
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
Date: Sat, 25 Feb 2017 16:58:39
Message-Id: 1488040991.4b4fbc24ce430965cce854d871cefa9666be2569.perfinion@gentoo
1 commit: 4b4fbc24ce430965cce854d871cefa9666be2569
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Sat Feb 25 14:35:10 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 25 16:43:11 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b4fbc24
7
8 systemd: Further revisions from Russell Coker.
9
10 policy/modules/kernel/devices.if | 18 +++
11 policy/modules/kernel/devices.te | 2 +-
12 policy/modules/kernel/filesystem.if | 20 ++++
13 policy/modules/kernel/filesystem.te | 2 +-
14 policy/modules/system/init.if | 18 +++
15 policy/modules/system/init.te | 2 +-
16 policy/modules/system/lvm.if | 18 +++
17 policy/modules/system/lvm.te | 2 +-
18 policy/modules/system/systemd.te | 221 +++++++++++++++++++++++++++++++-----
19 9 files changed, 270 insertions(+), 33 deletions(-)
20
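diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b51a25ac..7e09e6f2 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -880,6 +880,24 @@ interface(`dev_relabel_generic_symlinks',`
 
 ########################################
 ## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ## Create, delete, read, and write device nodes in device directories.
 ## </summary>
 ## <param name="domain">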
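Review bot: The `<param>` summary of the new `dev_write_generic_sock_files` reads `Domain to not audit.`, but the body is an allow (`write_sock_files_pattern($1, device_t, device_t)`), not a dontaudit, so the generated interface documentation would describe the wrong semantics; change it to `## Domain allowed access.`, which is what the new interfaces in filesystem.if, init.if and lvm.if in this commit use. The `<summary>` line could also be capitalised (`## Write generic sock files in /dev.`) to match the entry that follows it.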
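diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 470f0f00..571abc30 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.3)
+policy_module(devices, 1.20.4)
 
 ########################################
 #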
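diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bd6084b3..9069b0c2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
 
 ########################################
 ## <summary>
+## Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ## Read cgroup files.
 ## </summary>
 ## <param name="domain">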
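diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index be04ea8c..23705cd3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.2)
+policy_module(filesystem, 1.22.3)
 
 ########################################
 #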
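diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8d65e648..6de0a2d7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1068,6 +1068,24 @@ interface(`init_dbus_chat',`
 
 ########################################
 ## <summary>
+## List /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ## Manage files in /var/lib/systemd/.
 ## </summary>
 ## <param name="domain">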
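Review bot: `init_list_var_lib_dirs` grants `list_dir_perms` on `init_var_lib_t` but does not give the caller search on the parent `/var/lib`, so a domain that is not already allowed `files_search_var_lib` cannot reach the directory; in this same commit systemd.te pairs the call with a separate `files_search_var_lib(systemd_coredump_t)`, which suggests every caller will have to repeat that. If the convention in this file is for the interface to cover the parent search, add `files_search_var_lib($1)` after the allow; otherwise a one-line comment stating the requirement would help the next caller. The summary `List /var/lib/systemd/ dir` also lacks the trailing period used by the entry that follows it (`Manage files in /var/lib/systemd/.`).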
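diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 54ca2ceb..c9c1eb6b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.6)
+policy_module(init, 2.2.7)
 
 gen_require(`
 class passwd rootok;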
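diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 88fa9442..49cee54d 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -65,6 +65,24 @@ interface(`lvm_run',`
 
 ########################################
 ## <summary>
+## Send lvm a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')
+
+########################################
+## <summary>
 ## Read LVM configuration files.
 ## </summary>
 ## <param name="domain">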
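diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f8fed91d..e6984249 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.3)
+policy_module(lvm, 1.19.4)
 
 ########################################
 #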
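diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 40719e93..6c8caa8d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.7)
+policy_module(systemd, 1.3.8)
 
 #########################################
 #
@@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
 
 ######################################
 #
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
-######################################
-#
 # Backlight local policy
 #
 
@@ -226,23 +208,43 @@ init_stream_connect(systemd_cgroups_t)
 
 systemd_log_parse_environment(systemd_cgroups_t)
 
-#######################################
+######################################
 #
-# locale local policy
+# coredump local policy
 #
 
-kernel_read_kernel_sysctls(systemd_locale_t)
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
 
-files_read_etc_files(systemd_locale_t)
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 
-seutil_read_file_contexts(systemd_locale_t)
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
 
-systemd_log_parse_environment(systemd_locale_t)
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+
+dev_write_kmsg(systemd_coredump_t)
+
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+
+fs_getattr_xattr_fs(systemd_coredump_t)
+
+selinux_getattr_fs(systemd_coredump_t)
+
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pids(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+
+logging_send_syslog_msg(systemd_coredump_t)
+
+seutil_search_default_contexts(systemd_coredump_t)
 
-optional_policy(`
- dbus_connect_system_bus(systemd_locale_t)
- dbus_system_bus_client(systemd_locale_t)
-')
 
 #######################################
 #
@@ -262,6 +264,42 @@ optional_policy(`
 dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 
+#######################################
+#
+# locale local policy
+#
+
+kernel_read_kernel_sysctls(systemd_locale_t)
+
+files_read_etc_files(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+systemd_log_parse_environment(systemd_locale_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_locale_t)
+ dbus_system_bus_client(systemd_locale_t)
+')
+
+######################################
+#
+# systemd log parse enviroment
+#
+
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
 #########################################
 #
 # Logind local policy
@@ -325,6 +363,71 @@ optional_policy(`
 dbus_connect_system_bus(systemd_logind_t)
 ')
 
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+
+init_read_script_state(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+
+logging_send_syslog_msg(systemd_machined_t)
+
+seutil_search_default_contexts(systemd_machined_t)
+
+optional_policy(`
+ init_dbus_chat(systemd_machined_t)
+ init_dbus_send_script(systemd_machined_t)
+
+ dbus_connect_system_bus(systemd_machined_t)
+ dbus_system_bus_client(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+init_rw_stream_sockets(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
+
 ########################################
 #
 # Nspawn local policy
@@ -332,6 +435,66 @@ optional_policy(`
 
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
 
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+logging_send_syslog_msg(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+ getty_use_fds(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
 
 #########################################
 #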
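Review bot: `allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };` in the last hunk grants `dac_override` with no comment recording which access needs it; because the agent is also given `dev_read_generic_files`, `term_read_console` and `userdom_use_user_ptys`, it is worth confirming whether the denial that motivated it was only a read or search of a file owned by another user, in which case the narrower `dac_read_search` is sufficient, and in either case a comment such as `# dac_override: <reason> -- TODO confirm` should sit above the rule. The four `manage_*_pattern(...)` calls for `systemd_passwd_var_run_t` that follow end in `;`, unlike every other pattern call in this file section; drop the semicolons for consistency. The declarations of `systemd_passwd_agent_t`, `systemd_coredump_t`, `systemd_machined_t` and `systemd_notify_t` are outside these hunks, so this review assumes they exist elsewhere in the file.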