commit: 5b8acde37136f75ce5a52f1b6a0604d3f35dacc7 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Fri Feb 24 01:03:23 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 25 14:22:23 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b8acde3 |
|
Systemd fixes from Russell Coker. |
|
policy/modules/kernel/devices.if | 37 +++++ |
policy/modules/kernel/devices.te | 6 +- |
policy/modules/kernel/files.if | 127 +++++++++++++++ |
policy/modules/kernel/files.te | 6 +- |
policy/modules/system/authlogin.if | 9 + |
policy/modules/system/authlogin.te | 6 +- |
policy/modules/system/init.fc | 2 + |
policy/modules/system/init.if | 183 ++++++++++++++++++--- |
policy/modules/system/init.te | 317 +++++++++++++++++++++++++++++++++--- |
policy/modules/system/logging.fc | 5 +- |
policy/modules/system/logging.if | 18 ++ |
policy/modules/system/logging.te | 36 +++- |
policy/modules/system/lvm.if | 18 ++ |
policy/modules/system/lvm.te | 2 +- |
policy/modules/system/miscfiles.te | 6 +- |
policy/modules/system/systemd.fc | 11 +- |
policy/modules/system/systemd.if | 122 +++++++++++++- |
policy/modules/system/systemd.te | 49 +++++- |
policy/modules/system/udev.if | 20 +++ |
policy/modules/system/udev.te | 2 +- |
policy/modules/system/unconfined.if | 19 +++ |
policy/modules/system/unconfined.te | 2 +- |
policy/modules/system/userdomain.if | 71 ++++++++ |
policy/modules/system/userdomain.te | 2 +- |
24 files changed, 1011 insertions(+), 65 deletions(-) |
|
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
37 |
index 08e2e8af..b51a25ac 100644 |
38 |
--- a/policy/modules/kernel/devices.if |
39 |
+++ b/policy/modules/kernel/devices.if |
40 |
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',` |
41 |
|
42 |
######################################## |
43 |
## <summary> |
44 |
+## Allow full relabeling (to and from) of all device files. |
45 |
+## </summary> |
46 |
+## <param name="domain"> |
47 |
+## <summary> |
48 |
+## Domain allowed access. |
49 |
+## </summary> |
50 |
+## </param> |
51 |
+## <rolecap/> |
52 |
+# |
53 |
+interface(`dev_relabel_all_dev_files',` |
54 |
+ gen_require(` |
55 |
+ type device_t; |
56 |
+ ') |
57 |
+ |
58 |
+ relabel_files_pattern($1, device_t, device_t) |
59 |
+') |
60 |
+ |
61 |
+######################################## |
62 |
+## <summary> |
63 |
## List all of the device nodes in a device directory. |
64 |
## </summary> |
65 |
## <param name="domain"> |
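Review bot: The summary "Allow full relabeling (to and from) of all device files" overstates what `relabel_files_pattern($1, device_t, device_t)` grants — only regular files of the generic `device_t` type, not the device-specific types that `dev_relabel_all_dev_nodes` just above reaches through its attribute. A caller who reads `dev_relabel_all_dev_files` next to `dev_relabel_all_dev_nodes` will assume parity. Suggest `## Relabel (to and from) regular files of the generic device_t type.` plus a `<desc>` line stating that device-specific types are not included.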
66 |
@@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',` |
67 |
|
68 |
######################################## |
69 |
## <summary> |
70 |
+## Relabel hardware state directories. |
71 |
+## </summary> |
72 |
+## <param name="domain"> |
73 |
+## <summary> |
74 |
+## Domain allowed access. |
75 |
+## </summary> |
76 |
+## </param> |
77 |
+# |
78 |
+interface(`dev_relabel_sysfs_dirs',` |
79 |
+ gen_require(` |
80 |
+ type sysfs_t; |
81 |
+ ') |
82 |
+ |
83 |
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) |
84 |
+') |
85 |
+ |
86 |
+######################################## |
87 |
+## <summary> |
88 |
## Relabel from/to all sysfs types. |
89 |
## </summary> |
90 |
## <param name="domain"> |
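Review bot: `dev_relabel_sysfs_dirs` is limited to the generic `sysfs_t` type, whereas the interface directly below it is documented as "Relabel from/to all sysfs types", so the new summary "Relabel hardware state directories." should make the narrower scope explicit. Suggest `## Relabel (to and from) directories of the generic sysfs_t type; other sysfs types are not included.`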
91 |
|
92 |
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te |
93 |
index 66bc754e..470f0f00 100644 |
94 |
--- a/policy/modules/kernel/devices.te |
95 |
+++ b/policy/modules/kernel/devices.te |
96 |
@@ -1,4 +1,4 @@ |
97 |
-policy_module(devices, 1.20.2) |
98 |
+policy_module(devices, 1.20.3) |
99 |
|
100 |
######################################## |
101 |
# |
102 |
@@ -22,6 +22,10 @@ files_associate_tmp(device_t) |
103 |
fs_xattr_type(device_t) |
104 |
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); |
105 |
|
106 |
+optional_policy(` |
107 |
+ systemd_tmpfilesd_managed(device_t, fifo_file) |
108 |
+') |
109 |
+ |
110 |
# |
111 |
# Type for /dev/agpgart |
112 |
# |
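Review bot: The new `systemd_tmpfilesd_managed(device_t, fifo_file)` block carries no comment saying which tmpfiles.d entry needs to create named pipes under /dev, which is the first thing someone auditing what systemd-tmpfiles may do in the device directory will ask. A one-line why-comment above the `optional_policy`, e.g. `# systemd-tmpfiles creates FIFOs in /dev from tmpfiles.d entries`, would do; the specific entry is not visible here and should be named by whoever hit the denial.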
113 |
|
114 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
115 |
index 6babfb90..0d6fe3c5 100644 |
116 |
--- a/policy/modules/kernel/files.if |
117 |
+++ b/policy/modules/kernel/files.if |
118 |
@@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',` |
119 |
|
120 |
######################################## |
121 |
## <summary> |
122 |
+## manage all pidfile directories |
123 |
+## in the /var/run directory. |
124 |
+## </summary> |
125 |
+## <param name="domain"> |
126 |
+## <summary> |
127 |
+## Domain allowed access. |
128 |
+## </summary> |
129 |
+## </param> |
130 |
+# |
131 |
+interface(`files_manage_all_pid_dirs',` |
132 |
+ gen_require(` |
133 |
+ attribute pidfile; |
134 |
+ ') |
135 |
+ |
136 |
+ manage_dirs_pattern($1, pidfile, pidfile) |
137 |
+') |
138 |
+ |
139 |
+######################################## |
140 |
+## <summary> |
141 |
## Read all process ID files. |
142 |
## </summary> |
143 |
## <param name="domain"> |
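Review bot: The summary of `files_manage_all_pid_dirs` starts lowercase ("manage all pidfile directories") and says "in the /var/run directory", but `manage_dirs_pattern($1, pidfile, pidfile)` covers every type carrying the `pidfile` attribute wherever it lives and includes create, delete and rename. Suggest `## Create, read, write, and delete all pid directories (every type with the pidfile attribute).`, which also matches the "all process ID" wording of the neighbouring interfaces.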
144 |
@@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',` |
145 |
|
146 |
######################################## |
147 |
## <summary> |
148 |
+## Execute generic programs in /var/run in the caller domain. |
149 |
+## </summary> |
150 |
+## <param name="domain"> |
151 |
+## <summary> |
152 |
+## Domain allowed access. |
153 |
+## </summary> |
154 |
+## </param> |
155 |
+# |
156 |
+interface(`files_exec_generic_pid_files',` |
157 |
+ gen_require(` |
158 |
+ type var_run_t; |
159 |
+ ') |
160 |
+ |
161 |
+ exec_files_pattern($1, var_run_t, var_run_t) |
162 |
+') |
163 |
+ |
164 |
+######################################## |
165 |
+## <summary> |
166 |
+## Relable all pid files |
167 |
+## </summary> |
168 |
+## <param name="domain"> |
169 |
+## <summary> |
170 |
+## Domain allowed access. |
171 |
+## </summary> |
172 |
+## </param> |
173 |
+# |
174 |
+interface(`files_relabel_all_pid_files',` |
175 |
+ gen_require(` |
176 |
+ attribute pidfile; |
177 |
+ ') |
178 |
+ |
179 |
+ relabel_files_pattern($1, pidfile, pidfile) |
180 |
+') |
181 |
+ |
182 |
+######################################## |
183 |
+## <summary> |
184 |
## Delete all process IDs. |
185 |
## </summary> |
186 |
## <param name="domain"> |
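Review bot: `files_exec_generic_pid_files` lets the caller execute `var_run_t` content in its own domain with no transition, and `var_run_t` is the generic type under which many domains create runtime files, so any domain that can write generic /run content could plant something the caller will run. The interface should say this: a `<desc>` block under the summary noting that executing generic runtime files without a domain transition is an escalation path and should only be given to domains that create the files they execute. Separately, the summary `## Relable all pid files` should read `## Relabel all pid files`.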
187 |
@@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',` |
188 |
|
189 |
######################################## |
190 |
## <summary> |
191 |
+## Create all pid sockets |
192 |
+## </summary> |
193 |
+## <param name="domain"> |
194 |
+## <summary> |
195 |
+## Domain allowed access. |
196 |
+## </summary> |
197 |
+## </param> |
198 |
+# |
199 |
+interface(`files_create_all_pid_sockets',` |
200 |
+ gen_require(` |
201 |
+ attribute pidfile; |
202 |
+ ') |
203 |
+ |
204 |
+ allow $1 pidfile:sock_file create_sock_file_perms; |
205 |
+') |
206 |
+ |
207 |
+######################################## |
208 |
+## <summary> |
209 |
+## Create all pid named pipes |
210 |
+## </summary> |
211 |
+## <param name="domain"> |
212 |
+## <summary> |
213 |
+## Domain allowed access. |
214 |
+## </summary> |
215 |
+## </param> |
216 |
+# |
217 |
+interface(`files_create_all_pid_pipes',` |
218 |
+ gen_require(` |
219 |
+ attribute pidfile; |
220 |
+ ') |
221 |
+ |
222 |
+ allow $1 pidfile:fifo_file create_fifo_file_perms; |
223 |
+') |
224 |
+ |
225 |
+######################################## |
226 |
+## <summary> |
227 |
+## Create all spool sockets |
228 |
+## </summary> |
229 |
+## <param name="domain"> |
230 |
+## <summary> |
231 |
+## Domain allowed access. |
232 |
+## </summary> |
233 |
+## </param> |
234 |
+# |
235 |
+interface(`files_create_all_spool_sockets',` |
236 |
+ gen_require(` |
237 |
+ attribute spoolfile; |
238 |
+ ') |
239 |
+ |
240 |
+ allow $1 spoolfile:sock_file create_sock_file_perms; |
241 |
+') |
242 |
+ |
243 |
+######################################## |
244 |
+## <summary> |
245 |
+## Delete all spool sockets |
246 |
+## </summary> |
247 |
+## <param name="domain"> |
248 |
+## <summary> |
249 |
+## Domain allowed access. |
250 |
+## </summary> |
251 |
+## </param> |
252 |
+# |
253 |
+interface(`files_delete_all_spool_sockets',` |
254 |
+ gen_require(` |
255 |
+ attribute spoolfile; |
256 |
+ ') |
257 |
+ |
258 |
+ allow $1 spoolfile:sock_file delete_sock_file_perms; |
259 |
+') |
260 |
+ |
261 |
+######################################## |
262 |
+## <summary> |
263 |
## Delete all process ID directories. |
264 |
## </summary> |
265 |
## <param name="domain"> |
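Review bot: The four new interfaces use bare `allow` rules on `sock_file`/`fifo_file` and grant nothing on the containing directory, so a caller that does not already hold `add_name`/`remove_name` on pidfile or spoolfile directories still cannot create or delete the object; the rest of this file uses the `*_pattern` macros for exactly that reason. Suggest `create_sock_files_pattern($1, pidfile, pidfile)` and `create_fifo_files_pattern($1, pidfile, pidfile)` for the pid interfaces, and the `create_sock_files_pattern`/`delete_sock_files_pattern` forms on `spoolfile` for the spool ones. If leaving directory permissions to the caller is intentional, a `<desc>` line saying so would stop the next person "fixing" it.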
266 |
|
267 |
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te |
268 |
index 7c861cc1..63ec6591 100644 |
269 |
--- a/policy/modules/kernel/files.te |
270 |
+++ b/policy/modules/kernel/files.te |
271 |
@@ -1,4 +1,4 @@ |
272 |
-policy_module(files, 1.23.4) |
273 |
+policy_module(files, 1.23.5) |
274 |
|
275 |
######################################## |
276 |
# |
277 |
@@ -174,6 +174,10 @@ type var_run_t; |
278 |
files_pid_file(var_run_t) |
279 |
files_mountpoint(var_run_t) |
280 |
|
281 |
+optional_policy(` |
282 |
+ systemd_tmpfilesd_managed(var_run_t, lnk_file) |
283 |
+') |
284 |
+ |
285 |
# |
286 |
# var_spool_t is the type of /var/spool |
287 |
# |
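Review bot: `systemd_tmpfilesd_managed(var_run_t, lnk_file)` has no comment explaining which symlinks systemd-tmpfiles is expected to create under /run, so the rule reads as a blanket grant over the generic runtime type. Suggest `# systemd-tmpfiles creates symlinks in /run from tmpfiles.d entries` above the `optional_policy`, naming the entry if it is known.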
288 |
|
289 |
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if |
290 |
index 55ce2bd2..5bac5fb3 100644 |
291 |
--- a/policy/modules/system/authlogin.if |
292 |
+++ b/policy/modules/system/authlogin.if |
293 |
@@ -162,9 +162,18 @@ interface(`auth_login_pgm_domain',` |
294 |
seutil_read_config($1) |
295 |
seutil_read_default_contexts($1) |
296 |
|
297 |
+ userdom_search_user_runtime($1) |
298 |
+ userdom_read_user_tmpfs_files($1) |
299 |
+ |
300 |
tunable_policy(`allow_polyinstantiation',` |
301 |
files_polyinstantiate_all($1) |
302 |
') |
303 |
+ |
304 |
+ optional_policy(` |
305 |
+ systemd_read_logind_state($1) |
306 |
+ systemd_write_inherited_logind_sessions_pipes($1) |
307 |
+ systemd_use_passwd_agent_fds($1) |
308 |
+ ') |
309 |
') |
310 |
|
311 |
######################################## |
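Review bot: `userdom_read_user_tmpfs_files($1)` and `userdom_search_user_runtime($1)` are granted unconditionally to every login program domain, while the logind and passwd-agent accesses right below are guarded by `optional_policy`; if the tmpfs read exists only to support the systemd user session it belongs under the same guard or an `ifdef(`init_systemd',` block, and if not, a why-comment is needed because login programs reading arbitrary user tmpfs content is a broad grant. The `optional_policy` block itself has no comment naming what it depends on; `# systemd-logind session state and password agent` would do. `auth_login_pgm_domain` starts before this hunk.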
312 |
|
313 |
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te |
314 |
index b4273689..43c83620 100644 |
315 |
--- a/policy/modules/system/authlogin.te |
316 |
+++ b/policy/modules/system/authlogin.te |
317 |
@@ -1,4 +1,4 @@ |
318 |
-policy_module(authlogin, 2.10.1) |
319 |
+policy_module(authlogin, 2.10.2) |
320 |
|
321 |
######################################## |
322 |
# |
323 |
@@ -85,6 +85,10 @@ files_type(var_auth_t) |
324 |
type wtmp_t; |
325 |
logging_log_file(wtmp_t) |
326 |
|
327 |
+optional_policy(` |
328 |
+ systemd_tmpfilesd_managed(faillog_t, file) |
329 |
+') systemd_tmpfilesd_managed(var_auth_t, dir) |
330 |
+ |
331 |
######################################## |
332 |
# |
333 |
# Check password local policy |
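Review bot: The second `systemd_tmpfilesd_managed(var_auth_t, dir)` call sits after the closing `')` on the same line, so it is outside the `optional_policy` block and is expanded unconditionally — on a build without the systemd module the interface is undefined and the policy fails to build, and even with it the optional guard is defeated for that rule. Move it inside the block so it reads `systemd_tmpfilesd_managed(faillog_t, file)` followed by `systemd_tmpfilesd_managed(var_auth_t, dir)` on its own indented line, then `')` alone.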
334 |
|
335 |
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc |
336 |
index fe085d15..b08e7a2a 100644 |
337 |
--- a/policy/modules/system/init.fc |
338 |
+++ b/policy/modules/system/init.fc |
339 |
@@ -57,7 +57,9 @@ ifdef(`distro_gentoo', ` |
340 |
/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) |
341 |
/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) |
342 |
/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) |
343 |
+/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) |
344 |
/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) |
345 |
+/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) |
346 |
|
347 |
ifdef(`distro_debian',` |
348 |
/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) |
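Review bot: `/run/sm-notify\.pid` and `/run/wd_keepalive\.pid` are daemon pid files (NFS sm-notify and the watchdog keepalive) but are labeled with the generic `initrc_var_run_t`, which every init script can read and write, rather than a pid type owned by the daemon's own module. If the rpc and watchdog modules define their own pid types these entries belong in those .fc files; if the files really are written by the init scripts themselves, a comment saying so would justify the generic label.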
349 |
|
350 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
351 |
index 4a36e12a..162ce266 100644 |
352 |
--- a/policy/modules/system/init.if |
353 |
+++ b/policy/modules/system/init.if |
354 |
@@ -209,7 +209,7 @@ interface(`init_ranged_domain',` |
355 |
# |
356 |
interface(`init_daemon_domain',` |
357 |
gen_require(` |
358 |
- type initrc_t; |
359 |
+ type init_t, initrc_t; |
360 |
role system_r; |
361 |
attribute daemon; |
362 |
') |
363 |
@@ -240,6 +240,8 @@ interface(`init_daemon_domain',` |
364 |
init_domain($1, $2) |
365 |
# this may be because of late labelling |
366 |
kernel_dgram_send($1) |
367 |
+ |
368 |
+ allow $1 init_t:unix_dgram_socket sendto; |
369 |
') |
370 |
|
371 |
optional_policy(` |
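Review bot: `allow $1 init_t:unix_dgram_socket sendto;` in `init_daemon_domain` is granted to every daemon regardless of init system, but this commit also adds `allow daemon init_t:unix_dgram_socket sendto;` inside the `ifdef(`init_systemd',` block of init.te, and `init_daemon_domain` already makes `$1` a member of `daemon`. One of the two is redundant; since the init.te comment ties this to the /run/systemd/notify path, keep the init.te rule and drop this line, or wrap it in `ifdef(`init_systemd',` if the interface is meant to stand alone. `init_daemon_domain` starts before this hunk.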
372 |
@@ -400,8 +402,10 @@ interface(`init_system_domain',` |
373 |
gen_require(` |
374 |
type initrc_t; |
375 |
role system_r; |
376 |
+ attribute systemprocess; |
377 |
') |
378 |
|
379 |
+ typeattribute $1 systemprocess; |
380 |
application_domain($1, $2) |
381 |
|
382 |
role system_r types $1; |
383 |
@@ -477,6 +481,24 @@ interface(`init_ranged_system_domain',` |
384 |
') |
385 |
') |
386 |
|
387 |
+###################################### |
388 |
+## <summary> |
389 |
+## Allow domain dyntransition to init_t domain. |
390 |
+## </summary> |
391 |
+## <param name="domain"> |
392 |
+## <summary> |
393 |
+## Domain allowed to transition. |
394 |
+## </summary> |
395 |
+## </param> |
396 |
+# |
397 |
+interface(`init_dyntrans',` |
398 |
+ gen_require(` |
399 |
+ type init_t; |
400 |
+ ') |
401 |
+ |
402 |
+ dyntrans_pattern($1, init_t) |
403 |
+') |
404 |
+ |
405 |
######################################## |
406 |
## <summary> |
407 |
## Mark the file type as a daemon pid file, allowing initrc_t |
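Review bot: `init_dyntrans` hands the caller `self:process setcurrent` plus `init_t:process dyntransition`, i.e. the ability to become init_t without executing anything, and init_t is the most privileged domain in the policy (and fully unconfined when the unconfined module is loaded, see `unconfined_domain(init_t)` in init.te). The documentation gives no hint of that; "Allow domain dyntransition to init_t domain" reads like a routine grant. Suggest a `<desc>` block stating that the caller must be trusted equivalently to init itself and that this exists only for the init-related helper that needs to re-enter init_t. The intended caller is not visible in this chunk.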
408 |
@@ -708,6 +730,7 @@ interface(`init_stream_connect',` |
409 |
|
410 |
stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) |
411 |
files_search_pids($1) |
412 |
+ allow $1 init_t:unix_stream_socket getattr; |
413 |
') |
414 |
|
415 |
######################################## |
416 |
@@ -1225,23 +1248,24 @@ interface(`init_write_initctl',` |
417 |
# |
418 |
interface(`init_telinit',` |
419 |
gen_require(` |
420 |
- type initctl_t; |
421 |
+ type initctl_t, init_t; |
422 |
') |
423 |
|
424 |
- dev_list_all_dev_nodes($1) |
425 |
+ ps_process_pattern($1, init_t) |
426 |
+ allow $1 init_t:process signal; |
427 |
+ # upstart uses a datagram socket instead of initctl pipe |
428 |
+ allow $1 self:unix_dgram_socket create_socket_perms; |
429 |
+ allow $1 init_t:unix_dgram_socket sendto; |
430 |
+ #576913 |
431 |
+ allow $1 init_t:unix_stream_socket connectto; |
432 |
+ |
433 |
allow $1 initctl_t:fifo_file rw_fifo_file_perms; |
434 |
|
435 |
- init_exec($1) |
436 |
+ corecmd_exec_bin($1) |
437 |
|
438 |
- tunable_policy(`init_upstart',` |
439 |
- gen_require(` |
440 |
- type init_t; |
441 |
- ') |
442 |
+ dev_list_all_dev_nodes($1) |
443 |
|
444 |
- # upstart uses a datagram socket instead of initctl pipe |
445 |
- allow $1 self:unix_dgram_socket create_socket_perms; |
446 |
- allow $1 init_t:unix_dgram_socket sendto; |
447 |
- ') |
448 |
+ init_exec($1) |
449 |
') |
450 |
|
451 |
######################################## |
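Review bot: The upstart datagram rules and `allow $1 init_t:process signal;` are now unconditional in `init_telinit`, while `gen_tunable(init_upstart, false)` still exists in init.te; if this was the tunable's only consumer it is now dead and should be removed, and if not, these rules should stay under `tunable_policy(`init_upstart',`. The bare `#576913` comment names no tracker, so the `connectto` rule needs something like `# <tracker> bug 576913: telinit/systemctl connects to init's stream socket`. `corecmd_exec_bin($1)` is also far wider than a telinit interface implies; a comment explaining why `init_exec($1)` is not sufficient would help.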
452 |
@@ -1370,6 +1394,37 @@ interface(`init_domtrans_script',` |
453 |
|
454 |
######################################## |
455 |
## <summary> |
456 |
+## Execute labelled init scripts with an automatic domain transition. |
457 |
+## </summary> |
458 |
+## <param name="domain"> |
459 |
+## <summary> |
460 |
+## Domain allowed to transition. |
461 |
+## </summary> |
462 |
+## </param> |
463 |
+# |
464 |
+interface(`init_domtrans_labeled_script',` |
465 |
+ gen_require(` |
466 |
+ type initrc_t; |
467 |
+ attribute init_script_file_type; |
468 |
+ attribute initrc_transition_domain; |
469 |
+ ') |
470 |
+ |
471 |
+ typeattribute $1 initrc_transition_domain; |
472 |
+ |
473 |
+ files_list_etc($1) |
474 |
+ domtrans_pattern($1, init_script_file_type, initrc_t) |
475 |
+ |
476 |
+ ifdef(`enable_mcs',` |
477 |
+ range_transition $1 init_script_file_type:process s0; |
478 |
+ ') |
479 |
+ |
480 |
+ ifdef(`enable_mls',` |
481 |
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; |
482 |
+ ') |
483 |
+') |
484 |
+ |
485 |
+######################################## |
486 |
+## <summary> |
487 |
## Execute a init script in a specified domain. |
488 |
## </summary> |
489 |
## <desc> |
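Review bot: `init_domtrans_labeled_script` uses `files_list_etc($1)` where the sibling `init_labeled_script_domtrans` in this same file uses `files_search_etc($1)`; reaching `/etc/init.d/*` only needs search, so `files_search_etc($1)` is the smaller and consistent choice. The `initrc_transition_domain` attribute it assigns is new in this commit and undocumented anywhere in view; a `<desc>` line saying what membership in that attribute is used for would let callers understand the side effect of calling this interface.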
490 |
@@ -1440,8 +1495,10 @@ interface(`init_manage_script_service',` |
491 |
interface(`init_labeled_script_domtrans',` |
492 |
gen_require(` |
493 |
type initrc_t; |
494 |
+ attribute initrc_transition_domain; |
495 |
') |
496 |
|
497 |
+ typeattribute $1 initrc_transition_domain; |
498 |
domtrans_pattern($1, $2, initrc_t) |
499 |
files_search_etc($1) |
500 |
') |
501 |
@@ -1574,6 +1631,7 @@ interface(`init_run_daemon',` |
502 |
interface(`init_startstop_all_script_services',` |
503 |
gen_require(` |
504 |
attribute init_script_file_type; |
505 |
+ class service { start status stop }; |
506 |
') |
507 |
|
508 |
allow $1 init_script_file_type:service { start status stop }; |
509 |
@@ -1789,12 +1847,7 @@ interface(`init_read_script_state',` |
510 |
') |
511 |
|
512 |
kernel_search_proc($1) |
513 |
- read_files_pattern($1, initrc_t, initrc_t) |
514 |
- read_lnk_files_pattern($1, initrc_t, initrc_t) |
515 |
- list_dirs_pattern($1, initrc_t, initrc_t) |
516 |
- |
517 |
- # should move this to separate interface |
518 |
- allow $1 initrc_t:process getattr; |
519 |
+ ps_process_pattern($1, initrc_t) |
520 |
') |
521 |
|
522 |
######################################## |
523 |
@@ -2378,7 +2431,7 @@ interface(`init_dontaudit_rw_utmp',` |
524 |
type initrc_var_run_t; |
525 |
') |
526 |
|
527 |
- dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; |
528 |
+ dontaudit $1 initrc_var_run_t:file rw_file_perms; |
529 |
') |
530 |
|
531 |
######################################## |
532 |
@@ -2419,6 +2472,98 @@ interface(`init_pid_filetrans_utmp',` |
533 |
files_pid_filetrans($1, initrc_var_run_t, file, "utmp") |
534 |
') |
535 |
|
536 |
+####################################### |
537 |
+## <summary> |
538 |
+## Create a directory in the /run/systemd directory. |
539 |
+## </summary> |
540 |
+## <param name="domain"> |
541 |
+## <summary> |
542 |
+## Domain allowed access. |
543 |
+## </summary> |
544 |
+## </param> |
545 |
+# |
546 |
+interface(`init_create_pid_dirs',` |
547 |
+ gen_require(` |
548 |
+ type init_var_run_t; |
549 |
+ ') |
550 |
+ |
551 |
+ allow $1 init_var_run_t:dir list_dir_perms; |
552 |
+ create_dirs_pattern($1, init_var_run_t, init_var_run_t) |
553 |
+') |
554 |
+ |
555 |
+######################################## |
556 |
+## <summary> |
557 |
+## Rename init_var_run_t files |
558 |
+## </summary> |
559 |
+## <param name="domain"> |
560 |
+## <summary> |
561 |
+## domain |
562 |
+## </summary> |
563 |
+## </param> |
564 |
+# |
565 |
+interface(`init_rename_pid_files',` |
566 |
+ gen_require(` |
567 |
+ type init_var_run_t; |
568 |
+ ') |
569 |
+ |
570 |
+ rename_files_pattern($1, init_var_run_t, init_var_run_t) |
571 |
+') |
572 |
+ |
573 |
+######################################## |
574 |
+## <summary> |
575 |
+## Rename and de init_var_run_t files |
576 |
+## </summary> |
577 |
+## <param name="domain"> |
578 |
+## <summary> |
579 |
+## domain |
580 |
+## </summary> |
581 |
+## </param> |
582 |
+# |
583 |
+interface(`init_delete_pid_files',` |
584 |
+ gen_require(` |
585 |
+ type init_var_run_t; |
586 |
+ ') |
587 |
+ |
588 |
+ delete_files_pattern($1, init_var_run_t, init_var_run_t) |
589 |
+') |
590 |
+ |
591 |
+####################################### |
592 |
+## <summary> |
593 |
+## Allow the specified domain to write to |
594 |
+## init sock file. |
595 |
+## </summary> |
596 |
+## <param name="domain"> |
597 |
+## <summary> |
598 |
+## Domain allowed access. |
599 |
+## </summary> |
600 |
+## </param> |
601 |
+# |
602 |
+interface(`init_write_pid_socket',` |
603 |
+ gen_require(` |
604 |
+ type init_var_run_t; |
605 |
+ ') |
606 |
+ |
607 |
+ allow $1 init_var_run_t:sock_file write; |
608 |
+') |
609 |
+ |
610 |
+######################################## |
611 |
+## <summary> |
612 |
+## Read init unnamed pipes. |
613 |
+## </summary> |
614 |
+## <param name="domain"> |
615 |
+## <summary> |
616 |
+## Domain allowed access. |
617 |
+## </summary> |
618 |
+## </param> |
619 |
+# |
620 |
+interface(`init_read_pid_pipes',` |
621 |
+ gen_require(` |
622 |
+ type init_var_run_t; |
623 |
+ ') |
624 |
+ |
625 |
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) |
626 |
+') |
627 |
+ |
628 |
######################################## |
629 |
## <summary> |
630 |
## Allow the specified domain to connect to daemon with a tcp socket |
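Review bot: The summary of `init_delete_pid_files` reads "Rename and de init_var_run_t files" — a truncated copy of the rename interface above it — and should be `## Delete init_var_run_t files`. The `<param>` summaries of the rename and delete interfaces say just "domain" while every other interface in this file uses "Domain allowed access."; and `init_create_pid_dirs` is described as creating "a directory in the /run/systemd directory" but grants no file transition, so the new directory only gets `init_var_run_t` if the caller already has a transition or creates with that context — worth stating. `init_write_pid_socket` grants `sock_file write` only, so a caller still needs search on `init_var_run_t` directories to reach /run/systemd/notify; that belongs in its `<desc>`.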
631 |
|
632 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
633 |
index a43bf19b..54ca2ceb 100644 |
634 |
--- a/policy/modules/system/init.te |
635 |
+++ b/policy/modules/system/init.te |
636 |
@@ -1,4 +1,4 @@ |
637 |
-policy_module(init, 2.2.5) |
638 |
+policy_module(init, 2.2.6) |
639 |
|
640 |
gen_require(` |
641 |
class passwd rootok; |
642 |
@@ -16,13 +16,22 @@ gen_require(` |
643 |
## </desc> |
644 |
gen_tunable(init_upstart, false) |
645 |
|
646 |
+## <desc> |
647 |
+## <p> |
648 |
+## Allow all daemons the ability to read/write terminals |
649 |
+## </p> |
650 |
+## </desc> |
651 |
+gen_tunable(init_daemons_use_tty, false) |
652 |
+ |
653 |
attribute init_script_domain_type; |
654 |
attribute init_script_file_type; |
655 |
attribute init_run_all_scripts_domain; |
656 |
attribute systemdunit; |
657 |
+attribute initrc_transition_domain; |
658 |
|
659 |
# Mark process types as daemons |
660 |
attribute daemon; |
661 |
+attribute systemprocess; |
662 |
|
663 |
# Mark file type as a daemon pid file |
664 |
attribute daemonpidfile; |
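Review bot: The two new attributes `initrc_transition_domain` and `systemprocess` are declared without the one-line comment the other attributes here carry (compare `# Mark process types as daemons` above `attribute daemon;`). Suggest `# Domains that may transition to initrc_t through init scripts` and `# Process types started by init via init_system_domain`, matching how this commit assigns them. The new `init_daemons_use_tty` tunable has no consumer anywhere in this chunk; make sure a `tunable_policy` block actually references it, otherwise it is a dead boolean.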
665 |
@@ -33,7 +42,7 @@ attribute daemonrundir; |
666 |
# |
667 |
# init_t is the domain of the init process. |
668 |
# |
669 |
-type init_t; |
670 |
+type init_t, initrc_transition_domain; |
671 |
type init_exec_t; |
672 |
domain_type(init_t) |
673 |
domain_entry_file(init_t, init_exec_t) |
674 |
@@ -110,6 +119,7 @@ ifdef(`enable_mls',` |
675 |
|
676 |
# Use capabilities. old rule: |
677 |
allow init_t self:capability ~sys_module; |
678 |
+allow init_t self:capability2 { wake_alarm block_suspend }; |
679 |
# is ~sys_module really needed? observed: |
680 |
# sys_boot |
681 |
# sys_tty_config |
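Review bot: `allow init_t self:capability2 { wake_alarm block_suspend };` duplicates `block_suspend`, which the `ifdef(`init_systemd',` block a few lines down already grants with `allow init_t self:capability2 { audit_read block_suspend };`. Either fold `wake_alarm` into that existing rule (if it is systemd-only, which timer wake-ups would suggest) or reduce this rule to `wake_alarm` alone, and add a why-comment such as `# wake_alarm: CLOCK_*_ALARM timers` since neither rule says what the capability is for.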
682 |
@@ -128,6 +138,9 @@ allow init_t initrc_t:unix_stream_socket connectto; |
683 |
allow init_t init_var_run_t:file manage_file_perms; |
684 |
files_pid_filetrans(init_t, init_var_run_t, file) |
685 |
|
686 |
+# for systemd to manage service file symlinks |
687 |
+allow init_t init_var_run_t:file manage_lnk_file_perms; |
688 |
+ |
689 |
allow init_t initctl_t:fifo_file manage_fifo_file_perms; |
690 |
dev_filetrans(init_t, initctl_t, fifo_file) |
691 |
|
692 |
@@ -147,6 +160,7 @@ dev_rw_generic_chr_files(init_t) |
693 |
|
694 |
domain_getpgid_all_domains(init_t) |
695 |
domain_kill_all_domains(init_t) |
696 |
+domain_getattr_all_domains(init_t) |
697 |
domain_signal_all_domains(init_t) |
698 |
domain_signull_all_domains(init_t) |
699 |
domain_sigstop_all_domains(init_t) |
700 |
@@ -199,6 +213,10 @@ ifdef(`init_systemd',` |
701 |
# handle instances where an old labeled init script is encountered. |
702 |
typeattribute init_t init_run_all_scripts_domain; |
703 |
|
704 |
+ allow init_t systemprocess:process { dyntransition siginh }; |
705 |
+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; |
706 |
+ allow init_t systemprocess:unix_dgram_socket create_socket_perms; |
707 |
+ |
708 |
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit }; |
709 |
allow init_t self:capability2 { audit_read block_suspend }; |
710 |
allow init_t self:netlink_kobject_uevent_socket create_socket_perms; |
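Review bot: `allow init_t systemprocess:process { dyntransition siginh };` lets init switch into any `systemprocess` domain without an exec, but a dynamic transition also needs `setcurrent` on `self:process`, which the `allow init_t self:process { ... }` list directly below does not include; unless it is granted elsewhere (the optional `unconfined_domain(init_t)` would), this rule cannot be exercised. None of the three new rules say which systemd behaviour performs the dyntransition or why init creates stream and dgram sockets on behalf of these processes; `# init creates the sockets handed to socket-activated services` is the likely reason for the socket rules but should be confirmed and written down. The enclosing `ifdef(`init_systemd',` block starts and ends outside this hunk.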
711 |
@@ -206,6 +224,18 @@ ifdef(`init_systemd',` |
712 |
allow init_t self:netlink_selinux_socket create_socket_perms; |
713 |
allow init_t self:unix_dgram_socket lock; |
714 |
|
715 |
+ allow init_t daemon:unix_stream_socket create_stream_socket_perms; |
716 |
+ allow init_t daemon:unix_dgram_socket create_socket_perms; |
717 |
+ allow init_t daemon:tcp_socket create_stream_socket_perms; |
718 |
+ allow init_t daemon:udp_socket create_socket_perms; |
719 |
+ allow daemon init_t:unix_dgram_socket sendto; |
720 |
+ |
721 |
+ allow init_run_all_scripts_domain systemdunit:service { status start stop }; |
722 |
+ |
723 |
+ allow systemprocess init_t:unix_dgram_socket sendto; |
724 |
+ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; |
725 |
+ |
726 |
+ allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; |
727 |
manage_files_pattern(init_t, init_var_run_t, init_var_run_t) |
728 |
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) |
729 |
manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) |
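Review bot: The explicit `{ append write read getattr ioctl }` sets on `init_t:unix_stream_socket` for `systemprocess` and `daemon` are identical and uncommented; presumably they cover the stdout/stderr sockets init passes to services, and a single `allow { daemon systemprocess } init_t:unix_stream_socket { ... };` with `# rw inherited stdout/stderr stream sockets from init` would be clearer than two copies. `allow daemon init_t:unix_dgram_socket sendto;` is also added to `init_daemon_domain` in init.if by this commit, so one of the two is redundant. The `init_t daemon:{tcp,udp,unix}_socket create_*` rules likewise need a line stating they exist so init can create listening sockets for socket-activated daemons, if that is the reason. The enclosing `ifdef(`init_systemd',` block starts and ends outside this hunk.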
730 |
@@ -269,6 +299,9 @@ ifdef(`init_systemd',` |
731 |
# for network namespaces |
732 |
fs_read_nsfs_files(init_t) |
733 |
|
734 |
+ # need write to /var/run/systemd/notify |
735 |
+ init_write_pid_socket(daemon) |
736 |
+ |
737 |
# systemd_socket_activated policy |
738 |
mls_socket_write_all_levels(init_t) |
739 |
|
740 |
@@ -355,6 +388,11 @@ optional_policy(` |
741 |
') |
742 |
|
743 |
optional_policy(` |
744 |
+ udev_read_db(init_t) |
745 |
+ udev_relabelto_db(init_t) |
746 |
+') |
747 |
+ |
748 |
+optional_policy(` |
749 |
unconfined_domain(init_t) |
750 |
') |
751 |
|
752 |
@@ -403,11 +441,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) |
753 |
allow initrc_t initrc_var_run_t:file manage_file_perms; |
754 |
files_pid_filetrans(initrc_t, initrc_var_run_t, file) |
755 |
|
756 |
+allow initrc_t daemon:process siginh; |
757 |
+ |
758 |
can_exec(initrc_t, initrc_tmp_t) |
759 |
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) |
760 |
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) |
761 |
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) |
762 |
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) |
763 |
+allow initrc_t initrc_tmp_t:dir relabelfrom; |
764 |
|
765 |
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) |
766 |
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) |
767 |
@@ -450,6 +491,7 @@ corenet_sendrecv_all_client_packets(initrc_t) |
768 |
|
769 |
dev_read_rand(initrc_t) |
770 |
dev_read_urand(initrc_t) |
771 |
+dev_dontaudit_read_kmsg(initrc_t) |
772 |
dev_write_kmsg(initrc_t) |
773 |
dev_write_rand(initrc_t) |
774 |
dev_write_urand(initrc_t) |
775 |
@@ -460,8 +502,10 @@ dev_write_framebuffer(initrc_t) |
776 |
dev_read_realtime_clock(initrc_t) |
777 |
dev_read_sound_mixer(initrc_t) |
778 |
dev_write_sound_mixer(initrc_t) |
779 |
+dev_setattr_generic_dirs(initrc_t) |
780 |
dev_setattr_all_chr_files(initrc_t) |
781 |
dev_rw_lvm_control(initrc_t) |
782 |
+dev_rw_generic_chr_files(initrc_t) |
783 |
dev_delete_lvm_control_dev(initrc_t) |
784 |
dev_manage_generic_symlinks(initrc_t) |
785 |
dev_manage_generic_files(initrc_t) |
786 |
@@ -469,17 +513,16 @@ dev_manage_generic_files(initrc_t) |
787 |
dev_delete_generic_symlinks(initrc_t) |
788 |
dev_getattr_all_blk_files(initrc_t) |
789 |
dev_getattr_all_chr_files(initrc_t) |
790 |
-# Early devtmpfs |
791 |
-dev_rw_generic_chr_files(initrc_t) |
792 |
+dev_rw_xserver_misc(initrc_t) |
793 |
|
794 |
domain_kill_all_domains(initrc_t) |
795 |
domain_signal_all_domains(initrc_t) |
796 |
domain_signull_all_domains(initrc_t) |
797 |
domain_sigstop_all_domains(initrc_t) |
798 |
+domain_sigstop_all_domains(initrc_t) |
799 |
domain_sigchld_all_domains(initrc_t) |
800 |
domain_read_all_domains_state(initrc_t) |
801 |
domain_getattr_all_domains(initrc_t) |
802 |
-domain_dontaudit_ptrace_all_domains(initrc_t) |
803 |
domain_getsession_all_domains(initrc_t) |
804 |
domain_use_interactive_fds(initrc_t) |
805 |
# for lsof which is used by alsa shutdown: |
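Review bot: The added `domain_sigstop_all_domains(initrc_t)` is an exact duplicate of the context line immediately above it and should be dropped. Removing `domain_dontaudit_ptrace_all_domains(initrc_t)` reintroduces audit noise for the `pidof` case described by the existing comment ("initrc_t needs to do a pidof which requires ptrace") unless ptrace is now allowed elsewhere; if so a comment should say that, and if not the dontaudit should stay. `dev_rw_xserver_misc(initrc_t)` likewise has no comment naming the script that needs to read/write X server device nodes.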
806 |
@@ -487,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) |
807 |
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) |
808 |
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) |
809 |
domain_dontaudit_getattr_all_pipes(initrc_t) |
810 |
+domain_obj_id_change_exemption(initrc_t) |
811 |
|
812 |
files_getattr_all_dirs(initrc_t) |
813 |
files_getattr_all_files(initrc_t) |
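Review bot: `domain_obj_id_change_exemption(initrc_t)` exempts initrc_t from the constraint that normally blocks changing the SELinux user and role of objects on relabel, which means every init script can now relabel files to any user/role identity. That is a deliberate constraint bypass and needs a why-comment naming the script or restorecon use that hit the constraint denial, e.g. `# init scripts relabel runtime files across SELinux user identities (<which script>)`, so the exemption can be revisited later.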
814 |
@@ -494,8 +538,10 @@ files_getattr_all_symlinks(initrc_t) |
815 |
files_getattr_all_pipes(initrc_t) |
816 |
files_getattr_all_sockets(initrc_t) |
817 |
files_purge_tmp(initrc_t) |
818 |
-files_delete_all_locks(initrc_t) |
819 |
+files_manage_all_locks(initrc_t) |
820 |
+files_manage_boot_files(initrc_t) |
821 |
files_read_all_pids(initrc_t) |
822 |
+files_delete_root_files(initrc_t) |
823 |
files_delete_all_pids(initrc_t) |
824 |
files_delete_all_pid_dirs(initrc_t) |
825 |
files_read_etc_files(initrc_t) |
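Review bot: `files_manage_boot_files(initrc_t)` lets every init script create, write and delete files in /boot (kernel images, initramfs, bootloader configuration), and `files_delete_root_files(initrc_t)` lets them remove files directly under /. Both are large broadenings of the shared init script domain with no comment saying which script needs them; they should carry a justification, or better be placed under the relevant `distro_*` ifdef or given to a dedicated domain for that script. Replacing `files_delete_all_locks` with `files_manage_all_locks(initrc_t)` is reasonable for lock cleanup, but the same "which script" question applies.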
826 |
@@ -509,8 +555,12 @@ files_manage_generic_spool(initrc_t) |
827 |
# cjp: not sure why these are here; should use mount policy |
828 |
files_list_default(initrc_t) |
829 |
files_mounton_default(initrc_t) |
830 |
+files_manage_mnt_dirs(initrc_t) |
831 |
+files_manage_mnt_files(initrc_t) |
832 |
|
833 |
-fs_write_cgroup_files(initrc_t) |
834 |
+fs_delete_cgroup_dirs(initrc_t) |
835 |
+fs_list_cgroup_dirs(initrc_t) |
836 |
+fs_rw_cgroup_files(initrc_t) |
837 |
fs_list_inotifyfs(initrc_t) |
838 |
fs_register_binary_executable_type(initrc_t) |
839 |
# rhgb-console writes to ramfs |
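Review bot: `files_manage_mnt_dirs(initrc_t)` and `files_manage_mnt_files(initrc_t)` are placed directly under the existing comment "cjp: not sure why these are here; should use mount policy", which now reads as covering them too; either update that comment to say what the new /mnt management is for, or move the rules so the open question does not swallow them. The cgroup change from `fs_write_cgroup_files` to `fs_rw_cgroup_files`/`fs_delete_cgroup_dirs`/`fs_list_cgroup_dirs` looks like cgroup cleanup at shutdown and also merits a one-line why-comment.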
840 |
@@ -520,9 +570,13 @@ fs_mount_all_fs(initrc_t) |
841 |
fs_unmount_all_fs(initrc_t) |
842 |
fs_remount_all_fs(initrc_t) |
843 |
fs_getattr_all_fs(initrc_t) |
844 |
+fs_search_all(initrc_t) |
845 |
+fs_getattr_nfsd_files(initrc_t) |
846 |
|
847 |
# initrc_t needs to do a pidof which requires ptrace |
848 |
mcs_ptrace_all(initrc_t) |
849 |
+mcs_file_read_all(initrc_t) |
850 |
+mcs_file_write_all(initrc_t) |
851 |
mcs_killall(initrc_t) |
852 |
mcs_process_set_categories(initrc_t) |
853 |
|
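Review bot: `mcs_file_read_all(initrc_t)` and `mcs_file_write_all(initrc_t)` let the shared init script domain read and write files at every MCS category, an MCS override on top of the existing `mcs_ptrace_all`/`mcs_killall`; the neighbouring rule carries a justification ("initrc_t needs to do a pidof which requires ptrace") and these should too, e.g. `# init scripts clean up runtime files created at arbitrary categories`. `fs_search_all(initrc_t)` is similarly broad and undocumented.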
854 |
@@ -532,6 +586,7 @@ mls_process_read_all_levels(initrc_t) |
855 |
mls_process_write_all_levels(initrc_t) |
856 |
mls_rangetrans_source(initrc_t) |
857 |
mls_fd_share_all_levels(initrc_t) |
858 |
+mls_socket_write_to_clearance(initrc_t) |
859 |
|
860 |
selinux_get_enforce_mode(initrc_t) |
861 |
|
862 |
@@ -550,6 +605,11 @@ auth_delete_pam_pid(initrc_t) |
863 |
auth_delete_pam_console_data(initrc_t) |
864 |
auth_use_nsswitch(initrc_t) |
865 |
|
866 |
+init_get_system_status(initrc_t) |
867 |
+init_stream_connect(initrc_t) |
868 |
+init_start_all_units(initrc_t) |
869 |
+init_stop_all_units(initrc_t) |
870 |
+ |
871 |
libs_rw_ld_so_cache(initrc_t) |
872 |
libs_exec_lib_files(initrc_t) |
873 |
libs_exec_ld_so(initrc_t) |
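Review bot: `init_get_system_status`, `init_stream_connect`, `init_start_all_units` and `init_stop_all_units` are systemd unit-management accesses but are granted to initrc_t unconditionally, outside the `ifdef(`init_systemd',` blocks this file uses for exactly that kind of rule; on a sysvinit/openrc build they give init scripts a connection to init's stream socket and `service` permissions that do not apply. Suggest wrapping the four calls in `ifdef(`init_systemd',` and adding `# init scripts call systemctl to start/stop units` above them.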
874 |
@@ -563,7 +623,7 @@ logging_read_audit_config(initrc_t) |
875 |
|
876 |
miscfiles_read_localization(initrc_t) |
877 |
# slapd needs to read cert files from its initscript |
878 |
-miscfiles_read_generic_certs(initrc_t) |
879 |
+miscfiles_manage_generic_cert_files(initrc_t) |
880 |
|
881 |
seutil_read_config(initrc_t) |
882 |
|
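Review bot: The comment above `miscfiles_manage_generic_cert_files(initrc_t)` still says "slapd needs to read cert files from its initscript", but the rule now grants create, write and delete on generic certificate files to every init script, i.e. any script can replace trust anchors. If slapd's script only reads, keep `miscfiles_read_generic_certs(initrc_t)`; if some script genuinely generates certificates, update the comment to name it and consider a dedicated domain for that script instead of widening initrc_t.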
883 |
@@ -571,7 +631,7 @@ userdom_read_user_home_content_files(initrc_t) |
884 |
# Allow access to the sysadm TTYs. Note that this will give access to the |
885 |
# TTYs to any process in the initrc_t domain. Therefore, daemons and such |
886 |
# started from init should be placed in their own domain. |
887 |
-userdom_use_user_terminals(initrc_t) |
888 |
+userdom_use_inherited_user_terminals(initrc_t) |
889 |
|
890 |
ifdef(`distro_debian',` |
891 |
kernel_getattr_core_if(initrc_t) |
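Review bot: The comment above the changed line still warns that this "will give access to the TTYs to any process in the initrc_t domain", but `userdom_use_inherited_user_terminals` now only permits use of terminals received as inherited file descriptors, not opening them by path; update the comment so the narrower grant is not later widened again "to match the comment". Suggest `# Allow use of inherited sysadm TTY fds; initrc_t can no longer open user terminals by path.` The new `init_daemons_use_tty` tunable from this commit may be what is meant to restore terminal access for daemons, but no consumer of it is visible here.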
892 |
@@ -643,6 +703,10 @@ ifdef(`distro_gentoo',` |
893 |
sysnet_setattr_config(initrc_t) |
894 |
|
895 |
optional_policy(` |
896 |
+ abrt_manage_pid_files(initrc_t) |
897 |
+ ') |
898 |
+ |
899 |
+ optional_policy(` |
900 |
alsa_read_lib(initrc_t) |
901 |
') |
902 |
|
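Review bot: `abrt_manage_pid_files(initrc_t)` is added inside the `ifdef(`distro_gentoo',` block while the identical line is also added under `distro_redhat` later in this commit; abrt is the Fedora/RHEL crash reporter and is not obviously part of a Gentoo system, so this copy looks misplaced. If Gentoo really ships abrt a comment should say so; otherwise drop it from the gentoo block. The enclosing `ifdef(`distro_gentoo',` block starts and ends outside this hunk.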
903 |
@@ -663,7 +727,7 @@ ifdef(`distro_redhat',` |
904 |
|
905 |
# Red Hat systems seem to have a stray |
906 |
# fd open from the initrd |
907 |
- kernel_dontaudit_use_fds(initrc_t) |
908 |
+ kernel_use_fds(initrc_t) |
909 |
files_dontaudit_read_root_files(initrc_t) |
910 |
|
911 |
# These seem to be from the initrd |
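Review bot: Changing `kernel_dontaudit_use_fds(initrc_t)` to `kernel_use_fds(initrc_t)` turns a silenced denial into a grant, but the comment above it still describes the situation as a "stray fd open from the initrd", which justifies suppressing the audit message, not allowing the access. If init scripts genuinely need to use the inherited kernel fd, update the comment to say what they do with it; if not, keep the dontaudit. The enclosing `ifdef(`distro_redhat',` block starts and ends outside this hunk.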
912 |
@@ -707,8 +771,25 @@ ifdef(`distro_redhat',` |
913 |
') |
914 |
|
915 |
optional_policy(` |
916 |
+ abrt_manage_pid_files(initrc_t) |
917 |
+ ') |
918 |
+ |
919 |
+ optional_policy(` |
920 |
bind_manage_config_dirs(initrc_t) |
921 |
bind_write_config(initrc_t) |
922 |
+ bind_setattr_zone_dirs(initrc_t) |
923 |
+ ') |
924 |
+ |
925 |
+ optional_policy(` |
926 |
+ devicekit_append_inherited_log_files(initrc_t) |
927 |
+ ') |
928 |
+ |
929 |
+ optional_policy(` |
930 |
+ gnome_manage_gconf_config(initrc_t) |
931 |
+ ') |
932 |
+ |
933 |
+ optional_policy(` |
934 |
+ pulseaudio_stream_connect(initrc_t) |
935 |
') |
936 |
|
937 |
optional_policy(` |
938 |
@@ -716,6 +797,9 @@ ifdef(`distro_redhat',` |
939 |
rpc_write_exports(initrc_t) |
940 |
rpc_manage_nfs_state_data(initrc_t) |
941 |
') |
942 |
+ optional_policy(` |
943 |
+ rpcbind_stream_connect(initrc_t) |
944 |
+ ') |
945 |
|
946 |
optional_policy(` |
947 |
sysnet_rw_dhcp_config(initrc_t) |
948 |
@@ -734,7 +818,32 @@ ifdef(`distro_suse',` |
949 |
') |
950 |
') |
951 |
|
952 |
+ifdef(`enabled_mls',` |
953 |
+ optional_policy(` |
954 |
+ # allow init scripts to su |
955 |
+ su_restricted_domain_template(initrc, initrc_t, system_r) |
956 |
+ # Allow initrc_su_t, now defined, to transition to postgresql_t |
957 |
+ postgresql_domtrans(initrc_su_t) |
958 |
+ # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output) |
959 |
+ allow initrc_su_t initrc_devpts_t:chr_file { read write }; |
960 |
+ ') |
961 |
+') |
962 |
+ |
963 |
ifdef(`init_systemd',` |
964 |
+ allow init_t self:system { status reboot halt reload }; |
965 |
+ |
966 |
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto }; |
967 |
+ allow init_t self:process { setsockcreate setfscreate setrlimit }; |
968 |
+ allow init_t self:process { getcap setcap }; |
969 |
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
970 |
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms; |
971 |
+ # Until systemd is fixed |
972 |
+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; |
973 |
+ allow init_t self:udp_socket create_socket_perms; |
974 |
+ allow init_t self:netlink_route_socket create_netlink_socket_perms; |
975 |
+ allow init_t initrc_t:unix_dgram_socket create_socket_perms; |
976 |
+ allow initrc_t init_t:system { status reboot halt reload }; |
977 |
+ allow init_t self:capability2 audit_read; |
978 |
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) |
979 |
files_lock_filetrans(initrc_t, initrc_lock_t, file) |
980 |
|
981 |
@@ -746,11 +855,25 @@ ifdef(`init_systemd',` |
982 |
files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set) |
983 |
|
984 |
create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) |
985 |
+ allow initrc_t systemd_unit_t:service reload; |
986 |
|
987 |
manage_files_pattern(initrc_t, systemdunit, systemdunit) |
988 |
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit) |
989 |
+ allow initrc_t systemdunit:service reload; |
990 |
+ allow initrc_t init_script_file_type:service { stop start status reload }; |
991 |
|
992 |
kernel_dgram_send(initrc_t) |
993 |
+ kernel_list_unlabeled(init_t) |
994 |
+ kernel_read_network_state(init_t) |
995 |
+ kernel_rw_kernel_sysctl(init_t) |
996 |
+ kernel_rw_net_sysctls(init_t) |
997 |
+ kernel_read_all_sysctls(init_t) |
998 |
+ kernel_read_software_raid_state(init_t) |
999 |
+ kernel_unmount_debugfs(init_t) |
1000 |
+ kernel_setsched(init_t) |
1001 |
+ |
1002 |
+ auth_relabel_login_records(init_t) |
1003 |
+ auth_relabel_pam_console_data_dirs(init_t) |
1004 |
|
1005 |
# run systemd misc initializations |
1006 |
# in the initrc_t domain, as would be |
1007 |
@@ -760,28 +883,83 @@ ifdef(`init_systemd',` |
1008 |
corecmd_bin_domtrans(init_t, initrc_t) |
1009 |
corecmd_shell_domtrans(init_t, initrc_t) |
1010 |
|
1011 |
- files_read_boot_files(initrc_t) |
1012 |
+ dev_write_kmsg(init_t) |
1013 |
+ dev_write_urand(init_t) |
1014 |
+ dev_rw_lvm_control(init_t) |
1015 |
+ dev_rw_autofs(init_t) |
1016 |
+ dev_manage_generic_symlinks(init_t) |
1017 |
+ dev_manage_generic_dirs(init_t) |
1018 |
+ dev_manage_generic_files(init_t) |
1019 |
+ dev_manage_null_service(initrc_t) |
1020 |
+ dev_read_generic_chr_files(init_t) |
1021 |
+ dev_relabel_generic_dev_dirs(init_t) |
1022 |
+ dev_relabel_all_dev_nodes(init_t) |
1023 |
+ dev_relabel_all_dev_files(init_t) |
1024 |
+ dev_manage_sysfs_dirs(init_t) |
1025 |
+ dev_relabel_sysfs_dirs(init_t) |
1026 |
+ # systemd writes to /dev/watchdog on shutdown |
1027 |
+ dev_write_watchdog(init_t) |
1028 |
+ |
1029 |
# Allow initrc_t to check /etc/fstab "service." It appears that |
1030 |
# systemd is conflating files and services. |
1031 |
+ files_create_all_pid_pipes(init_t) |
1032 |
+ files_create_all_pid_sockets(init_t) |
1033 |
+ files_create_all_spool_sockets(init_t) |
1034 |
+ files_create_lock_dirs(init_t) |
1035 |
+ files_delete_all_pids(init_t) |
1036 |
+ files_delete_all_spool_sockets(init_t) |
1037 |
+ files_exec_generic_pid_files(init_t) |
1038 |
files_get_etc_unit_status(initrc_t) |
1039 |
+ files_list_locks(init_t) |
1040 |
+ files_list_spool(init_t) |
1041 |
+ files_list_var(init_t) |
1042 |
+ files_manage_all_pid_dirs(init_t) |
1043 |
+ files_manage_generic_tmp_dirs(init_t) |
1044 |
+ files_manage_urandom_seed(init_t) |
1045 |
+ files_mounton_all_mountpoints(init_t) |
1046 |
+ files_read_boot_files(initrc_t) |
1047 |
+ files_relabel_all_lock_dirs(init_t) |
1048 |
+ files_relabel_all_pid_dirs(init_t) |
1049 |
+ files_relabel_all_pid_files(init_t) |
1050 |
+ files_search_all(init_t) |
1051 |
files_setattr_pid_dirs(initrc_t) |
1052 |
+ files_unmount_all_file_type_fs(init_t) |
1053 |
|
1054 |
- selinux_set_enforce_mode(initrc_t) |
1055 |
+ fs_getattr_all_fs(init_t) |
1056 |
+ fs_list_auto_mountpoints(init_t) |
1057 |
+ fs_manage_cgroup_dirs(init_t) |
1058 |
+ fs_manage_cgroup_files(init_t) |
1059 |
+ fs_manage_hugetlbfs_dirs(init_t) |
1060 |
+ fs_manage_tmpfs_dirs(init_t) |
1061 |
+ fs_mount_all_fs(init_t) |
1062 |
+ fs_remount_all_fs(init_t) |
1063 |
+ fs_unmount_all_fs(init_t) |
1064 |
+ fs_search_cgroup_dirs(daemon) |
1065 |
|
1066 |
- init_stream_connect(initrc_t) |
1067 |
+ init_get_all_units_status(initrc_t) |
1068 |
init_manage_var_lib_files(initrc_t) |
1069 |
+ init_read_script_state(init_t) |
1070 |
init_rw_stream_sockets(initrc_t) |
1071 |
- init_get_all_units_status(initrc_t) |
1072 |
init_stop_all_units(initrc_t) |
1073 |
+ init_stream_connect(initrc_t) |
1074 |
|
1075 |
# Create /etc/audit.rules.prev after firstboot remediation |
1076 |
logging_manage_audit_config(initrc_t) |
1077 |
|
1078 |
+ selinux_compute_create_context(init_t) |
1079 |
+ selinux_set_enforce_mode(initrc_t) |
1080 |
+ selinux_unmount_fs(init_t) |
1081 |
+ selinux_validate_context(init_t) |
1082 |
# lvm2-activation-generator checks file labels |
1083 |
seutil_read_file_contexts(initrc_t) |
1084 |
+ seutil_read_file_contexts(init_t) |
1085 |
|
1086 |
+ storage_getattr_removable_dev(init_t) |
1087 |
+ systemd_manage_all_units(init_t) |
1088 |
systemd_start_power_units(initrc_t) |
1089 |
|
1090 |
+ term_relabel_pty_dirs(init_t) |
1091 |
+ |
1092 |
optional_policy(` |
1093 |
# create /var/lock/lvm/ |
1094 |
lvm_create_lock_dirs(initrc_t) |
1095 |
@@ -800,6 +978,8 @@ optional_policy(` |
1096 |
optional_policy(` |
1097 |
apache_read_config(initrc_t) |
1098 |
apache_list_modules(initrc_t) |
1099 |
+ # webmin seems to cause this. |
1100 |
+ apache_search_sys_content(daemon) |
1101 |
') |
1102 |
|
1103 |
optional_policy(` |
1104 |
@@ -821,6 +1001,7 @@ optional_policy(` |
1105 |
|
1106 |
optional_policy(` |
1107 |
cgroup_stream_connect_cgred(initrc_t) |
1108 |
+ domain_setpriority_all_domains(initrc_t) |
1109 |
') |
1110 |
|
1111 |
optional_policy(` |
1112 |
@@ -837,6 +1018,12 @@ optional_policy(` |
1113 |
') |
1114 |
|
1115 |
optional_policy(` |
1116 |
+ cron_read_pipes(initrc_t) |
1117 |
+ # managing /etc/cron.d/mailman content |
1118 |
+ cron_manage_system_spool(initrc_t) |
1119 |
+') |
1120 |
+ |
1121 |
+optional_policy(` |
1122 |
dev_getattr_printer_dev(initrc_t) |
1123 |
|
1124 |
cups_read_log(initrc_t) |
1125 |
@@ -853,9 +1040,13 @@ optional_policy(` |
1126 |
dbus_connect_system_bus(initrc_t) |
1127 |
dbus_system_bus_client(initrc_t) |
1128 |
dbus_read_config(initrc_t) |
1129 |
+ dbus_manage_lib_files(initrc_t) |
1130 |
+ |
1131 |
+ init_dbus_chat(initrc_t) |
1132 |
|
1133 |
optional_policy(` |
1134 |
consolekit_dbus_chat(initrc_t) |
1135 |
+ consolekit_manage_log(initrc_t) |
1136 |
') |
1137 |
|
1138 |
optional_policy(` |
1139 |
@@ -897,6 +1088,11 @@ optional_policy(` |
1140 |
') |
1141 |
|
1142 |
optional_policy(` |
1143 |
+ modutils_read_module_config(initrc_t) |
1144 |
+ modutils_domtrans_insmod(initrc_t) |
1145 |
+') |
1146 |
+ |
1147 |
+optional_policy(` |
1148 |
inn_exec_config(initrc_t) |
1149 |
') |
1150 |
|
1151 |
@@ -937,6 +1133,7 @@ optional_policy(` |
1152 |
lpd_list_spool(initrc_t) |
1153 |
|
1154 |
lpd_read_config(initrc_t) |
1155 |
+ lpd_manage_spool(init_t) |
1156 |
') |
1157 |
|
1158 |
optional_policy(` |
1159 |
@@ -960,6 +1157,7 @@ optional_policy(` |
1160 |
|
1161 |
optional_policy(` |
1162 |
mta_read_config(initrc_t) |
1163 |
+ mta_write_config(initrc_t) |
1164 |
mta_dontaudit_read_spool_symlinks(initrc_t) |
1165 |
') |
1166 |
|
1167 |
@@ -982,6 +1180,10 @@ optional_policy(` |
1168 |
') |
1169 |
|
1170 |
optional_policy(` |
1171 |
+ plymouthd_stream_connect(initrc_t) |
1172 |
+') |
1173 |
+ |
1174 |
+optional_policy(` |
1175 |
postgresql_manage_db(initrc_t) |
1176 |
postgresql_read_config(initrc_t) |
1177 |
') |
1178 |
@@ -1024,8 +1226,6 @@ optional_policy(` |
1179 |
# bash tries ioctl for some reason |
1180 |
files_dontaudit_ioctl_all_pids(initrc_t) |
1181 |
|
1182 |
- # why is this needed: |
1183 |
- rpm_manage_db(initrc_t) |
1184 |
') |
1185 |
|
1186 |
optional_policy(` |
1187 |
@@ -1044,15 +1244,6 @@ optional_policy(` |
1188 |
') |
1189 |
|
1190 |
optional_policy(` |
1191 |
- # allow init scripts to su |
1192 |
- su_restricted_domain_template(initrc, initrc_t, system_r) |
1193 |
- # Allow initrc_su_t, now defined, to transition to postgresql_t |
1194 |
- postgresql_domtrans(initrc_su_t) |
1195 |
- # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output) |
1196 |
- allow initrc_su_t initrc_devpts_t:chr_file { read write }; |
1197 |
-') |
1198 |
- |
1199 |
-optional_policy(` |
1200 |
ssh_dontaudit_read_server_keys(initrc_t) |
1201 |
ssh_setattr_key_files(initrc_t) |
1202 |
') |
1203 |
@@ -1066,7 +1257,6 @@ optional_policy(` |
1204 |
') |
1205 |
|
1206 |
optional_policy(` |
1207 |
- udev_rw_db(initrc_t) |
1208 |
udev_manage_pid_files(initrc_t) |
1209 |
udev_manage_pid_dirs(initrc_t) |
1210 |
udev_manage_rules_files(initrc_t) |
1211 |
@@ -1082,6 +1272,12 @@ optional_policy(` |
1212 |
') |
1213 |
|
1214 |
optional_policy(` |
1215 |
+ domain_role_change_exemption(initrc_t) |
1216 |
+ |
1217 |
+ mcs_file_read_all(initrc_t) |
1218 |
+ mcs_file_write_all(initrc_t) |
1219 |
+ mcs_killall(initrc_t) |
1220 |
+ |
1221 |
unconfined_domain(initrc_t) |
1222 |
|
1223 |
ifdef(`distro_redhat',` |
1224 |
@@ -1092,6 +1288,15 @@ optional_policy(` |
1225 |
optional_policy(` |
1226 |
mono_domtrans(initrc_t) |
1227 |
') |
1228 |
+ |
1229 |
+ optional_policy(` |
1230 |
+ rtkit_scheduled(initrc_t) |
1231 |
+ ') |
1232 |
+') |
1233 |
+ |
1234 |
+optional_policy(` |
1235 |
+ rpm_read_db(initrc_t) |
1236 |
+ rpm_delete_db(initrc_t) |
1237 |
') |
1238 |
|
1239 |
optional_policy(` |
1240 |
@@ -1178,3 +1383,63 @@ ifdef(`distro_gentoo',` |
1241 |
udev_pid_filetrans_rules(initrc_t, dir, "rules.d") |
1242 |
') |
1243 |
') |
1244 |
+ |
1245 |
+######################################## |
1246 |
+# |
1247 |
+# Rules applied to all daemons |
1248 |
+# |
1249 |
+ |
1250 |
+domain_dontaudit_use_interactive_fds(daemon) |
1251 |
+ |
1252 |
+# daemons started from init will |
1253 |
+# inherit fds from init for the console |
1254 |
+term_dontaudit_use_console(daemon) |
1255 |
+ |
1256 |
+init_dontaudit_use_fds(daemon) |
1257 |
+# init script ptys are the stdin/out/err |
1258 |
+# when using run_init |
1259 |
+init_use_script_ptys(daemon) |
1260 |
+ |
1261 |
+tunable_policy(`init_daemons_use_tty',` |
1262 |
+ term_use_unallocated_ttys(daemon) |
1263 |
+ term_use_generic_ptys(daemon) |
1264 |
+ term_use_all_ttys(daemon) |
1265 |
+ term_use_all_ptys(daemon) |
1266 |
+',` |
1267 |
+ term_dontaudit_use_unallocated_ttys(daemon) |
1268 |
+ term_dontaudit_use_generic_ptys(daemon) |
1269 |
+ term_dontaudit_use_all_ttys(daemon) |
1270 |
+ term_dontaudit_use_all_ptys(daemon) |
1271 |
+ ') |
1272 |
+ |
1273 |
+tunable_policy(`use_nfs_home_dirs',` |
1274 |
+ fs_dontaudit_rw_nfs_files(daemon) |
1275 |
+') |
1276 |
+ |
1277 |
+tunable_policy(`use_samba_home_dirs',` |
1278 |
+ fs_dontaudit_rw_cifs_files(daemon) |
1279 |
+') |
1280 |
+ |
1281 |
+optional_policy(` |
1282 |
+ unconfined_dontaudit_rw_pipes(daemon) |
1283 |
+ unconfined_dontaudit_rw_stream_sockets(daemon) |
1284 |
+') |
1285 |
+ |
1286 |
+optional_policy(` |
1287 |
+ userdom_dontaudit_rw_all_users_stream_sockets(daemon) |
1288 |
+ userdom_dontaudit_read_user_tmp_files(daemon) |
1289 |
+ userdom_dontaudit_write_user_tmp_files(daemon) |
1290 |
+') |
1291 |
+ |
1292 |
+######################################## |
1293 |
+# |
1294 |
+# Rules applied to all system processes |
1295 |
+# |
1296 |
+ |
1297 |
+dontaudit systemprocess init_t:unix_stream_socket getattr; |
1298 |
+ |
1299 |
+optional_policy(` |
1300 |
+ userdom_dontaudit_search_user_home_dirs(systemprocess) |
1301 |
+ userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) |
1302 |
+ userdom_dontaudit_write_user_tmp_files(systemprocess) |
1303 |
+') |
1304 |
|
1305 |
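diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 6258954a..b7098cd5 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -8,8 +8,9 @@
 
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
 /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
@@ -54,6 +55,8 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
 ')
 
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
 /run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
 /run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)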
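Review bot: The new `/var/run/systemd/journal/stdout` entry is spelled with the `/var/run` prefix while the neighbouring runtime entries in the same hunk (`/run/audit_events`, `/run/audispd_events`, `/run/auditd\.pid`) use `/run`; unless this file deliberately mixes the two prefixes, `/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)` keeps the file consistent. The same `/var/run` spelling is introduced by the `/var/run/log/journal(/.*)?` entry in systemd.fc in this commit. Labelling this socket `devlog_t` means every domain that may write to `/dev/log` may also write to journald's stdout stream socket; that is presumably the intent, but a one-line comment above the entry saying so would help the next reader.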
1330 |
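diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index ba463497..102c4319 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -841,6 +841,24 @@ interface(`logging_append_all_logs',`
 
 ########################################
 ## <summary>
+## Append to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_append_all_inherited_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
+## <summary>
 ## Read all log files.
 ## </summary>
 ## <param name="domain">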
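Review bot: The summary of the new `logging_append_all_inherited_logs` interface, `Append to all log files.`, is word-for-word the summary of `logging_append_all_logs` directly above it, yet this interface deliberately omits `open` from the granted permissions (`{ getattr append ioctl lock }`), so it only covers descriptors the caller already holds. Change the summary to `## Append to all inherited (already open) log files.` and add a short description noting that no `open` permission is granted, so callers can tell the two interfaces apart from the generated documentation.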
1360 |
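diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 10d2fc9f..9a6c714a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.2)
+policy_module(logging, 1.25.3)
 
 ########################################
 #
@@ -396,6 +396,7 @@ allow syslogd_t syslog_conf_t:file read_file_perms;
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
 
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -405,6 +406,9 @@ files_search_spool(syslogd_t)
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
+# for systemd but can not be conditional
+files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+
 # manage temporary files
 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -416,6 +420,7 @@ files_search_var_lib(syslogd_t)
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
@@ -499,22 +504,41 @@ logging_send_syslog_msg(syslogd_t)
 
 miscfiles_read_localization(syslogd_t)
 
+seutil_read_config(syslogd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
- # systemd-journald permissions
-
- allow syslogd_t self:capability { chown setgid setuid };
+ # for systemd-journal
+ allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+ allow syslogd_t self:capability2 audit_read;
+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+ allow syslogd_t init_var_run_t:file { read write create open };
+ allow syslogd_t var_run_t:dir create;
 
- kernel_use_fds(syslogd_t)
 kernel_getattr_dgram_sockets(syslogd_t)
- kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_read_ring_buffer(syslogd_t)
 kernel_rw_stream_sockets(syslogd_t)
+ kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_use_fds(syslogd_t)
+
+ dev_read_kmsg(syslogd_t)
+ dev_read_urand(syslogd_t)
+ dev_write_kmsg(syslogd_t)
 
+ domain_read_all_domains_state(syslogd_t)
+
+ init_create_pid_dirs(syslogd_t)
 init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+ init_rename_pid_files(syslogd_t)
+ init_delete_pid_files(syslogd_t)
 init_dgram_send(syslogd_t)
+ init_read_pid_pipes(syslogd_t)
+ init_read_state(syslogd_t)
+
+ systemd_manage_journal_files(syslogd_t)
 
 udev_read_pid_files(syslogd_t)
 ')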
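Review bot: `sys_ptrace` is added to `allow syslogd_t self:capability { chown setgid setuid sys_ptrace };` with no comment, and together with the new `domain_read_all_domains_state(syslogd_t)` it lets the journal daemon inspect the state of every domain on the system; a why-comment naming the access that actually triggered it (e.g. `# journald reads /proc/<pid> of logging clients — confirm against the denial`) should accompany a capability this broad. The same block also uses other modules' types directly, `allow syslogd_t init_var_run_t:file { read write create open };` and `allow syslogd_t var_run_t:dir create;`, where refpolicy convention is to call an interface from init.if / files.if as the adjacent `init_create_pid_dirs(syslogd_t)` already does for the directory case; the `create` on `init_var_run_t` files in particular has no file transition alongside it, so which file is meant is unclear. Finally the two `netlink_audit_socket` rules (`connected_socket_perms` and the pre-existing `{ getattr getopt read setopt write }`) overlap and could be folded into one.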
1444 |
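diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 5774034f..88fa9442 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -125,6 +125,24 @@ interface(`lvm_create_lock_dirs',`
 files_add_entry_lock_dirs($1)
 ')
 
+########################################
+## <summary>
+## Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_rw_inherited_pid_pipes',`
+ gen_require(`
+ type lvm_var_run_t;
+ ')
+
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ######################################
 ## <summary>
 ## Execute a domain transition to run clvmd.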
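Review bot: The summary `Read and write a lvm unnamed pipe.` does not describe what `lvm_rw_inherited_pid_pipes` grants: the rule is `allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;`, i.e. named pipes under lvm's runtime (pid) directory that the caller already holds open, not an unnamed pipe. Suggest `## Read and write inherited lvm runtime (pid) fifo files.` so the interface name and its summary agree. No caller of this interface is visible in this commit; if it is meant for a later change, a note saying where it is expected to be used would help.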
1474 |
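diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 58e03ff2..f8fed91d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.2)
+policy_module(lvm, 1.19.3)
 
 ########################################
 #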
1485 |
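diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 85a29e3d..ec4d8dc0 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.0)
+policy_module(miscfiles, 1.12.1)
 
 ########################################
 #
@@ -41,6 +41,10 @@ files_type(locale_t)
 type man_t alias catman_t;
 files_type(man_t)
 
+optional_policy(`
+ systemd_tmpfilesd_managed(man_t, dir)
+')
+
 type man_cache_t;
 files_type(man_cache_t)
 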
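Review bot: The new `optional_policy` block calling `systemd_tmpfilesd_managed(man_t, dir)` carries no comment saying which tmpfiles.d entry requires systemd-tmpfiles to create and relabel `man_t` directories, so a later reader cannot tell whether the rule is still needed. A one-line why-comment above the call, e.g. `# systemd-tmpfiles creates and relabels man page dirs (tmpfiles.d entry: <confirm>)`, would fix that. The call also appears to sit among the type declarations rather than in a rules section; if this file keeps its `optional_policy` blocks elsewhere, moving it there would keep the layout consistent.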
1507 |
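diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 6eb0a5a3..2264336d 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
 /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
 /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
@@ -32,15 +33,21 @@
 /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
+/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)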
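Review bot: Relabelling `/run/systemd/seats(/.*)?` and `/run/systemd/sessions(/.*)?` from `systemd_logind_var_run_t` to `systemd_sessions_var_run_t` silently narrows `systemd_read_logind_pids`, which in this same commit still grants only `systemd_logind_var_run_t:dir list_dir_perms` and `:file read_file_perms`; any caller that read seats/sessions through that interface will now be denied, so either the interface needs a matching `systemd_sessions_var_run_t` rule or the relabel should be called out in the commit message. On style, `/usr/bin/systemd-notify` is appended after `systemd-tty-ask-password-agent`, breaking the alphabetical order of the preceding entries (`stdio-bridge`, `tmpfiles`, `tty-ask-password-agent`); it belongs before `/usr/bin/systemd-stdio-bridge`. The new `/var/run/log/journal(/.*)?` entry uses `/var/run` while every other runtime path in this hunk uses `/run`; `/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)` keeps the file consistent.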
1544 |
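diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b07d2c5b..69ee084f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
 ')
 
 files_search_pids($1)
- read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+ allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+ allow $1 systemd_logind_var_run_t:file read_file_perms;
 ')
 
 ######################################
@@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
 allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+## Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_t, systemd_sessions_var_run_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_sessions_var_run_t:fifo_file write;
+ allow systemd_logind_t $1:process signal;
+')
+
 ########################################
 ## <summary>
 ## Send and receive messages from
@@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
 write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
 ')
 
+#######################################
+## <summary>
+## Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+## type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfilesd_managed',`
+ gen_require(`
+ type systemd_tmpfiles_t;
+ ')
+
+ allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
 ########################################
 ## <summary>
 ## Allow process to relabel to systemd_kmod_conf_t.
@@ -137,6 +181,82 @@ interface(`systemd_relabelto_kmod_files',`
 
 ########################################
 ## <summary>
+## allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that owns the fds
+## </summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent_fds',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ ')
+
+ allow systemd_passwd_agent_t $1:fd use;
+')
+
+########################################
+## <summary>
+## Transition to systemd_passwd_var_run_t when creating dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_filetrans_passwd_runtime_dirs',`
+ gen_require(`
+ type systemd_passwd_var_run_t;
+ ')
+
+ init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+ init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+## manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ manage_dirs_pattern($1, systemdunit, systemdunit)
+ manage_files_pattern($1, systemdunit, systemdunit)
+ manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+## Allow domain to create/manage systemd_journal_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_journal_files',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+ manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
+## <summary>
 ## Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">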
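Review bot: `systemd_manage_journal_files` requires `type systemd_logind_t;` but never uses it, while the type its two `manage_*_pattern` calls actually reference, `systemd_journal_t`, is missing from its `gen_require`; the require block should read `type systemd_journal_t;`, otherwise the interface pulls in an unrelated dependency on logind and can fail to link in a module where `systemd_journal_t` is not otherwise in scope (logging.te calls it in this commit). In `systemd_write_inherited_logind_sessions_pipes`, the last rule `allow systemd_logind_t $1:process signal;` grants logind a permission over the caller that neither the name nor the summary `Write inherited logind sessions pipes.` mentions; state it in the summary or split it into its own interface so callers know they become signalable. The summary of `systemd_tmpfilesd_managed`, `Allow systemd_tmpfiles_t to manage filesystem objects`, overstates the grant of `{ setattr relabelfrom relabelto create }` (no write or unlink); `Allow systemd_tmpfiles_t to create, setattr and relabel objects of the given type and class` would be accurate, and it is worth a sentence that this interface is not gated by the `systemd_tmpfiles_manage_all` tunable.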
1699 |
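diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 904c777a..19e6947a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.5)
+policy_module(systemd, 1.3.6)
 
 #########################################
 #
@@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
 ## </desc>
 gen_tunable(systemd_tmpfiles_manage_all, false)
 
+## <desc>
+## <p>
+## Allow systemd-nspawn to create a labelled namespace with the same types
+## as parent environment
+## </p>
+## </desc>
+gen_tunable(systemd_nspawn_labeled_namespace, false)
+
 attribute systemd_log_parse_env_type;
 
 type systemd_activate_t;
@@ -57,6 +65,9 @@ type systemd_coredump_t;
 type systemd_coredump_exec_t;
 init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
 
+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
 type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
@@ -65,6 +76,10 @@ type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 
+type systemd_journal_t;
+files_type(systemd_journal_t)
+logging_log_file(systemd_journal_t)
+
 type systemd_locale_t;
 type systemd_locale_exec_t;
 init_system_domain(systemd_locale_t, systemd_locale_exec_t)
@@ -85,10 +100,21 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@@ -108,6 +134,9 @@ type systemd_passwd_agent_t;
 type systemd_passwd_agent_exec_t;
 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
 type systemd_sessions_t;
 type systemd_sessions_exec_t;
 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -152,6 +181,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Backlight local policy
 #
 
+allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
+
 allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
@@ -161,8 +192,10 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
+# for udev.conf
 files_read_etc_files(systemd_backlight_t)
 
+# for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)
 
 #######################################
@@ -292,6 +325,14 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+########################################
+#
+# Nspawn local policy
+#
+
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+
+
 #########################################
 #
 # Resolved local policy
@@ -308,7 +349,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
-kernel_read_system_state(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
@@ -343,6 +383,11 @@ systemd_log_parse_environment(systemd_sessions_t)
 allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 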
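Review bot: The new "Nspawn local policy" block consists only of `init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)`; a type transition does not by itself grant create or manage on the target type, so unless a rule elsewhere in this commit supplies it, systemd_nspawn_t still cannot create the directory it is transitioned to, and `manage_dirs_pattern(systemd_nspawn_t, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t)` belongs beside it (also drop one of the two blank lines that follow). The tunable `systemd_nspawn_labeled_namespace` is declared in the second hunk but no `tunable_policy` in the visible hunks references it, so if nothing else in the commit consumes it, it is dead configuration that still shows up to administrators as a switch. In the tmpfiles hunk, the two bare `allow ... systemd_journal_t:{dir,file} { relabelfrom relabelto }` rules would read more idiomatically as `relabel_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)` and `relabel_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)`. If `logging_log_file` already applies `files_type` to its argument, as the refpolicy interface normally does, the explicit `files_type(systemd_journal_t)` above it is redundant.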
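diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index d4c92ccb..847b65bf 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -315,6 +315,26 @@ interface(`udev_pid_filetrans_db',`
 
 ########################################
 ## <summary>
+## Allow process to relabelto udev database
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:file relabelto_file_perms;
+	allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+')
+
+########################################
+## <summary>
 ## Search through udev pid content
 ## </summary>
 ## <param name="domain">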
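Review bot: `udev_relabelto_db` grants `files_search_pids($1)` but nothing on `udev_var_run_t:dir`, so a caller that does not already hold search on that type can reach /run but not the udev database directory beneath it, and the relabelto it was just given is unusable on its own; `allow $1 udev_var_run_t:dir search_dir_perms;` (or a call to the search interface documented immediately below) belongs next to the file rules. The interface deliberately covers only the file and lnk_file classes and only the relabelto direction, which is the right least-privilege shape, but the summary does not say so; `## Allow the specified domain to relabel files and symlinks in the udev database to udev_var_run_t.` would make the limited scope visible to callers.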
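diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d6034f30..08057d3d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.2)
+policy_module(udev, 1.21.3)
 
 ########################################
 #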
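diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 3bf66058..3f7f66a7 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -483,6 +483,25 @@ interface(`unconfined_stream_connect',`
 
 ########################################
 ## <summary>
+## Do not audit attempts to read and write
+## unconfined domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to read or write
 ## unconfined domain tcp sockets.
 ## </summary>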
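Review bot: The summary of `unconfined_dontaudit_rw_stream_sockets` ends at `unconfined domain stream.`, which names no object class, while the sibling interface right below it says `unconfined domain tcp sockets.`; since the rule is on `unix_stream_socket`, the second summary line should read `## unconfined domain unix stream sockets.`. The rule itself is a dontaudit only and grants nothing, so the change is documentation.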
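diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index dc319d53..c1d4df8e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.0)
+policy_module(unconfined, 3.9.1)
 
 ########################################
 #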
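diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 45c0339f..0799c18c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1137,6 +1137,10 @@ template(`userdom_unpriv_user_template', `
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind($1_t)
+	')
 ')
 
 #######################################
@@ -3276,6 +3280,35 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
+## Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write inherited user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ## Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
@@ -3718,6 +3751,25 @@ interface(`userdom_write_user_tmp_files',`
 
 ########################################
 ## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
@@ -4085,3 +4137,22 @@ interface(`userdom_relabel_user_certs',`
 	relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
 	relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
 ')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_all_users_stream_sockets',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')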
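Review bot: The `<desc>` of `userdom_use_inherited_user_terminals` is copied from the non-inherited interface below it and claims that "Typically all interactive applications will require this access", which is the wrong statement for an interface that grants `rw_inherited_term_perms` (the set without open) rather than `rw_term_perms`; it should instead say something like `## Allow the specified domain to read and write user TTYs and PTYs it received as already-open file descriptors, without opening new ones.` so callers pick this one deliberately over the opening variant. The summary also reads `a inherited`, which should be `inherited`. In the last hunk, the summary of `userdom_dontaudit_rw_all_users_stream_sockets` has the typo `unserdomain` and would be clearer as `## user domain unix stream sockets.`.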
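diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index df3b9572..3d60070c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.1)
+policy_module(userdomain, 4.13.2)
 
 ########################################
 #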