| 1 |
commit: bce66e80249abbc0998755be34847b5b846d1e16 |
| 2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
| 3 |
AuthorDate: Thu Apr 6 21:37:50 2017 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Apr 10 16:58:44 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bce66e80 |
| 7 |
|
| 8 |
Systemd-related changes from Russell Coker. |
| 9 |
|
| 10 |
policy/modules/kernel/files.if | 36 ++++++++++++++ |
| 11 |
policy/modules/kernel/files.te | 2 +- |
| 12 |
policy/modules/roles/sysadm.te | 12 +---- |
| 13 |
policy/modules/services/ssh.if | 4 ++ |
| 14 |
policy/modules/services/ssh.te | 7 ++- |
| 15 |
policy/modules/services/xserver.te | 6 ++- |
| 16 |
policy/modules/system/fstools.te | 3 +- |
| 17 |
policy/modules/system/init.if | 94 +++++++++++++++++++++++++++++++++++++ |
| 18 |
policy/modules/system/init.te | 6 +-- |
| 19 |
policy/modules/system/locallogin.te | 7 ++- |
| 20 |
policy/modules/system/lvm.fc | 1 + |
| 21 |
policy/modules/system/lvm.te | 7 ++- |
| 22 |
policy/modules/system/sysnetwork.if | 20 ++++++++ |
| 23 |
policy/modules/system/sysnetwork.te | 2 +- |
| 24 |
policy/modules/system/systemd.if | 84 +++++++++++++++++++++++++++++++++ |
| 25 |
policy/modules/system/systemd.te | 5 +- |
| 26 |
policy/modules/system/udev.te | 12 ++++- |
| 27 |
policy/modules/system/unconfined.if | 4 ++ |
| 28 |
policy/modules/system/unconfined.te | 6 ++- |
| 29 |
19 files changed, 292 insertions(+), 26 deletions(-) |
| 30 |
|
| 31 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
| 32 |
index 9f9fdded..0462c1a7 100644 |
| 33 |
--- a/policy/modules/kernel/files.if |
| 34 |
+++ b/policy/modules/kernel/files.if |
| 35 |
@@ -3021,6 +3021,42 @@ interface(`files_get_etc_unit_status',` |
| 36 |
allow $1 etc_t:service status; |
| 37 |
') |
| 38 |
|
| 39 |
+######################################## |
| 40 |
+## <summary> |
| 41 |
+## start etc_t service |
| 42 |
+## </summary> |
| 43 |
+## <param name="domain"> |
| 44 |
+## <summary> |
| 45 |
+## Domain allowed access. |
| 46 |
+## </summary> |
| 47 |
+## </param> |
| 48 |
+# |
| 49 |
+interface(`files_start_etc_service',` |
| 50 |
+ gen_require(` |
| 51 |
+ type etc_t; |
| 52 |
+ ') |
| 53 |
+ |
| 54 |
+ allow $1 etc_t:service start; |
| 55 |
+') |
| 56 |
+ |
| 57 |
+######################################## |
| 58 |
+## <summary> |
| 59 |
+## stop etc_t service |
| 60 |
+## </summary> |
| 61 |
+## <param name="domain"> |
| 62 |
+## <summary> |
| 63 |
+## Domain allowed access. |
| 64 |
+## </summary> |
| 65 |
+## </param> |
| 66 |
+# |
| 67 |
+interface(`files_stop_etc_service',` |
| 68 |
+ gen_require(` |
| 69 |
+ type etc_t; |
| 70 |
+ ') |
| 71 |
+ |
| 72 |
+ allow $1 etc_t:service stop; |
| 73 |
+') |
| 74 |
+ |
| 75 |
####################################### |
| 76 |
## <summary> |
| 77 |
## Relabel from and to generic files in /etc. |
| 78 |
|
| 79 |
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te |
| 80 |
index 67be5c71..c979bcc1 100644 |
| 81 |
--- a/policy/modules/kernel/files.te |
| 82 |
+++ b/policy/modules/kernel/files.te |
| 83 |
@@ -1,4 +1,4 @@ |
| 84 |
-policy_module(files, 1.23.10) |
| 85 |
+policy_module(files, 1.23.11) |
