1 |
commit: bce66e80249abbc0998755be34847b5b846d1e16 |
2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
3 |
AuthorDate: Thu Apr 6 21:37:50 2017 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Apr 10 16:58:44 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bce66e80 |
7 |
|
8 |
Systemd-related changes from Russell Coker. |
9 |
|
10 |
policy/modules/kernel/files.if | 36 ++++++++++++++ |
11 |
policy/modules/kernel/files.te | 2 +- |
12 |
policy/modules/roles/sysadm.te | 12 +---- |
13 |
policy/modules/services/ssh.if | 4 ++ |
14 |
policy/modules/services/ssh.te | 7 ++- |
15 |
policy/modules/services/xserver.te | 6 ++- |
16 |
policy/modules/system/fstools.te | 3 +- |
17 |
policy/modules/system/init.if | 94 +++++++++++++++++++++++++++++++++++++ |
18 |
policy/modules/system/init.te | 6 +-- |
19 |
policy/modules/system/locallogin.te | 7 ++- |
20 |
policy/modules/system/lvm.fc | 1 + |
21 |
policy/modules/system/lvm.te | 7 ++- |
22 |
policy/modules/system/sysnetwork.if | 20 ++++++++ |
23 |
policy/modules/system/sysnetwork.te | 2 +- |
24 |
policy/modules/system/systemd.if | 84 +++++++++++++++++++++++++++++++++ |
25 |
policy/modules/system/systemd.te | 5 +- |
26 |
policy/modules/system/udev.te | 12 ++++- |
27 |
policy/modules/system/unconfined.if | 4 ++ |
28 |
policy/modules/system/unconfined.te | 6 ++- |
29 |
19 files changed, 292 insertions(+), 26 deletions(-) |
30 |
|
31 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
32 |
index 9f9fdded..0462c1a7 100644 |
33 |
--- a/policy/modules/kernel/files.if |
34 |
+++ b/policy/modules/kernel/files.if |
35 |
@@ -3021,6 +3021,42 @@ interface(`files_get_etc_unit_status',` |
36 |
allow $1 etc_t:service status; |
37 |
') |
38 |
|
39 |
+######################################## |
40 |
+## <summary> |
41 |
+## start etc_t service |
42 |
+## </summary> |
43 |
+## <param name="domain"> |
44 |
+## <summary> |
45 |
+## Domain allowed access. |
46 |
+## </summary> |
47 |
+## </param> |
48 |
+# |
49 |
+interface(`files_start_etc_service',` |
50 |
+ gen_require(` |
51 |
+ type etc_t; |
52 |
+ ') |
53 |
+ |
54 |
+ allow $1 etc_t:service start; |
55 |
+') |
56 |
+ |
57 |
+######################################## |
58 |
+## <summary> |
59 |
+## stop etc_t service |
60 |
+## </summary> |
61 |
+## <param name="domain"> |
62 |
+## <summary> |
63 |
+## Domain allowed access. |
64 |
+## </summary> |
65 |
+## </param> |
66 |
+# |
67 |
+interface(`files_stop_etc_service',` |
68 |
+ gen_require(` |
69 |
+ type etc_t; |
70 |
+ ') |
71 |
+ |
72 |
+ allow $1 etc_t:service stop; |
73 |
+') |
74 |
+ |
75 |
####################################### |
76 |
## <summary> |
77 |
## Relabel from and to generic files in /etc. |
78 |
|
79 |
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te |
80 |
index 67be5c71..c979bcc1 100644 |
81 |
--- a/policy/modules/kernel/files.te |
82 |
+++ b/policy/modules/kernel/files.te |
83 |
@@ -1,4 +1,4 @@ |
84 |
-policy_module(files, 1.23.10) |
85 |
+policy_module(files, 1.23.11) |
86 |
|
87 |
######################################## |
88 |
# |
89 |
|
90 |
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te |
91 |
index 7b4bf4d9..d917e008 100644 |
92 |
--- a/policy/modules/roles/sysadm.te |
93 |
+++ b/policy/modules/roles/sysadm.te |
94 |
@@ -1,4 +1,4 @@ |
95 |
-policy_module(sysadm, 2.11.3) |
96 |
+policy_module(sysadm, 2.11.4) |
97 |
|
98 |
######################################## |
99 |
# |
100 |
@@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t) |
101 |
ubac_fd_exempt(sysadm_t) |
102 |
|
103 |
init_exec(sysadm_t) |
104 |
-init_get_system_status(sysadm_t) |
105 |
-init_disable(sysadm_t) |
106 |
-init_enable(sysadm_t) |
107 |
-init_reload(sysadm_t) |
108 |
-init_reboot_system(sysadm_t) |
109 |
-init_shutdown_system(sysadm_t) |
110 |
-init_start_generic_units(sysadm_t) |
111 |
-init_stop_generic_units(sysadm_t) |
112 |
-init_reload_generic_units(sysadm_t) |
113 |
+init_admin(sysadm_t) |
114 |
|
115 |
# Add/remove user home directories |
116 |
userdom_manage_user_home_dirs(sysadm_t) |
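Review bot: Replacing the nine explicit calls with `init_admin(sysadm_t)` is not a like-for-like refactor. Per the init.if section of this commit, init_admin also pulls in `init_manage_all_units`, `init_start_all_units`, `init_stop_all_units`, `init_stop_system`, `init_telinit`, `init_manage_script_service` and `dev_manage_null_service`, so sysadm_t gains service permissions it did not have on these lines. Conversely, the removed `init_reload_generic_units(sysadm_t)` is not among the calls in init_admin; reload of generic units then depends on `init_reload_all_units` covering that type, which this diff does not show. I would keep `init_reload_generic_units(sysadm_t)` next to the new call (or add it to init_admin) and add a comment such as `# full control of init and of all units` so the widening is visible to auditors.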
117 |
|
118 |
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if |
119 |
index 21374c77..2ea91129 100644 |
120 |
--- a/policy/modules/services/ssh.if |
121 |
+++ b/policy/modules/services/ssh.if |
122 |
@@ -271,6 +271,10 @@ template(`ssh_server_template', ` |
123 |
files_read_var_lib_symlinks($1_t) |
124 |
nx_spec_domtrans_server($1_t) |
125 |
') |
126 |
+ |
127 |
+ optional_policy(` |
128 |
+ systemd_read_logind_sessions_files($1_t) |
129 |
+ ') |
130 |
') |
131 |
|
132 |
######################################## |
133 |
|
134 |
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te |
135 |
index 8d974f90..1b246453 100644 |
136 |
--- a/policy/modules/services/ssh.te |
137 |
+++ b/policy/modules/services/ssh.te |
138 |
@@ -1,4 +1,4 @@ |
139 |
-policy_module(ssh, 2.9.2) |
140 |
+policy_module(ssh, 2.9.3) |
141 |
|
142 |
######################################## |
143 |
# |
144 |
@@ -317,6 +317,11 @@ optional_policy(` |
145 |
') |
146 |
|
147 |
optional_policy(` |
148 |
+ systemd_write_inherited_logind_sessions_pipes(sshd_t) |
149 |
+ systemd_dbus_chat_logind(sshd_t) |
150 |
+') |
151 |
+ |
152 |
+optional_policy(` |
153 |
unconfined_shell_domtrans(sshd_t) |
154 |
') |
155 |
|
156 |
|
157 |
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te |
158 |
index a692f7a2..4703673a 100644 |
159 |
--- a/policy/modules/services/xserver.te |
160 |
+++ b/policy/modules/services/xserver.te |
161 |
@@ -1,4 +1,4 @@ |
162 |
-policy_module(xserver, 3.13.6) |
163 |
+policy_module(xserver, 3.13.7) |
164 |
|
165 |
gen_require(` |
166 |
class x_drawable all_x_drawable_perms; |
167 |
@@ -275,6 +275,10 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) |
168 |
allow xdm_t xauth_home_t:file manage_file_perms; |
169 |
userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) |
170 |
|
171 |
+allow xauth_t xdm_t:fd use; |
172 |
+allow xauth_t xdm_t:fifo_file { getattr read }; |
173 |
+allow xauth_t xdm_t:unix_stream_socket { read write }; |
174 |
+ |
175 |
kernel_request_load_module(xauth_t) |
176 |
|
177 |
domain_use_interactive_fds(xauth_t) |
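Review bot: The three raw allow rules added before `kernel_request_load_module(xauth_t)` carry no comment saying why xauth_t needs xdm_t's descriptors, pipes and stream sockets. They look like access to descriptors inherited when xdm runs xauth, but the hunk does not say so. A line such as `# xauth started by xdm inherits its fds, pipe and socket` (wording to be confirmed by the author) would let a later auditor judge whether `write` on the stream socket is required or could be dropped.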
178 |
|
179 |
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te |
180 |
index 9d729671..a56bfc05 100644 |
181 |
--- a/policy/modules/system/fstools.te |
182 |
+++ b/policy/modules/system/fstools.te |
183 |
@@ -1,4 +1,4 @@ |
184 |
-policy_module(fstools, 1.20.1) |
185 |
+policy_module(fstools, 1.20.2) |
186 |
|
187 |
######################################## |
188 |
# |
189 |
@@ -146,6 +146,7 @@ term_use_console(fsadm_t) |
190 |
init_use_fds(fsadm_t) |
191 |
init_use_script_ptys(fsadm_t) |
192 |
init_dontaudit_getattr_initctl(fsadm_t) |
193 |
+init_rw_script_stream_sockets(fsadm_t) |
194 |
|
195 |
logging_send_syslog_msg(fsadm_t) |
196 |
|
197 |
|
198 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
199 |
index e42a7db5..27794bbf 100644 |
200 |
--- a/policy/modules/system/init.if |
201 |
+++ b/policy/modules/system/init.if |
202 |
@@ -1175,6 +1175,25 @@ interface(`init_search_pids',` |
203 |
allow $1 init_var_run_t:dir search_dir_perms; |
204 |
') |
205 |
|
206 |
+###################################### |
207 |
+## <summary> |
208 |
+## Allow listing of the /run/systemd directory. |
209 |
+## </summary> |
210 |
+## <param name="domain"> |
211 |
+## <summary> |
212 |
+## Domain allowed access. |
213 |
+## </summary> |
214 |
+## </param> |
215 |
+# |
216 |
+interface(`init_list_pids',` |
217 |
+ gen_require(` |
218 |
+ type init_var_run_t; |
219 |
+ ') |
220 |
+ |
221 |
+ allow $1 init_var_run_t:dir list_dir_perms; |
222 |
+ files_search_pids($1) |
223 |
+') |
224 |
+ |
225 |
######################################## |
226 |
## <summary> |
227 |
## Create files in an init PID directory. |
228 |
@@ -1582,6 +1601,25 @@ interface(`init_all_labeled_script_domtrans',` |
229 |
|
230 |
######################################## |
231 |
## <summary> |
232 |
+## Allow getting service status of initrc_exec_t scripts |
233 |
+## </summary> |
234 |
+## <param name="domain"> |
235 |
+## <summary> |
236 |
+## Target domain |
237 |
+## </summary> |
238 |
+## </param> |
239 |
+# |
240 |
+interface(`init_get_script_status',` |
241 |
+ gen_require(` |
242 |
+ type initrc_exec_t; |
243 |
+ class service status; |
244 |
+ ') |
245 |
+ |
246 |
+ allow $1 initrc_exec_t:service status; |
247 |
+') |
248 |
+ |
249 |
+######################################## |
250 |
+## <summary> |
251 |
## Allow the role to start and stop |
252 |
## labeled services. |
253 |
## </summary> |
254 |
@@ -2890,6 +2928,26 @@ interface(`init_get_all_units_status',` |
255 |
allow $1 { init_script_file_type systemdunit }:service status; |
256 |
') |
257 |
|
258 |
+####################################### |
259 |
+## <summary> |
260 |
+## All perms on all systemd units. |
261 |
+## </summary> |
262 |
+## <param name="domain"> |
263 |
+## <summary> |
264 |
+## Domain allowed access. |
265 |
+## </summary> |
266 |
+## </param> |
267 |
+# |
268 |
+interface(`init_manage_all_units',` |
269 |
+ gen_require(` |
270 |
+ attribute systemdunit; |
271 |
+ class service all_service_perms; |
272 |
+ ') |
273 |
+ |
274 |
+ allow $1 systemdunit:service all_service_perms; |
275 |
+ allow $1 systemdunit:file getattr; |
276 |
+') |
277 |
+ |
278 |
######################################## |
279 |
## <summary> |
280 |
## Start all systemd units. |
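Review bot: `init_manage_all_units` grants `all_service_perms` only on `systemdunit`, while the neighbouring interfaces in this file (`init_get_all_units_status` just above, `init_reload_all_units` in the next hunk) use `{ init_script_file_type systemdunit }`. If init scripts are meant to count as "all units" here too, the rule should read `allow $1 { init_script_file_type systemdunit }:service all_service_perms;`. The name also suggests file management, yet the only file permission granted is `getattr`; the summary would be clearer as `## Allow all service permissions on all systemd units, and getattr on the unit files.`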
281 |
@@ -2946,3 +3004,39 @@ interface(`init_reload_all_units',` |
282 |
|
283 |
allow $1 { init_script_file_type systemdunit }:service reload; |
284 |
') |
285 |
+ |
286 |
+######################################## |
287 |
+## <summary> |
288 |
+## Allow unconfined access to send instructions to init |
289 |
+## </summary> |
290 |
+## <param name="domain"> |
291 |
+## <summary> |
292 |
+## Target domain |
293 |
+## </summary> |
294 |
+## </param> |
295 |
+# |
296 |
+interface(`init_admin',` |
297 |
+ gen_require(` |
298 |
+ type initrc_exec_t; |
299 |
+ class service status; |
300 |
+ ') |
301 |
+ |
302 |
+ dev_manage_null_service($1) |
303 |
+ init_disable($1) |
304 |
+ init_enable($1) |
305 |
+ init_get_all_units_status($1) |
306 |
+ init_get_generic_units_status($1) |
307 |
+ init_get_system_status($1) |
308 |
+ init_manage_all_units($1) |
309 |
+ init_manage_script_service($1) |
310 |
+ init_reboot_system($1) |
311 |
+ init_reload($1) |
312 |
+ init_reload_all_units($1) |
313 |
+ init_shutdown_system($1) |
314 |
+ init_start_all_units($1) |
315 |
+ init_start_generic_units($1) |
316 |
+ init_stop_all_units($1) |
317 |
+ init_stop_generic_units($1) |
318 |
+ init_stop_system($1) |
319 |
+ init_telinit($1) |
320 |
+') |
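Review bot: The `gen_require` block in `init_admin` declares `type initrc_exec_t;` and `class service status;`, but the body consists only of interface calls and references neither, so the block can be removed. The summary "Allow unconfined access to send instructions to init" also undersells what is granted: every service permission on all units plus reboot, shutdown, stop and telinit. I would state that explicitly, e.g. `## Full administrative control of init and of all units (start, stop, reload, enable, disable, reboot, shutdown).`, and describe the parameter as `Domain allowed access.` like the other interfaces in this file.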
321 |
|
322 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
323 |
index aed3e65a..02a240d8 100644 |
324 |
--- a/policy/modules/system/init.te |
325 |
+++ b/policy/modules/system/init.te |
326 |
@@ -1,4 +1,4 @@ |
327 |
-policy_module(init, 2.2.15) |
328 |
+policy_module(init, 2.2.16) |
329 |
|
330 |
gen_require(` |
331 |
class passwd rootok; |
332 |
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',` |
333 |
seutil_read_default_contexts(initrc_t) |
334 |
|
335 |
# /lib/rcscripts/net/system.sh rewrites resolv.conf :( |
336 |
- sysnet_create_config(initrc_t) |
337 |
- sysnet_write_config(initrc_t) |
338 |
- sysnet_setattr_config(initrc_t) |
339 |
+ sysnet_manage_config(initrc_t) |
340 |
|
341 |
optional_policy(` |
342 |
abrt_manage_pid_files(initrc_t) |
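Review bot: `sysnet_manage_config(initrc_t)` is wider than the three calls it replaces: the sysnetwork.if section of this commit shows it granting `manage_file_perms` on net_conf_t, a set that normally includes unlink and rename in addition to create, write and setattr. The same substitution is made for systemd_tmpfiles_t in systemd.te, where `sysnet_relabel_config` is added as well. If the extra permissions are intended, the comment above the call should say so, for example `# /lib/rcscripts/net/system.sh rewrites resolv.conf and needs full manage access` (to be confirmed by the author); otherwise keeping the narrower interfaces preserves least privilege.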
343 |
|
344 |
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
345 |
index 22cb0fa3..bcebce9d 100644 |
346 |
--- a/policy/modules/system/locallogin.te |
347 |
+++ b/policy/modules/system/locallogin.te |
348 |
@@ -1,4 +1,4 @@ |
349 |
-policy_module(locallogin, 1.15.3) |
350 |
+policy_module(locallogin, 1.15.4) |
351 |
|
352 |
######################################## |
353 |
# |
354 |
@@ -193,6 +193,11 @@ optional_policy(` |
355 |
') |
356 |
|
357 |
optional_policy(` |
358 |
+ systemd_dbus_chat_logind(local_login_t) |
359 |
+ systemd_write_inherited_logind_sessions_pipes(local_login_t) |
360 |
+') |
361 |
+ |
362 |
+optional_policy(` |
363 |
unconfined_shell_domtrans(local_login_t) |
364 |
') |
365 |
|
366 |
|
367 |
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc |
368 |
index d2f755f2..1e6abbaf 100644 |
369 |
--- a/policy/modules/system/lvm.fc |
370 |
+++ b/policy/modules/system/lvm.fc |
371 |
@@ -29,6 +29,7 @@ ifdef(`distro_gentoo',` |
372 |
|
373 |
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
374 |
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
375 |
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) |
376 |
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
377 |
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
378 |
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
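Review bot: Labelling `/usr/lib/systemd/systemd-cryptsetup` as `lvm_exec_t` presumably makes it run in lvm_t, which the `# for systemd-cryptsetup` comments in the lvm.te section of this commit support. The permissions added there for it (`kernel_request_load_module`, `kernel_read_crypto_sysctls`, `init_stream_connect`) are therefore granted to every program labelled lvm_exec_t, not only to systemd-cryptsetup. A comment above the new entry, e.g. `# systemd-cryptsetup shares the lvm_t domain; see lvm.te`, would record that this is deliberate. A dedicated type would leave the LVM tools' permissions unchanged, if the maintainers consider that worth the extra policy.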
379 |
|
380 |
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te |
381 |
index 977a374b..09740eb4 100644 |
382 |
--- a/policy/modules/system/lvm.te |
383 |
+++ b/policy/modules/system/lvm.te |
384 |
@@ -1,4 +1,4 @@ |
385 |
-policy_module(lvm, 1.19.7) |
386 |
+policy_module(lvm, 1.19.8) |
387 |
|
388 |
######################################## |
389 |
# |
390 |
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) |
391 |
files_etc_filetrans(lvm_t, lvm_metadata_t, file) |
392 |
files_search_mnt(lvm_t) |
393 |
|
394 |
+kernel_request_load_module(lvm_t) |
395 |
kernel_get_sysvipc_info(lvm_t) |
396 |
kernel_read_system_state(lvm_t) |
397 |
# Read system variables in /proc/sys |
398 |
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t) |
399 |
# it has no reason to need this |
400 |
kernel_dontaudit_getattr_core_if(lvm_t) |
401 |
kernel_use_fds(lvm_t) |
402 |
+# for systemd-cryptsetup |
403 |
+kernel_read_crypto_sysctls(lvm_t) |
404 |
kernel_search_debugfs(lvm_t) |
405 |
|
406 |
corecmd_exec_bin(lvm_t) |
407 |
@@ -301,6 +304,8 @@ init_use_fds(lvm_t) |
408 |
init_dontaudit_getattr_initctl(lvm_t) |
409 |
init_use_script_ptys(lvm_t) |
410 |
init_read_script_state(lvm_t) |
411 |
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket |
412 |
+init_stream_connect(lvm_t) |
413 |
|
414 |
logging_send_syslog_msg(lvm_t) |
415 |
|
416 |
|
417 |
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if |
418 |
index 86313b66..a20a2d46 100644 |
419 |
--- a/policy/modules/system/sysnetwork.if |
420 |
+++ b/policy/modules/system/sysnetwork.if |
421 |
@@ -418,6 +418,25 @@ interface(`sysnet_create_config',` |
422 |
|
423 |
####################################### |
424 |
## <summary> |
425 |
+## Relabel network config files. |
426 |
+## </summary> |
427 |
+## <param name="domain"> |
428 |
+## <summary> |
429 |
+## Domain allowed access. |
430 |
+## </summary> |
431 |
+## </param> |
432 |
+# |
433 |
+interface(`sysnet_relabel_config',` |
434 |
+ gen_require(` |
435 |
+ type net_conf_t; |
436 |
+ ') |
437 |
+ |
438 |
+ files_search_etc($1) |
439 |
+ allow $1 net_conf_t:file { relabelfrom relabelto }; |
440 |
+') |
441 |
+ |
442 |
+####################################### |
443 |
+## <summary> |
444 |
## Create files in /etc with the type used for |
445 |
## the network config files. |
446 |
## </summary> |
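Review bot: In `sysnet_relabel_config` the permission set is spelled out as `{ relabelfrom relabelto }` rather than using refpolicy's `relabel_file_perms` set. That set also includes `getattr`, which a relabeling tool generally needs in order to read the current context before changing it. I would write `allow $1 net_conf_t:file relabel_file_perms;` so the interface matches the other relabel interfaces in the policy.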
447 |
@@ -455,6 +474,7 @@ interface(`sysnet_manage_config',` |
448 |
type net_conf_t; |
449 |
') |
450 |
|
451 |
+ files_search_etc($1) |
452 |
allow $1 net_conf_t:file manage_file_perms; |
453 |
|
454 |
ifdef(`distro_debian',` |
455 |
|
456 |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
457 |
index a0f907e3..8e6d532a 100644 |
458 |
--- a/policy/modules/system/sysnetwork.te |
459 |
+++ b/policy/modules/system/sysnetwork.te |
460 |
@@ -1,4 +1,4 @@ |
461 |
-policy_module(sysnetwork, 1.20.7) |
462 |
+policy_module(sysnetwork, 1.20.8) |
463 |
|
464 |
######################################## |
465 |
# |
466 |
|
467 |
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
468 |
index 5e5268c0..cd6d2e4a 100644 |
469 |
--- a/policy/modules/system/systemd.if |
470 |
+++ b/policy/modules/system/systemd.if |
471 |
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pipes',` |
472 |
|
473 |
###################################### |
474 |
## <summary> |
475 |
+## Write systemd_login named pipe. |
476 |
+## </summary> |
477 |
+## <param name="domain"> |
478 |
+## <summary> |
479 |
+## Domain allowed access. |
480 |
+## </summary> |
481 |
+## </param> |
482 |
+# |
483 |
+interface(`systemd_write_logind_pid_pipes',` |
484 |
+ gen_require(` |
485 |
+ type systemd_logind_var_run_t; |
486 |
+ ') |
487 |
+ |
488 |
+ init_search_run($1) |
489 |
+ files_search_pids($1) |
490 |
+ allow $1 systemd_logind_var_run_t:fifo_file { getattr write }; |
491 |
+') |
492 |
+ |
493 |
+###################################### |
494 |
+## <summary> |
495 |
## Use inherited systemd |
496 |
## logind file descriptors. |
497 |
## </summary> |
498 |
@@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',` |
499 |
|
500 |
###################################### |
501 |
## <summary> |
502 |
+## Read logind sessions files. |
503 |
+## </summary> |
504 |
+## <param name="domain"> |
505 |
+## <summary> |
506 |
+## Domain allowed access. |
507 |
+## </summary> |
508 |
+## </param> |
509 |
+# |
510 |
+interface(`systemd_read_logind_sessions_files',` |
511 |
+ gen_require(` |
512 |
+ type systemd_sessions_var_run_t, systemd_logind_t; |
513 |
+ ') |
514 |
+ |
515 |
+ allow $1 systemd_logind_t:fd use; |
516 |
+ init_search_run($1) |
517 |
+ allow $1 systemd_sessions_var_run_t:dir list_dir_perms; |
518 |
+ read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t) |
519 |
+') |
520 |
+ |
521 |
+###################################### |
522 |
+## <summary> |
523 |
## Write inherited logind sessions pipes. |
524 |
## </summary> |
525 |
## <param name="domain"> |
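Review bot: `systemd_read_logind_sessions_files` also grants `allow $1 systemd_logind_t:fd use;`, which its summary "Read logind sessions files." does not mention, and every caller in this commit (the ssh server template and udev_t) receives it. Either document it, e.g. `## Read logind sessions files and use file descriptors inherited from logind.`, or leave descriptor use to `systemd_use_logind_fds`, which appears as context at the top of this hunk and, judging by its name, exists for that purpose. Unlike `systemd_write_logind_pid_pipes` added in the previous hunk, this interface calls `init_search_run($1)` but not `files_search_pids($1)`; adding it would make the two consistent.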
526 |
@@ -172,6 +213,25 @@ interface(`systemd_signull_logind',` |
527 |
|
528 |
######################################## |
529 |
## <summary> |
530 |
+## Allow reading /run/systemd/machines |
531 |
+## </summary> |
532 |
+## <param name="domain"> |
533 |
+## <summary> |
534 |
+## Domain that can access the machines files |
535 |
+## </summary> |
536 |
+## </param> |
537 |
+# |
538 |
+interface(`systemd_read_machines',` |
539 |
+ gen_require(` |
540 |
+ type systemd_machined_var_run_t; |
541 |
+ ') |
542 |
+ |
543 |
+ allow $1 systemd_machined_var_run_t:dir list_dir_perms; |
544 |
+ allow $1 systemd_machined_var_run_t:file read_file_perms; |
545 |
+') |
546 |
+ |
547 |
+######################################## |
548 |
+## <summary> |
549 |
## allow systemd_passwd_agent to inherit fds |
550 |
## </summary> |
551 |
## <param name="domain"> |
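Review bot: `systemd_read_machines` allows listing and reading `systemd_machined_var_run_t` but grants no search permission on the parent directories, whereas the other interfaces added to this file call `init_search_run($1)` and, in one case, `files_search_pids($1)`. A caller that does not get those permissions elsewhere could not reach /run/systemd/machines. I would add `init_search_run($1)` and `files_search_pids($1)` before the two allow rules.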
552 |
@@ -188,6 +248,30 @@ interface(`systemd_use_passwd_agent_fds',` |
553 |
allow systemd_passwd_agent_t $1:fd use; |
554 |
') |
555 |
|
556 |
+####################################### |
557 |
+## <summary> |
558 |
+## Allow a systemd_passwd_agent_t process to interact with a daemon |
559 |
+## that needs a password from the sysadmin. |
560 |
+## </summary> |
561 |
+## <param name="domain"> |
562 |
+## <summary> |
563 |
+## Domain allowed access. |
564 |
+## </summary> |
565 |
+## </param> |
566 |
+# |
567 |
+interface(`systemd_use_passwd_agent',` |
568 |
+ gen_require(` |
569 |
+ type systemd_passwd_agent_t; |
570 |
+ type systemd_passwd_var_run_t; |
571 |
+ ') |
572 |
+ |
573 |
+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) |
574 |
+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) |
575 |
+ |
576 |
+ allow systemd_passwd_agent_t $1:process signull; |
577 |
+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; |
578 |
+') |
579 |
+ |
580 |
######################################## |
581 |
## <summary> |
582 |
## Transition to systemd_passwd_var_run_t when creating dirs |
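Review bot: The summary of `systemd_use_passwd_agent` describes only what systemd_passwd_agent_t may do to the caller, while the body also gives the caller `manage_files_pattern` and `manage_sock_files_pattern` on `systemd_passwd_var_run_t`, i.e. create, modify and delete rights over every file and socket of that type. Since these objects are used for password requests according to the summary, the grant should be stated, e.g. `## Allow the domain to manage password request files and sockets, and allow systemd_passwd_agent_t to signull it and send it datagrams.` If callers only need to create their own request file and reply socket, a narrower pattern than manage would stop one daemon altering another's requests. The callers are outside this diff, so that is for the author to confirm.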
583 |
|
584 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
585 |
index 672d289d..210ebc1d 100644 |
586 |
--- a/policy/modules/system/systemd.te |
587 |
+++ b/policy/modules/system/systemd.te |
588 |
@@ -1,4 +1,4 @@ |
589 |
-policy_module(systemd, 1.3.15) |
590 |
+policy_module(systemd, 1.3.16) |
591 |
|
592 |
######################################### |
593 |
# |
594 |
@@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpfiles_t) |
595 |
seutil_read_config(systemd_tmpfiles_t) |
596 |
seutil_read_file_contexts(systemd_tmpfiles_t) |
597 |
|
598 |
-sysnet_create_config(systemd_tmpfiles_t) |
599 |
+sysnet_manage_config(systemd_tmpfiles_t) |
600 |
+sysnet_relabel_config(systemd_tmpfiles_t) |
601 |
|
602 |
systemd_log_parse_environment(systemd_tmpfiles_t) |
603 |
|
604 |
|
605 |
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te |
606 |
index f115d9f8..81543689 100644 |
607 |
--- a/policy/modules/system/udev.te |
608 |
+++ b/policy/modules/system/udev.te |
609 |
@@ -1,4 +1,4 @@ |
610 |
-policy_module(udev, 1.21.6) |
611 |
+policy_module(udev, 1.21.7) |
612 |
|
613 |
######################################## |
614 |
# |
615 |
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',` |
616 |
|
617 |
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; |
618 |
dontaudit udev_t self:capability sys_tty_config; |
619 |
-allow udev_t self:capability2 block_suspend; |
620 |
+allow udev_t self:capability2 { wake_alarm block_suspend }; |
621 |
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
622 |
allow udev_t self:process { execmem setfscreate }; |
623 |
allow udev_t self:fd use; |
624 |
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these |
625 |
files_read_usr_files(udev_t) |
626 |
files_read_etc_runtime_files(udev_t) |
627 |
files_read_etc_files(udev_t) |
628 |
+files_read_kernel_modules(udev_t) |
629 |
files_exec_etc_files(udev_t) |
630 |
files_getattr_generic_locks(udev_t) |
631 |
files_search_mnt(udev_t) |
632 |
@@ -148,8 +149,14 @@ auth_domtrans_pam_console(udev_t) |
633 |
auth_use_nsswitch(udev_t) |
634 |
|
635 |
init_read_utmp(udev_t) |
636 |
+# systemd-udevd searches /run/systemd |
637 |
+init_search_run(udev_t) |
638 |
init_dontaudit_write_utmp(udev_t) |
639 |
init_getattr_initctl(udev_t) |
640 |
+init_start_all_units(udev_t) |
641 |
+init_stop_all_units(udev_t) |
642 |
+# for hdparm init script run by udev |
643 |
+init_get_script_status(udev_t) |
644 |
|
645 |
logging_search_logs(udev_t) |
646 |
logging_send_syslog_msg(udev_t) |
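Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` let udev_t start and stop every unit, yet only the following `init_get_script_status` line carries a justification ("for hdparm init script run by udev"). If the need is limited to the units that udev rules trigger, a narrower interface would be preferable. At minimum, add a comment such as `# udev starts and stops units in response to device events` (wording to be confirmed by the author). These calls also sit outside the ifdef on init_systemd that the next hunk in this file touches, so they appear to apply to non-systemd builds as well.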
647 |
@@ -228,6 +235,7 @@ ifdef(`init_systemd',` |
648 |
|
649 |
init_dgram_send(udev_t) |
650 |
|
651 |
+ systemd_read_logind_sessions_files(udev_t) |
652 |
systemd_read_logind_pids(udev_t) |
653 |
',` |
654 |
fs_manage_tmpfs_dirs(udev_t) |
655 |
|
656 |
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if |
657 |
index 3f7f66a7..02f9dfce 100644 |
658 |
--- a/policy/modules/system/unconfined.if |
659 |
+++ b/policy/modules/system/unconfined.if |
660 |
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',` |
661 |
class dbus all_dbus_perms; |
662 |
class nscd all_nscd_perms; |
663 |
class passwd all_passwd_perms; |
664 |
+ class service all_service_perms; |
665 |
') |
666 |
|
667 |
# Use most Linux capabilities |
668 |
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',` |
669 |
files_unconfined($1) |
670 |
fs_unconfined($1) |
671 |
selinux_unconfined($1) |
672 |
+ files_get_etc_unit_status($1) |
673 |
+ files_start_etc_service($1) |
674 |
+ files_stop_etc_service($1) |
675 |
|
676 |
tunable_policy(`allow_execheap',` |
677 |
# Allow making the stack executable via mprotect. |
678 |
|
679 |
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te |
680 |
index c979a681..bfb8b1c5 100644 |
681 |
--- a/policy/modules/system/unconfined.te |
682 |
+++ b/policy/modules/system/unconfined.te |
683 |
@@ -1,4 +1,4 @@ |
684 |
-policy_module(unconfined, 3.9.2) |
685 |
+policy_module(unconfined, 3.9.3) |
686 |
|
687 |
######################################## |
688 |
# |
689 |
@@ -96,6 +96,10 @@ optional_policy(` |
690 |
') |
691 |
|
692 |
optional_policy(` |
693 |
+ init_admin(unconfined_t) |
694 |
+') |
695 |
+ |
696 |
+optional_policy(` |
697 |
inn_domtrans(unconfined_t) |
698 |
') |