commit: 9f360ceda6290fc51e9f537d59574810e5a876b6 |
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com> |
AuthorDate: Wed Aug 17 17:53:26 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 3 19:07:49 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f360ced |
|
systemd: Add interface for systemctl exec. |
|
Adds necessary baseline permissions for the command. |
|
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/system/systemd.if | 31 +++++++++++++++++++++++++++++++ |
1 file changed, 31 insertions(+) |
|
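diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 62545021..f48cc541 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2388,6 +2388,37 @@ interface(`systemd_read_resolved_runtime',`
 read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 
+########################################
+## <summary>
+## Execute the systemctl program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_exec_systemctl',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ dontaudit $1 self:capability { net_admin sys_resource };
+ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ # the command is a regular bin
+ corecmd_exec_bin($1)
+
+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+ allow $1 systemd_passwd_agent_t:process signal;
+
+ init_read_state($1)
+ init_stream_connect($1)
+ init_telinit($1)
+ init_dbus_chat($1)
+')
+
 #######################################
 ## <summary>
 ## Allow domain to getattr on .updated file (generated by systemd-update-done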
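Review bot: The `## <summary>` added at the start of the hunk, "Execute the systemctl program.", understates the privilege the interface grants: the body also calls `init_telinit($1)` and `init_dbus_chat($1)`, which by their names appear to let the caller's domain drive init itself over its stream socket and D-Bus (starting and stopping units and the like), so this is a service-management grant rather than mere permission to run a binary. A policy author choosing it for a domain that only inspects unit status would inherit that control with no hint in the documentation. I would add a refpolicy `<desc>` block after the summary stating that the interface also authorizes controlling init through init_telinit and init_dbus_chat and is intended for domains expected to manage units, and I would extend the `# the command is a regular bin` comment on the `corecmd_exec_bin($1)` line to note that it permits executing any bin_t program, not only systemctl.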