
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
Date: Wed, 02 Dec 2015 15:45:34
Message-Id: 1445831664.eaa1a1b1454ce8ae38f2d84774b3047e9203efd9.swift@gentoo
1 commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9
2 Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
3 AuthorDate: Tue Oct 20 18:33:56 2015 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 26 03:54:24 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1
7
8 Add systemd units for core refpolicy services.
9
10 Only for services that already have a named init script.
11
12 Add rules to init_startstop_service(), with conditional arg until
13 all of refpolicy-contrib callers are updated.
14
15 policy/modules/kernel/files.if | 18 ++++++++++++++++++
16 policy/modules/services/postgresql.if | 4 ++--
17 policy/modules/services/postgresql.te | 3 +++
18 policy/modules/system/init.if | 17 +++++++++++++++++
19 policy/modules/system/init.te | 3 +++
20 policy/modules/system/ipsec.if | 3 ++-
21 policy/modules/system/ipsec.te | 3 +++
22 policy/modules/system/iptables.fc | 5 +++++
23 policy/modules/system/iptables.if | 4 ++--
24 policy/modules/system/iptables.te | 3 +++
25 policy/modules/system/logging.fc | 2 ++
26 policy/modules/system/logging.if | 8 ++++----
27 policy/modules/system/logging.te | 6 ++++++
28 policy/modules/system/lvm.fc | 6 ++++++
29 policy/modules/system/lvm.if | 4 ++--
30 policy/modules/system/lvm.te | 3 +++
31 policy/modules/system/setrans.if | 4 ++--
32 policy/modules/system/setrans.te | 3 +++
33 18 files changed, 86 insertions(+), 13 deletions(-)
34
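diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe..20acc0e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
 exec_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+## Get etc_t service status.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_get_etc_unit_status',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service status;
+')
+
 #######################################
 ## <summary>
 ## Relabel from and to generic files in /etc.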
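Review bot: The gen_require in files_get_etc_unit_status lists only etc_t, while the init.if hunk in this same commit requires `class service { start stop };` before using the service class, so the two new users of that class declare their requirements differently. Add `class service status;` to the gen_require so the interface states everything it relies on, matching init_startstop_service. The allow itself is narrow (status only, on etc_t) and reads fine.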
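diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 11526b6..32e5d06 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
 type postgresql_t, postgresql_var_run_t;
 type postgresql_tmp_t, postgresql_db_t;
 type postgresql_etc_t, postgresql_log_t;
- type postgresql_initrc_exec_t;
+ type postgresql_initrc_exec_t, postgresql_unit_t;
 ')
 
 typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
 allow $1 postgresql_t:process { ptrace signal_perms };
 ps_process_pattern($1, postgresql_t)
 
- init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+ init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
 
 admin_pattern($1, postgresql_var_run_t)
 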
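diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b4ba0f1..6844c35 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")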
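Review bot: postgresql_unit_t is declared here and passed to init_startstop_service by postgresql_admin, but the diffstat lists no change to postgresql.fc, so no unit file is labeled with the new type and the start/stop rule in the admin interface applies to a type nothing carries. The same gap applies to ipsec_unit_t (ipsec.te hunk) and setrans_unit_t (setrans.te hunk), whereas iptables, logging and lvm do get .fc entries in this commit. Unless those file contexts already exist or follow in a later commit, add entries in the style of the iptables.fc hunk, e.g. `/usr/lib/systemd/system/postgresql.* -- gen_context(system_u:object_r:postgresql_unit_t,s0)` (constructed example; confirm the unit file names each package installs).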
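diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508f..cfe4bd4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
 ## Labeled init script file.
 ## </summary>
 ## </param>
+## <param name="unit" optional="true">
+## <summary>
+## Systemd unit file type.
+## </summary>
+## </param>
 #
 interface(`init_startstop_service',`
 gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
 role_transition $2 $4 system_r;
 allow $2 system_r;
 ')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
 ')
 ')
 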
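Review bot: The new systemd branch grants only `{ start stop }` on the unit type, so a role given this interface can start and stop the service but a status query on the unit is not covered, even though this commit introduces a `status` permission on the same class in files.if; if the admin is meant to query the unit as well, widen both lines to `class service { start stop status };` and `allow $1 $5:service { start stop status };`. The ifelse guard on the fifth argument means a systemd build silently grants nothing to callers that still pass four arguments, which the inline comment calls temporary; recording that in the summary of the new unit parameter would make the contract visible to interface users. The body of init_startstop_service begins before this hunk.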
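diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895..79400f2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@ ifdef(`init_systemd',`
 corecmd_shell_domtrans(init_t, initrc_t)
 
 files_read_boot_files(initrc_t)
+ # Allow initrc_t to check /etc/fstab "service." It appears that
+ # systemd is conflating files and services.
+ files_get_etc_unit_status(initrc_t)
 files_setattr_pid_dirs(initrc_t)
 
 selinux_set_enforce_mode(initrc_t)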
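Review bot: The comment above files_get_etc_unit_status(initrc_t) describes the grant as a check of /etc/fstab, but etc_t is the generic label for /etc content, so the rule allows `status` on any etc_t-labeled path rather than on fstab alone. The permission is narrow enough that this is acceptable, but the comment should say what is actually granted, e.g. `# Allow initrc_t to get the "service" status of etc_t paths (e.g. /etc/fstab); systemd appears to conflate files and services.` The enclosing init_systemd block starts before this hunk.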
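diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 3d64054..eec93e6 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -393,12 +393,13 @@ interface(`ipsec_admin',`
 type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
 type ipsec_var_run_t, ipsec_mgmt_lock_t;
 type ipsec_mgmt_var_run_t, racoon_tmp_t;
+ type ipsec_unit_t;
 ')
 
 allow $1 ipsec_t:process { ptrace signal_perms };
 ps_process_pattern($1, ipsec_t)
 
- init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+ init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
 
 ipsec_exec_mgmt($1)
 ipsec_stream_connect($1)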
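diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3dd5c8b..f08fd01 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
 type ipsec_tmp_t;
 files_tmp_file(ipsec_tmp_t)
 
+type ipsec_unit_t;
+init_unit_file(ipsec_unit_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)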
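diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 73a1c4e..b3eda3e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -14,6 +14,11 @@
 /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+
 /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)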
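diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 26ce647..5d2b406 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -185,13 +185,13 @@ interface(`iptables_manage_config',`
 interface(`iptables_admin',`
 gen_require(`
 type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
- type iptables_tmp_t, iptables_var_run_t;
+ type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
 ')
 
 allow $1 iptables_t:process { ptrace signal_perms };
 ps_process_pattern($1, iptables_t)
 
- init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
 
 files_list_etc($1)
 admin_pattern($1, iptables_conf_t)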
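diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 8840633..aa999fb 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -22,6 +22,9 @@ files_config_file(iptables_conf_t)
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
+type iptables_unit_t;
+init_unit_file(iptables_unit_t)
+
 type iptables_var_run_t;
 files_pid_file(iptables_var_run_t)
 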
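diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index fb319d4..e504aec 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,8 @@
 /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)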
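diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6a279f3..9ededbf 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1043,7 +1043,7 @@ interface(`logging_admin_audit',`
 gen_require(`
 type auditd_t, auditd_etc_t, auditd_log_t;
 type auditd_var_run_t;
- type auditd_initrc_exec_t;
+ type auditd_initrc_exec_t, auditd_unit_t;
 ')
 
 allow $1 auditd_t:process { ptrace signal_perms };
@@ -1060,7 +1060,7 @@ interface(`logging_admin_audit',`
 
 logging_run_auditctl($1, $2)
 
- init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
+ init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
 ')
 
 ########################################
@@ -1086,7 +1086,7 @@ interface(`logging_admin_syslog',`
 type syslogd_tmp_t, syslogd_var_lib_t;
 type syslogd_var_run_t, klogd_var_run_t;
 type klogd_tmp_t, var_log_t;
- type syslogd_initrc_exec_t;
+ type syslogd_initrc_exec_t, syslogd_unit_t;
 ')
 
 allow $1 syslogd_t:process { ptrace signal_perms };
@@ -1115,7 +1115,7 @@ interface(`logging_admin_syslog',`
 
 logging_manage_all_logs($1)
 
- init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
+ init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
 ')
 
 ########################################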
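diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6f7335e..fd941ab 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t)
 type auditd_initrc_exec_t;
 init_script_file(auditd_initrc_exec_t)
 
+type auditd_unit_t;
+init_unit_file(auditd_unit_t);
+
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
 
@@ -71,6 +74,9 @@ init_script_file(syslogd_initrc_exec_t)
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)
 
+type syslogd_unit_t;
+init_unit_file(syslogd_unit_t)
+
 type syslogd_var_lib_t;
 files_type(syslogd_var_lib_t)
 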
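Review bot: The added call `init_unit_file(auditd_unit_t);` in the first hunk carries a trailing semicolon, unlike every other init_unit_file call in this commit (syslogd_unit_t in the second hunk, and the postgresql, ipsec, iptables, lvm and setrans .te hunks). m4 passes that stray `;` through into the expanded policy after the macro's own statements, so it is at best noise and at worst a parse error for the policy compiler; drop it so the line reads `init_unit_file(auditd_unit_t)`.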
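diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index ea5ba34..83782b0 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -94,6 +94,12 @@ ifdef(`distro_gentoo',`
 #
 # /usr
 #
+
+/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+
 /usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
 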
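Review bot: The fourth new entry, `/usr/lib/systemd/system/lvm2-lvmetad.*`, is already matched by `/usr/lib/systemd/system/lvm2-.*` on the line before it and assigns the same type, so it is redundant; drop it, or if lvmetad is meant to be listed on its own, narrow the general pattern so the two do not overlap. The other three entries look fine.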
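diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 6561474..5774034 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -162,7 +162,7 @@ interface(`lvm_domtrans_clvmd',`
 #
 interface(`lvm_admin',`
 gen_require(`
- type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+ type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t;
 type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
 type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
 ')
@@ -170,7 +170,7 @@ interface(`lvm_admin',`
 allow $1 clvmd_t:process { ptrace signal_perms };
 ps_process_pattern($1, clvmd_t)
 
- init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+ init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
 
 files_search_etc($1)
 admin_pattern($1, lvm_etc_t)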
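Review bot: lvm_admin now passes lvm_unit_t, which the lvm.fc hunk in this commit assigns to the blk-availability, dm-event and every lvm2-* unit, so the start/stop grant covers all of those units while the init-script argument on the same line is clvmd-specific (clvmd_initrc_exec_t). That is probably acceptable for an LVM admin role, but it is wider than the clvmd-only wording of the surrounding rules suggests; if the narrower scope is intended, a dedicated unit type for the clvmd unit would keep the two arguments in step. lvm_admin continues past the second hunk.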
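diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f0bea03..61bd92b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -32,6 +32,9 @@ files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
 
+type lvm_unit_t;
+init_unit_file(lvm_unit_t)
+
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
 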
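diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 2a8ecaa..9478dd9 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
 interface(`setrans_admin',`
 gen_require(`
 type setrans_t, setrans_initrc_exec_t;
- type setrans_var_run_t;
+ type setrans_var_run_t, setrans_unit_t;
 ')
 
 allow $1 setrans_t:process { ptrace signal_perms };
 ps_process_pattern($1, setrans_t)
 
- init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+ init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
 
 files_search_pids($1)
 admin_pattern($1, setrans_var_run_t)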
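diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2df8b53..e4d4500 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
 type setrans_initrc_exec_t;
 init_script_file(setrans_initrc_exec_t)
 
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
 type setrans_var_run_t;
 files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)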