| 86 |
|
| 87 |
######################################## |
| 88 |
# |
| 89 |
|
| 90 |
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te |
| 91 |
index 7b4bf4d9..d917e008 100644 |
| 92 |
--- a/policy/modules/roles/sysadm.te |
| 93 |
+++ b/policy/modules/roles/sysadm.te |
| 94 |
@@ -1,4 +1,4 @@ |
| 95 |
-policy_module(sysadm, 2.11.3) |
| 96 |
+policy_module(sysadm, 2.11.4) |
| 97 |
|
| 98 |
######################################## |
| 99 |
# |
| 100 |
@@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t) |
| 101 |
ubac_fd_exempt(sysadm_t) |
| 102 |
|
| 103 |
init_exec(sysadm_t) |
| 104 |
-init_get_system_status(sysadm_t) |
| 105 |
-init_disable(sysadm_t) |
| 106 |
-init_enable(sysadm_t) |
| 107 |
-init_reload(sysadm_t) |
| 108 |
-init_reboot_system(sysadm_t) |
| 109 |
-init_shutdown_system(sysadm_t) |
| 110 |
-init_start_generic_units(sysadm_t) |
| 111 |
-init_stop_generic_units(sysadm_t) |
| 112 |
-init_reload_generic_units(sysadm_t) |
| 113 |
+init_admin(sysadm_t) |
| 114 |
|
| 115 |
# Add/remove user home directories |
| 116 |
userdom_manage_user_home_dirs(sysadm_t) |
| 117 |
|
| 118 |
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if |
| 119 |
index 21374c77..2ea91129 100644 |
| 120 |
--- a/policy/modules/services/ssh.if |
| 121 |
+++ b/policy/modules/services/ssh.if |
| 122 |
@@ -271,6 +271,10 @@ template(`ssh_server_template', ` |
| 123 |
files_read_var_lib_symlinks($1_t) |
| 124 |
nx_spec_domtrans_server($1_t) |
| 125 |
') |
| 126 |
+ |
| 127 |
+ optional_policy(` |
| 128 |
+ systemd_read_logind_sessions_files($1_t) |
| 129 |
+ ') |
| 130 |
') |
| 131 |
|
| 132 |
######################################## |
| 133 |
|
| 134 |
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te |
| 135 |
index 8d974f90..1b246453 100644 |
| 136 |
--- a/policy/modules/services/ssh.te |
| 137 |
+++ b/policy/modules/services/ssh.te |
| 138 |
@@ -1,4 +1,4 @@ |
| 139 |
-policy_module(ssh, 2.9.2) |
| 140 |
+policy_module(ssh, 2.9.3) |
| 141 |
|
| 142 |
######################################## |
| 143 |
# |
| 144 |
@@ -317,6 +317,11 @@ optional_policy(` |
| 145 |
') |
| 146 |
|
| 147 |
optional_policy(` |
| 148 |
+ systemd_write_inherited_logind_sessions_pipes(sshd_t) |
| 149 |
+ systemd_dbus_chat_logind(sshd_t) |
| 150 |
+') |
| 151 |
+ |
| 152 |
+optional_policy(` |
| 153 |
unconfined_shell_domtrans(sshd_t) |
| 154 |
') |
| 155 |
|
| 156 |
|
| 157 |
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te |
| 158 |
index a692f7a2..4703673a 100644 |
| 159 |
--- a/policy/modules/services/xserver.te |
| 160 |
+++ b/policy/modules/services/xserver.te |
| 161 |
@@ -1,4 +1,4 @@ |
| 162 |
-policy_module(xserver, 3.13.6) |
| 163 |
+policy_module(xserver, 3.13.7) |
| 164 |
|
| 165 |
gen_require(` |
| 166 |
class x_drawable all_x_drawable_perms; |
| 167 |
@@ -275,6 +275,10 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) |
| 168 |
allow xdm_t xauth_home_t:file manage_file_perms; |
| 169 |
userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) |
| 170 |
|
| 171 |
+allow xauth_t xdm_t:fd use; |
| 172 |
+allow xauth_t xdm_t:fifo_file { getattr read }; |
| 173 |
