
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
Date: Wed, 02 Dec 2015 15:45:39
Message-Id: 1445832616.cc84af253feefbacb7155575e1126a7abf0227ca.swift@gentoo
1 commit: cc84af253feefbacb7155575e1126a7abf0227ca
2 Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
3 AuthorDate: Fri Oct 23 18:35:33 2015 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 26 04:10:16 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc84af25
7
8 Add systemd unit types.
9
10 Primarily contributed by the Tresys CLIP team.
11
12 policy/modules/contrib/alsa.fc | 5 +++++
13 policy/modules/contrib/alsa.te | 3 +++
14 policy/modules/contrib/bluetooth.fc | 3 +++
15 policy/modules/contrib/bluetooth.te | 3 +++
16 policy/modules/contrib/chronyd.fc | 5 +++++
17 policy/modules/contrib/chronyd.te | 3 +++
18 policy/modules/contrib/dbus.fc | 3 +++
19 policy/modules/contrib/dbus.te | 3 +++
20 policy/modules/contrib/dnsmasq.fc | 3 +++
21 policy/modules/contrib/dnsmasq.te | 3 +++
22 policy/modules/contrib/kdump.te | 3 +++
23 policy/modules/contrib/lircd.fc | 3 +++
24 policy/modules/contrib/lircd.te | 3 +++
25 policy/modules/contrib/logrotate.fc | 3 +++
26 policy/modules/contrib/logrotate.te | 3 +++
27 policy/modules/contrib/mandb.fc | 3 +++
28 policy/modules/contrib/mandb.te | 3 +++
29 policy/modules/contrib/networkmanager.fc | 4 ++++
30 policy/modules/contrib/networkmanager.te | 3 +++
31 policy/modules/contrib/ntp.fc | 3 +++
32 policy/modules/contrib/ntp.te | 3 +++
33 policy/modules/contrib/pcscd.fc | 3 +++
34 policy/modules/contrib/pcscd.te | 3 +++
35 policy/modules/contrib/plymouthd.fc | 3 +++
36 policy/modules/contrib/plymouthd.te | 3 +++
37 policy/modules/contrib/policykit.fc | 3 +++
38 policy/modules/contrib/policykit.te | 3 +++
39 policy/modules/contrib/qemu.fc | 2 ++
40 policy/modules/contrib/qemu.te | 3 +++
41 policy/modules/contrib/raid.fc | 4 ++++
42 policy/modules/contrib/raid.te | 3 +++
43 policy/modules/contrib/rpm.fc | 4 ++++
44 policy/modules/contrib/rpm.te | 3 +++
45 policy/modules/contrib/rtkit.fc | 3 +++
46 policy/modules/contrib/rtkit.te | 3 +++
47 policy/modules/contrib/shutdown.if | 18 ++++++++++++++++++
48 policy/modules/contrib/tcsd.fc | 3 +++
49 policy/modules/contrib/tcsd.te | 3 +++
50 38 files changed, 135 insertions(+)
51
52 diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
53 index 6c3c0ba..a8c8a64 100644
54 --- a/policy/modules/contrib/alsa.fc
55 +++ b/policy/modules/contrib/alsa.fc
56 @@ -14,6 +14,11 @@ ifdef(`distro_debian',`
57 /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
58 /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
59
60 +# Systemd unit files
61 +/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
62 +/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
63 +/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
64 +
65 /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
66 /usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
67
68
69 diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
70 index 46d12e8..24d5287 100644
71 --- a/policy/modules/contrib/alsa.te
72 +++ b/policy/modules/contrib/alsa.te
73 @@ -21,6 +21,9 @@ files_tmp_file(alsa_tmp_t)
74 type alsa_tmpfs_t;
75 files_tmpfs_file(alsa_tmpfs_t)
76
77 +type alsa_unit_t;
78 +init_unit_file(alsa_unit_t)
79 +
80 type alsa_var_lib_t;
81 files_type(alsa_var_lib_t)
82
83
84 diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
85 index a28101f..bcce998 100644
86 --- a/policy/modules/contrib/bluetooth.fc
87 +++ b/policy/modules/contrib/bluetooth.fc
88 @@ -10,6 +10,9 @@
89 /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
90 /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
91
92 +# Systemd unit file
93 +/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
94 +
95 /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
96 /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
97 /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
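Review bot: The added pattern `[^/]*bluetooth.*` is broad enough to also capture `bluetooth.target`, which as far as I recall is shipped by systemd itself rather than by bluez, so a systemd-owned target would carry `bluetooth_unit_t` and any domain later granted manage rights on that type would also control it. If only the daemon's own units are meant, narrowing to `/usr/lib/systemd/system/[^/]*bluetooth\.(service|socket)` would leave the target with its generic label; please check which unit files the target distributions actually install before choosing either form.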
98
99 diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
100 index 08f3c20..d69c283 100644
101 --- a/policy/modules/contrib/bluetooth.te
102 +++ b/policy/modules/contrib/bluetooth.te
103 @@ -43,6 +43,9 @@ files_lock_file(bluetooth_lock_t)
104 type bluetooth_tmp_t;
105 files_tmp_file(bluetooth_tmp_t)
106
107 +type bluetooth_unit_t;
108 +init_unit_file(bluetooth_unit_t)
109 +
110 type bluetooth_var_lib_t;
111 files_type(bluetooth_var_lib_t)
112
113
114 diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
115 index fd5fbbb..a4a42ea 100644
116 --- a/policy/modules/contrib/chronyd.fc
117 +++ b/policy/modules/contrib/chronyd.fc
118 @@ -2,6 +2,11 @@
119
120 /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
121
122 +# Systend unit files
123 +/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
124 +/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
125 +
126 +
127 /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
128
129 /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
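Review bot: The new comment reads `# Systend unit files`; it should be `# Systemd unit files` to match the wording the other modules in this commit use. The hunk also adds two blank lines between the `chronyd.*` entry and `/usr/sbin/chronyd`, where every other .fc hunk adds one. Both are cosmetic, but these comments tend to get copied into new modules, so it is worth fixing before merge.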
130
131 diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
132 index 7a16731..3167bae 100644
133 --- a/policy/modules/contrib/chronyd.te
134 +++ b/policy/modules/contrib/chronyd.te
135 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
136 type chronyd_tmpfs_t;
137 files_tmpfs_file(chronyd_tmpfs_t)
138
139 +type chronyd_unit_t;
140 +init_unit_file(chronyd_unit_t)
141 +
142 type chronyd_var_lib_t;
143 files_type(chronyd_var_lib_t)
144
145
146 diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
147 index dda905b..309a462 100644
148 --- a/policy/modules/contrib/dbus.fc
149 +++ b/policy/modules/contrib/dbus.fc
150 @@ -10,6 +10,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
151
152 /usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
153
154 +# Systemd unit file
155 +/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0)
156 +
157 /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
158
159 /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
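Review bot: The pattern `/usr/lib/systemd/system/[^/]*dbus.*` with the `--` specifier labels only regular files in the vendor unit directory, so an administrator's override or copy under `/etc/systemd/system/`, or a `dbus.service.d/*.conf` drop-in, keeps whatever label the /etc rules (outside this diff) give it rather than `dbusd_unit_t`. That is probably fine for a labeling-only commit, but any later rule that keys access on `dbusd_unit_t` should not assume the type covers every file systemd merges for this unit. A one-line comment above the pattern, e.g. `# Vendor units only; /etc/systemd/system overrides and drop-ins are not covered`, would save the next reader the check.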
160
161 diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
162 index 6f2b890..e79a81a 100644
163 --- a/policy/modules/contrib/dbus.te
164 +++ b/policy/modules/contrib/dbus.te
165 @@ -22,6 +22,9 @@ type dbusd_exec_t;
166 corecmd_executable_file(dbusd_exec_t)
167 typealias dbusd_exec_t alias system_dbusd_exec_t;
168
169 +type dbusd_unit_t;
170 +init_unit_file(dbusd_unit_t)
171 +
172 type session_dbusd_home_t;
173 userdom_user_home_content(session_dbusd_home_t)
174
175
176 diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
177 index 8ca133c..89edbaa 100644
178 --- a/policy/modules/contrib/dnsmasq.fc
179 +++ b/policy/modules/contrib/dnsmasq.fc
180 @@ -3,6 +3,9 @@
181
182 /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
183
184 +# Systemd unit file
185 +/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
186 +
187 /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
188
189 /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
190
191 diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
192 index 15b29cb..c71ace8 100644
193 --- a/policy/modules/contrib/dnsmasq.te
194 +++ b/policy/modules/contrib/dnsmasq.te
195 @@ -18,6 +18,9 @@ files_config_file(dnsmasq_etc_t)
196 type dnsmasq_lease_t;
197 files_type(dnsmasq_lease_t)
198
199 +type dnsmasq_unit_t;
200 +init_unit_file(dnsmasq_unit_t)
201 +
202 type dnsmasq_var_log_t;
203 logging_log_file(dnsmasq_var_log_t)
204
205
206 diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
207 index 7c4e3f1..57e24e6 100644
208 --- a/policy/modules/contrib/kdump.te
209 +++ b/policy/modules/contrib/kdump.te
210 @@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
211 type kdump_initrc_exec_t;
212 init_script_file(kdump_initrc_exec_t)
213
214 +type kdump_unit_t;
215 +init_unit_file(kdump_unit_t)
216 +
217 type kdumpctl_t;
218 type kdumpctl_exec_t;
219 init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
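Review bot: `kdump_unit_t` is declared and attributed with `init_unit_file()` here, but the diffstat lists no `kdump.fc` change, so no file receives this type and it is effectively dead after this commit. Either add the matching file context, something like `/usr/lib/systemd/system/[^/]*kdump.* -- gen_context(system_u:object_r:kdump_unit_t,s0)` (adjusted to the unit name the distribution ships, which I cannot confirm from here), or hold the declaration until an entry exists.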
220
221 diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
222 index c7a726a..76e497e 100644
223 --- a/policy/modules/contrib/lircd.fc
224 +++ b/policy/modules/contrib/lircd.fc
225 @@ -5,6 +5,9 @@
226
227 /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
228
229 +# Systemd unit file
230 +/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
231 +
232 /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
233
234 /var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
235
236 diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
237 index 0064b06..26690f2 100644
238 --- a/policy/modules/contrib/lircd.te
239 +++ b/policy/modules/contrib/lircd.te
240 @@ -15,6 +15,9 @@ init_script_file(lircd_initrc_exec_t)
241 type lircd_etc_t;
242 files_type(lircd_etc_t)
243
244 +type lircd_unit_t;
245 +init_unit_file(lircd_unit_t)
246 +
247 type lircd_var_run_t alias lircd_sock_t;
248 files_pid_file(lircd_var_run_t)
249
250
251 diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
252 index 207ec10..ad21596 100644
253 --- a/policy/modules/contrib/logrotate.fc
254 +++ b/policy/modules/contrib/logrotate.fc
255 @@ -1,6 +1,9 @@
256 /etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
257 /etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
258
259 +# Systemd unit file
260 +/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
261 +
262 /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
263
264 /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
265
266 diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
267 index 311defd..33f534b 100644
268 --- a/policy/modules/contrib/logrotate.te
269 +++ b/policy/modules/contrib/logrotate.te
270 @@ -25,6 +25,9 @@ files_tmp_file(logrotate_tmp_t)
271 type logrotate_var_lib_t;
272 files_type(logrotate_var_lib_t)
273
274 +type logrotate_unit_t;
275 +init_unit_file(logrotate_unit_t)
276 +
277 mta_base_mail_template(logrotate)
278 role system_r types logrotate_mail_t;
279
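Review bot: The new `logrotate_unit_t` declaration is placed after `logrotate_var_lib_t`, whereas every other module in this commit (alsa, bluetooth, chronyd, NetworkManager, ntp and so on) inserts `*_unit_t` just before `*_var_lib_t`, keeping the declarations section alphabetical as refpolicy convention expects. Moving the three lines `type logrotate_unit_t;` / `init_unit_file(logrotate_unit_t)` up above `type logrotate_var_lib_t;` keeps this file consistent with the rest of the change.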
280
281 diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
282 index 8ae78b5..9f2825e 100644
283 --- a/policy/modules/contrib/mandb.fc
284 +++ b/policy/modules/contrib/mandb.fc
285 @@ -1 +1,4 @@
286 /etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
287 +
288 +# Systemd unit file
289 +/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
290
291 diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
292 index e29882f..46860dd 100644
293 --- a/policy/modules/contrib/mandb.te
294 +++ b/policy/modules/contrib/mandb.te
295 @@ -13,6 +13,9 @@ type mandb_exec_t;
296 application_domain(mandb_t, mandb_exec_t)
297 role mandb_roles types mandb_t;
298
299 +type mandb_unit_t;
300 +init_unit_file(mandb_unit_t)
301 +
302 ########################################
303 #
304 # Local policy
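Review bot: Labeling the man-db unit files `mandb_unit_t` does not by itself make systemd run the job in `mandb_t`; the context line above declares the domain with `application_domain(mandb_t, mandb_exec_t)`, which as far as I recall provides no transition from init, unlike the `init_daemon_domain`/`init_system_domain` used by the daemons in this commit. If the cron entries in mandb.fc were the only way into the domain, a systemd-started `man-db.service` will run in init's domain unless a transition rule exists further down in mandb.te, which is outside this hunk. Worth confirming, and a short comment such as `# Unit type only; the init transition into mandb_t is provided by ...` next to the declaration would document the answer either way.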
305
306 diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
307 index 5ffd285..c192c7f 100644
308 --- a/policy/modules/contrib/networkmanager.fc
309 +++ b/policy/modules/contrib/networkmanager.fc
310 @@ -17,6 +17,10 @@
311 /usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
312 /usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
313
314 +# Systemd unit files
315 +/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
316 +/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
317 +
318 /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
319 /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
320
321
322 diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
323 index 427dfe4..a977b9a 100644
324 --- a/policy/modules/contrib/networkmanager.te
325 +++ b/policy/modules/contrib/networkmanager.te
326 @@ -24,6 +24,9 @@ logging_log_file(NetworkManager_log_t)
327 type NetworkManager_tmp_t;
328 files_tmp_file(NetworkManager_tmp_t)
329
330 +type NetworkManager_unit_t;
331 +init_unit_file(NetworkManager_unit_t)
332 +
333 type NetworkManager_var_lib_t;
334 files_type(NetworkManager_var_lib_t)
335
336
337 diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
338 index c74d996..c01eb54 100644
339 --- a/policy/modules/contrib/ntp.fc
340 +++ b/policy/modules/contrib/ntp.fc
341 @@ -11,6 +11,9 @@
342
343 /etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
344
345 +# Systemd unit file
346 +/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
347 +
348 /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
349 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
350 /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
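Review bot: The entry `/usr/lib/systemd/ntp-units\.d/.*` does not match unit files: that directory holds the `*.list` files systemd-timedated reads to discover NTP services, while the actual units (`ntpd.service`, plus `ntpdate.service`/`sntp.service` where a distribution ships them) live under `/usr/lib/systemd/system/` and receive no `ntpd_unit_t` entry in this hunk. Giving the list files a type attributed via `init_unit_file()` also means timedated must be allowed to read a unit-file type just to find them. Suggest adding `/usr/lib/systemd/system/[^/]*ntpd.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)` and treating `ntp-units.d` separately, with its own comment, if it needs a dedicated label at all.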
351
352 diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
353 index 7600674..1f24dab 100644
354 --- a/policy/modules/contrib/ntp.te
355 +++ b/policy/modules/contrib/ntp.te
356 @@ -33,6 +33,9 @@ files_tmp_file(ntpd_tmp_t)
357 type ntpd_tmpfs_t;
358 files_tmpfs_file(ntpd_tmpfs_t)
359
360 +type ntpd_unit_t;
361 +init_unit_file(ntpd_unit_t)
362 +
363 type ntpd_var_run_t;
364 files_pid_file(ntpd_var_run_t)
365
366
367 diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
368 index 58363c7..5d1beba 100644
369 --- a/policy/modules/contrib/pcscd.fc
370 +++ b/policy/modules/contrib/pcscd.fc
371 @@ -2,6 +2,9 @@
372
373 /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
374
375 +# Systemd unit file
376 +/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
377 +
378 /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
379 /var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
380 /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
381
382 diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
383 index bf5066f..f863ba2 100644
384 --- a/policy/modules/contrib/pcscd.te
385 +++ b/policy/modules/contrib/pcscd.te
386 @@ -12,6 +12,9 @@ init_daemon_domain(pcscd_t, pcscd_exec_t)
387 type pcscd_initrc_exec_t;
388 init_script_file(pcscd_initrc_exec_t)
389
390 +type pcscd_unit_t;
391 +init_unit_file(pcscd_unit_t)
392 +
393 type pcscd_var_run_t;
394 files_pid_file(pcscd_var_run_t)
395 init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
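Review bot: The diffstat shows exactly three added lines per .te file, so no `policy_module()` version was bumped for pcscd or any of the other touched modules; refpolicy convention is to increment a module's version whenever its policy changes, unless this tree batches version bumps at release time. If bumps are batched, nothing to do; otherwise please bump `policy_module(pcscd, ...)` (outside this hunk) together with the other modules in the commit.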
396
397 diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
398 index 735500f..2d9b956 100644
399 --- a/policy/modules/contrib/plymouthd.fc
400 +++ b/policy/modules/contrib/plymouthd.fc
401 @@ -4,6 +4,9 @@
402
403 /usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
404
405 +# Systemd unit file
406 +/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
407 +
408 /usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
409
410 /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
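Review bot: The pattern `[^/]*plymouth-.*` requires a hyphen after `plymouth`, so units whose name ends in `plymouth` (plymouth ships `systemd-ask-password-plymouth.service` and `.path` on at least Fedora, as I recall) keep the generic unit label while `plymouth-start.service` and friends get `plymouthd_unit_t`. If that split is intended, a comment such as `# Only plymouth-*.service; systemd-ask-password-plymouth.* stays generic` would make it explicit; otherwise `[^/]*plymouth.*` would catch both sets.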
411
412 diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
413 index 3078ce9..8dadb33 100644
414 --- a/policy/modules/contrib/plymouthd.te
415 +++ b/policy/modules/contrib/plymouthd.te
416 @@ -17,6 +17,9 @@ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
417 type plymouthd_spool_t;
418 files_type(plymouthd_spool_t)
419
420 +type plymouthd_unit_t;
421 +init_unit_file(plymouthd_unit_t)
422 +
423 type plymouthd_var_lib_t;
424 files_type(plymouthd_var_lib_t)
425
426
427 diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
428 index 1d76c72..774c12b 100644
429 --- a/policy/modules/contrib/policykit.fc
430 +++ b/policy/modules/contrib/policykit.fc
431 @@ -8,6 +8,9 @@
432 /usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
433 /usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
434
435 +# Systemd unit file
436 +/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0)
437 +
438 /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
439 /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
440 /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
441
442 diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
443 index ee91778..108007e 100644
444 --- a/policy/modules/contrib/policykit.te
445 +++ b/policy/modules/contrib/policykit.te
446 @@ -34,6 +34,9 @@ files_type(policykit_reload_t)
447 type policykit_tmp_t;
448 files_tmp_file(policykit_tmp_t)
449
450 +type policykit_unit_t;
451 +init_unit_file(policykit_unit_t)
452 +
453 type policykit_var_lib_t alias polkit_var_lib_t;
454 files_type(policykit_var_lib_t)
455
456
457 diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
458 index f1304fb..cfb18ec 100644
459 --- a/policy/modules/contrib/qemu.fc
460 +++ b/policy/modules/contrib/qemu.fc
461 @@ -3,6 +3,8 @@
462 /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
463 /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
464
465 +/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
466 +
467 /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
468
469 ifdef(`distro_gentoo',`
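Review bot: The `qemu-guest-agent` entry lacks the `# Systemd unit file` comment every other .fc hunk in this commit adds, and it is the only pattern here whose unit does not start the executable this module confines: `qemu-guest-agent.service` runs the guest-side `qemu-ga` agent, whereas `qemu_t` is declared as the host-side emulator domain via `virt_domain_template(qemu)` in qemu.te. Unless `qemu-ga` is labeled `qemu_exec_t` somewhere outside this hunk, labeling its unit `qemu_unit_t` ties an agent that runs inside guests to the emulator's policy; please confirm that is intended and add the comment, e.g. `# Systemd unit file (guest agent)`.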
470
471 diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
472 index 136f6f3..a17ed0c 100644
473 --- a/policy/modules/contrib/qemu.te
474 +++ b/policy/modules/contrib/qemu.te
475 @@ -22,6 +22,9 @@ application_executable_file(qemu_exec_t)
476 virt_domain_template(qemu)
477 role qemu_roles types qemu_t;
478
479 +type qemu_unit_t;
480 +init_unit_file(qemu_unit_t)
481 +
482 ########################################
483 #
484 # Local policy
485
486 diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
487 index 5806046..2ea0889 100644
488 --- a/policy/modules/contrib/raid.fc
489 +++ b/policy/modules/contrib/raid.fc
490 @@ -11,6 +11,10 @@
491 /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
492 /sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
493
494 +# Systemd unit files
495 +/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
496 +/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
497 +
498 /usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
499 /usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
500 /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
501
502 diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
503 index dfe62e3..b6aea09 100644
504 --- a/policy/modules/contrib/raid.te
505 +++ b/policy/modules/contrib/raid.te
506 @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
507 type mdadm_initrc_exec_t;
508 init_script_file(mdadm_initrc_exec_t)
509
510 +type mdadm_unit_t;
511 +init_unit_file(mdadm_unit_t)
512 +
513 type mdadm_var_run_t alias mdadm_map_t;
514 files_pid_file(mdadm_var_run_t)
515 dev_associate(mdadm_var_run_t)
516
517 diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
518 index ebe91fc..1ebd4a1 100644
519 --- a/policy/modules/contrib/rpm.fc
520 +++ b/policy/modules/contrib/rpm.fc
521 @@ -13,6 +13,10 @@
522 /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
523 /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
524
525 +# Systemd unit file
526 +/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
527 +/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
528 +
529 /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
530 /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
531
532
533 diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
534 index de5c91f..5cac092 100644
535 --- a/policy/modules/contrib/rpm.te
536 +++ b/policy/modules/contrib/rpm.te
537 @@ -37,6 +37,9 @@ files_lock_file(rpm_lock_t)
538 type rpm_log_t;
539 logging_log_file(rpm_log_t)
540
541 +type rpm_unit_t;
542 +init_unit_file(rpm_unit_t)
543 +
544 type rpm_var_lib_t;
545 files_type(rpm_var_lib_t)
546 typealias rpm_var_lib_t alias var_lib_rpm_t;
547
548 diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
549 index 75bbf38..a3021da 100644
550 --- a/policy/modules/contrib/rtkit.fc
551 +++ b/policy/modules/contrib/rtkit.fc
552 @@ -3,3 +3,6 @@
553 /usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
554
555 /usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
556 +
557 +# Systemd unit file
558 +/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0)
559
560 diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
561 index 906ebb5..1aa52c4 100644
562 --- a/policy/modules/contrib/rtkit.te
563 +++ b/policy/modules/contrib/rtkit.te
564 @@ -12,6 +12,9 @@ init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
565 type rtkit_daemon_initrc_exec_t;
566 init_script_file(rtkit_daemon_initrc_exec_t)
567
568 +type rtkit_daemon_unit_t;
569 +init_unit_file(rtkit_daemon_unit_t)
570 +
571 ########################################
572 #
573 # Local policy
574
575 diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
576 index d1706bf..819d19b 100644
577 --- a/policy/modules/contrib/shutdown.if
578 +++ b/policy/modules/contrib/shutdown.if
579 @@ -91,6 +91,24 @@ interface(`shutdown_signal',`
580
581 ########################################
582 ## <summary>
583 +## Send SIGCHLD signals to shutdown.
584 +## </summary>
585 +## <param name="domain">
586 +## <summary>
587 +## Domain allowed access.
588 +## </summary>
589 +## </param>
590 +#
591 +interface(`shutdown_sigchld',`
592 + gen_require(`
593 + type shutdown_t;
594 + ')
595 +
596 + allow $1 shutdown_t:process sigchld;
597 +')
598 +
599 +########################################
600 +## <summary>
601 ## Get attributes of shutdown executable files.
602 ## </summary>
603 ## <param name="domain">
604
605 diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
606 index c2c2636..0e086e7 100644
607 --- a/policy/modules/contrib/tcsd.fc
608 +++ b/policy/modules/contrib/tcsd.fc
609 @@ -1,5 +1,8 @@
610 /etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
611
612 +# Systemd unit file
613 +/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
614 +
615 /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
616
617 /var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
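Review bot: The init-script entry on the first line of this hunk accepts both `tcsd` and `trousers`, but the new unit pattern only matches `tcsd`, so a `trousers.service` (the name I believe Debian uses for this daemon) would not receive `tcsd_unit_t`. Mirroring the existing alternation, `/usr/lib/systemd/system/[^/]*(tcsd|trousers).* -- gen_context(system_u:object_r:tcsd_unit_t,s0)`, keeps the two entries in step.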
618
619 diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
620 index 272c114..439cf27 100644
621 --- a/policy/modules/contrib/tcsd.te
622 +++ b/policy/modules/contrib/tcsd.te
623 @@ -12,6 +12,9 @@ init_daemon_domain(tcsd_t, tcsd_exec_t)
624 type tcsd_initrc_exec_t;
625 init_script_file(tcsd_initrc_exec_t)
626
627 +type tcsd_unit_t;
628 +init_unit_file(tcsd_unit_t)
629 +
630 type tcsd_var_lib_t;
631 files_type(tcsd_var_lib_t)