commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9 |
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com> |
AuthorDate: Tue Oct 20 18:33:56 2015 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 26 03:54:24 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1 |
|
Add systemd units for core refpolicy services. |
|
Only for services that already have a named init script. |
|
Add rules to init_startstop_service(), with an optional unit-file argument until |
all of refpolicy-contrib callers are updated. |
|
policy/modules/kernel/files.if | 18 ++++++++++++++++++ |
policy/modules/services/postgresql.if | 4 ++-- |
policy/modules/services/postgresql.te | 3 +++ |
policy/modules/system/init.if | 17 +++++++++++++++++ |
policy/modules/system/init.te | 3 +++ |
policy/modules/system/ipsec.if | 3 ++- |
policy/modules/system/ipsec.te | 3 +++ |
policy/modules/system/iptables.fc | 5 +++++ |
policy/modules/system/iptables.if | 4 ++-- |
policy/modules/system/iptables.te | 3 +++ |
policy/modules/system/logging.fc | 2 ++ |
policy/modules/system/logging.if | 8 ++++---- |
policy/modules/system/logging.te | 6 ++++++ |
policy/modules/system/lvm.fc | 6 ++++++ |
policy/modules/system/lvm.if | 4 ++-- |
policy/modules/system/lvm.te | 3 +++ |
policy/modules/system/setrans.if | 4 ++-- |
policy/modules/system/setrans.te | 3 +++ |
18 files changed, 86 insertions(+), 13 deletions(-) |
|
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
36 |
index cbb8afe..20acc0e 100644 |
37 |
--- a/policy/modules/kernel/files.if |
38 |
+++ b/policy/modules/kernel/files.if |
39 |
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',` |
40 |
exec_files_pattern($1, etc_t, etc_t) |
41 |
') |
42 |
|
43 |
+######################################## |
44 |
+## <summary> |
45 |
+## Get etc_t service status. |
46 |
+## </summary> |
47 |
+## <param name="domain"> |
48 |
+## <summary> |
49 |
+## Domain allowed access. |
50 |
+## </summary> |
51 |
+## </param> |
52 |
+# |
53 |
+interface(`files_get_etc_unit_status',` |
54 |
+ gen_require(` |
55 |
+ type etc_t; |
56 |
+ ') |
57 |
+ |
58 |
+ allow $1 etc_t:service status; |
59 |
+') |
60 |
+ |
61 |
####################################### |
62 |
## <summary> |
63 |
## Relabel from and to generic files in /etc. |
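Review bot: files_get_etc_unit_status uses the service class without requiring it: its gen_require lists only `type etc_t;`, while the rule this same commit adds to init_startstop_service requires `class service { start stop };` before touching the service class. For consistency with that hunk, and so the interface is rejected cleanly on a policy whose class definitions lack service, add `class service status;` to the gen_require block. The summary "Get etc_t service status." also says nothing about when a unit ends up with an etc_t label; a sentence along the lines of "status queries against units whose label is taken from a source file under /etc" would tell callers what they are actually granting.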
64 |
|
65 |
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if |
66 |
index 11526b6..32e5d06 100644 |
67 |
--- a/policy/modules/services/postgresql.if |
68 |
+++ b/policy/modules/services/postgresql.if |
69 |
@@ -587,7 +587,7 @@ interface(`postgresql_admin',` |
70 |
type postgresql_t, postgresql_var_run_t; |
71 |
type postgresql_tmp_t, postgresql_db_t; |
72 |
type postgresql_etc_t, postgresql_log_t; |
73 |
- type postgresql_initrc_exec_t; |
74 |
+ type postgresql_initrc_exec_t, postgresql_unit_t; |
75 |
') |
76 |
|
77 |
typeattribute $1 sepgsql_admin_type; |
78 |
@@ -595,7 +595,7 @@ interface(`postgresql_admin',` |
79 |
allow $1 postgresql_t:process { ptrace signal_perms }; |
80 |
ps_process_pattern($1, postgresql_t) |
81 |
|
82 |
- init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t) |
83 |
+ init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t) |
84 |
|
85 |
admin_pattern($1, postgresql_var_run_t) |
86 |
|
87 |
|
88 |
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te |
89 |
index b4ba0f1..6844c35 100644 |
90 |
--- a/policy/modules/services/postgresql.te |
91 |
+++ b/policy/modules/services/postgresql.te |
92 |
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t) |
93 |
type postgresql_tmp_t; |
94 |
files_tmp_file(postgresql_tmp_t) |
95 |
|
96 |
+type postgresql_unit_t; |
97 |
+init_unit_file(postgresql_unit_t) |
98 |
+ |
99 |
type postgresql_var_run_t; |
100 |
files_pid_file(postgresql_var_run_t) |
101 |
init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql") |
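Review bot: postgresql_unit_t is declared here and passed to init_startstop_service in postgresql_admin, but the diffstat shows no postgresql.fc change, so nothing in this commit labels a unit file with the new type; unless a file context exists elsewhere, the start/stop rule it feeds grants nothing in practice. If the unit is installed under the path the other modules use, a line such as `/usr/lib/systemd/system/postgresql.* -- gen_context(system_u:object_r:postgresql_unit_t,s0)` belongs in postgresql.fc alongside this declaration.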
102 |
|
103 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
104 |
index 192508f..cfe4bd4 100644 |
105 |
--- a/policy/modules/system/init.if |
106 |
+++ b/policy/modules/system/init.if |
107 |
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',` |
108 |
## Labeled init script file. |
109 |
## </summary> |
110 |
## </param> |
111 |
+## <param name="unit" optional="true"> |
112 |
+## <summary> |
113 |
+## Systemd unit file type. |
114 |
+## </summary> |
115 |
+## </param> |
116 |
# |
117 |
interface(`init_startstop_service',` |
118 |
gen_require(` |
119 |
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',` |
120 |
role_transition $2 $4 system_r; |
121 |
allow $2 system_r; |
122 |
') |
123 |
+ |
124 |
+ ifdef(`init_systemd',` |
125 |
+ # This ifelse condition is temporary, until |
126 |
+ # all callers are updated to provide unit files. |
127 |
+ ifelse(`$5',`',`',` |
128 |
+ gen_require(` |
129 |
+ class service { start stop }; |
130 |
+ ') |
131 |
+ |
132 |
+ allow $1 $5:service { start stop }; |
133 |
+ ') |
134 |
+ ') |
135 |
') |
136 |
') |
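Review bot: The rule added under init_systemd grants only `start` and `stop` on the unit type, so an administrator given this interface can start and stop the unit but, as far as the visible rule goes, querying it (e.g. systemctl status) or reloading it is not covered; if that is deliberate it should be stated in the param summary, otherwise the require and the rule should read `class service { start stop status reload };` and `allow $1 $5:service { start stop status reload };`. The `ifelse` on an empty `$5` is a reasonable stopgap, but the comment should also spell out the consequence — callers that pass no fifth argument silently get no systemd rules at all — so the gap is visible at each call site rather than only here. The interface body starts before this hunk.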
137 |
|
138 |
|
139 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
140 |
index 916b895..79400f2 100644 |
141 |
--- a/policy/modules/system/init.te |
142 |
+++ b/policy/modules/system/init.te |
143 |
@@ -746,6 +746,9 @@ ifdef(`init_systemd',` |
144 |
corecmd_shell_domtrans(init_t, initrc_t) |
145 |
|
146 |
files_read_boot_files(initrc_t) |
147 |
+ # Allow initrc_t to check /etc/fstab "service." It appears that |
148 |
+ # systemd is conflating files and services. |
149 |
+ files_get_etc_unit_status(initrc_t) |
150 |
files_setattr_pid_dirs(initrc_t) |
151 |
|
152 |
selinux_set_enforce_mode(initrc_t) |
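Review bot: The comment on the new files_get_etc_unit_status call records a guess ("It appears that systemd is conflating files and services") rather than a mechanism, which leaves the next reader to rediscover why initrc_t needs status on etc_t. Presumably the unit in question is a mount unit generated from /etc/fstab, which has no unit file of its own, so systemd's access check falls back to the label of the source file; that should be confirmed and then written down, e.g. `# Mount units generated from /etc/fstab carry their source file's label (etc_t), so status queries on them are checked against etc_t:service.`. The rule is also not fstab-specific — it applies to any unit whose label resolves to etc_t — so the comment should not imply it is. The enclosing ifdef(`init_systemd') block starts before this hunk.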
153 |
|
154 |
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if |
155 |
index 3d64054..eec93e6 100644 |
156 |
--- a/policy/modules/system/ipsec.if |
157 |
+++ b/policy/modules/system/ipsec.if |
158 |
@@ -393,12 +393,13 @@ interface(`ipsec_admin',` |
159 |
type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t; |
160 |
type ipsec_var_run_t, ipsec_mgmt_lock_t; |
161 |
type ipsec_mgmt_var_run_t, racoon_tmp_t; |
162 |
+ type ipsec_unit_t; |
163 |
') |
164 |
|
165 |
allow $1 ipsec_t:process { ptrace signal_perms }; |
166 |
ps_process_pattern($1, ipsec_t) |
167 |
|
168 |
- init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t) |
169 |
+ init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t) |
170 |
|
171 |
ipsec_exec_mgmt($1) |
172 |
ipsec_stream_connect($1) |
173 |
|
174 |
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te |
175 |
index 3dd5c8b..f08fd01 100644 |
176 |
--- a/policy/modules/system/ipsec.te |
177 |
+++ b/policy/modules/system/ipsec.te |
178 |
@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t) |
179 |
type ipsec_tmp_t; |
180 |
files_tmp_file(ipsec_tmp_t) |
181 |
|
182 |
+type ipsec_unit_t; |
183 |
+init_unit_file(ipsec_unit_t) |
184 |
+ |
185 |
# type for runtime files, including pluto.ctl |
186 |
type ipsec_var_run_t; |
187 |
files_pid_file(ipsec_var_run_t) |
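Review bot: No ipsec.fc entry accompanies the new ipsec_unit_t (the diffstat lists only ipsec.if and ipsec.te), so as of this commit no unit file carries the type and the rule it feeds in ipsec_admin is inert. A file context such as `/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_unit_t,s0)` would be needed, with the pattern checked against whatever unit names the IKE daemons actually install on Gentoo.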
188 |
|
189 |
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc |
190 |
index 73a1c4e..b3eda3e 100644 |
191 |
--- a/policy/modules/system/iptables.fc |
192 |
+++ b/policy/modules/system/iptables.fc |
193 |
@@ -14,6 +14,11 @@ |
194 |
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) |
195 |
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) |
196 |
|
197 |
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0) |
198 |
+/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0) |
199 |
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0) |
200 |
+/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0) |
201 |
+ |
202 |
/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) |
203 |
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) |
204 |
/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) |
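Review bot: The four new patterns match any regular file under /usr/lib/systemd/system whose name merely contains `arptables`, `ebtables`, `ip6tables` or `iptables`, because of the `[^/]*` prefix and the unanchored `.*` suffix; they are not limited to unit files, so an unrelated file with one of those substrings in its name would also become iptables_unit_t. Unless the prefix is needed for a known unit name, the tighter form this same commit uses for auditd and lvm, e.g. `/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)`, would be safer; if the prefix is needed, a comment naming the unit it is meant to catch would justify it.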
205 |
|
206 |
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if |
207 |
index 26ce647..5d2b406 100644 |
208 |
--- a/policy/modules/system/iptables.if |
209 |
+++ b/policy/modules/system/iptables.if |
210 |
@@ -185,13 +185,13 @@ interface(`iptables_manage_config',` |
211 |
interface(`iptables_admin',` |
212 |
gen_require(` |
213 |
type iptables_t, iptables_initrc_exec_t, iptables_conf_t; |
214 |
- type iptables_tmp_t, iptables_var_run_t; |
215 |
+ type iptables_tmp_t, iptables_var_run_t, iptables_unit_t; |
216 |
') |
217 |
|
218 |
allow $1 iptables_t:process { ptrace signal_perms }; |
219 |
ps_process_pattern($1, iptables_t) |
220 |
|
221 |
- init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t) |
222 |
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t) |
223 |
|
224 |
files_list_etc($1) |
225 |
admin_pattern($1, iptables_conf_t) |
226 |
|
227 |
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te |
228 |
index 8840633..aa999fb 100644 |
229 |
--- a/policy/modules/system/iptables.te |
230 |
+++ b/policy/modules/system/iptables.te |
231 |
@@ -22,6 +22,9 @@ files_config_file(iptables_conf_t) |
232 |
type iptables_tmp_t; |
233 |
files_tmp_file(iptables_tmp_t) |
234 |
|
235 |
+type iptables_unit_t; |
236 |
+init_unit_file(iptables_unit_t) |
237 |
+ |
238 |
type iptables_var_run_t; |
239 |
files_pid_file(iptables_var_run_t) |
240 |
|
241 |
|
242 |
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc |
243 |
index fb319d4..e504aec 100644 |
244 |
--- a/policy/modules/system/logging.fc |
245 |
+++ b/policy/modules/system/logging.fc |
246 |
@@ -17,6 +17,8 @@ |
247 |
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
248 |
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
249 |
|
250 |
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) |
251 |
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) |
252 |
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
253 |
|
254 |
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) |
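Review bot: `[^/]*systemd-journal.*` labels every unit whose name contains `systemd-journal` as syslogd_unit_t, which covers systemd-journald.service and its sockets but also, where installed, the systemd-journal-remote, -upload and -gatewayd units; logging_admin_syslog would then be able to start and stop those network-facing services too, which a syslog administrator may not be meant to control. If that is not intended, narrow the pattern to `/usr/lib/systemd/system/systemd-journald.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)` and add an explicit line for the flush service if it should be covered as well.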
255 |
|
256 |
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if |
257 |
index 6a279f3..9ededbf 100644 |
258 |
--- a/policy/modules/system/logging.if |
259 |
+++ b/policy/modules/system/logging.if |
260 |
@@ -1043,7 +1043,7 @@ interface(`logging_admin_audit',` |
261 |
gen_require(` |
262 |
type auditd_t, auditd_etc_t, auditd_log_t; |
263 |
type auditd_var_run_t; |
264 |
- type auditd_initrc_exec_t; |
265 |
+ type auditd_initrc_exec_t, auditd_unit_t; |
266 |
') |
267 |
|
268 |
allow $1 auditd_t:process { ptrace signal_perms }; |
269 |
@@ -1060,7 +1060,7 @@ interface(`logging_admin_audit',` |
270 |
|
271 |
logging_run_auditctl($1, $2) |
272 |
|
273 |
- init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t) |
274 |
+ init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t) |
275 |
') |
276 |
|
277 |
######################################## |
278 |
@@ -1086,7 +1086,7 @@ interface(`logging_admin_syslog',` |
279 |
type syslogd_tmp_t, syslogd_var_lib_t; |
280 |
type syslogd_var_run_t, klogd_var_run_t; |
281 |
type klogd_tmp_t, var_log_t; |
282 |
- type syslogd_initrc_exec_t; |
283 |
+ type syslogd_initrc_exec_t, syslogd_unit_t; |
284 |
') |
285 |
|
286 |
allow $1 syslogd_t:process { ptrace signal_perms }; |
287 |
@@ -1115,7 +1115,7 @@ interface(`logging_admin_syslog',` |
288 |
|
289 |
logging_manage_all_logs($1) |
290 |
|
291 |
- init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t) |
292 |
+ init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t) |
293 |
') |
294 |
|
295 |
######################################## |
296 |
|
297 |
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
298 |
index 6f7335e..fd941ab 100644 |
299 |
--- a/policy/modules/system/logging.te |
300 |
+++ b/policy/modules/system/logging.te |
301 |
@@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t) |
302 |
type auditd_initrc_exec_t; |
303 |
init_script_file(auditd_initrc_exec_t) |
304 |
|
305 |
+type auditd_unit_t; |
306 |
+init_unit_file(auditd_unit_t); |
307 |
+ |
308 |
type auditd_var_run_t; |
309 |
files_pid_file(auditd_var_run_t) |
310 |
|
311 |
@@ -71,6 +74,9 @@ init_script_file(syslogd_initrc_exec_t) |
312 |
type syslogd_tmp_t; |
313 |
files_tmp_file(syslogd_tmp_t) |
314 |
|
315 |
+type syslogd_unit_t; |
316 |
+init_unit_file(syslogd_unit_t) |
317 |
+ |
318 |
type syslogd_var_lib_t; |
319 |
files_type(syslogd_var_lib_t) |
320 |
|
321 |
|
322 |
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc |
323 |
index ea5ba34..83782b0 100644 |
324 |
--- a/policy/modules/system/lvm.fc |
325 |
+++ b/policy/modules/system/lvm.fc |
326 |
@@ -94,6 +94,12 @@ ifdef(`distro_gentoo',` |
327 |
# |
328 |
# /usr |
329 |
# |
330 |
+ |
331 |
+/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
332 |
+/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
333 |
+/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
334 |
+/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
335 |
+ |
336 |
/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) |
337 |
/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) |
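Review bot: The `lvm2-lvmetad.*` pattern is redundant: `lvm2-.*` on the line above already matches every file whose name starts with `lvm2-`, including lvm2-lvmetad.service and .socket, with the same context. Drop the lvmetad line, or, if the intent was to call out lvmetad specifically, say so in a comment rather than with a duplicate pattern. It is also worth a second look that every `lvm2-*` unit really should be controllable via lvm_admin, since all matches are grouped under the single lvm_unit_t.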
338 |
|
339 |
|
340 |
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if |
341 |
index 6561474..5774034 100644 |
342 |
--- a/policy/modules/system/lvm.if |
343 |
+++ b/policy/modules/system/lvm.if |
344 |
@@ -162,7 +162,7 @@ interface(`lvm_domtrans_clvmd',` |
345 |
# |
346 |
interface(`lvm_admin',` |
347 |
gen_require(` |
348 |
- type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t; |
349 |
+ type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t; |
350 |
type lvm_etc_t, lvm_lock_t, lvm_metadata_t; |
351 |
type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t; |
352 |
') |
353 |
@@ -170,7 +170,7 @@ interface(`lvm_admin',` |
354 |
allow $1 clvmd_t:process { ptrace signal_perms }; |
355 |
ps_process_pattern($1, clvmd_t) |
356 |
|
357 |
- init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t) |
358 |
+ init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t) |
359 |
|
360 |
files_search_etc($1) |
361 |
admin_pattern($1, lvm_etc_t) |
362 |
|
363 |
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te |
364 |
index f0bea03..61bd92b 100644 |
365 |
--- a/policy/modules/system/lvm.te |
366 |
+++ b/policy/modules/system/lvm.te |
367 |
@@ -32,6 +32,9 @@ files_lock_file(lvm_lock_t) |
368 |
type lvm_metadata_t; |
369 |
files_type(lvm_metadata_t) |
370 |
|
371 |
+type lvm_unit_t; |
372 |
+init_unit_file(lvm_unit_t) |
373 |
+ |
374 |
type lvm_var_lib_t; |
375 |
files_type(lvm_var_lib_t) |
376 |
|
377 |
|
378 |
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if |
379 |
index 2a8ecaa..9478dd9 100644 |
380 |
--- a/policy/modules/system/setrans.if |
381 |
+++ b/policy/modules/system/setrans.if |
382 |
@@ -60,13 +60,13 @@ interface(`setrans_translate_context',` |
383 |
interface(`setrans_admin',` |
384 |
gen_require(` |
385 |
type setrans_t, setrans_initrc_exec_t; |
386 |
- type setrans_var_run_t; |
387 |
+ type setrans_var_run_t, setrans_unit_t; |
388 |
') |
389 |
|
390 |
allow $1 setrans_t:process { ptrace signal_perms }; |
391 |
ps_process_pattern($1, setrans_t) |
392 |
|
393 |
- init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t) |
394 |
+ init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t) |
395 |
|
396 |
files_search_pids($1) |
397 |
admin_pattern($1, setrans_var_run_t) |
398 |
|
399 |
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te |
400 |
index 2df8b53..e4d4500 100644 |
401 |
--- a/policy/modules/system/setrans.te |
402 |
+++ b/policy/modules/system/setrans.te |
403 |
@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t) |
404 |
type setrans_initrc_exec_t; |
405 |
init_script_file(setrans_initrc_exec_t) |
406 |
|
407 |
+type setrans_unit_t; |
408 |
+init_unit_file(setrans_unit_t) |
409 |
+ |
410 |
type setrans_var_run_t; |
411 |
files_pid_file(setrans_var_run_t) |
412 |
mls_trusted_object(setrans_var_run_t) |
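Review bot: setrans_unit_t gets a declaration here and a start/stop rule via setrans_admin, but no file context: setrans.fc is not in the diffstat, so no unit is actually labeled setrans_unit_t by this commit and the new rule has no effect until one is added. Something like `/usr/lib/systemd/system/mcstrans.* -- gen_context(system_u:object_r:setrans_unit_t,s0)` would be needed, with the unit name verified against what the mcstransd packaging installs.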