commit: 33b0d446f0d55311b674932b135b7ce0fe4e7b8b |
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be> |
AuthorDate: Thu May 26 12:43:10 2016 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Wed Jun 1 18:20:07 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33b0d446 |
|
Add policy for systemd-resolved |
|
Initial policy for systemd-resolved, tested with systemd 230 on Debian. |
|
policy/modules/system/systemd.fc | 2 ++ |
policy/modules/system/systemd.te | 40 ++++++++++++++++++++++++++++++++++++++++ |
2 files changed, 42 insertions(+) |
|
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc |
17 |
index a0b5f0b..a987681 100644 |
18 |
--- a/policy/modules/system/systemd.fc |
19 |
+++ b/policy/modules/system/systemd.fc |
20 |
@@ -17,6 +17,7 @@ |
21 |
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0) |
22 |
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) |
23 |
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) |
24 |
+/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) |
25 |
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) |
26 |
|
27 |
# Systemd unit files |
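Review bot: The new file context covers only `/usr/lib/systemd/systemd-resolved`, yet the commit message says the policy was tested on Debian, where systemd of that era presumably installs its helpers under `/lib/systemd` unless the system is usr-merged; on such a layout the binary never receives systemd_resolved_exec_t and init will run it without a transition into systemd_resolved_t, silently leaving it in init's domain. If this file already carries a Debian-specific block for the other helpers, the entry should be mirrored there; otherwise consider a prefix that matches both locations, e.g. `/(usr/)?lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)`. Worth confirming against the actual install path on the test system before merging.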
28 |
@@ -33,6 +34,7 @@ |
29 |
/var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) |
30 |
/var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) |
31 |
|
32 |
+/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) |
33 |
/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
34 |
/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
35 |
/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
36 |
|
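Review bot: Labeling all of `/var/run/systemd/resolve` with the private systemd_resolved_var_run_t means any resolver configuration resolved writes into that directory is readable only by systemd_resolved_t, and the .te side of this commit adds manage rules for resolved itself but no interface letting other domains read the type. On deployments where `/etc/resolv.conf` is a symlink into that directory (the usual arrangement with resolved, though not visible here) every other confined domain following the symlink would be denied and name resolution would break. Either add a more specific entry after this line for the generated file, e.g. `/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)` so it carries the type sysnetwork already uses for resolver configuration, or provide a read interface for systemd_resolved_var_run_t and call it from the domains that read resolver configuration.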
37 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
38 |
index 0bed23c..e42f3ca 100644 |
39 |
--- a/policy/modules/system/systemd.te |
40 |
+++ b/policy/modules/system/systemd.te |
41 |
@@ -80,6 +80,13 @@ type systemd_nspawn_t; |
42 |
type systemd_nspawn_exec_t; |
43 |
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) |
44 |
|
45 |
+type systemd_resolved_t; |
46 |
+type systemd_resolved_exec_t; |
47 |
+init_system_domain(systemd_resolved_t, systemd_resolved_exec_t) |
48 |
+ |
49 |
+type systemd_resolved_var_run_t; |
50 |
+files_pid_file(systemd_resolved_var_run_t) |
51 |
+ |
52 |
type systemd_run_t; |
53 |
type systemd_run_exec_t; |
54 |
init_daemon_domain(systemd_run_t, systemd_run_exec_t) |
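Review bot: The new types systemd_resolved_t, systemd_resolved_exec_t and systemd_resolved_var_run_t are declared here with no accompanying interfaces — the diffstat lists only systemd.fc and systemd.te, so systemd.if is untouched and no other module can name these types. That leaves no sanctioned way for another domain to read resolved's runtime files or, given that the domain is made a D-Bus system bus client further down, to exchange D-Bus messages with it. Consider adding at least a `systemd_read_resolved_runtime(domain)` interface wrapping read access to systemd_resolved_var_run_t and a `systemd_dbus_chat_resolved(domain)` interface, mirroring the interface pattern the other systemd helper domains in this module use (inferred from the surrounding type declarations; the .if contents are not visible here).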
55 |
@@ -244,6 +251,39 @@ optional_policy(` |
56 |
|
57 |
######################################### |
58 |
# |
59 |
+# Resolved local policy |
60 |
+# |
61 |
+ |
62 |
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; |
63 |
+allow systemd_resolved_t self:process { getcap setcap setfscreate signal }; |
64 |
+ |
65 |
+allow systemd_resolved_t self:tcp_socket { accept listen }; |
66 |
+ |
67 |
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) |
68 |
+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) |
69 |
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir) |
70 |
+ |
71 |
+kernel_read_crypto_sysctls(systemd_resolved_t) |
72 |
+kernel_read_kernel_sysctls(systemd_resolved_t) |
73 |
+kernel_read_system_state(systemd_resolved_t) |
74 |
+ |
75 |
+corenet_tcp_bind_generic_node(systemd_resolved_t) |
76 |
+corenet_tcp_bind_llmnr_port(systemd_resolved_t) |
77 |
+corenet_udp_bind_generic_node(systemd_resolved_t) |
78 |
+corenet_udp_bind_llmnr_port(systemd_resolved_t) |
79 |
+ |
80 |
+auth_use_nsswitch(systemd_resolved_t) |
81 |
+ |
82 |
+seutil_read_file_contexts(systemd_resolved_t) |
83 |
+ |
84 |
+systemd_log_parse_environment(systemd_resolved_t) |
85 |
+ |
86 |
+optional_policy(` |
87 |
+ dbus_system_bus_client(systemd_resolved_t) |
88 |
+') |
89 |
+ |
90 |
+######################################### |
91 |
+# |
92 |
# Sessions local policy |
93 |
# |