+allow xauth_t xdm_t:unix_stream_socket { read write }; |
| 174 |
+ |
| 175 |
kernel_request_load_module(xauth_t) |
| 176 |
|
| 177 |
domain_use_interactive_fds(xauth_t) |
| 178 |
|
| 179 |
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te |
| 180 |
index 9d729671..a56bfc05 100644 |
| 181 |
--- a/policy/modules/system/fstools.te |
| 182 |
+++ b/policy/modules/system/fstools.te |
| 183 |
@@ -1,4 +1,4 @@ |
| 184 |
-policy_module(fstools, 1.20.1) |
| 185 |
+policy_module(fstools, 1.20.2) |
| 186 |
|
| 187 |
######################################## |
| 188 |
# |
| 189 |
@@ -146,6 +146,7 @@ term_use_console(fsadm_t) |
| 190 |
init_use_fds(fsadm_t) |
| 191 |
init_use_script_ptys(fsadm_t) |
| 192 |
init_dontaudit_getattr_initctl(fsadm_t) |
| 193 |
+init_rw_script_stream_sockets(fsadm_t) |
| 194 |
|
| 195 |
logging_send_syslog_msg(fsadm_t) |
| 196 |
|
| 197 |
|
| 198 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
| 199 |
index e42a7db5..27794bbf 100644 |
| 200 |
--- a/policy/modules/system/init.if |
| 201 |
+++ b/policy/modules/system/init.if |
| 202 |
@@ -1175,6 +1175,25 @@ interface(`init_search_pids',` |
| 203 |
allow $1 init_var_run_t:dir search_dir_perms; |
| 204 |
') |
| 205 |
|
| 206 |
+###################################### |
| 207 |
+## <summary> |
| 208 |
+## Allow listing of the /run/systemd directory. |
| 209 |
+## </summary> |
| 210 |
+## <param name="domain"> |
| 211 |
+## <summary> |
| 212 |
+## Domain allowed access. |
| 213 |
+## </summary> |
| 214 |
+## </param> |
| 215 |
+# |
| 216 |
+interface(`init_list_pids',` |
| 217 |
+ gen_require(` |
| 218 |
+ type init_var_run_t; |
| 219 |
+ ') |
| 220 |
+ |
| 221 |
+ allow $1 init_var_run_t:dir list_dir_perms; |
| 222 |
+ files_search_pids($1) |
| 223 |
+') |
| 224 |
+ |
| 225 |
######################################## |
| 226 |
## <summary> |
| 227 |
## Create files in an init PID directory. |
| 228 |
@@ -1582,6 +1601,25 @@ interface(`init_all_labeled_script_domtrans',` |
| 229 |
|
| 230 |
######################################## |
| 231 |
## <summary> |
| 232 |
+## Allow getting service status of initrc_exec_t scripts |
| 233 |
+## </summary> |
| 234 |
+## <param name="domain"> |
| 235 |
+## <summary> |
| 236 |
+## Target domain |
| 237 |
+## </summary> |
| 238 |
+## </param> |
| 239 |
+# |
| 240 |
+interface(`init_get_script_status',` |
| 241 |
+ gen_require(` |
| 242 |
+ type initrc_exec_t; |
| 243 |
+ class service status; |
| 244 |
+ ') |
| 245 |
+ |
| 246 |
+ allow $1 initrc_exec_t:service status; |
| 247 |
+') |
| 248 |
+ |
| 249 |
+######################################## |
| 250 |
+## <summary> |
| 251 |
## Allow the role to start and stop |
| 252 |
## labeled services. |
| 253 |
## </summary> |
| 254 |
@@ -2890,6 +2928,26 @@ interface(`init_get_all_units_status',` |
| 255 |
allow $1 { init_script_file_type systemdunit }:service status; |
| 256 |
') |
| 257 |
|
| 258 |
+####################################### |
| 259 |
+## <summary> |
| 260 |
+## All perms on all systemd units. |
| 261 |
+## </summary> |
| 262 |
+## <param name="domain"> |
| 263 |
+## <summary> |
| 264 |
+## Domain allowed access. |
| 265 |
+## </summary> |
