07:49 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f360ced
7
8 systemd: Add interface for systemctl exec.
9
10 Adds necessary baseline permissions for the command.
11
12 Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 policy/modules/system/systemd.if | 31 +++++++++++++++++++++++++++++++
16 1 file changed, 31 insertions(+)
17
18 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
19 index 62545021..f48cc541 100644
20 --- a/policy/modules/system/systemd.if
21 +++ b/policy/modules/system/systemd.if
22 @@ -2388,6 +2388,37 @@ interface(`systemd_read_resolved_runtime',`
23 read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
24 ')
25
26 +########################################
27 +## <summary>
28 +## Execute the systemctl program.
29 +## </summary>
30 +## <param name="domain">
31 +## <summary>
32 +## Domain allowed access.
33 +## </summary>
34 +## </param>
35 +#
36 +interface(`systemd_exec_systemctl',`
37 + gen_require(`
38 + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
39 + ')
40 +
41 + dontaudit $1 self:capability { net_admin sys_resource };
42 + allow $1 self:process signal;
43 + allow $1 self:unix_stream_socket create_socket_perms;
44 +
45 + # the command is a regular bin
46 + corecmd_exec_bin($1)
47 +
48 + domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
49 + allow $1 systemd_passwd_agent_t:process signal;
50 +
51 + init_read_state($1)
52 + init_stream_connect($1)
53 + init_telinit($1)
54 + init_dbus_chat($1)
55 +')
56 +
57 #######################################
58 ## <summary>
59 ## Allow domain to getattr on .updated file (generated by systemd-update-done
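Review bot: The summary "Execute the systemctl program." in the new systemd_exec_systemctl interface understates what a caller receives. Besides corecmd_exec_bin($1), the body grants a domain transition into systemd_passwd_agent_t through domtrans_pattern, permission to signal that domain, and init_read_state, init_stream_connect, init_telinit and init_dbus_chat. Please add a <desc> block that lists these, so a policy author who calls the interface for a confined domain can see that it carries init access and the password agent transition, not just an exec permission. The line "dontaudit $1 self:capability { net_admin sys_resource };" also needs a short comment saying why those capability checks are expected and safe to silence, because it hides the denials from the audit log for every calling domain. The commit message's "necessary baseline permissions" gives no per-rule rationale that a later reviewer could use to trim the set.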