commit: d92bdf260887935367802afbbaf25d399c020cd5 |
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com> |
AuthorDate: Fri Oct 23 14:16:59 2015 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 26 03:52:47 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26 |
|
Implement core systemd policy. |
|
Significant contributions from the Tresys CLIP team. |
|
Other changes from Laurent Bigonville. |
|
policy/modules/kernel/corecommands.fc | 2 + |
policy/modules/kernel/domain.te | 6 + |
policy/modules/kernel/files.if | 172 ++++++++++ |
policy/modules/kernel/filesystem.if | 73 ++++ |
policy/modules/kernel/kernel.if | 60 +++- |
policy/modules/kernel/terminal.if | 19 ++ |
policy/modules/system/authlogin.if | 19 ++ |
policy/modules/system/init.fc | 4 + |
policy/modules/system/init.if | 608 +++++++++++++++++++++++++++++++++- |
policy/modules/system/init.te | 176 +++++++++- |
policy/modules/system/locallogin.if | 21 ++ |
policy/modules/system/logging.if | 38 +++ |
policy/modules/system/lvm.if | 20 ++ |
policy/modules/system/systemd.fc | 39 +++ |
policy/modules/system/systemd.if | 195 +++++++++++ |
policy/modules/system/systemd.te | 264 +++++++++++++++ |
policy/modules/system/udev.if | 19 ++ |
17 files changed, 1711 insertions(+), 24 deletions(-) |
|
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
34 |
index f465e43..b4e192a 100644 |
35 |
--- a/policy/modules/kernel/corecommands.fc |
36 |
+++ b/policy/modules/kernel/corecommands.fc |
37 |
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',` |
38 |
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) |
39 |
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) |
40 |
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) |
41 |
+/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) |
42 |
+/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) |
43 |
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) |
44 |
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) |
45 |
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) |
46 |
|
47 |
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te |
48 |
index 451a1be..6c3ef60 100644 |
49 |
--- a/policy/modules/kernel/domain.te |
50 |
+++ b/policy/modules/kernel/domain.te |
51 |
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',` |
52 |
dontaudit domain self:udp_socket listen; |
53 |
') |
54 |
|
55 |
+ifdef(`init_systemd',` |
56 |
+ optional_policy(` |
57 |
+ shutdown_sigchld(domain) |
58 |
+ ') |
59 |
+') |
60 |
+ |
61 |
tunable_policy(`global_ssp',` |
62 |
# enable reading of urandom for all domains: |
63 |
# this should be enabled when all programs |
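Review bot: The new `shutdown_sigchld(domain)` block grants a permission to every domain in the policy without a comment saying why, while the neighbouring `global_ssp` block documents its blanket rule. The reason is not visible in this hunk; presumably processes still alive late in a systemd shutdown get the shutdown domain as their parent and must be able to deliver SIGCHLD to it, but that should be confirmed and stated, e.g. `# systemd reparents remaining processes to the shutdown domain; confirm that is why every domain needs sigchld`. Both ifdef blocks are complete within the hunk.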
64 |
|
65 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
66 |
index dd16f74..cbb8afe 100644 |
67 |
--- a/policy/modules/kernel/files.if |
68 |
+++ b/policy/modules/kernel/files.if |
69 |
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',` |
70 |
|
71 |
######################################## |
72 |
## <summary> |
73 |
+## Relabel from/to non-security directories. |
74 |
+## </summary> |
75 |
+## <param name="domain"> |
76 |
+## <summary> |
77 |
+## Domain allowed access. |
78 |
+## </summary> |
79 |
+## </param> |
80 |
+# |
81 |
+interface(`files_relabel_non_security_dirs',` |
82 |
+ gen_require(` |
83 |
+ attribute non_security_file_type; |
84 |
+ ') |
85 |
+ |
86 |
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type) |
87 |
+') |
88 |
+ |
89 |
+######################################## |
90 |
+## <summary> |
91 |
## Get the attributes of all files. |
92 |
## </summary> |
93 |
## <param name="domain"> |
94 |
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',` |
95 |
|
96 |
######################################## |
97 |
## <summary> |
98 |
+## Create, read, write, and delete all non-security files. |
99 |
+## </summary> |
100 |
+## <param name="domain"> |
101 |
+## <summary> |
102 |
+## Domain allowed access. |
103 |
+## </summary> |
104 |
+## </param> |
105 |
+## <rolecap/> |
106 |
+# |
107 |
+interface(`files_manage_non_security_files',` |
108 |
+ gen_require(` |
109 |
+ attribute non_security_file_type; |
110 |
+ ') |
111 |
+ |
112 |
+ manage_files_pattern($1, non_security_file_type, non_security_file_type) |
113 |
+') |
114 |
+ |
115 |
+######################################## |
116 |
+## <summary> |
117 |
+## Relabel from/to all non-security files. |
118 |
+## </summary> |
119 |
+## <param name="domain"> |
120 |
+## <summary> |
121 |
+## Domain allowed access. |
122 |
+## </summary> |
123 |
+## </param> |
124 |
+## <rolecap/> |
125 |
+# |
126 |
+interface(`files_relabel_non_security_files',` |
127 |
+ gen_require(` |
128 |
+ attribute non_security_file_type; |
129 |
+ ') |
130 |
+ |
131 |
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type) |
132 |
+') |
133 |
+ |
134 |
+######################################## |
135 |
+## <summary> |
136 |
## Read all files. |
137 |
## </summary> |
138 |
## <param name="domain"> |
139 |
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',` |
140 |
|
141 |
######################################## |
142 |
## <summary> |
143 |
+## Mount on the root directory (/) |
144 |
+## </summary> |
145 |
+## <param name="domain"> |
146 |
+## <summary> |
147 |
+## Domain allowed access. |
148 |
+## </summary> |
149 |
+## </param> |
150 |
+# |
151 |
+interface(`files_mounton_root',` |
152 |
+ gen_require(` |
153 |
+ type root_t; |
154 |
+ ') |
155 |
+ |
156 |
+ allow $1 root_t:dir mounton; |
157 |
+') |
158 |
+ |
159 |
+######################################## |
160 |
+## <summary> |
161 |
## Get attributes of the /boot directory. |
162 |
## </summary> |
163 |
## <param name="domain"> |
164 |
@@ -4398,6 +4472,24 @@ interface(`files_rw_generic_tmp_sockets',` |
165 |
|
166 |
######################################## |
167 |
## <summary> |
168 |
+## Mount filesystems in the tmp directory (/tmp) |
169 |
+## </summary> |
170 |
+## <param name="domain"> |
171 |
+## <summary> |
172 |
+## Domain allowed access. |
173 |
+## </summary> |
174 |
+## </param> |
175 |
+# |
176 |
+interface(`files_mounton_tmp',` |
177 |
+ gen_require(` |
178 |
+ type tmp_t; |
179 |
+ ') |
180 |
+ |
181 |
+ allow $1 tmp_t:dir mounton; |
182 |
+') |
183 |
+ |
184 |
+######################################## |
185 |
+## <summary> |
186 |
## Set the attributes of all tmp directories. |
187 |
## </summary> |
188 |
## <param name="domain"> |
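Review bot: The summary of `files_mounton_tmp` says "Mount filesystems in the tmp directory (/tmp)", but the only rule is `allow $1 tmp_t:dir mounton;`, which permits mounting on the tmp_t directory itself, not at arbitrary paths inside it. The sibling `files_mounton_root` added by this commit is worded correctly ("Mount on the root directory (/)"), so align this one: `## Mount filesystems on the tmp directory (/tmp).`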
189 |
@@ -5678,6 +5770,25 @@ interface(`files_list_locks',` |
190 |
|
191 |
######################################## |
192 |
## <summary> |
193 |
+## Add entries in the /var/lock directories. |
194 |
+## </summary> |
195 |
+## <param name="domain"> |
196 |
+## <summary> |
197 |
+## Domain allowed access. |
198 |
+## </summary> |
199 |
+## </param> |
200 |
+# |
201 |
+interface(`files_add_entry_lock_dirs',` |
202 |
+ gen_require(` |
203 |
+ type var_t, var_lock_t; |
204 |
+ ') |
205 |
+ |
206 |
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; |
207 |
+ add_entry_dirs_pattern($1, var_t, var_lock_t) |
208 |
+') |
209 |
+ |
210 |
+######################################## |
211 |
+## <summary> |
212 |
## Add and remove entries in the /var/lock |
213 |
## directories. |
214 |
## </summary> |
215 |
@@ -5871,6 +5982,29 @@ interface(`files_manage_all_locks',` |
216 |
|
217 |
######################################## |
218 |
## <summary> |
219 |
+## Relabel from/to all lock files. |
220 |
+## </summary> |
221 |
+## <param name="domain"> |
222 |
+## <summary> |
223 |
+## Domain allowed access. |
224 |
+## </summary> |
225 |
+## </param> |
226 |
+# |
227 |
+interface(`files_relabel_all_locks',` |
228 |
+ gen_require(` |
229 |
+ attribute lockfile; |
230 |
+ type var_t, var_lock_t; |
231 |
+ ') |
232 |
+ |
233 |
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; |
234 |
+ allow $1 { var_t var_lock_t }:dir search_dir_perms; |
235 |
+ relabel_dirs_pattern($1, lockfile, lockfile) |
236 |
+ relabel_files_pattern($1, lockfile, lockfile) |
237 |
+ relabel_lnk_files_pattern($1, lockfile, lockfile) |
238 |
+') |
239 |
+ |
240 |
+######################################## |
241 |
+## <summary> |
242 |
## Create an object in the locks directory, with a private |
243 |
## type using a type transition. |
244 |
## </summary> |
245 |
@@ -6300,6 +6434,44 @@ interface(`files_manage_all_pids',` |
246 |
|
247 |
######################################## |
248 |
## <summary> |
249 |
+## Relabel to/from all var_run (pid) directories |
250 |
+## </summary> |
251 |
+## <param name="domain"> |
252 |
+## <summary> |
253 |
+## Domain alloed access. |
254 |
+## </summary> |
255 |
+## </param> |
256 |
+# |
257 |
+interface(`files_relabel_all_pid_dirs',` |
258 |
+ gen_require(` |
259 |
+ attribute pidfile; |
260 |
+ ') |
261 |
+ |
262 |
+ relabel_dirs_pattern($1, pidfile, pidfile) |
263 |
+') |
264 |
+ |
265 |
+######################################## |
266 |
+## <summary> |
267 |
+## Relabel to/from all var_run (pid) files and directories |
268 |
+## </summary> |
269 |
+## <param name="domain"> |
270 |
+## <summary> |
271 |
+## Domain alloed access. |
272 |
+## </summary> |
273 |
+## </param> |
274 |
+# |
275 |
+interface(`files_relabel_all_pids',` |
276 |
+ gen_require(` |
277 |
+ attribute pidfile; |
278 |
+ ') |
279 |
+ |
280 |
+ relabel_dirs_pattern($1, pidfile, pidfile) |
281 |
+ relabel_files_pattern($1, pidfile, pidfile) |
282 |
+ relabel_lnk_files_pattern($1, pidfile, pidfile) |
283 |
+') |
284 |
+ |
285 |
+######################################## |
286 |
+## <summary> |
287 |
## Mount filesystems on all polyinstantiation |
288 |
## member directories. |
289 |
## </summary> |
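Review bot: Both new interfaces in this hunk, `files_relabel_all_pid_dirs` and `files_relabel_all_pids`, carry the typo `Domain alloed access.` in their `<param>` summary, and these XML comments are what the generated interface documentation is built from. Change both lines to `## Domain allowed access.`, matching every other interface added by this commit.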
290 |
|
291 |
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if |
292 |
index 4ddef7c..0db8233 100644 |
293 |
--- a/policy/modules/kernel/filesystem.if |
294 |
+++ b/policy/modules/kernel/filesystem.if |
295 |
@@ -767,6 +767,24 @@ interface(`fs_manage_cgroup_dirs',` |
296 |
|
297 |
######################################## |
298 |
## <summary> |
299 |
+## Relabel cgroup directories. |
300 |
+## </summary> |
301 |
+## <param name="domain"> |
302 |
+## <summary> |
303 |
+## Domain allowed access. |
304 |
+## </summary> |
305 |
+## </param> |
306 |
+# |
307 |
+interface(`fs_relabel_cgroup_dirs',` |
308 |
+ gen_require(` |
309 |
+ type cgroup_t; |
310 |
+ ') |
311 |
+ |
312 |
+ relabel_dirs_pattern($1, cgroup_t, cgroup_t) |
313 |
+') |
314 |
+ |
315 |
+######################################## |
316 |
+## <summary> |
317 |
## Read cgroup files. |
318 |
## </summary> |
319 |
## <param name="domain"> |
320 |
@@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',` |
321 |
') |
322 |
|
323 |
read_files_pattern($1, cgroup_t, cgroup_t) |
324 |
+ read_lnk_files_pattern($1, cgroup_t, cgroup_t) |
325 |
dev_search_sysfs($1) |
326 |
') |
327 |
|
328 |
@@ -3341,6 +3360,25 @@ interface(`fs_rw_nfsd_fs',` |
329 |
|
330 |
######################################## |
331 |
## <summary> |
332 |
+## Getattr on pstore dirs. |
333 |
+## </summary> |
334 |
+## <param name="domain"> |
335 |
+## <summary> |
336 |
+## Domain allowed access. |
337 |
+## </summary> |
338 |
+## </param> |
339 |
+# |
340 |
+interface(`fs_getattr_pstore_dirs',` |
341 |
+ gen_require(` |
342 |
+ type pstore_t; |
343 |
+ ') |
344 |
+ |
345 |
+ getattr_files_pattern($1, pstore_t, pstore_t) |
346 |
+ dev_search_sysfs($1) |
347 |
+') |
348 |
+ |
349 |
+######################################## |
350 |
+## <summary> |
351 |
## Allow the type to associate to ramfs filesystems. |
352 |
## </summary> |
353 |
## <param name="type"> |
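Review bot: `fs_getattr_pstore_dirs` is named and documented as a directory-getattr interface, but its body calls `getattr_files_pattern($1, pstore_t, pstore_t)`, whose explicit grant is getattr on pstore_t files; any directory getattr a caller sees only arrives as a side effect of the pattern's search permissions on the dir type. Either the body should be `getattr_dirs_pattern($1, pstore_t, pstore_t)` so the grant matches the name, or the name and summary should say files; as written a caller that only needs to stat the pstore directory also gets file getattr it did not ask for. The `dev_search_sysfs($1)` call is unaffected either way.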
354 |
@@ -4113,6 +4151,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` |
355 |
|
356 |
######################################## |
357 |
## <summary> |
358 |
+## Relabel directory on tmpfs filesystems. |
359 |
+## </summary> |
360 |
+## <param name="domain"> |
361 |
+## <summary> |
362 |
+## Domain allowed access. |
363 |
+## </summary> |
364 |
+## </param> |
365 |
+# |
366 |
+interface(`fs_relabel_tmpfs_dirs',` |
367 |
+ gen_require(` |
368 |
+ type tmpfs_t; |
369 |
+ ') |
370 |
+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) |
371 |
+') |
372 |
+ |
373 |
+######################################## |
374 |
+## <summary> |
375 |
## Create an object in a tmpfs filesystem, with a private |
376 |
## type using a type transition. |
377 |
## </summary> |
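Review bot: `fs_relabel_tmpfs_dirs` has no blank line between the closing `')` of its `gen_require` and the `relabel_dirs_pattern` call, unlike every other interface this commit adds (compare `fs_relabel_tmpfs_files` in the next hunk). Add the blank line so the file's interface layout stays uniform; no behavioural change.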
378 |
@@ -4241,6 +4296,24 @@ interface(`fs_rw_tmpfs_files',` |
379 |
|
380 |
######################################## |
381 |
## <summary> |
382 |
+## Relabel files on tmpfs filesystems. |
383 |
+## </summary> |
384 |
+## <param name="domain"> |
385 |
+## <summary> |
386 |
+## Domain allowed access. |
387 |
+## </summary> |
388 |
+## </param> |
389 |
+# |
390 |
+interface(`fs_relabel_tmpfs_files',` |
391 |
+ gen_require(` |
392 |
+ type tmpfs_t; |
393 |
+ ') |
394 |
+ |
395 |
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t) |
396 |
+') |
397 |
+ |
398 |
+######################################## |
399 |
+## <summary> |
400 |
## Read tmpfs link files. |
401 |
## </summary> |
402 |
## <param name="domain"> |
403 |
|
404 |
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if |
405 |
index faa19d7..df42fa3 100644 |
406 |
--- a/policy/modules/kernel/kernel.if |
407 |
+++ b/policy/modules/kernel/kernel.if |
408 |
@@ -8,6 +8,27 @@ |
409 |
|
410 |
######################################## |
411 |
## <summary> |
412 |
+## Allows the kernel to start userland processes |
413 |
+## by dynamic transitions to the specified domain. |
414 |
+## </summary> |
415 |
+## <param name="domain"> |
416 |
+## <summary> |
417 |
+## The process type entered by the kernel. |
418 |
+## </summary> |
419 |
+## </param> |
420 |
+# |
421 |
+interface(`kernel_dyntrans_to',` |
422 |
+ gen_require(` |
423 |
+ type kernel_t; |
424 |
+ ') |
425 |
+ |
426 |
+ domain_dyntrans_type(kernel_t) |
427 |
+ allow kernel_t self:process setcurrent; |
428 |
+ allow kernel_t $1:process dyntransition; |
429 |
+') |
430 |
+ |
431 |
+######################################## |
432 |
+## <summary> |
433 |
## Allows to start userland processes |
434 |
## by transitioning to the specified domain. |
435 |
## </summary> |
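Review bot: Two of the three rules in `kernel_dyntrans_to` do not depend on `$1` — `domain_dyntrans_type(kernel_t)` and `allow kernel_t self:process setcurrent;` — so every caller re-emits kernel_t-wide policy from inside an interface; they belong once in kernel.te beside kernel_t's other self rules, leaving only `allow kernel_t $1:process dyntransition;` here. Because a dyntransition enters `$1` without an exec, and therefore without an entrypoint check on the target, the summary should also name the intended caller; the commit message points at systemd, but that is not visible in this hunk, so something like `## Intended for init on systemd systems (confirm); the target domain gets no entrypoint check.` would help the next reader judge new callers.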
436 |
@@ -254,6 +275,25 @@ interface(`kernel_rw_pipes',` |
437 |
|
438 |
######################################## |
439 |
## <summary> |
440 |
+## Read/write to kernel using a unix |
441 |
+## domain stream socket. |
442 |
+## </summary> |
443 |
+## <param name="domain"> |
444 |
+## <summary> |
445 |
+## Domain allowed access. |
446 |
+## </summary> |
447 |
+## </param> |
448 |
+# |
449 |
+interface(`kernel_rw_stream_sockets',` |
450 |
+ gen_require(` |
451 |
+ type kernel_t; |
452 |
+ ') |
453 |
+ |
454 |
+ allow $1 kernel_t:unix_stream_socket rw_socket_perms; |
455 |
+') |
456 |
+ |
457 |
+######################################## |
458 |
+## <summary> |
459 |
## Connect to kernel using a unix |
460 |
## domain stream socket. |
461 |
## </summary> |
462 |
@@ -273,7 +313,25 @@ interface(`kernel_stream_connect',` |
463 |
|
464 |
######################################## |
465 |
## <summary> |
466 |
-## Read and write kernel unix datagram sockets. |
467 |
+## Getattr on kernel unix datagram sockets. |
468 |
+## </summary> |
469 |
+## <param name="domain"> |
470 |
+## <summary> |
471 |
+## Domain allowed access. |
472 |
+## </summary> |
473 |
+## </param> |
474 |
+# |
475 |
+interface(`kernel_getattr_dgram_sockets',` |
476 |
+ gen_require(` |
477 |
+ type kernel_t; |
478 |
+ ') |
479 |
+ |
480 |
+ allow $1 kernel_t:unix_dgram_socket getattr; |
481 |
+') |
482 |
+ |
483 |
+######################################## |
484 |
+## <summary> |
485 |
+## Read and write kernel unix datagram sockets. (Deprecated) |
486 |
## </summary> |
487 |
## <param name="domain"> |
488 |
## <summary> |
489 |
|
490 |
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if |
491 |
index cbb729b..2e6a376 100644 |
492 |
--- a/policy/modules/kernel/terminal.if |
493 |
+++ b/policy/modules/kernel/terminal.if |
494 |
@@ -519,6 +519,25 @@ interface(`term_dontaudit_manage_pty_dirs',` |
495 |
|
496 |
######################################## |
497 |
## <summary> |
498 |
+## Relabel from and to pty directories. |
499 |
+## </summary> |
500 |
+## <param name="domain"> |
501 |
+## <summary> |
502 |
+## Domain allowed access. |
503 |
+## </summary> |
504 |
+## </param> |
505 |
+# |
506 |
+interface(`term_relabel_pty_dirs',` |
507 |
+ gen_require(` |
508 |
+ type devpts_t; |
509 |
+ ') |
510 |
+ |
511 |
+ dev_list_all_dev_nodes($1) |
512 |
+ allow $1 devpts_t:dir relabel_dir_perms; |
513 |
+') |
514 |
+ |
515 |
+######################################## |
516 |
+## <summary> |
517 |
## Do not audit attempts to get the attributes |
518 |
## of generic pty devices. |
519 |
## </summary> |
520 |
|
521 |
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if |
522 |
index 6aac59c..7bb4ecb 100644 |
523 |
--- a/policy/modules/system/authlogin.if |
524 |
+++ b/policy/modules/system/authlogin.if |
525 |
@@ -773,6 +773,25 @@ interface(`auth_rw_faillog',` |
526 |
allow $1 faillog_t:file rw_file_perms; |
527 |
') |
528 |
|
529 |
+######################################## |
530 |
+## <summary> |
531 |
+## Manage the login failure logs. |
532 |
+## </summary> |
533 |
+## <param name="domain"> |
534 |
+## <summary> |
535 |
+## Domain allowed access. |
536 |
+## </summary> |
537 |
+## </param> |
538 |
+# |
539 |
+interface(`auth_manage_faillog',` |
540 |
+ gen_require(` |
541 |
+ type faillog_t; |
542 |
+ ') |
543 |
+ |
544 |
+ allow $1 faillog_t:file manage_file_perms; |
545 |
+ logging_rw_generic_log_dirs($1) |
546 |
+') |
547 |
+ |
548 |
####################################### |
549 |
## <summary> |
550 |
## Read the last logins log. |
551 |
|
552 |
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc |
553 |
index 02ec851..b4bdf65 100644 |
554 |
--- a/policy/modules/system/init.fc |
555 |
+++ b/policy/modules/system/init.fc |
556 |
@@ -45,6 +45,10 @@ ifdef(`distro_gentoo', ` |
557 |
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) |
558 |
|
559 |
/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) |
560 |
+/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) |
561 |
+/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) |
562 |
+/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0) |
563 |
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) |
564 |
|
565 |
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) |
566 |
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) |
567 |
|
568 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
569 |
index 211d434..192508f 100644 |
570 |
--- a/policy/modules/system/init.if |
571 |
+++ b/policy/modules/system/init.if |
572 |
@@ -44,6 +44,26 @@ interface(`init_script_file',` |
573 |
|
574 |
######################################## |
575 |
## <summary> |
576 |
+## Make the specified type usable for |
577 |
+## systemd unit files. |
578 |
+## </summary> |
579 |
+## <param name="type"> |
580 |
+## <summary> |
581 |
+## Type to be used for systemd unit files. |
582 |
+## </summary> |
583 |
+## </param> |
584 |
+# |
585 |
+interface(`init_unit_file',` |
586 |
+ gen_require(` |
587 |
+ attribute systemdunit; |
588 |
+ ') |
589 |
+ |
590 |
+ files_type($1) |
591 |
+ typeattribute $1 systemdunit; |
592 |
+') |
593 |
+ |
594 |
+######################################## |
595 |
+## <summary> |
596 |
## Create a domain used for init scripts. |
597 |
## </summary> |
598 |
## <desc> |
599 |
@@ -108,6 +128,10 @@ interface(`init_domain',` |
600 |
role system_r types $1; |
601 |
|
602 |
domtrans_pattern(init_t, $2, $1) |
603 |
+ |
604 |
+ ifdef(`init_systemd',` |
605 |
+ allow $1 init_t:unix_stream_socket { getattr read write ioctl }; |
606 |
+ ') |
607 |
') |
608 |
|
609 |
######################################## |
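Review bot: The new `allow $1 init_t:unix_stream_socket { getattr read write ioctl };` in `init_domain` gives every init-started domain read/write on PID 1's stream sockets with no comment saying which socket this is for; the reason is not visible here (presumably file descriptors systemd hands to the service, such as its stdout/stderr, but confirm). The permission set is narrower than the `rw_stream_socket_perms` that `init_rw_stream_sockets` uses later in this commit, which reads as deliberate, so record both points: `# socket fds inherited from systemd (e.g. stdout/stderr); confirm, and keep narrower than rw_stream_socket_perms`. The body of `init_domain` starts above the hunk.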
610 |
@@ -212,6 +236,12 @@ interface(`init_daemon_domain',` |
611 |
userdom_dontaudit_use_user_terminals($1) |
612 |
') |
613 |
|
614 |
+ ifdef(`init_systemd',` |
615 |
+ init_domain($1, $2) |
616 |
+ # this may be because of late labelling |
617 |
+ kernel_dgram_send($1) |
618 |
+ ') |
619 |
+ |
620 |
optional_policy(` |
621 |
nscd_use($1) |
622 |
') |
623 |
@@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',` |
624 |
type initrc_t; |
625 |
') |
626 |
|
627 |
- init_daemon_domain($1, $2) |
628 |
+ ifdef(`init_systemd',` |
629 |
+ init_ranged_domain($1, $2, $3) |
630 |
+ ',` |
631 |
+ init_daemon_domain($1, $2) |
632 |
|
633 |
- ifdef(`enable_mcs',` |
634 |
- range_transition initrc_t $2:process $3; |
635 |
+ ifdef(`enable_mcs',` |
636 |
+ range_transition initrc_t $2:process $3; |
637 |
+ ') |
638 |
+ |
639 |
+ ifdef(`enable_mls',` |
640 |
+ range_transition initrc_t $2:process $3; |
641 |
+ mls_rangetrans_target($1) |
642 |
+ ') |
643 |
') |
644 |
+') |
645 |
|
646 |
- ifdef(`enable_mls',` |
647 |
- range_transition initrc_t $2:process $3; |
648 |
- mls_rangetrans_target($1) |
649 |
+######################################### |
650 |
+## <summary> |
651 |
+## Abstract socket service activation (systemd). |
652 |
+## </summary> |
653 |
+## <param name="domain"> |
654 |
+## <summary> |
655 |
+## The domain to be started by systemd socket activation. |
656 |
+## </summary> |
657 |
+## </param> |
658 |
+# |
659 |
+interface(`init_abstract_socket_activation',` |
660 |
+ ifdef(`init_systemd',` |
661 |
+ gen_require(` |
662 |
+ type init_t; |
663 |
+ ') |
664 |
+ |
665 |
+ allow init_t $1:unix_stream_socket create_stream_socket_perms; |
666 |
+ ') |
667 |
+') |
668 |
+ |
669 |
+######################################### |
670 |
+## <summary> |
671 |
+## Named socket service activation (systemd). |
672 |
+## </summary> |
673 |
+## <param name="domain"> |
674 |
+## <summary> |
675 |
+## The domain to be started by systemd socket activation. |
676 |
+## </summary> |
677 |
+## </param> |
678 |
+## <param name="sock_file"> |
679 |
+## <summary> |
680 |
+## The domain socket file type. |
681 |
+## </summary> |
682 |
+## </param> |
683 |
+# |
684 |
+interface(`init_named_socket_activation',` |
685 |
+ ifdef(`init_systemd',` |
686 |
+ gen_require(` |
687 |
+ type init_t; |
688 |
+ ') |
689 |
+ |
690 |
+ allow init_t $1:unix_dgram_socket create_socket_perms; |
691 |
+ allow init_t $1:unix_stream_socket create_stream_socket_perms; |
692 |
+ allow init_t $2:dir manage_dir_perms; |
693 |
+ allow init_t $2:fifo_file manage_fifo_file_perms; |
694 |
+ allow init_t $2:sock_file manage_sock_file_perms; |
695 |
') |
696 |
') |
697 |
|
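Review bot: The `sock_file` parameter of `init_named_socket_activation` is documented as "The domain socket file type", but the body also grants `allow init_t $2:dir manage_dir_perms;` and `allow init_t $2:fifo_file manage_fifo_file_perms;`, so init_t can create and remove directories and FIFOs of that type, not only the socket file. Either the `<param name="sock_file">` summary should say the type is expected to label the socket's directory and any FIFOs too, or the two extra rules should be dropped if no caller needs them. In `init_ranged_daemon_domain`, the `gen_require` of `initrc_t` at the top of the hunk now serves only the non-systemd branch, which is harmless but worth a one-line comment.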
698 |
@@ -324,6 +407,10 @@ interface(`init_system_domain',` |
699 |
role system_r types $1; |
700 |
|
701 |
domtrans_pattern(initrc_t, $2, $1) |
702 |
+ |
703 |
+ ifdef(`init_systemd',` |
704 |
+ init_domain($1, $2) |
705 |
+ ') |
706 |
') |
707 |
|
708 |
######################################## |
709 |
@@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',` |
710 |
type initrc_t; |
711 |
') |
712 |
|
713 |
- init_system_domain($1, $2) |
714 |
+ ifdef(`init_systemd',` |
715 |
+ init_ranged_domain($1, $2, $3) |
716 |
+ ',` |
717 |
+ init_system_domain($1, $2) |
718 |
|
719 |
- ifdef(`enable_mcs',` |
720 |
- range_transition initrc_t $2:process $3; |
721 |
- ') |
722 |
+ ifdef(`enable_mcs',` |
723 |
+ range_transition initrc_t $2:process $3; |
724 |
+ ') |
725 |
|
726 |
- ifdef(`enable_mls',` |
727 |
- range_transition initrc_t $2:process $3; |
728 |
- mls_rangetrans_target($1) |
729 |
+ ifdef(`enable_mls',` |
730 |
+ range_transition initrc_t $2:process $3; |
731 |
+ mls_rangetrans_target($1) |
732 |
+ ') |
733 |
') |
734 |
') |
735 |
|
736 |
@@ -579,10 +670,11 @@ interface(`init_sigchld',` |
737 |
# |
738 |
interface(`init_stream_connect',` |
739 |
gen_require(` |
740 |
- type init_t; |
741 |
+ type init_t, init_var_run_t; |
742 |
') |
743 |
|
744 |
- allow $1 init_t:unix_stream_socket connectto; |
745 |
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) |
746 |
+ files_search_pids($1) |
747 |
') |
748 |
|
749 |
######################################## |
750 |
@@ -664,6 +756,45 @@ interface(`init_dontaudit_use_fds',` |
751 |
|
752 |
######################################## |
753 |
## <summary> |
754 |
+## Send messages to init unix datagram sockets. |
755 |
+## </summary> |
756 |
+## <param name="domain"> |
757 |
+## <summary> |
758 |
+## Domain allowed access. |
759 |
+## </summary> |
760 |
+## </param> |
761 |
+## <rolecap/> |
762 |
+# |
763 |
+interface(`init_dgram_send',` |
764 |
+ gen_require(` |
765 |
+ type init_t, init_var_run_t; |
766 |
+ ') |
767 |
+ |
768 |
+ dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) |
769 |
+ files_search_pids($1) |
770 |
+') |
771 |
+ |
772 |
+######################################## |
773 |
+## <summary> |
774 |
+## Allow the specified domain to read/write to |
775 |
+## init with unix domain stream sockets. |
776 |
+## </summary> |
777 |
+## <param name="domain"> |
778 |
+## <summary> |
779 |
+## Domain allowed access. |
780 |
+## </summary> |
781 |
+## </param> |
782 |
+# |
783 |
+interface(`init_rw_stream_sockets',` |
784 |
+ gen_require(` |
785 |
+ type init_t; |
786 |
+ ') |
787 |
+ |
788 |
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms; |
789 |
+') |
790 |
+ |
791 |
+######################################## |
792 |
+## <summary> |
793 |
## Send UDP network traffic to init. (Deprecated) |
794 |
## </summary> |
795 |
## <param name="domain"> |
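Review bot: `init_dgram_send` carries `<rolecap/>` while its sibling `init_rw_stream_sockets` in the same hunk does not; that tag marks an interface as a capability offered to user roles, so datagram sends to init's socket under `init_var_run_t` become available to role templates. If that is intended the summary should say so; if the tag was copied from the `files_*` interfaces earlier in this commit, drop it.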
796 |
@@ -678,6 +809,276 @@ interface(`init_udp_send',` |
797 |
|
798 |
######################################## |
799 |
## <summary> |
800 |
+## Get all service status (systemd). |
801 |
+## </summary> |
802 |
+## <param name="domain"> |
803 |
+## <summary> |
804 |
+## Domain allowed access. |
805 |
+## </summary> |
806 |
+## </param> |
807 |
+# |
808 |
+interface(`init_get_system_status',` |
809 |
+ gen_require(` |
810 |
+ type init_t; |
811 |
+ ') |
812 |
+ |
813 |
+ allow $1 init_t:system status; |
814 |
+') |
815 |
+ |
816 |
+######################################## |
817 |
+## <summary> |
818 |
+## Enable all systemd services (systemd). |
819 |
+## </summary> |
820 |
+## <param name="domain"> |
821 |
+## <summary> |
822 |
+## Domain allowed access. |
823 |
+## </summary> |
824 |
+## </param> |
825 |
+# |
826 |
+interface(`init_enable',` |
827 |
+ gen_require(` |
828 |
+ type init_t; |
829 |
+ ') |
830 |
+ |
831 |
+ allow $1 init_t:system enable; |
832 |
+') |
833 |
+ |
834 |
+######################################## |
835 |
+## <summary> |
836 |
+## Disable all services (systemd). |
837 |
+## </summary> |
838 |
+## <param name="domain"> |
839 |
+## <summary> |
840 |
+## Domain allowed access. |
841 |
+## </summary> |
842 |
+## </param> |
843 |
+# |
844 |
+interface(`init_disable',` |
845 |
+ gen_require(` |
846 |
+ type init_t; |
847 |
+ ') |
848 |
+ |
849 |
+ allow $1 init_t:system disable; |
850 |
+') |
851 |
+ |
852 |
+######################################## |
853 |
+## <summary> |
854 |
+## Reload all services (systemd). |
855 |
+## </summary> |
856 |
+## <param name="domain"> |
857 |
+## <summary> |
858 |
+## Domain allowed access. |
859 |
+## </summary> |
860 |
+## </param> |
861 |
+# |
862 |
+interface(`init_reload',` |
863 |
+ gen_require(` |
864 |
+ type init_t; |
865 |
+ ') |
866 |
+ |
867 |
+ allow $1 init_t:system reload; |
868 |
+') |
869 |
+ |
870 |
+######################################## |
871 |
+## <summary> |
872 |
+## Reboot the system (systemd). |
873 |
+## </summary> |
874 |
+## <param name="domain"> |
875 |
+## <summary> |
876 |
+## Domain allowed access. |
877 |
+## </summary> |
878 |
+## </param> |
879 |
+# |
880 |
+interface(`init_reboot_system',` |
881 |
+ gen_require(` |
882 |
+ type init_t; |
883 |
+ ') |
884 |
+ |
885 |
+ allow $1 init_t:system reboot; |
886 |
+') |
887 |
+ |
888 |
+######################################## |
889 |
+## <summary> |
890 |
+## Shutdown (halt) the system (systemd). |
891 |
+## </summary> |
892 |
+## <param name="domain"> |
893 |
+## <summary> |
894 |
+## Domain allowed access. |
895 |
+## </summary> |
896 |
+## </param> |
897 |
+# |
898 |
+interface(`init_shutdown_system',` |
899 |
+ gen_require(` |
900 |
+ type init_t; |
901 |
+ ') |
902 |
+ |
903 |
+ allow $1 init_t:system halt; |
904 |
+') |
905 |
+ |
906 |
+######################################## |
907 |
+## <summary> |
908 |
+## Allow specified domain to get init status |
909 |
+## </summary> |
910 |
+## <param name="domain"> |
911 |
+## <summary> |
912 |
+## Domain to allow access. |
913 |
+## </summary> |
914 |
+## </param> |
915 |
+# |
916 |
+interface(`init_service_status',` |
917 |
+ gen_require(` |
918 |
+ type init_t; |
919 |
+ class service status; |
920 |
+ ') |
921 |
+ |
922 |
+ allow $1 init_t:service status; |
923 |
+') |
924 |
+ |
925 |
+######################################## |
926 |
+## <summary> |
927 |
+## Allow specified domain to get init start |
928 |
+## </summary> |
929 |
+## <param name="domain"> |
930 |
+## <summary> |
931 |
+## Domain to allow access. |
932 |
+## </summary> |
933 |
+## </param> |
934 |
+# |
935 |
+interface(`init_service_start',` |
936 |
+ gen_require(` |
937 |
+ type init_t; |
938 |
+ class service start; |
939 |
+ ') |
940 |
+ |
941 |
+ allow $1 init_t:service start; |
942 |
+') |
943 |
+ |
944 |
+######################################## |
945 |
+## <summary> |
946 |
+## Send and receive messages from |
947 |
+## systemd over dbus. |
948 |
+## </summary> |
949 |
+## <param name="domain"> |
950 |
+## <summary> |
951 |
+## Domain allowed access. |
952 |
+## </summary> |
953 |
+## </param> |
954 |
+# |
955 |
+interface(`init_dbus_chat',` |
956 |
+ gen_require(` |
957 |
+ type initrc_t; |
958 |
+ class dbus send_msg; |
959 |
+ ') |
960 |
+ |
961 |
+ allow $1 init_t:dbus send_msg; |
962 |
+ allow init_t $1:dbus send_msg; |
963 |
+') |
964 |
+ |
965 |
+######################################## |
966 |
+## <summary> |
967 |
+## Manage files in /var/lib/systemd/. |
968 |
+## </summary> |
969 |
+## <param name="domain"> |
970 |
+## <summary> |
971 |
+## Domain allowed access. |
972 |
+## </summary> |
973 |
+## </param> |
974 |
+## <param name="file_type"> |
975 |
+## <summary> |
976 |
+## The type of the object to be created |
977 |
+## </summary> |
978 |
+## </param> |
979 |
+## <param name="object_class"> |
980 |
+## <summary> |
981 |
+## The object class. |
982 |
+## </summary> |
983 |
+## </param> |
984 |
+## <param name="name" optional="true"> |
985 |
+## <summary> |
986 |
+## The name of the object being created. |
987 |
+## </summary> |
988 |
+## </param> |
989 |
+# |
990 |
+interface(`init_manage_var_lib_files',` |
991 |
+ gen_require(` |
992 |
+ type init_var_lib_t; |
993 |
+ ') |
994 |
+ |
995 |
+ manage_files_pattern($1, init_var_lib_t, init_var_lib_t) |
996 |
+ files_search_var_lib($1) |
997 |
+') |
998 |
+ |
999 |
+######################################## |
1000 |
+## <summary> |
1001 |
+## Create files in /var/lib/systemd |
1002 |
+## with an automatic type transition. |
1003 |
+## </summary> |
1004 |
+## <param name="domain"> |
1005 |
+## <summary> |
1006 |
+## Domain allowed access. |
1007 |
+## </summary> |
1008 |
+## </param> |
1009 |
+## <param name="type"> |
1010 |
+## <summary> |
1011 |
+## The type of object to be created |
1012 |
+## </summary> |
1013 |
+## </param> |
1014 |
+## <param name="object_class"> |
1015 |
+## <summary> |
1016 |
+## The object class. |
1017 |
+## </summary> |
1018 |
+## </param> |
1019 |
+## <param name="name" optional="true"> |
1020 |
+## <summary> |
1021 |
+## The name of the object being created. |
1022 |
+## </summary> |
1023 |
+## </param> |
1024 |
+# |
1025 |
+interface(`init_var_lib_filetrans',` |
1026 |
+ gen_require(` |
1027 |
+ type init_var_lib_t; |
1028 |
+ ') |
1029 |
+ |
1030 |
+ files_search_var_lib($1) |
1031 |
+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4) |
1032 |
+') |
1033 |
+ |
1034 |
+######################################## |
1035 |
+## <summary> |
1036 |
+## Create files in an init PID directory. |
1037 |
+## </summary> |
1038 |
+## <param name="domain"> |
1039 |
+## <summary> |
1040 |
+## Domain allowed access. |
1041 |
+## </summary> |
1042 |
+## </param> |
1043 |
+## <param name="file_type"> |
1044 |
+## <summary> |
1045 |
+## The type of the object to be created |
1046 |
+## </summary> |
1047 |
+## </param> |
1048 |
+## <param name="object_class"> |
1049 |
+## <summary> |
1050 |
+## The object class. |
1051 |
+## </summary> |
1052 |
+## </param> |
1053 |
+## <param name="name" optional="true"> |
1054 |
+## <summary> |
1055 |
+## The name of the object being created. |
1056 |
+## </summary> |
1057 |
+## </param> |
1058 |
+# |
1059 |
+interface(`init_pid_filetrans',` |
1060 |
+ gen_require(` |
1061 |
+ type init_var_run_t; |
1062 |
+ ') |
1063 |
+ |
1064 |
+ files_search_pids($1) |
1065 |
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4) |
1066 |
+') |
1067 |
+ |
1068 |
+######################################## |
1069 |
+## <summary> |
1070 |
## Get the attributes of initctl. |
1071 |
## </summary> |
1072 |
## <param name="domain"> |
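Review bot: `init_dbus_chat` requires `type initrc_t;` in its `gen_require`, but both of its rules reference `init_t` (`allow $1 init_t:dbus send_msg;` and `allow init_t $1:dbus send_msg;`), so the require does not cover the type the interface actually uses; change it to `type init_t;` (initrc_t is unused in the body). Separately, the header of `init_manage_var_lib_files` documents `file_type`, `object_class` and `name` parameters that the interface does not take — its body only uses `$1` — so those three `<param>` blocks, apparently copied from `init_var_lib_filetrans`, should be removed. The summaries of `init_service_status` and `init_service_start` ("get init status" / "get init start") describe the `service` class permissions on init_t and could be clearer, e.g. `## Get the status of the init service object (systemd).`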
1073 |
@@ -1976,3 +2377,180 @@ interface(`init_script_readable_type',` |
1074 |
|
1075 |
typeattribute $1 init_script_readable; |
1076 |
') |
1077 |
+ |
1078 |
+###################################### |
1079 |
+## <summary> |
1080 |
+## Search systemd unit dirs. |
1081 |
+## </summary> |
1082 |
+## <param name="domain"> |
1083 |
+## <summary> |
1084 |
+## Domain allowed access. |
1085 |
+## </summary> |
1086 |
+## </param> |
1087 |
+# |
1088 |
+interface(`init_search_units',` |
1089 |
+ gen_require(` |
1090 |
+ type init_var_run_t, systemd_unit_t; |
1091 |
+ ') |
1092 |
+ |
1093 |
+ search_dirs_pattern($1, init_var_run_t, systemd_unit_t) |
1094 |
+ |
1095 |
+ # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd |
1096 |
+ files_search_etc($1) |
1097 |
+ files_search_usr($1) |
1098 |
+ libs_search_lib($1) |
1099 |
+ |
1100 |
+ fs_search_tmpfs($1) |
1101 |
+') |
1102 |
+ |
1103 |
+######################################## |
1104 |
+## <summary> |
1105 |
+## Get status of generic systemd units. |
1106 |
+## </summary> |
1107 |
+## <param name="domain"> |
1108 |
+## <summary> |
1109 |
+## Domain allowed access. |
1110 |
+## </summary> |
1111 |
+## </param> |
1112 |
+# |
1113 |
+interface(`init_get_generic_units_status',` |
1114 |
+ gen_require(` |
1115 |
+ type systemd_unit_t; |
1116 |
+ class service status; |
1117 |
+ ') |
1118 |
+ |
1119 |
+ allow $1 systemd_unit_t:service status; |
1120 |
+') |
1121 |
+ |
1122 |
+######################################## |
1123 |
+## <summary> |
1124 |
+## Start generic systemd units. |
1125 |
+## </summary> |
1126 |
+## <param name="domain"> |
1127 |
+## <summary> |
1128 |
+## Domain allowed access. |
1129 |
+## </summary> |
1130 |
+## </param> |
1131 |
+# |
1132 |
+interface(`init_start_generic_units',` |
1133 |
+ gen_require(` |
1134 |
+ type systemd_unit_t; |
1135 |
+ class service start; |
1136 |
+ ') |
1137 |
+ |
1138 |
+ allow $1 systemd_unit_t:service start; |
1139 |
+') |
1140 |
+ |
1141 |
+######################################## |
1142 |
+## <summary> |
1143 |
+## Stop generic systemd units. |
1144 |
+## </summary> |
1145 |
+## <param name="domain"> |
1146 |
+## <summary> |
1147 |
+## Domain to not audit. |
1148 |
+## </summary> |
1149 |
+## </param> |
1150 |
+# |
1151 |
+interface(`init_stop_generic_units',` |
1152 |
+ gen_require(` |
1153 |
+ type systemd_unit_t; |
1154 |
+ class service stop; |
1155 |
+ ') |
1156 |
+ |
1157 |
+ allow $1 systemd_unit_t:service stop; |
1158 |
+') |
1159 |
+ |
1160 |
+####################################### |
1161 |
+## <summary> |
1162 |
+## Reload generic systemd units. |
1163 |
+## </summary> |
1164 |
+## <param name="domain"> |
1165 |
+## <summary> |
1166 |
+## Domain allowed access. |
1167 |
+## </summary> |
1168 |
+## </param> |
1169 |
+# |
1170 |
+interface(`init_reload_generic_units',` |
1171 |
+ gen_require(` |
1172 |
+ type systemd_unit_t; |
1173 |
+ class service reload; |
1174 |
+ ') |
1175 |
+ |
1176 |
+ allow $1 systemd_unit_t:service reload; |
1177 |
+') |
1178 |
+ |
1179 |
+######################################## |
1180 |
+## <summary> |
1181 |
+## Get status of all systemd units. |
1182 |
+## </summary> |
1183 |
+## <param name="domain"> |
1184 |
+## <summary> |
1185 |
+## Domain allowed access. |
1186 |
+## </summary> |
1187 |
+## </param> |
1188 |
+# |
1189 |
+interface(`init_get_all_units_status',` |
1190 |
+ gen_require(` |
1191 |
+ attribute systemdunit; |
1192 |
+ class service status; |
1193 |
+ ') |
1194 |
+ |
1195 |
+ allow $1 systemdunit:service status; |
1196 |
+') |
1197 |
+ |
1198 |
+######################################## |
1199 |
+## <summary> |
1200 |
+## Start all systemd units. |
1201 |
+## </summary> |
1202 |
+## <param name="domain"> |
1203 |
+## <summary> |
1204 |
+## Domain allowed access. |
1205 |
+## </summary> |
1206 |
+## </param> |
1207 |
+# |
1208 |
+interface(`init_start_all_units',` |
1209 |
+ gen_require(` |
1210 |
+ attribute systemdunit; |
1211 |
+ class service start; |
1212 |
+ ') |
1213 |
+ |
1214 |
+ allow $1 systemdunit:service start; |
1215 |
+') |
1216 |
+ |
1217 |
+######################################## |
1218 |
+## <summary> |
1219 |
+## Stop all systemd units. |
1220 |
+## </summary> |
1221 |
+## <param name="domain"> |
1222 |
+## <summary> |
1223 |
+## Domain to not audit. |
1224 |
+## </summary> |
1225 |
+## </param> |
1226 |
+# |
1227 |
+interface(`init_stop_all_units',` |
1228 |
+ gen_require(` |
1229 |
+ attribute systemdunit; |
1230 |
+ class service stop; |
1231 |
+ ') |
1232 |
+ |
1233 |
+ allow $1 systemdunit:service stop; |
1234 |
+') |
1235 |
+ |
1236 |
+####################################### |
1237 |
+## <summary> |
1238 |
+## Reload all systemd units. |
1239 |
+## </summary> |
1240 |
+## <param name="domain"> |
1241 |
+## <summary> |
1242 |
+## Domain allowed access. |
1243 |
+## </summary> |
1244 |
+## </param> |
1245 |
+# |
1246 |
+interface(`init_reload_all_units',` |
1247 |
+ gen_require(` |
1248 |
+ attribute systemdunit; |
1249 |
+ class service reload; |
1250 |
+ ') |
1251 |
+ |
1252 |
+ allow $1 systemdunit:service reload; |
1253 |
+') |
1254 |
|
1255 |
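Review bot: The `<param name="domain">` summary of `init_stop_generic_units` and `init_stop_all_units` reads "Domain to not audit.", but both interfaces emit an `allow` rule, so the text should match their siblings: `## Domain allowed access.`. The same copy-paste text sits on `systemd_start_power_units` in systemd.if. As a point of style, the `#` rule above `init_search_units` and above the two `init_reload_*` interfaces is 38–39 characters where the rest of the file uses 40. The `fs_search_tmpfs($1)` in `init_search_units` presumably exists because `/run/systemd` lives on tmpfs; the comment above names the paths but not that reason, so extending it to `# ... (/run/systemd is on tmpfs)` would save the next reader a lookup.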
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
1256 |
index 95db0d0..d5d7b10 100644 |
1257 |
--- a/policy/modules/system/init.te |
1258 |
+++ b/policy/modules/system/init.te |
1259 |
@@ -19,6 +19,7 @@ gen_tunable(init_upstart, false) |
1260 |
attribute init_script_domain_type; |
1261 |
attribute init_script_file_type; |
1262 |
attribute init_run_all_scripts_domain; |
1263 |
+attribute systemdunit; |
1264 |
|
1265 |
# Mark process types as daemons |
1266 |
attribute daemon; |
1267 |
@@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain; |
1268 |
type initrc_exec_t, init_script_file_type; |
1269 |
domain_type(initrc_t) |
1270 |
domain_entry_file(initrc_t, initrc_exec_t) |
1271 |
+init_named_socket_activation(initrc_t, init_var_run_t) |
1272 |
role system_r types initrc_t; |
1273 |
# should be part of the true block |
1274 |
# of the below init_upstart tunable |
1275 |
@@ -74,6 +76,9 @@ type initrc_devpts_t; |
1276 |
term_pty(initrc_devpts_t) |
1277 |
files_type(initrc_devpts_t) |
1278 |
|
1279 |
+type initrc_lock_t; |
1280 |
+files_lock_file(initrc_lock_t) |
1281 |
+ |
1282 |
type initrc_state_t; |
1283 |
files_type(initrc_state_t) |
1284 |
|
1285 |
@@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t) |
1286 |
type initrc_var_run_t; |
1287 |
files_pid_file(initrc_var_run_t) |
1288 |
|
1289 |
+type systemd_unit_t; |
1290 |
+init_unit_file(systemd_unit_t) |
1291 |
+ |
1292 |
ifdef(`distro_gentoo',` |
1293 |
type rc_exec_t; |
1294 |
domain_entry_file(initrc_t, rc_exec_t) |
1295 |
@@ -182,6 +190,115 @@ seutil_read_config(init_t) |
1296 |
|
1297 |
miscfiles_read_localization(init_t) |
1298 |
|
1299 |
+ifdef(`init_systemd',` |
1300 |
+ # handle instances where an old labeled init script is encountered. |
1301 |
+ typeattribute init_t init_run_all_scripts_domain; |
1302 |
+ |
1303 |
+ allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit }; |
1304 |
+ allow init_t self:capability2 block_suspend; |
1305 |
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms; |
1306 |
+ allow init_t self:netlink_route_socket create_netlink_socket_perms; |
1307 |
+ allow init_t self:netlink_selinux_socket create_socket_perms; |
1308 |
+ |
1309 |
+ manage_files_pattern(init_t, init_var_run_t, init_var_run_t) |
1310 |
+ manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) |
1311 |
+ manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) |
1312 |
+ manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) |
1313 |
+ |
1314 |
+ manage_files_pattern(init_t, systemd_unit_t, systemdunit) |
1315 |
+ |
1316 |
+ manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t) |
1317 |
+ manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t) |
1318 |
+ allow init_t systemd_unit_t:dir relabel_dir_perms; |
1319 |
+ |
1320 |
+ kernel_dyntrans_to(init_t) |
1321 |
+ kernel_read_network_state(init_t) |
1322 |
+ kernel_read_kernel_sysctls(init_t) |
1323 |
+ kernel_read_vm_sysctls(init_t) |
1324 |
+ kernel_dgram_send(init_t) |
1325 |
+ kernel_stream_connect(init_t) |
1326 |
+ kernel_getattr_proc(init_t) |
1327 |
+ kernel_read_fs_sysctls(init_t) |
1328 |
+ |
1329 |
+ dev_rw_autofs(init_t) |
1330 |
+ dev_create_generic_dirs(init_t) |
1331 |
+ dev_relabel_all_dev_nodes(init_t) |
1332 |
+ dev_read_urand(init_t) |
1333 |
+ dev_write_kmsg(init_t) |
1334 |
+ |
1335 |
+ domain_read_all_domains_state(init_t) |
1336 |
+ |
1337 |
+ files_read_all_pids(init_t) |
1338 |
+ files_list_usr(init_t) |
1339 |
+ files_list_var(init_t) |
1340 |
+ files_list_var_lib(init_t) |
1341 |
+ files_relabel_all_lock_dirs(init_t) |
1342 |
+ files_mounton_root(init_t) |
1343 |
+ files_search_pids(init_t) |
1344 |
+ files_relabel_all_pids(init_t) |
1345 |
+ files_read_all_locks(init_t) |
1346 |
+ files_search_kernel_modules(init_t) |
1347 |
+ # for privatetmp functions |
1348 |
+ files_manage_generic_tmp_dirs(init_t) |
1349 |
+ files_mounton_tmp(init_t) |
1350 |
+ |
1351 |
+ fs_manage_cgroup_dirs(init_t) |
1352 |
+ fs_relabel_cgroup_dirs(init_t) |
1353 |
+ fs_rw_cgroup_files(init_t) |
1354 |
+ fs_list_auto_mountpoints(init_t) |
1355 |
+ fs_mount_autofs(init_t) |
1356 |
+ fs_manage_hugetlbfs_dirs(init_t) |
1357 |
+ fs_getattr_tmpfs(init_t) |
1358 |
+ fs_read_tmpfs_files(init_t) |
1359 |
+ fs_read_cgroup_files(init_t) |
1360 |
+ fs_dontaudit_getattr_xattr_fs(init_t) |
1361 |
+ # for privatetmp functions |
1362 |
+ fs_relabel_tmpfs_dirs(init_t) |
1363 |
+ fs_relabel_tmpfs_files(init_t) |
1364 |
+ # mount-setup |
1365 |
+ fs_unmount_autofs(init_t) |
1366 |
+ fs_getattr_pstore_dirs(init_t) |
1367 |
+ |
1368 |
+ # systemd_socket_activated policy |
1369 |
+ mls_socket_write_all_levels(init_t) |
1370 |
+ |
1371 |
+ selinux_compute_create_context(init_t) |
1372 |
+ selinux_compute_access_vector(init_t) |
1373 |
+ |
1374 |
+ term_relabel_pty_dirs(init_t) |
1375 |
+ |
1376 |
+ clock_read_adjtime(init_t) |
1377 |
+ |
1378 |
+ logging_manage_pid_sockets(init_t) |
1379 |
+ logging_send_audit_msgs(init_t) |
1380 |
+ logging_relabelto_devlog_sock_files(init_t) |
1381 |
+ |
1382 |
+ seutil_read_file_contexts(init_t) |
1383 |
+ |
1384 |
+ systemd_relabelto_kmod_files(init_t) |
1385 |
+ systemd_dbus_chat_logind(init_t) |
1386 |
+ |
1387 |
+ # udevd is a "systemd kobject uevent socket activated daemon" |
1388 |
+ udev_create_kobject_uevent_sockets(init_t) |
1389 |
+ |
1390 |
+ optional_policy(` |
1391 |
+ dbus_system_bus_client(init_t) |
1392 |
+ dbus_connect_system_bus(init_t) |
1393 |
+ ') |
1394 |
+ |
1395 |
+ optional_policy(` |
1396 |
+ modutils_domtrans_insmod(init_t) |
1397 |
+ ') |
1398 |
+',` |
1399 |
+ tunable_policy(`init_upstart',` |
1400 |
+ corecmd_shell_domtrans(init_t, initrc_t) |
1401 |
+ ',` |
1402 |
+ # Run the shell in the sysadm role for single-user mode. |
1403 |
+ # causes problems with upstart |
1404 |
+ sysadm_shell_domtrans(init_t) |
1405 |
+ ') |
1406 |
+') |
1407 |
+ |
1408 |
ifdef(`distro_debian',` |
1409 |
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") |
1410 |
|
1411 |
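Review bot: `manage_files_pattern(init_t, systemd_unit_t, systemdunit)` gives PID 1 create/write/delete on every unit-file type carrying the `systemdunit` attribute (including `power_unit_t`), and unlike most lines in this block it has no why-comment; something like `# generated and transient units - TODO confirm which unit types init_t actually writes` would record the intent and make it possible to narrow the grant later. The broad relabel grants `dev_relabel_all_dev_nodes(init_t)` and `files_relabel_all_pids(init_t)` deserve the same one-line justification, e.g. tied to the `# mount-setup` note already used further down. The `ifdef(`init_systemd',`...`)` block is complete within the hunk, and the `tunable_policy(`init_upstart',...)` moved into its else branch matches the deletion in the following hunk.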
@@ -201,14 +318,6 @@ ifdef(`distro_redhat',` |
1412 |
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) |
1413 |
') |
1414 |
|
1415 |
-tunable_policy(`init_upstart',` |
1416 |
- corecmd_shell_domtrans(init_t, initrc_t) |
1417 |
-',` |
1418 |
- # Run the shell in the sysadm role for single-user mode. |
1419 |
- # causes problems with upstart |
1420 |
- sysadm_shell_domtrans(init_t) |
1421 |
-') |
1422 |
- |
1423 |
optional_policy(` |
1424 |
auth_rw_login_records(init_t) |
1425 |
') |
1426 |
@@ -609,6 +718,57 @@ ifdef(`distro_suse',` |
1427 |
') |
1428 |
') |
1429 |
|
1430 |
+ifdef(`init_systemd',` |
1431 |
+ manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) |
1432 |
+ files_lock_filetrans(initrc_t, initrc_lock_t, file) |
1433 |
+ |
1434 |
+ manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t) |
1435 |
+ |
1436 |
+ manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) |
1437 |
+ manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) |
1438 |
+ manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) |
1439 |
+ files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set) |
1440 |
+ |
1441 |
+ create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) |
1442 |
+ |
1443 |
+ manage_files_pattern(initrc_t, systemdunit, systemdunit) |
1444 |
+ manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit) |
1445 |
+ |
1446 |
+ kernel_dgram_send(initrc_t) |
1447 |
+ |
1448 |
+ # run systemd misc initializations |
1449 |
+ # in the initrc_t domain, as would be |
1450 |
+ # done in traditional sysvinit/upstart. |
1451 |
+ corecmd_bin_entry_type(initrc_t) |
1452 |
+ corecmd_shell_entry_type(initrc_t) |
1453 |
+ corecmd_bin_domtrans(init_t, initrc_t) |
1454 |
+ corecmd_shell_domtrans(init_t, initrc_t) |
1455 |
+ |
1456 |
+ files_read_boot_files(initrc_t) |
1457 |
+ files_setattr_pid_dirs(initrc_t) |
1458 |
+ |
1459 |
+ selinux_set_enforce_mode(initrc_t) |
1460 |
+ |
1461 |
+ init_stream_connect(initrc_t) |
1462 |
+ init_manage_var_lib_files(initrc_t) |
1463 |
+ init_rw_stream_sockets(initrc_t) |
1464 |
+ init_get_all_units_status(initrc_t) |
1465 |
+ init_stop_all_units(initrc_t) |
1466 |
+ |
1467 |
+ # Create /etc/audit.rules.prev after firstboot remediation |
1468 |
+ logging_manage_audit_config(initrc_t) |
1469 |
+ |
1470 |
+ # lvm2-activation-generator checks file labels |
1471 |
+ seutil_read_file_contexts(initrc_t) |
1472 |
+ |
1473 |
+ systemd_start_power_units(initrc_t) |
1474 |
+ |
1475 |
+ optional_policy(` |
1476 |
+ # create /var/lock/lvm/ |
1477 |
+ lvm_create_lock_dirs(initrc_t) |
1478 |
+ ') |
1479 |
+') |
1480 |
+ |
1481 |
optional_policy(` |
1482 |
amavis_search_lib(initrc_t) |
1483 |
amavis_setattr_pid_files(initrc_t) |
1484 |
|
1485 |
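Review bot: `selinux_set_enforce_mode(initrc_t)` is added without a comment naming the systemd-run script that needs to change the enforcing state, and because this same hunk makes `initrc_t` the fallback domain for anything `init_t` executes (`corecmd_bin_domtrans(init_t, initrc_t)`, `corecmd_shell_domtrans(init_t, initrc_t)`), every unit without a dedicated domain inherits that ability. The other non-obvious grants here are annotated (`# lvm2-activation-generator checks file labels`, `# Create /etc/audit.rules.prev after firstboot remediation`); this one should get at least `# <component> needs to toggle enforcing mode - TODO confirm`, or move to that component's own domain. As far as I recall the `setenforce` permission inside `selinux_set_enforce_mode` is still gated by the `secure_mode_policyload` boolean, which limits but does not remove the concern. `init_stop_all_units(initrc_t)` and `manage_files_pattern(initrc_t, systemdunit, systemdunit)` are similarly broad and would benefit from the same justification.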
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if |
1486 |
index 0e3c2a9..4305a86 100644 |
1487 |
--- a/policy/modules/system/locallogin.if |
1488 |
+++ b/policy/modules/system/locallogin.if |
1489 |
@@ -24,6 +24,27 @@ interface(`locallogin_domtrans',` |
1490 |
|
1491 |
######################################## |
1492 |
## <summary> |
1493 |
+## Allow calling domain to read locallogin state. |
1494 |
+## </summary> |
1495 |
+## <param name="domain"> |
1496 |
+## <summary> |
1497 |
+## Domain allowed permission. |
1498 |
+## </summary> |
1499 |
+## </param> |
1500 |
+# |
1501 |
+interface(`locallogin_read_state',` |
1502 |
+ gen_require(` |
1503 |
+ type local_login_t; |
1504 |
+ ') |
1505 |
+ |
1506 |
+ kernel_search_proc($1) |
1507 |
+ allow $1 local_login_t:file read_file_perms; |
1508 |
+ allow $1 local_login_t:lnk_file read_lnk_file_perms; |
1509 |
+ allow $1 local_login_t:dir list_dir_perms; |
1510 |
+') |
1511 |
+ |
1512 |
+######################################## |
1513 |
+## <summary> |
1514 |
## Allow processes to inherit local login file descriptors. |
1515 |
## </summary> |
1516 |
## <param name="domain"> |
1517 |
|
1518 |
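Review bot: The parameter summary of `locallogin_read_state` says "Domain allowed permission." while every other new interface in this commit uses the refpolicy template wording; change it to `## Domain allowed access.`. Purely as house style, the file and lnk_file `allow` lines could be written with the `read_files_pattern`/`read_lnk_files_pattern` helpers the rest of the commit uses, which is a matter of consistency rather than behaviour.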
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if |
1519 |
index 9fa0f5d..6a279f3 100644 |
1520 |
--- a/policy/modules/system/logging.if |
1521 |
+++ b/policy/modules/system/logging.if |
1522 |
@@ -553,6 +553,25 @@ interface(`logging_send_syslog_msg',` |
1523 |
|
1524 |
######################################## |
1525 |
## <summary> |
1526 |
+## Allow domain to relabelto devlog sock_files |
1527 |
+## </summary> |
1528 |
+## <param name="domain"> |
1529 |
+## <summary> |
1530 |
+## Domain allowed access. |
1531 |
+## </summary> |
1532 |
+## </param> |
1533 |
+## <rolecap/> |
1534 |
+# |
1535 |
+interface(`logging_relabelto_devlog_sock_files',` |
1536 |
+ gen_require(` |
1537 |
+ type devlog_t; |
1538 |
+ ') |
1539 |
+ |
1540 |
+ allow $1 devlog_t:sock_file relabelto_sock_file_perms; |
1541 |
+') |
1542 |
+ |
1543 |
+######################################## |
1544 |
+## <summary> |
1545 |
## Read the auditd configuration files. |
1546 |
## </summary> |
1547 |
## <param name="domain"> |
1548 |
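Review bot: `logging_relabelto_devlog_sock_files` is tagged `<rolecap/>`, which as I understand it marks an interface as a role capability to be exposed to user roles, yet its only caller in this commit is `init_t` (init.te) and a relabelto on `devlog_t` socket files is not something a user role should advertise; drop the tag unless that exposure is intended. The same tag appears on `lvm_create_lock_dirs` (lvm.if) and on `systemd_write_kmod_files`/`systemd_relabelto_kmod_files` (systemd.if), all likewise called only from init domains here.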
@@ -631,6 +650,25 @@ interface(`logging_delete_devlog_socket',` |
1549 |
|
1550 |
######################################## |
1551 |
## <summary> |
1552 |
+## Create, read, write, and delete syslog PID sockets. |
1553 |
+## </summary> |
1554 |
+## <param name="domain"> |
1555 |
+## <summary> |
1556 |
+## Domain allowed access. |
1557 |
+## </summary> |
1558 |
+## </param> |
1559 |
+# |
1560 |
+interface(`logging_manage_pid_sockets',` |
1561 |
+ gen_require(` |
1562 |
+ type syslogd_var_run_t; |
1563 |
+ ') |
1564 |
+ |
1565 |
+ manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) |
1566 |
+ files_search_pids($1) |
1567 |
+') |
1568 |
+ |
1569 |
+######################################## |
1570 |
+## <summary> |
1571 |
## Allows the domain to open a file in the |
1572 |
## log directory, but does not allow the listing |
1573 |
## of the contents of the log directory. |
1574 |
|
1575 |
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if |
1576 |
index 86b223c..6561474 100644 |
1577 |
--- a/policy/modules/system/lvm.if |
1578 |
+++ b/policy/modules/system/lvm.if |
1579 |
@@ -105,6 +105,26 @@ interface(`lvm_manage_config',` |
1580 |
manage_files_pattern($1, lvm_etc_t, lvm_etc_t) |
1581 |
') |
1582 |
|
1583 |
+######################################## |
1584 |
+## <summary> |
1585 |
+## Create lvm_lock_t directories |
1586 |
+## </summary> |
1587 |
+## <param name="domain"> |
1588 |
+## <summary> |
1589 |
+## Domain allowed access. |
1590 |
+## </summary> |
1591 |
+## </param> |
1592 |
+## <rolecap/> |
1593 |
+# |
1594 |
+interface(`lvm_create_lock_dirs',` |
1595 |
+ gen_require(` |
1596 |
+ type lvm_lock_t; |
1597 |
+ ') |
1598 |
+ |
1599 |
+ create_dirs_pattern($1, lvm_lock_t, lvm_lock_t) |
1600 |
+ files_add_entry_lock_dirs($1) |
1601 |
+') |
1602 |
+ |
1603 |
###################################### |
1604 |
## <summary> |
1605 |
## Execute a domain transition to run clvmd. |
1606 |
|
1607 |
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc |
1608 |
new file mode 100644 |
1609 |
index 0000000..864979d |
1610 |
--- /dev/null |
1611 |
+++ b/policy/modules/system/systemd.fc |
1612 |
@@ -0,0 +1,39 @@ |
1613 |
+/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) |
1614 |
+/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) |
1615 |
+/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) |
1616 |
+/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0) |
1617 |
+/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0) |
1618 |
+/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0) |
1619 |
+/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0) |
1620 |
+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) |
1621 |
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) |
1622 |
+ |
1623 |
+/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0) |
1624 |
+/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0) |
1625 |
+/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0) |
1626 |
+/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0) |
1627 |
+/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) |
1628 |
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) |
1629 |
+/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0) |
1630 |
+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) |
1631 |
+/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) |
1632 |
+ |
1633 |
+# Systemd unit files |
1634 |
+/usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0) |
1635 |
+/usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0) |
1636 |
+/usr/lib/systemd/system/[^/]*power.* -- gen_context(system_u:object_r:power_unit_t,s0) |
1637 |
+/usr/lib/systemd/system/[^/]*reboot.* -- gen_context(system_u:object_r:power_unit_t,s0) |
1638 |
+/usr/lib/systemd/system/[^/]*shutdown.* -- gen_context(system_u:object_r:power_unit_t,s0) |
1639 |
+/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0) |
1640 |
+/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0) |
1641 |
+ |
1642 |
+/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) |
1643 |
+ |
1644 |
+/var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) |
1645 |
+/var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) |
1646 |
+ |
1647 |
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
1648 |
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
1649 |
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
1650 |
+/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
1651 |
+/var/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0) |
1652 |
|
1653 |
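Review bot: `/var/run/tmpfiles\.d/kmod.conf` escapes the dot in `tmpfiles\.d` but leaves the one in `kmod.conf` as a regex wildcard, unlike the neighbouring `/var/run/\.nologin[^/]*`; it should read `/var/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:systemd_kmod_conf_t,s0)`, with `--` added if only the regular file is meant, since the entry as written applies to any object class. The power-unit patterns such as `/usr/lib/systemd/system/[^/]*power.*` match any unit whose name contains the substring; that is presumably intentional for `poweroff.target` and `systemd-poweroff.service`, but a one-line comment saying so would keep a later unit with "power" in its name from being labelled `power_unit_t` by surprise.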
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
1654 |
new file mode 100644 |
1655 |
index 0000000..8bca3a3 |
1656 |
--- /dev/null |
1657 |
+++ b/policy/modules/system/systemd.if |
1658 |
@@ -0,0 +1,195 @@ |
1659 |
+## <summary>Systemd components (not PID 1)</summary> |
1660 |
+ |
1661 |
+###################################### |
1662 |
+## <summary> |
1663 |
+## Read systemd_login PID files. |
1664 |
+## </summary> |
1665 |
+## <param name="domain"> |
1666 |
+## <summary> |
1667 |
+## Domain allowed access. |
1668 |
+## </summary> |
1669 |
+## </param> |
1670 |
+# |
1671 |
+interface(`systemd_read_logind_pids',` |
1672 |
+ gen_require(` |
1673 |
+ type systemd_logind_var_run_t; |
1674 |
+ ') |
1675 |
+ |
1676 |
+ files_search_pids($1) |
1677 |
+ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) |
1678 |
+') |
1679 |
+ |
1680 |
+###################################### |
1681 |
+## <summary> |
1682 |
+## Manage systemd_login PID pipes. |
1683 |
+## </summary> |
1684 |
+## <param name="domain"> |
1685 |
+## <summary> |
1686 |
+## Domain allowed access. |
1687 |
+## </summary> |
1688 |
+## </param> |
1689 |
+# |
1690 |
+interface(`systemd_manage_logind_pid_pipes',` |
1691 |
+ gen_require(` |
1692 |
+ type systemd_logind_var_run_t; |
1693 |
+ ') |
1694 |
+ |
1695 |
+ files_search_pids($1) |
1696 |
+ manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) |
1697 |
+') |
1698 |
+ |
1699 |
+###################################### |
1700 |
+## <summary> |
1701 |
+## Use inherited systemd |
1702 |
+## logind file descriptors. |
1703 |
+## </summary> |
1704 |
+## <param name="domain"> |
1705 |
+## <summary> |
1706 |
+## Domain allowed access. |
1707 |
+## </summary> |
1708 |
+## </param> |
1709 |
+# |
1710 |
+interface(`systemd_use_logind_fds',` |
1711 |
+ gen_require(` |
1712 |
+ type systemd_logind_t; |
1713 |
+ ') |
1714 |
+ |
1715 |
+ allow $1 systemd_logind_t:fd use; |
1716 |
+') |
1717 |
+ |
1718 |
+######################################## |
1719 |
+## <summary> |
1720 |
+## Send and receive messages from |
1721 |
+## systemd logind over dbus. |
1722 |
+## </summary> |
1723 |
+## <param name="domain"> |
1724 |
+## <summary> |
1725 |
+## Domain allowed access. |
1726 |
+## </summary> |
1727 |
+## </param> |
1728 |
+# |
1729 |
+interface(`systemd_dbus_chat_logind',` |
1730 |
+ gen_require(` |
1731 |
+ type systemd_logind_t; |
1732 |
+ class dbus send_msg; |
1733 |
+ ') |
1734 |
+ |
1735 |
+ allow $1 systemd_logind_t:dbus send_msg; |
1736 |
+ allow systemd_logind_t $1:dbus send_msg; |
1737 |
+') |
1738 |
+ |
1739 |
+######################################## |
1740 |
+## <summary> |
1741 |
+## Allow process to write to systemd_kmod_conf_t. |
1742 |
+## </summary> |
1743 |
+## <param name="domain"> |
1744 |
+## <summary> |
1745 |
+## Domain allowed access. |
1746 |
+## </summary> |
1747 |
+## </param> |
1748 |
+## <rolecap/> |
1749 |
+# |
1750 |
+interface(`systemd_write_kmod_files',` |
1751 |
+ gen_require(` |
1752 |
+ type systemd_kmod_conf_t; |
1753 |
+ ') |
1754 |
+ |
1755 |
+ write_files_pattern($1, var_run_t, systemd_kmod_conf_t) |
1756 |
+') |
1757 |
+ |
1758 |
+######################################## |
1759 |
+## <summary> |
1760 |
+## Allow process to relabel to systemd_kmod_conf_t. |
1761 |
+## </summary> |
1762 |
+## <param name="domain"> |
1763 |
+## <summary> |
1764 |
+## Domain allowed access. |
1765 |
+## </summary> |
1766 |
+## </param> |
1767 |
+## <rolecap/> |
1768 |
+# |
1769 |
+interface(`systemd_relabelto_kmod_files',` |
1770 |
+ gen_require(` |
1771 |
+ type systemd_kmod_conf_t; |
1772 |
+ ') |
1773 |
+ |
1774 |
+ allow $1 systemd_kmod_conf_t:file relabelto_file_perms; |
1775 |
+') |
1776 |
+ |
1777 |
+######################################## |
1778 |
+## <summary> |
1779 |
+## Read systemd homedir content |
1780 |
+## </summary> |
1781 |
+## <param name="domain"> |
1782 |
+## <summary> |
1783 |
+## Domain allowed access. |
1784 |
+## </summary> |
1785 |
+## </param> |
1786 |
+# |
1787 |
+interface(`systemd_read_home_content',` |
1788 |
+ gen_require(` |
1789 |
+ type systemd_home_t; |
1790 |
+ ') |
1791 |
+ |
1792 |
+ optional_policy(` |
1793 |
+ gnome_search_gconf_data_dir($1) |
1794 |
+ ') |
1795 |
+ read_files_pattern($1, systemd_home_t, systemd_home_t) |
1796 |
+ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t) |
1797 |
+') |
1798 |
+ |
1799 |
+######################################## |
1800 |
+## <summary> |
1801 |
+## Get the system status information from systemd_login |
1802 |
+## </summary> |
1803 |
+## <param name="domain"> |
1804 |
+## <summary> |
1805 |
+## Domain allowed access. |
1806 |
+## </summary> |
1807 |
+## </param> |
1808 |
+# |
1809 |
+interface(`systemd_status_logind',` |
1810 |
+ gen_require(` |
1811 |
+ type systemd_logind_t; |
1812 |
+ class service status; |
1813 |
+ ') |
1814 |
+ |
1815 |
+ allow $1 systemd_logind_t:service status; |
1816 |
+') |
1817 |
+ |
1818 |
+######################################## |
1819 |
+## <summary> |
1820 |
+## Send systemd_login a null signal. |
1821 |
+## </summary> |
1822 |
+## <param name="domain"> |
1823 |
+## <summary> |
1824 |
+## Domain allowed access. |
1825 |
+## </summary> |
1826 |
+## </param> |
1827 |
+# |
1828 |
+interface(`systemd_signull_logind',` |
1829 |
+ gen_require(` |
1830 |
+ type systemd_logind_t; |
1831 |
+ ') |
1832 |
+ |
1833 |
+ allow $1 systemd_logind_t:process signull; |
1834 |
+') |
1835 |
+ |
1836 |
+######################################## |
1837 |
+## <summary> |
1838 |
+## Allow specified domain to start power units |
1839 |
+## </summary> |
1840 |
+## <param name="domain"> |
1841 |
+## <summary> |
1842 |
+## Domain to not audit. |
1843 |
+## </summary> |
1844 |
+## </param> |
1845 |
+# |
1846 |
+interface(`systemd_start_power_units',` |
1847 |
+ gen_require(` |
1848 |
+ type power_unit_t; |
1849 |
+ class service start; |
1850 |
+ ') |
1851 |
+ |
1852 |
+ allow $1 power_unit_t:service start; |
1853 |
+') |
1854 |
|
1855 |
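Review bot: `write_files_pattern($1, var_run_t, systemd_kmod_conf_t)` in `systemd_write_kmod_files` references `var_run_t` without listing it in the interface's `gen_require` and reaches directly into the files module's type instead of its interface; replace it with `files_search_pids($1)` followed by `allow $1 systemd_kmod_conf_t:file write_file_perms;`. `systemd_read_home_content` calls `gnome_search_gconf_data_dir($1)` from a system-layer interface, which, if the layering convention of this tree applies, belongs in the caller rather than here. The interface summary for `systemd_write_kmod_files` ("Allow process to write to systemd_kmod_conf_t.") would also read better in the file's usual form, e.g. `## Write systemd kmod tmpfiles configuration.`.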
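diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..597d4aa
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,264 @@
+policy_module(systemd, 1.0.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfiles_manage_all, false)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_analyze_t;
+type systemd_analyze_exec_t;
+init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_cgroups_t;
+type systemd_cgroups_exec_t;
+domain_type(systemd_cgroups_t)
+domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
+role system_r types systemd_cgroups_t;
+
+type systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_var_run_t)
+init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+
+type systemd_cgtop_t;
+type systemd_cgtop_exec_t;
+init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_detect_virt_t;
+type systemd_detect_virt_exec_t;
+init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
+type systemd_hostnamed_t;
+type systemd_hostnamed_exec_t;
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
+
+type systemd_locale_t;
+type systemd_locale_exec_t;
+init_system_domain(systemd_locale_t, systemd_locale_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+
+type systemd_logind_var_lib_t;
+files_type(systemd_logind_var_lib_t)
+
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_nspawn_t;
+type systemd_nspawn_exec_t;
+init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+
+type systemd_run_t;
+type systemd_run_exec_t;
+init_daemon_domain(systemd_run_t, systemd_run_exec_t)
+
+type systemd_stdio_bridge_t;
+type systemd_stdio_bridge_exec_t;
+init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_sessions_t;
+type systemd_sessions_exec_t;
+init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+type systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_var_run_t)
+init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+type systemd_kmod_conf_t;
+files_config_file(systemd_kmod_conf_t)
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+#
+# Unit file types
+#
+
+type power_unit_t;
+init_unit_file(power_unit_t)
+
+######################################
+#
+# Cgroups local policy
+#
+
+kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+
+init_stream_connect(systemd_cgroups_t)
+
+logging_send_syslog_msg(systemd_cgroups_t)
+
+kernel_dgram_send(systemd_cgroups_t)
+
+#######################################
+#
+# locale local policy
+#
+
+files_read_etc_files(systemd_locale_t)
+
+logging_send_syslog_msg(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+optional_policy(`
+	dbus_connect_system_bus(systemd_locale_t)
+	dbus_system_bus_client(systemd_locale_t)
+')
+
+#######################################
+#
+# Hostnamed policy
+#
+
+files_read_etc_files(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_hostnamed_t)
+	dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
+#########################################
+#
+# Logind local policy
+#
+
+allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
+
+allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+files_search_pids(systemd_logind_t)
+
+auth_manage_faillog(systemd_logind_t)
+
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_tmpfs(systemd_logind_t)
+
+storage_getattr_removable_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+init_get_all_units_status(systemd_logind_t)
+init_start_all_units(systemd_logind_t)
+init_stop_all_units(systemd_logind_t)
+init_service_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+# This is for reading /proc/1/cgroup
+init_read_state(systemd_logind_t)
+
+locallogin_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+systemd_start_power_units(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_read_pid_files(systemd_logind_t)
+
+userdom_use_user_ttys(systemd_logind_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_logind_t)
+	dbus_connect_system_bus(systemd_logind_t)
+')
+
+#########################################
+#
+# Sessions local policy
+#
+
+allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+
+logging_send_syslog_msg(systemd_sessions_t)
+
+#########################################
+#
+# Tmpfiles local policy
+#
+
+allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:process { setfscreate getcap };
+
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+tunable_policy(`systemd_tmpfiles_manage_all',`
+	# systemd-tmpfiles can be configured to manage anything.
+	# have a last-resort option for users to do this.
+	files_manage_non_security_dirs(systemd_tmpfiles_t)
+	files_manage_non_security_files(systemd_tmpfiles_t)
+	files_relabel_non_security_dirs(systemd_tmpfiles_t)
+	files_relabel_non_security_files(systemd_tmpfiles_t)
+')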
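Review bot: `dac_override` is granted to systemd_logind_t in the self:capability rule at the top of the Logind local policy section (and to systemd_tmpfiles_t in the Tmpfiles section) with no comment recording which access needs it; this capability bypasses every DAC check, so refpolicy reviewers normally want the justification written down, and `dac_read_search` is the narrower choice when only traversal of root-owned directories is required. A comment such as `# dac_override: <TODO: name the access that fails without it>` above each of the two rules would let a later auditor re-evaluate the grant. The call `init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)` references systemd_logind_var_run_t ten lines before `type systemd_logind_var_run_t;` is declared; the module compiler appears to accept the forward reference, but moving the call below the declaration would match how the rest of the file is ordered. Finally, `type systemd_kmod_conf_t;` is declared in the middle of the tmpfiles declarations but no rule in this file uses it, so either a comment on its intended owner or a move to the domain that reads it would help.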
2126 |
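diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 06175a7..d4c92cc 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -92,6 +92,25 @@ interface(`udev_read_state',`
 	allow $1 udev_t:lnk_file read_lnk_file_perms;
 ')
 
+
+########################################
+## <summary>
+## Allow domain to create uevent sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_sockets',`
+	gen_require(`
+		type udev_t;
+	')
+
+	allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to inherit a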
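Review bot: The summary `Allow domain to create uevent sockets.` understates the rule in udev_create_kobject_uevent_sockets, which grants `create_socket_perms` (create, read, write, bind, setattr and the other socket permissions) on netlink_kobject_uevent_socket objects labelled udev_t rather than on the caller's own sockets; the conventional refpolicy wording `##	Create, read, write, and delete udev netlink kobject uevent sockets.` would show callers the real scope. The added empty line directly after the `')` context line leaves two consecutive blank lines between udev_read_state and the new interface where the file otherwise keeps one, so the first `+` line of the hunk should be dropped. No caller of the new interface is visible in this part of the diff, so whether any domain needs udev_t-labelled sockets rather than `self` ones cannot be checked from here.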