| 266 |
+## </param> |
| 267 |
+# |
| 268 |
+interface(`init_manage_all_units',` |
| 269 |
+ gen_require(` |
| 270 |
+ attribute systemdunit; |
| 271 |
+ class service all_service_perms; |
| 272 |
+ ') |
| 273 |
+ |
| 274 |
+ allow $1 systemdunit:service all_service_perms; |
| 275 |
+ allow $1 systemdunit:file getattr; |
| 276 |
+') |
| 277 |
+ |
| 278 |
######################################## |
| 279 |
## <summary> |
| 280 |
## Start all systemd units. |
| 281 |
@@ -2946,3 +3004,39 @@ interface(`init_reload_all_units',` |
| 282 |
|
| 283 |
allow $1 { init_script_file_type systemdunit }:service reload; |
| 284 |
') |
| 285 |
+ |
| 286 |
+######################################## |
| 287 |
+## <summary> |
| 288 |
+## Allow unconfined access to send instructions to init |
| 289 |
+## </summary> |
| 290 |
+## <param name="domain"> |
| 291 |
+## <summary> |
| 292 |
+## Target domain |
| 293 |
+## </summary> |
| 294 |
+## </param> |
| 295 |
+# |
| 296 |
+interface(`init_admin',` |
| 297 |
+ gen_require(` |
| 298 |
+ type initrc_exec_t; |
| 299 |
+ class service status; |
| 300 |
+ ') |
| 301 |
+ |
| 302 |
+ dev_manage_null_service($1) |
| 303 |
+ init_disable($1) |
| 304 |
+ init_enable($1) |
| 305 |
+ init_get_all_units_status($1) |
| 306 |
+ init_get_generic_units_status($1) |
| 307 |
+ init_get_system_status($1) |
| 308 |
+ init_manage_all_units($1) |
| 309 |
+ init_manage_script_service($1) |
| 310 |
+ init_reboot_system($1) |
| 311 |
+ init_reload($1) |
| 312 |
+ init_reload_all_units($1) |
| 313 |
+ init_shutdown_system($1) |
| 314 |
+ init_start_all_units($1) |
| 315 |
+ init_start_generic_units($1) |
| 316 |
+ init_stop_all_units($1) |
| 317 |
+ init_stop_generic_units($1) |
| 318 |
+ init_stop_system($1) |
| 319 |
+ init_telinit($1) |
| 320 |
+') |
| 321 |
|
| 322 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 323 |
index aed3e65a..02a240d8 100644 |
| 324 |
--- a/policy/modules/system/init.te |
| 325 |
+++ b/policy/modules/system/init.te |
| 326 |
@@ -1,4 +1,4 @@ |
| 327 |
-policy_module(init, 2.2.15) |
| 328 |
+policy_module(init, 2.2.16) |
| 329 |
|
| 330 |
gen_require(` |
| 331 |
class passwd rootok; |
| 332 |
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',` |
| 333 |
seutil_read_default_contexts(initrc_t) |
| 334 |
|
| 335 |
# /lib/rcscripts/net/system.sh rewrites resolv.conf :( |
| 336 |
- sysnet_create_config(initrc_t) |
| 337 |
- sysnet_write_config(initrc_t) |
| 338 |
- sysnet_setattr_config(initrc_t) |
| 339 |
+ sysnet_manage_config(initrc_t) |
| 340 |
|
| 341 |
optional_policy(` |
| 342 |
abrt_manage_pid_files(initrc_t) |
| 343 |
|
| 344 |
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
| 345 |
index 22cb0fa3..bcebce9d 100644 |
| 346 |
--- a/policy/modules/system/locallogin.te |
| 347 |
+++ b/policy/modules/system/locallogin.te |
| 348 |
@@ -1,4 +1,4 @@ |
| 349 |
-policy_module(locallogin, 1.15.3) |
| 350 |
+policy_module(locallogin, 1.15.4) |
| 351 |
|
| 352 |
######################################## |
| 353 |
# |
| 354 |
@@ -193,6 +193,11 @@ optional_policy(` |
| 355 |
') |
| 356 |
|
| 357 |
optional_policy(` |
| 358 |
+ systemd_dbus_chat_logind(local_login_t) |
| 359 |
+ systemd_write_inherited_logind_sessions_pipes(local_login_t) |
| 360 |
+') |
| 361 |
+ |
| 362 |
+optional_policy(` |
| 363 |
unconfined_shell_domtrans(local_login_t) |
| 364 |
') |
| 365 |
|
| 366 |
|
| 367 |
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc |
| 368 |
index d2f755f2..1e6abbaf 100644 |
| 369 |
--- a/policy/modules/system/lvm.fc |
| 370 |
+++ b/policy/modules/system/lvm.fc |
| 371 |
@@ -29,6 +29,7 @@ ifdef(`distro_gentoo',` |
| 372 |
|
| 373 |
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
| 374 |
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
| 375 |
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) |
| 376 |
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
| 377 |
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
| 378 |
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
| 379 |
|
| 380 |
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te |
| 381 |
index 977a374b..09740eb4 100644 |
| 382 |
--- a/policy/modules/system/lvm.te |
| 383 |
+++ b/policy/modules/system/lvm.te |
| 384 |
@@ -1,4 +1,4 @@ |
| 385 |
-policy_module(lvm, 1.19.7) |
| 386 |
+policy_module(lvm, 1.19.8) |
| 387 |
|
| 388 |
######################################## |
| 389 |
# |
| 390 |
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) |
| 391 |
files_etc_filetrans(lvm_t, lvm_metadata_t, file) |
| 392 |
files_search_mnt(lvm_t) |
| 393 |
|
| 394 |
+kernel_request_load_module(lvm_t) |
| 395 |
kernel_get_sysvipc_info(lvm_t) |
| 396 |
kernel_read_system_state(lvm_t) |
| 397 |
# Read system variables in /proc/sys |
| 398 |
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t) |
| 399 |
# it has no reason to need this |
| 400 |
kernel_dontaudit_getattr_core_if(lvm_t) |
| 401 |
kernel_use_fds(lvm_t) |
| 402 |
+# for systemd-cryptsetup |
| 403 |
+kernel_read_crypto_sysctls(lvm_t) |
| 404 |
kernel_search_debugfs(lvm_t) |
| 405 |
|
| 406 |
corecmd_exec_bin(lvm_t) |
| 407 |
@@ -301,6 +304,8 @@ init_use_fds(lvm_t) |
| 408 |
init_dontaudit_getattr_initctl(lvm_t) |
| 409 |
init_use_script_ptys(lvm_t) |
| 410 |
init_read_script_state(lvm_t) |
| 411 |
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket |
| 412 |
+init_stream_connect(lvm_t) |
| 413 |
|
| 414 |
logging_send_syslog_msg(lvm_t) |
| 415 |
|
| 416 |
|
| 417 |
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if |
| 418 |
index 86313b66..a20a2d46 100644 |
| 419 |
--- a/policy/modules/system/sysnetwork.if |
| 420 |
+++ b/policy/modules/system/sysnetwork.if |
| 421 |
@@ -418,6 +418,25 @@ interface(`sysnet_create_config',` |
| 422 |
|
| 423 |
####################################### |
| 424 |
## <summary> |
| 425 |
+## Relabel network config files. |
| 426 |
+## </summary> |
| 427 |
+## <param name="domain"> |
| 428 |
+## <summary> |
| 429 |
+## Domain allowed access. |
| 430 |
+## </summary> |
| 431 |
+## </param> |
| 432 |
+# |
| 433 |
+interface(`sysnet_relabel_config',` |
| 434 |
+ gen_require(` |
| 435 |
+ type net_conf_t; |
| 436 |
+ ') |
| 437 |
+ |
| 438 |
+ files_search_etc($1) |
| 439 |
+ allow $1 net_conf_t:file { relabelfrom relabelto }; |
| 440 |
+') |
| 441 |
+ |
| 442 |
+####################################### |
| 443 |
+## <summary> |
| 444 |
## Create files in /etc with the type used for |
| 445 |
## the network config files. |
| 446 |
## </summary> |
| 447 |
@@ -455,6 +474,7 @@ interface(`sysnet_manage_config',` |
| 448 |
type net_conf_t; |
| 449 |
') |
| 450 |
|
| 451 |
+ files_search_etc($1) |
| 452 |
allow $1 net_conf_t:file manage_file_perms; |
| 453 |
|
| 454 |
ifdef(`distro_debian',` |
| 455 |
|
| 456 |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
| 457 |
index a0f907e3..8e6d532a 100644 |
| 458 |
--- a/policy/modules/system/sysnetwork.te |
| 459 |
+++ b/policy/modules/system/sysnetwork.te |
| 460 |
@@ -1,4 +1,4 @@ |
| 461 |
-policy_module(sysnetwork, 1.20.7) |
| 462 |
+policy_module(sysnetwork, 1.20.8) |
| 463 |
|
| 464 |
######################################## |
| 465 |
# |
| 466 |
|
| 467 |
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
| 468 |
index 5e5268c0..cd6d2e4a 100644 |
| 469 |
--- a/policy/modules/system/systemd.if |
| 470 |
+++ b/policy/modules/system/systemd.if |
| 471 |
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pipes',` |
| 472 |
|
| 473 |
###################################### |
| 474 |
## <summary> |
| 475 |
+## Write systemd_login named pipe. |
| 476 |
+## </summary> |
| 477 |
+## <param name="domain"> |
| 478 |
+## <summary> |
| 479 |
+## Domain allowed access. |
| 480 |
+## </summary> |
| 481 |
+## </param> |
| 482 |
+# |
| 483 |
+interface(`systemd_write_logind_pid_pipes',` |
| 484 |
+ gen_require(` |
| 485 |
+ type systemd_logind_var_run_t; |
| 486 |
+ ') |
| 487 |
+ |
| 488 |
+ init_search_run($1) |
| 489 |
+ files_search_pids($1) |
| 490 |
+ allow $1 systemd_logind_var_run_t:fifo_file { getattr write }; |
| 491 |
+') |
| 492 |
+ |
| 493 |
+###################################### |
| 494 |
+## <summary> |
| 495 |
## Use inherited systemd |
| 496 |
## logind file descriptors. |
| 497 |
## </summary> |
| 498 |
@@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',` |
| 499 |
|
| 500 |
###################################### |
| 501 |
## <summary> |
| 502 |
+## Read logind sessions files. |
| 503 |
+## </summary> |
| 504 |
+## <param name="domain"> |
| 505 |
+## <summary> |
| 506 |
+## Domain allowed access. |
| 507 |
+## </summary> |
| 508 |
+## </param> |
| 509 |
+# |
| 510 |
+interface(`systemd_read_logind_sessions_files',` |
| 511 |
+ gen_require(` |
| 512 |
+ type systemd_sessions_var_run_t, systemd_logind_t; |
| 513 |
+ ') |
| 514 |
+ |
| 515 |
+ allow $1 systemd_logind_t:fd use; |
| 516 |
+ init_search_run($1) |
| 517 |
+ allow $1 systemd_sessions_var_run_t:dir list_dir_perms; |
| 518 |
+ read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t) |
| 519 |
+') |
| 520 |
+ |
| 521 |
+###################################### |
| 522 |
+## <summary> |
| 523 |
## Write inherited logind sessions pipes. |
| 524 |
## </summary> |
| 525 |
## <param name="domain"> |
| 526 |
@@ -172,6 +213,25 @@ interface(`systemd_signull_logind',` |
| 527 |
|
| 528 |
######################################## |
| 529 |
## <summary> |
| 530 |
+## Allow reading /run/systemd/machines |
| 531 |
+## </summary> |
| 532 |
+## <param name="domain"> |
| 533 |
+## <summary> |
| 534 |
+## Domain that can access the machines files |
| 535 |
+## </summary> |
| 536 |
+## </param> |
| 537 |
+# |
| 538 |
+interface(`systemd_read_machines',` |
| 539 |
+ gen_require(` |
| 540 |
+ type systemd_machined_var_run_t; |
| 541 |
+ ') |
| 542 |
+ |
| 543 |
+ allow $1 systemd_machined_var_run_t:dir list_dir_perms; |
| 544 |
+ allow $1 systemd_machined_var_run_t:file read_file_perms; |
| 545 |
+') |
| 546 |
+ |
| 547 |
+######################################## |
| 548 |
+## <summary> |
| 549 |
## allow systemd_passwd_agent to inherit fds |
| 550 |
## </summary> |
| 551 |
## <param name="domain"> |
| 552 |
@@ -188,6 +248,30 @@ interface(`systemd_use_passwd_agent_fds',` |
| 553 |
allow systemd_passwd_agent_t $1:fd use; |
| 554 |
') |
| 555 |
|
| 556 |
+####################################### |
| 557 |
+## <summary> |
| 558 |
+## Allow a systemd_passwd_agent_t process to interact with a daemon |
| 559 |
+## that needs a password from the sysadmin. |
| 560 |
+## </summary> |
| 561 |
+## <param name="domain"> |
| 562 |
+## <summary> |
| 563 |
+## Domain allowed access. |
| 564 |
+## </summary> |
| 565 |
+## </param> |
| 566 |
+# |
| 567 |
+interface(`systemd_use_passwd_agent',` |
| 568 |
+ gen_require(` |
| 569 |
+ type systemd_passwd_agent_t; |
| 570 |
+ type systemd_passwd_var_run_t; |
| 571 |
+ ') |
| 572 |
+ |
| 573 |
+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) |
| 574 |
+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) |
| 575 |
+ |
| 576 |
+ allow systemd_passwd_agent_t $1:process signull; |
| 577 |
+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; |
| 578 |
+') |
| 579 |
+ |
| 580 |
######################################## |
| 581 |
## <summary> |
| 582 |
## Transition to systemd_passwd_var_run_t when creating dirs |
| 583 |
|
| 584 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 585 |
index 672d289d..210ebc1d 100644 |
| 586 |
--- a/policy/modules/system/systemd.te |
| 587 |
+++ b/policy/modules/system/systemd.te |
| 588 |
@@ -1,4 +1,4 @@ |
| 589 |
-policy_module(systemd, 1.3.15) |
| 590 |
+policy_module(systemd, 1.3.16) |
| 591 |
|
| 592 |
######################################### |
| 593 |
# |
| 594 |
@@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpfiles_t) |
| 595 |
seutil_read_config(systemd_tmpfiles_t) |
| 596 |
seutil_read_file_contexts(systemd_tmpfiles_t) |
| 597 |
|
| 598 |
-sysnet_create_config(systemd_tmpfiles_t) |
| 599 |
+sysnet_manage_config(systemd_tmpfiles_t) |
| 600 |
+sysnet_relabel_config(systemd_tmpfiles_t) |
| 601 |
|
| 602 |
systemd_log_parse_environment(systemd_tmpfiles_t) |
| 603 |
|
| 604 |
|
| 605 |
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te |
| 606 |
index f115d9f8..81543689 100644 |
| 607 |
--- a/policy/modules/system/udev.te |
| 608 |
+++ b/policy/modules/system/udev.te |
| 609 |
@@ -1,4 +1,4 @@ |
| 610 |
-policy_module(udev, 1.21.6) |
| 611 |
+policy_module(udev, 1.21.7) |
| 612 |
|
| 613 |
######################################## |
| 614 |
# |
| 615 |
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',` |
| 616 |
|
| 617 |
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; |
| 618 |
dontaudit udev_t self:capability sys_tty_config; |
| 619 |
-allow udev_t self:capability2 block_suspend; |
| 620 |
+allow udev_t self:capability2 { wake_alarm block_suspend }; |
| 621 |
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
| 622 |
allow udev_t self:process { execmem setfscreate }; |
| 623 |
allow udev_t self:fd use; |
| 624 |
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these |
| 625 |
files_read_usr_files(udev_t) |
| 626 |
files_read_etc_runtime_files(udev_t) |
| 627 |
files_read_etc_files(udev_t) |
| 628 |
+files_read_kernel_modules(udev_t) |
| 629 |
files_exec_etc_files(udev_t) |
| 630 |
files_getattr_generic_locks(udev_t) |
| 631 |
files_search_mnt(udev_t) |
| 632 |
@@ -148,8 +149,14 @@ auth_domtrans_pam_console(udev_t) |
| 633 |
auth_use_nsswitch(udev_t) |
| 634 |
|
| 635 |
init_read_utmp(udev_t) |
| 636 |
+# systemd-udevd searches /run/systemd |
| 637 |
+init_search_run(udev_t) |
| 638 |
init_dontaudit_write_utmp(udev_t) |
| 639 |
init_getattr_initctl(udev_t) |
| 640 |
+init_start_all_units(udev_t) |
| 641 |
+init_stop_all_units(udev_t) |
| 642 |
+# for hdparm init script run by udev |
| 643 |
+init_get_script_status(udev_t) |
| 644 |
|
| 645 |
logging_search_logs(udev_t) |
| 646 |
logging_send_syslog_msg(udev_t) |
| 647 |
@@ -228,6 +235,7 @@ ifdef(`init_systemd',` |
| 648 |
|
| 649 |
init_dgram_send(udev_t) |
| 650 |
|
| 651 |
+ systemd_read_logind_sessions_files(udev_t) |
| 652 |
systemd_read_logind_pids(udev_t) |
| 653 |
',` |
| 654 |
fs_manage_tmpfs_dirs(udev_t) |
| 655 |
|
| 656 |
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if |
| 657 |
index 3f7f66a7..02f9dfce 100644 |
| 658 |
--- a/policy/modules/system/unconfined.if |
| 659 |
+++ b/policy/modules/system/unconfined.if |
| 660 |
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',` |
| 661 |
class dbus all_dbus_perms; |
| 662 |
class nscd all_nscd_perms; |
| 663 |
class passwd all_passwd_perms; |
| 664 |
+ class service all_service_perms; |
| 665 |
') |
| 666 |
|
| 667 |
# Use most Linux capabilities |
| 668 |
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',` |
| 669 |
files_unconfined($1) |
| 670 |
fs_unconfined($1) |
| 671 |
selinux_unconfined($1) |
| 672 |
+ files_get_etc_unit_status($1) |
| 673 |
+ files_start_etc_service($1) |
| 674 |
+ files_stop_etc_service($1) |
| 675 |
|
| 676 |
tunable_policy(`allow_execheap',` |
| 677 |
# Allow making the stack executable via mprotect. |
| 678 |
|
| 679 |
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te |
| 680 |
index c979a681..bfb8b1c5 100644 |
| 681 |
--- a/policy/modules/system/unconfined.te |
| 682 |
+++ b/policy/modules/system/unconfined.te |
| 683 |
@@ -1,4 +1,4 @@ |
| 684 |
-policy_module(unconfined, 3.9.2) |
| 685 |
+policy_module(unconfined, 3.9.3) |
| 686 |
|
| 687 |
######################################## |
| 688 |
# |
| 689 |
@@ -96,6 +96,10 @@ optional_policy(` |
| 690 |
') |
| 691 |
|
| 692 |
optional_policy(` |
| 693 |
+ init_admin(unconfined_t) |
| 694 |
+') |
| 695 |
+ |
| 696 |
+optional_policy(` |
| 697 |
inn_domtrans(unconfined_t) |
| 698 |
') |
Archives