
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/
Date: Wed, 02 Dec 2015 15:45:38
Message-Id: 1445831567.d92bdf260887935367802afbbaf25d399c020cd5.swift@gentoo
1 commit: d92bdf260887935367802afbbaf25d399c020cd5
2 Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
3 AuthorDate: Fri Oct 23 14:16:59 2015 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 26 03:52:47 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26
7
8 Implement core systemd policy.
9
10 Significant contributions from the Tresys CLIP team.
11
12 Other changes from Laurent Bigonville.
13
14 policy/modules/kernel/corecommands.fc | 2 +
15 policy/modules/kernel/domain.te | 6 +
16 policy/modules/kernel/files.if | 172 ++++++++++
17 policy/modules/kernel/filesystem.if | 73 ++++
18 policy/modules/kernel/kernel.if | 60 +++-
19 policy/modules/kernel/terminal.if | 19 ++
20 policy/modules/system/authlogin.if | 19 ++
21 policy/modules/system/init.fc | 4 +
22 policy/modules/system/init.if | 608 +++++++++++++++++++++++++++++++++-
23 policy/modules/system/init.te | 176 +++++++++-
24 policy/modules/system/locallogin.if | 21 ++
25 policy/modules/system/logging.if | 38 +++
26 policy/modules/system/lvm.if | 20 ++
27 policy/modules/system/systemd.fc | 39 +++
28 policy/modules/system/systemd.if | 195 +++++++++++
29 policy/modules/system/systemd.te | 264 +++++++++++++++
30 policy/modules/system/udev.if | 19 ++
31 17 files changed, 1711 insertions(+), 24 deletions(-)
32
33 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
34 index f465e43..b4e192a 100644
35 --- a/policy/modules/kernel/corecommands.fc
36 +++ b/policy/modules/kernel/corecommands.fc
37 @@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
38 /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
39 /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
40 /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
41 +/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
42 +/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
43 /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
44 /usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
45 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
46
47 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
48 index 451a1be..6c3ef60 100644
49 --- a/policy/modules/kernel/domain.te
50 +++ b/policy/modules/kernel/domain.te
51 @@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
52 dontaudit domain self:udp_socket listen;
53 ')
54
55 +ifdef(`init_systemd',`
56 + optional_policy(`
57 + shutdown_sigchld(domain)
58 + ')
59 +')
60 +
61 tunable_policy(`global_ssp',`
62 # enable reading of urandom for all domains:
63 # this should be enabled when all programs
64
65 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
66 index dd16f74..cbb8afe 100644
67 --- a/policy/modules/kernel/files.if
68 +++ b/policy/modules/kernel/files.if
69 @@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
70
71 ########################################
72 ## <summary>
73 +## Relabel from/to non-security directories.
74 +## </summary>
75 +## <param name="domain">
76 +## <summary>
77 +## Domain allowed access.
78 +## </summary>
79 +## </param>
80 +#
81 +interface(`files_relabel_non_security_dirs',`
82 + gen_require(`
83 + attribute non_security_file_type;
84 + ')
85 +
86 + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
87 +')
88 +
89 +########################################
90 +## <summary>
91 ## Get the attributes of all files.
92 ## </summary>
93 ## <param name="domain">
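Review bot: `files_relabel_non_security_dirs` has no `## <rolecap/>` marker, whereas the sibling `files_relabel_non_security_files` added by this same commit (next hunk) does, and both grant relabelfrom/relabelto over the same `non_security_file_type` attribute. Either add `## <rolecap/>` after the closing `## </param>` line, or note in the summary why directory relabeling is deliberately not exposed as a role capability. Keeping the two interfaces' metadata aligned matters because the role-capability flag is what downstream tooling uses to decide which interfaces user roles may be granted.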
94 @@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
95
96 ########################################
97 ## <summary>
98 +## Create, read, write, and delete all non-security files.
99 +## </summary>
100 +## <param name="domain">
101 +## <summary>
102 +## Domain allowed access.
103 +## </summary>
104 +## </param>
105 +## <rolecap/>
106 +#
107 +interface(`files_manage_non_security_files',`
108 + gen_require(`
109 + attribute non_security_file_type;
110 + ')
111 +
112 + manage_files_pattern($1, non_security_file_type, non_security_file_type)
113 +')
114 +
115 +########################################
116 +## <summary>
117 +## Relabel from/to all non-security files.
118 +## </summary>
119 +## <param name="domain">
120 +## <summary>
121 +## Domain allowed access.
122 +## </summary>
123 +## </param>
124 +## <rolecap/>
125 +#
126 +interface(`files_relabel_non_security_files',`
127 + gen_require(`
128 + attribute non_security_file_type;
129 + ')
130 +
131 + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
132 +')
133 +
134 +########################################
135 +## <summary>
136 ## Read all files.
137 ## </summary>
138 ## <param name="domain">
139 @@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
140
141 ########################################
142 ## <summary>
143 +## Mount on the root directory (/)
144 +## </summary>
145 +## <param name="domain">
146 +## <summary>
147 +## Domain allowed access.
148 +## </summary>
149 +## </param>
150 +#
151 +interface(`files_mounton_root',`
152 + gen_require(`
153 + type root_t;
154 + ')
155 +
156 + allow $1 root_t:dir mounton;
157 +')
158 +
159 +########################################
160 +## <summary>
161 ## Get attributes of the /boot directory.
162 ## </summary>
163 ## <param name="domain">
164 @@ -4398,6 +4472,24 @@ interface(`files_rw_generic_tmp_sockets',`
165
166 ########################################
167 ## <summary>
168 +## Mount filesystems in the tmp directory (/tmp)
169 +## </summary>
170 +## <param name="domain">
171 +## <summary>
172 +## Domain allowed access.
173 +## </summary>
174 +## </param>
175 +#
176 +interface(`files_mounton_tmp',`
177 + gen_require(`
178 + type tmp_t;
179 + ')
180 +
181 + allow $1 tmp_t:dir mounton;
182 +')
183 +
184 +########################################
185 +## <summary>
186 ## Set the attributes of all tmp directories.
187 ## </summary>
188 ## <param name="domain">
189 @@ -5678,6 +5770,25 @@ interface(`files_list_locks',`
190
191 ########################################
192 ## <summary>
193 +## Add entries in the /var/lock directories.
194 +## </summary>
195 +## <param name="domain">
196 +## <summary>
197 +## Domain allowed access.
198 +## </summary>
199 +## </param>
200 +#
201 +interface(`files_add_entry_lock_dirs',`
202 + gen_require(`
203 + type var_t, var_lock_t;
204 + ')
205 +
206 + allow $1 var_lock_t:lnk_file read_lnk_file_perms;
207 + add_entry_dirs_pattern($1, var_t, var_lock_t)
208 +')
209 +
210 +########################################
211 +## <summary>
212 ## Add and remove entries in the /var/lock
213 ## directories.
214 ## </summary>
215 @@ -5871,6 +5982,29 @@ interface(`files_manage_all_locks',`
216
217 ########################################
218 ## <summary>
219 +## Relabel from/to all lock files.
220 +## </summary>
221 +## <param name="domain">
222 +## <summary>
223 +## Domain allowed access.
224 +## </summary>
225 +## </param>
226 +#
227 +interface(`files_relabel_all_locks',`
228 + gen_require(`
229 + attribute lockfile;
230 + type var_t, var_lock_t;
231 + ')
232 +
233 + allow $1 var_lock_t:lnk_file read_lnk_file_perms;
234 + allow $1 { var_t var_lock_t }:dir search_dir_perms;
235 + relabel_dirs_pattern($1, lockfile, lockfile)
236 + relabel_files_pattern($1, lockfile, lockfile)
237 + relabel_lnk_files_pattern($1, lockfile, lockfile)
238 +')
239 +
240 +########################################
241 +## <summary>
242 ## Create an object in the locks directory, with a private
243 ## type using a type transition.
244 ## </summary>
245 @@ -6300,6 +6434,44 @@ interface(`files_manage_all_pids',`
246
247 ########################################
248 ## <summary>
249 +## Relabel to/from all var_run (pid) directories
250 +## </summary>
251 +## <param name="domain">
252 +## <summary>
253 +## Domain alloed access.
254 +## </summary>
255 +## </param>
256 +#
257 +interface(`files_relabel_all_pid_dirs',`
258 + gen_require(`
259 + attribute pidfile;
260 + ')
261 +
262 + relabel_dirs_pattern($1, pidfile, pidfile)
263 +')
264 +
265 +########################################
266 +## <summary>
267 +## Relabel to/from all var_run (pid) files and directories
268 +## </summary>
269 +## <param name="domain">
270 +## <summary>
271 +## Domain alloed access.
272 +## </summary>
273 +## </param>
274 +#
275 +interface(`files_relabel_all_pids',`
276 + gen_require(`
277 + attribute pidfile;
278 + ')
279 +
280 + relabel_dirs_pattern($1, pidfile, pidfile)
281 + relabel_files_pattern($1, pidfile, pidfile)
282 + relabel_lnk_files_pattern($1, pidfile, pidfile)
283 +')
284 +
285 +########################################
286 +## <summary>
287 ## Mount filesystems on all polyinstantiation
288 ## member directories.
289 ## </summary>
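Review bot: Both new param summaries read `## Domain alloed access.` (in `files_relabel_all_pid_dirs` and `files_relabel_all_pids`); they should be `## Domain allowed access.` to match every other interface in the file. Separately, `files_relabel_all_pids` repeats the `relabel_dirs_pattern($1, pidfile, pidfile)` rule that `files_relabel_all_pid_dirs` already encapsulates; calling `files_relabel_all_pid_dirs($1)` there would keep the two in step if the directory rule ever changes.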
290
291 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
292 index 4ddef7c..0db8233 100644
293 --- a/policy/modules/kernel/filesystem.if
294 +++ b/policy/modules/kernel/filesystem.if
295 @@ -767,6 +767,24 @@ interface(`fs_manage_cgroup_dirs',`
296
297 ########################################
298 ## <summary>
299 +## Relabel cgroup directories.
300 +## </summary>
301 +## <param name="domain">
302 +## <summary>
303 +## Domain allowed access.
304 +## </summary>
305 +## </param>
306 +#
307 +interface(`fs_relabel_cgroup_dirs',`
308 + gen_require(`
309 + type cgroup_t;
310 + ')
311 +
312 + relabel_dirs_pattern($1, cgroup_t, cgroup_t)
313 +')
314 +
315 +########################################
316 +## <summary>
317 ## Read cgroup files.
318 ## </summary>
319 ## <param name="domain">
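Review bot: `fs_relabel_cgroup_dirs` grants the relabel pattern on `cgroup_t` but, unlike `fs_read_cgroup_files` (next hunk, which calls `dev_search_sysfs($1)`) and the new `fs_getattr_pstore_dirs` in this file, it does not give the caller search access to the sysfs path the cgroup mount lives under. If callers are expected to reach the mount through /sys rather than via a separately granted path, add `dev_search_sysfs($1)` after the pattern line; if the omission is deliberate, a comment saying so would stop the next reviewer from re-raising it.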
320 @@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',`
321 ')
322
323 read_files_pattern($1, cgroup_t, cgroup_t)
324 + read_lnk_files_pattern($1, cgroup_t, cgroup_t)
325 dev_search_sysfs($1)
326 ')
327
328 @@ -3341,6 +3360,25 @@ interface(`fs_rw_nfsd_fs',`
329
330 ########################################
331 ## <summary>
332 +## Getattr on pstore dirs.
333 +## </summary>
334 +## <param name="domain">
335 +## <summary>
336 +## Domain allowed access.
337 +## </summary>
338 +## </param>
339 +#
340 +interface(`fs_getattr_pstore_dirs',`
341 + gen_require(`
342 + type pstore_t;
343 + ')
344 +
345 + getattr_files_pattern($1, pstore_t, pstore_t)
346 + dev_search_sysfs($1)
347 +')
348 +
349 +########################################
350 +## <summary>
351 ## Allow the type to associate to ramfs filesystems.
352 ## </summary>
353 ## <param name="type">
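Review bot: The body of `fs_getattr_pstore_dirs` does not match its name or summary ("Getattr on pstore dirs"): `getattr_files_pattern($1, pstore_t, pstore_t)` grants search on the directory and getattr on files of that type, not getattr on the directory itself. If directory attributes are what callers need, the rule should be `getattr_dirs_pattern($1, pstore_t, pstore_t)`; if file getattr is actually intended, rename the interface and summary to say "files". As written a caller wanting `stat()` on the pstore mount point would still be denied on the `dir` class.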
354 @@ -4113,6 +4151,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
355
356 ########################################
357 ## <summary>
358 +## Relabel directory on tmpfs filesystems.
359 +## </summary>
360 +## <param name="domain">
361 +## <summary>
362 +## Domain allowed access.
363 +## </summary>
364 +## </param>
365 +#
366 +interface(`fs_relabel_tmpfs_dirs',`
367 + gen_require(`
368 + type tmpfs_t;
369 + ')
370 + relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
371 +')
372 +
373 +########################################
374 +## <summary>
375 ## Create an object in a tmpfs filesystem, with a private
376 ## type using a type transition.
377 ## </summary>
378 @@ -4241,6 +4296,24 @@ interface(`fs_rw_tmpfs_files',`
379
380 ########################################
381 ## <summary>
382 +## Relabel files on tmpfs filesystems.
383 +## </summary>
384 +## <param name="domain">
385 +## <summary>
386 +## Domain allowed access.
387 +## </summary>
388 +## </param>
389 +#
390 +interface(`fs_relabel_tmpfs_files',`
391 + gen_require(`
392 + type tmpfs_t;
393 + ')
394 +
395 + relabel_files_pattern($1, tmpfs_t, tmpfs_t)
396 +')
397 +
398 +########################################
399 +## <summary>
400 ## Read tmpfs link files.
401 ## </summary>
402 ## <param name="domain">
403
404 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
405 index faa19d7..df42fa3 100644
406 --- a/policy/modules/kernel/kernel.if
407 +++ b/policy/modules/kernel/kernel.if
408 @@ -8,6 +8,27 @@
409
410 ########################################
411 ## <summary>
412 +## Allows the kernel to start userland processes
413 +## by dynamic transitions to the specified domain.
414 +## </summary>
415 +## <param name="domain">
416 +## <summary>
417 +## The process type entered by the kernel.
418 +## </summary>
419 +## </param>
420 +#
421 +interface(`kernel_dyntrans_to',`
422 + gen_require(`
423 + type kernel_t;
424 + ')
425 +
426 + domain_dyntrans_type(kernel_t)
427 + allow kernel_t self:process setcurrent;
428 + allow kernel_t $1:process dyntransition;
429 +')
430 +
431 +########################################
432 +## <summary>
433 ## Allows to start userland processes
434 ## by transitioning to the specified domain.
435 ## </summary>
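Review bot: `kernel_dyntrans_to` gives `kernel_t` `setcurrent` plus `dyntransition` to `$1`, and a dynamic transition — unlike an exec-based `domtrans_pattern` — is not bound to an entrypoint executable, so the summary should state that constraint rather than just "start userland processes". Suggested wording: `## Allow the kernel domain to dynamically transition (setcon) to the specified domain without an entrypoint exec; presumably intended only for the early-boot init domain.` The intended caller is not visible in this hunk, so the last clause is a guess to be confirmed against the init module.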
436 @@ -254,6 +275,25 @@ interface(`kernel_rw_pipes',`
437
438 ########################################
439 ## <summary>
440 +## Read/write to kernel using a unix
441 +## domain stream socket.
442 +## </summary>
443 +## <param name="domain">
444 +## <summary>
445 +## Domain allowed access.
446 +## </summary>
447 +## </param>
448 +#
449 +interface(`kernel_rw_stream_sockets',`
450 + gen_require(`
451 + type kernel_t;
452 + ')
453 +
454 + allow $1 kernel_t:unix_stream_socket rw_socket_perms;
455 +')
456 +
457 +########################################
458 +## <summary>
459 ## Connect to kernel using a unix
460 ## domain stream socket.
461 ## </summary>
462 @@ -273,7 +313,25 @@ interface(`kernel_stream_connect',`
463
464 ########################################
465 ## <summary>
466 -## Read and write kernel unix datagram sockets.
467 +## Getattr on kernel unix datagram sockets.
468 +## </summary>
469 +## <param name="domain">
470 +## <summary>
471 +## Domain allowed access.
472 +## </summary>
473 +## </param>
474 +#
475 +interface(`kernel_getattr_dgram_sockets',`
476 + gen_require(`
477 + type kernel_t;
478 + ')
479 +
480 + allow $1 kernel_t:unix_dgram_socket getattr;
481 +')
482 +
483 +########################################
484 +## <summary>
485 +## Read and write kernel unix datagram sockets. (Deprecated)
486 ## </summary>
487 ## <param name="domain">
488 ## <summary>
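Review bot: The existing read/write datagram interface is marked `(Deprecated)` only in its summary text; in refpolicy the convention for a deprecated interface is also to emit a build-time warning from its body via `refpolicywarn(`$0($*) has been deprecated, please use <replacement> instead.')`, so callers are told at compile time. The body of that interface lies outside this hunk, so I cannot tell whether the warning was added; if it was not, the summary change alone is easy to miss. The new `kernel_getattr_dgram_sockets` above it looks fine.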
489
490 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
491 index cbb729b..2e6a376 100644
492 --- a/policy/modules/kernel/terminal.if
493 +++ b/policy/modules/kernel/terminal.if
494 @@ -519,6 +519,25 @@ interface(`term_dontaudit_manage_pty_dirs',`
495
496 ########################################
497 ## <summary>
498 +## Relabel from and to pty directories.
499 +## </summary>
500 +## <param name="domain">
501 +## <summary>
502 +## Domain allowed access.
503 +## </summary>
504 +## </param>
505 +#
506 +interface(`term_relabel_pty_dirs',`
507 + gen_require(`
508 + type devpts_t;
509 + ')
510 +
511 + dev_list_all_dev_nodes($1)
512 + allow $1 devpts_t:dir relabel_dir_perms;
513 +')
514 +
515 +########################################
516 +## <summary>
517 ## Do not audit attempts to get the attributes
518 ## of generic pty devices.
519 ## </summary>
520
521 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
522 index 6aac59c..7bb4ecb 100644
523 --- a/policy/modules/system/authlogin.if
524 +++ b/policy/modules/system/authlogin.if
525 @@ -773,6 +773,25 @@ interface(`auth_rw_faillog',`
526 allow $1 faillog_t:file rw_file_perms;
527 ')
528
529 +########################################
530 +## <summary>
531 +## Manage the login failure logs.
532 +## </summary>
533 +## <param name="domain">
534 +## <summary>
535 +## Domain allowed access.
536 +## </summary>
537 +## </param>
538 +#
539 +interface(`auth_manage_faillog',`
540 + gen_require(`
541 + type faillog_t;
542 + ')
543 +
544 + allow $1 faillog_t:file manage_file_perms;
545 + logging_rw_generic_log_dirs($1)
546 +')
547 +
548 #######################################
549 ## <summary>
550 ## Read the last logins log.
551
552 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
553 index 02ec851..b4bdf65 100644
554 --- a/policy/modules/system/init.fc
555 +++ b/policy/modules/system/init.fc
556 @@ -45,6 +45,10 @@ ifdef(`distro_gentoo', `
557 /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
558
559 /usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
560 +/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
561 +/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
562 +/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
563 +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
564
565 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
566 /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
567
568 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
569 index 211d434..192508f 100644
570 --- a/policy/modules/system/init.if
571 +++ b/policy/modules/system/init.if
572 @@ -44,6 +44,26 @@ interface(`init_script_file',`
573
574 ########################################
575 ## <summary>
576 +## Make the specified type usable for
577 +## systemd unit files.
578 +## </summary>
579 +## <param name="type">
580 +## <summary>
581 +## Type to be used for systemd unit files.
582 +## </summary>
583 +## </param>
584 +#
585 +interface(`init_unit_file',`
586 + gen_require(`
587 + attribute systemdunit;
588 + ')
589 +
590 + files_type($1)
591 + typeattribute $1 systemdunit;
592 +')
593 +
594 +########################################
595 +## <summary>
596 ## Create a domain used for init scripts.
597 ## </summary>
598 ## <desc>
599 @@ -108,6 +128,10 @@ interface(`init_domain',`
600 role system_r types $1;
601
602 domtrans_pattern(init_t, $2, $1)
603 +
604 + ifdef(`init_systemd',`
605 + allow $1 init_t:unix_stream_socket { getattr read write ioctl };
606 + ')
607 ')
608
609 ########################################
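Review bot: The added rule in `init_domain` spells out `allow $1 init_t:unix_stream_socket { getattr read write ioctl };` by hand, while the same commit introduces `init_rw_stream_sockets($1)` (later hunk in this file) for exactly this access using the `rw_stream_socket_perms` set. If the wider set is acceptable here, replace the raw rule with `init_rw_stream_sockets($1)`; if the four-permission subset is intentional, a comment such as `# inherited stdio socket from systemd: read/write only, no listen/accept` (wording to be confirmed) should say so. The rest of `init_domain` is outside the hunk.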
610 @@ -212,6 +236,12 @@ interface(`init_daemon_domain',`
611 userdom_dontaudit_use_user_terminals($1)
612 ')
613
614 + ifdef(`init_systemd',`
615 + init_domain($1, $2)
616 + # this may be because of late labelling
617 + kernel_dgram_send($1)
618 + ')
619 +
620 optional_policy(`
621 nscd_use($1)
622 ')
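Review bot: The comment `# this may be because of late labelling` above the new `kernel_dgram_send($1)` in `init_daemon_domain` records a guess rather than a reason, and this interface is the template for every daemon domain in the policy, so the permission is inherited policy-wide. Either confirm the cause and state it, or make the uncertainty trackable, e.g. `# TODO: confirm why daemons need kernel_dgram_send under init_systemd`. The surrounding body of `init_daemon_domain` is outside this hunk.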
623 @@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',`
624 type initrc_t;
625 ')
626
627 - init_daemon_domain($1, $2)
628 + ifdef(`init_systemd',`
629 + init_ranged_domain($1, $2, $3)
630 + ',`
631 + init_daemon_domain($1, $2)
632
633 - ifdef(`enable_mcs',`
634 - range_transition initrc_t $2:process $3;
635 + ifdef(`enable_mcs',`
636 + range_transition initrc_t $2:process $3;
637 + ')
638 +
639 + ifdef(`enable_mls',`
640 + range_transition initrc_t $2:process $3;
641 + mls_rangetrans_target($1)
642 + ')
643 ')
644 +')
645
646 - ifdef(`enable_mls',`
647 - range_transition initrc_t $2:process $3;
648 - mls_rangetrans_target($1)
649 +#########################################
650 +## <summary>
651 +## Abstract socket service activation (systemd).
652 +## </summary>
653 +## <param name="domain">
654 +## <summary>
655 +## The domain to be started by systemd socket activation.
656 +## </summary>
657 +## </param>
658 +#
659 +interface(`init_abstract_socket_activation',`
660 + ifdef(`init_systemd',`
661 + gen_require(`
662 + type init_t;
663 + ')
664 +
665 + allow init_t $1:unix_stream_socket create_stream_socket_perms;
666 + ')
667 +')
668 +
669 +#########################################
670 +## <summary>
671 +## Named socket service activation (systemd).
672 +## </summary>
673 +## <param name="domain">
674 +## <summary>
675 +## The domain to be started by systemd socket activation.
676 +## </summary>
677 +## </param>
678 +## <param name="sock_file">
679 +## <summary>
680 +## The domain socket file type.
681 +## </summary>
682 +## </param>
683 +#
684 +interface(`init_named_socket_activation',`
685 + ifdef(`init_systemd',`
686 + gen_require(`
687 + type init_t;
688 + ')
689 +
690 + allow init_t $1:unix_dgram_socket create_socket_perms;
691 + allow init_t $1:unix_stream_socket create_stream_socket_perms;
692 + allow init_t $2:dir manage_dir_perms;
693 + allow init_t $2:fifo_file manage_fifo_file_perms;
694 + allow init_t $2:sock_file manage_sock_file_perms;
695 ')
696 ')
697
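Review bot: In `init_named_socket_activation` the `sock_file` parameter is documented as "The domain socket file type", but the body also grants `init_t` `manage_dir_perms` and `manage_fifo_file_perms` on `$2`, so the interface manages directories and FIFOs of that type as well as sockets. The param summary should say so, e.g. `## Type of the socket files, FIFOs and their parent directory that init creates for this service.` (FIFO support presumably covers systemd's `ListenFIFO=`; confirm). The restructured `init_ranged_daemon_domain` above now relies on `init_ranged_domain`, which is not visible in this hunk; its definition should be checked to exist in this module.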
698 @@ -324,6 +407,10 @@ interface(`init_system_domain',`
699 role system_r types $1;
700
701 domtrans_pattern(initrc_t, $2, $1)
702 +
703 + ifdef(`init_systemd',`
704 + init_domain($1, $2)
705 + ')
706 ')
707
708 ########################################
709 @@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',`
710 type initrc_t;
711 ')
712
713 - init_system_domain($1, $2)
714 + ifdef(`init_systemd',`
715 + init_ranged_domain($1, $2, $3)
716 + ',`
717 + init_system_domain($1, $2)
718
719 - ifdef(`enable_mcs',`
720 - range_transition initrc_t $2:process $3;
721 - ')
722 + ifdef(`enable_mcs',`
723 + range_transition initrc_t $2:process $3;
724 + ')
725
726 - ifdef(`enable_mls',`
727 - range_transition initrc_t $2:process $3;
728 - mls_rangetrans_target($1)
729 + ifdef(`enable_mls',`
730 + range_transition initrc_t $2:process $3;
731 + mls_rangetrans_target($1)
732 + ')
733 ')
734 ')
735
736 @@ -579,10 +670,11 @@ interface(`init_sigchld',`
737 #
738 interface(`init_stream_connect',`
739 gen_require(`
740 - type init_t;
741 + type init_t, init_var_run_t;
742 ')
743
744 - allow $1 init_t:unix_stream_socket connectto;
745 + stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
746 + files_search_pids($1)
747 ')
748
749 ########################################
750 @@ -664,6 +756,45 @@ interface(`init_dontaudit_use_fds',`
751
752 ########################################
753 ## <summary>
754 +## Send messages to init unix datagram sockets.
755 +## </summary>
756 +## <param name="domain">
757 +## <summary>
758 +## Domain allowed access.
759 +## </summary>
760 +## </param>
761 +## <rolecap/>
762 +#
763 +interface(`init_dgram_send',`
764 + gen_require(`
765 + type init_t, init_var_run_t;
766 + ')
767 +
768 + dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
769 + files_search_pids($1)
770 +')
771 +
772 +########################################
773 +## <summary>
774 +## Allow the specified domain to read/write to
775 +## init with unix domain stream sockets.
776 +## </summary>
777 +## <param name="domain">
778 +## <summary>
779 +## Domain allowed access.
780 +## </summary>
781 +## </param>
782 +#
783 +interface(`init_rw_stream_sockets',`
784 + gen_require(`
785 + type init_t;
786 + ')
787 +
788 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
789 +')
790 +
791 +########################################
792 +## <summary>
793 ## Send UDP network traffic to init. (Deprecated)
794 ## </summary>
795 ## <param name="domain">
796 @@ -678,6 +809,276 @@ interface(`init_udp_send',`
797
798 ########################################
799 ## <summary>
800 +## Get all service status (systemd).
801 +## </summary>
802 +## <param name="domain">
803 +## <summary>
804 +## Domain allowed access.
805 +## </summary>
806 +## </param>
807 +#
808 +interface(`init_get_system_status',`
809 + gen_require(`
810 + type init_t;
811 + ')
812 +
813 + allow $1 init_t:system status;
814 +')
815 +
816 +########################################
817 +## <summary>
818 +## Enable all systemd services (systemd).
819 +## </summary>
820 +## <param name="domain">
821 +## <summary>
822 +## Domain allowed access.
823 +## </summary>
824 +## </param>
825 +#
826 +interface(`init_enable',`
827 + gen_require(`
828 + type init_t;
829 + ')
830 +
831 + allow $1 init_t:system enable;
832 +')
833 +
834 +########################################
835 +## <summary>
836 +## Disable all services (systemd).
837 +## </summary>
838 +## <param name="domain">
839 +## <summary>
840 +## Domain allowed access.
841 +## </summary>
842 +## </param>
843 +#
844 +interface(`init_disable',`
845 + gen_require(`
846 + type init_t;
847 + ')
848 +
849 + allow $1 init_t:system disable;
850 +')
851 +
852 +########################################
853 +## <summary>
854 +## Reload all services (systemd).
855 +## </summary>
856 +## <param name="domain">
857 +## <summary>
858 +## Domain allowed access.
859 +## </summary>
860 +## </param>
861 +#
862 +interface(`init_reload',`
863 + gen_require(`
864 + type init_t;
865 + ')
866 +
867 + allow $1 init_t:system reload;
868 +')
869 +
870 +########################################
871 +## <summary>
872 +## Reboot the system (systemd).
873 +## </summary>
874 +## <param name="domain">
875 +## <summary>
876 +## Domain allowed access.
877 +## </summary>
878 +## </param>
879 +#
880 +interface(`init_reboot_system',`
881 + gen_require(`
882 + type init_t;
883 + ')
884 +
885 + allow $1 init_t:system reboot;
886 +')
887 +
888 +########################################
889 +## <summary>
890 +## Shutdown (halt) the system (systemd).
891 +## </summary>
892 +## <param name="domain">
893 +## <summary>
894 +## Domain allowed access.
895 +## </summary>
896 +## </param>
897 +#
898 +interface(`init_shutdown_system',`
899 + gen_require(`
900 + type init_t;
901 + ')
902 +
903 + allow $1 init_t:system halt;
904 +')
905 +
906 +########################################
907 +## <summary>
908 +## Allow specified domain to get init status
909 +## </summary>
910 +## <param name="domain">
911 +## <summary>
912 +## Domain to allow access.
913 +## </summary>
914 +## </param>
915 +#
916 +interface(`init_service_status',`
917 + gen_require(`
918 + type init_t;
919 + class service status;
920 + ')
921 +
922 + allow $1 init_t:service status;
923 +')
924 +
925 +########################################
926 +## <summary>
927 +## Allow specified domain to get init start
928 +## </summary>
929 +## <param name="domain">
930 +## <summary>
931 +## Domain to allow access.
932 +## </summary>
933 +## </param>
934 +#
935 +interface(`init_service_start',`
936 + gen_require(`
937 + type init_t;
938 + class service start;
939 + ')
940 +
941 + allow $1 init_t:service start;
942 +')
943 +
944 +########################################
945 +## <summary>
946 +## Send and receive messages from
947 +## systemd over dbus.
948 +## </summary>
949 +## <param name="domain">
950 +## <summary>
951 +## Domain allowed access.
952 +## </summary>
953 +## </param>
954 +#
955 +interface(`init_dbus_chat',`
956 + gen_require(`
957 + type initrc_t;
958 + class dbus send_msg;
959 + ')
960 +
961 + allow $1 init_t:dbus send_msg;
962 + allow init_t $1:dbus send_msg;
963 +')
964 +
965 +########################################
966 +## <summary>
967 +## Manage files in /var/lib/systemd/.
968 +## </summary>
969 +## <param name="domain">
970 +## <summary>
971 +## Domain allowed access.
972 +## </summary>
973 +## </param>
974 +## <param name="file_type">
975 +## <summary>
976 +## The type of the object to be created
977 +## </summary>
978 +## </param>
979 +## <param name="object_class">
980 +## <summary>
981 +## The object class.
982 +## </summary>
983 +## </param>
984 +## <param name="name" optional="true">
985 +## <summary>
986 +## The name of the object being created.
987 +## </summary>
988 +## </param>
989 +#
990 +interface(`init_manage_var_lib_files',`
991 + gen_require(`
992 + type init_var_lib_t;
993 + ')
994 +
995 + manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
996 + files_search_var_lib($1)
997 +')
998 +
999 +########################################
1000 +## <summary>
1001 +## Create files in /var/lib/systemd
1002 +## with an automatic type transition.
1003 +## </summary>
1004 +## <param name="domain">
1005 +## <summary>
1006 +## Domain allowed access.
1007 +## </summary>
1008 +## </param>
1009 +## <param name="type">
1010 +## <summary>
1011 +## The type of object to be created
1012 +## </summary>
1013 +## </param>
1014 +## <param name="object_class">
1015 +## <summary>
1016 +## The object class.
1017 +## </summary>
1018 +## </param>
1019 +## <param name="name" optional="true">
1020 +## <summary>
1021 +## The name of the object being created.
1022 +## </summary>
1023 +## </param>
1024 +#
1025 +interface(`init_var_lib_filetrans',`
1026 + gen_require(`
1027 + type init_var_lib_t;
1028 + ')
1029 +
1030 + files_search_var_lib($1)
1031 + filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
1032 +')
1033 +
1034 +########################################
1035 +## <summary>
1036 +## Create files in an init PID directory.
1037 +## </summary>
1038 +## <param name="domain">
1039 +## <summary>
1040 +## Domain allowed access.
1041 +## </summary>
1042 +## </param>
1043 +## <param name="file_type">
1044 +## <summary>
1045 +## The type of the object to be created
1046 +## </summary>
1047 +## </param>
1048 +## <param name="object_class">
1049 +## <summary>
1050 +## The object class.
1051 +## </summary>
1052 +## </param>
1053 +## <param name="name" optional="true">
1054 +## <summary>
1055 +## The name of the object being created.
1056 +## </summary>
1057 +## </param>
1058 +#
1059 +interface(`init_pid_filetrans',`
1060 + gen_require(`
1061 + type init_var_run_t;
1062 + ')
1063 +
1064 + files_search_pids($1)
1065 + filetrans_pattern($1, init_var_run_t, $2, $3, $4)
1066 +')
1067 +
1068 +########################################
1069 +## <summary>
1070 ## Get the attributes of initctl.
1071 ## </summary>
1072 ## <param name="domain">
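Review bot: `init_dbus_chat` requires `type initrc_t;` in its `gen_require` block but its two rules use `init_t` (`allow $1 init_t:dbus send_msg;` and `allow init_t $1:dbus send_msg;`), so the required type is wrong and the one actually used is not declared; the require line should be `type init_t;`. In the same hunk, the doc block of `init_manage_var_lib_files` documents `file_type`, `object_class` and optional `name` parameters that the interface does not take (it only uses `$1`); those three `<param>` entries appear copied from `init_var_lib_filetrans` below it and should be removed. The summaries of `init_service_status` and `init_service_start` ("get init status", "get init start") could also be tightened to "Get the status of the init service" and "Start the init service".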
1073 @@ -1976,3 +2377,180 @@ interface(`init_script_readable_type',`
1074
1075 typeattribute $1 init_script_readable;
1076 ')
1077 +
1078 +######################################
1079 +## <summary>
1080 +## Search systemd unit dirs.
1081 +## </summary>
1082 +## <param name="domain">
1083 +## <summary>
1084 +## Domain allowed access.
1085 +## </summary>
1086 +## </param>
1087 +#
1088 +interface(`init_search_units',`
1089 + gen_require(`
1090 + type init_var_run_t, systemd_unit_t;
1091 + ')
1092 +
1093 + search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
1094 +
1095 + # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
1096 + files_search_etc($1)
1097 + files_search_usr($1)
1098 + libs_search_lib($1)
1099 +
1100 + fs_search_tmpfs($1)
1101 +')
1102 +
1103 +########################################
1104 +## <summary>
1105 +## Get status of generic systemd units.
1106 +## </summary>
1107 +## <param name="domain">
1108 +## <summary>
1109 +## Domain allowed access.
1110 +## </summary>
1111 +## </param>
1112 +#
1113 +interface(`init_get_generic_units_status',`
1114 + gen_require(`
1115 + type systemd_unit_t;
1116 + class service status;
1117 + ')
1118 +
1119 + allow $1 systemd_unit_t:service status;
1120 +')
1121 +
1122 +########################################
1123 +## <summary>
1124 +## Start generic systemd units.
1125 +## </summary>
1126 +## <param name="domain">
1127 +## <summary>
1128 +## Domain allowed access.
1129 +## </summary>
1130 +## </param>
1131 +#
1132 +interface(`init_start_generic_units',`
1133 + gen_require(`
1134 + type systemd_unit_t;
1135 + class service start;
1136 + ')
1137 +
1138 + allow $1 systemd_unit_t:service start;
1139 +')
1140 +
1141 +########################################
1142 +## <summary>
1143 +## Stop generic systemd units.
1144 +## </summary>
1145 +## <param name="domain">
1146 +## <summary>
1147 +## Domain to not audit.
1148 +## </summary>
1149 +## </param>
1150 +#
1151 +interface(`init_stop_generic_units',`
1152 + gen_require(`
1153 + type systemd_unit_t;
1154 + class service stop;
1155 + ')
1156 +
1157 + allow $1 systemd_unit_t:service stop;
1158 +')
1159 +
1160 +#######################################
1161 +## <summary>
1162 +## Reload generic systemd units.
1163 +## </summary>
1164 +## <param name="domain">
1165 +## <summary>
1166 +## Domain allowed access.
1167 +## </summary>
1168 +## </param>
1169 +#
1170 +interface(`init_reload_generic_units',`
1171 + gen_require(`
1172 + type systemd_unit_t;
1173 + class service reload;
1174 + ')
1175 +
1176 + allow $1 systemd_unit_t:service reload;
1177 +')
1178 +
1179 +########################################
1180 +## <summary>
1181 +## Get status of all systemd units.
1182 +## </summary>
1183 +## <param name="domain">
1184 +## <summary>
1185 +## Domain allowed access.
1186 +## </summary>
1187 +## </param>
1188 +#
1189 +interface(`init_get_all_units_status',`
1190 + gen_require(`
1191 + attribute systemdunit;
1192 + class service status;
1193 + ')
1194 +
1195 + allow $1 systemdunit:service status;
1196 +')
1197 +
1198 +########################################
1199 +## <summary>
1200 +## Start all systemd units.
1201 +## </summary>
1202 +## <param name="domain">
1203 +## <summary>
1204 +## Domain allowed access.
1205 +## </summary>
1206 +## </param>
1207 +#
1208 +interface(`init_start_all_units',`
1209 + gen_require(`
1210 + attribute systemdunit;
1211 + class service start;
1212 + ')
1213 +
1214 + allow $1 systemdunit:service start;
1215 +')
1216 +
1217 +########################################
1218 +## <summary>
1219 +## Stop all systemd units.
1220 +## </summary>
1221 +## <param name="domain">
1222 +## <summary>
1223 +## Domain to not audit.
1224 +## </summary>
1225 +## </param>
1226 +#
1227 +interface(`init_stop_all_units',`
1228 + gen_require(`
1229 + attribute systemdunit;
1230 + class service stop;
1231 + ')
1232 +
1233 + allow $1 systemdunit:service stop;
1234 +')
1235 +
1236 +#######################################
1237 +## <summary>
1238 +## Reload all systemd units.
1239 +## </summary>
1240 +## <param name="domain">
1241 +## <summary>
1242 +## Domain allowed access.
1243 +## </summary>
1244 +## </param>
1245 +#
1246 +interface(`init_reload_all_units',`
1247 + gen_require(`
1248 + attribute systemdunit;
1249 + class service reload;
1250 + ')
1251 +
1252 + allow $1 systemdunit:service reload;
1253 +')
1254
1255 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
1256 index 95db0d0..d5d7b10 100644
1257 --- a/policy/modules/system/init.te
1258 +++ b/policy/modules/system/init.te
1259 @@ -19,6 +19,7 @@ gen_tunable(init_upstart, false)
1260 attribute init_script_domain_type;
1261 attribute init_script_file_type;
1262 attribute init_run_all_scripts_domain;
1263 +attribute systemdunit;
1264
1265 # Mark process types as daemons
1266 attribute daemon;
1267 @@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
1268 type initrc_exec_t, init_script_file_type;
1269 domain_type(initrc_t)
1270 domain_entry_file(initrc_t, initrc_exec_t)
1271 +init_named_socket_activation(initrc_t, init_var_run_t)
1272 role system_r types initrc_t;
1273 # should be part of the true block
1274 # of the below init_upstart tunable
1275 @@ -74,6 +76,9 @@ type initrc_devpts_t;
1276 term_pty(initrc_devpts_t)
1277 files_type(initrc_devpts_t)
1278
1279 +type initrc_lock_t;
1280 +files_lock_file(initrc_lock_t)
1281 +
1282 type initrc_state_t;
1283 files_type(initrc_state_t)
1284
1285 @@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t)
1286 type initrc_var_run_t;
1287 files_pid_file(initrc_var_run_t)
1288
1289 +type systemd_unit_t;
1290 +init_unit_file(systemd_unit_t)
1291 +
1292 ifdef(`distro_gentoo',`
1293 type rc_exec_t;
1294 domain_entry_file(initrc_t, rc_exec_t)
1295 @@ -182,6 +190,115 @@ seutil_read_config(init_t)
1296
1297 miscfiles_read_localization(init_t)
1298
1299 +ifdef(`init_systemd',`
1300 + # handle instances where an old labeled init script is encountered.
1301 + typeattribute init_t init_run_all_scripts_domain;
1302 +
1303 + allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
1304 + allow init_t self:capability2 block_suspend;
1305 + allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
1306 + allow init_t self:netlink_route_socket create_netlink_socket_perms;
1307 + allow init_t self:netlink_selinux_socket create_socket_perms;
1308 +
1309 + manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
1310 + manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
1311 + manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
1312 + manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
1313 +
1314 + manage_files_pattern(init_t, systemd_unit_t, systemdunit)
1315 +
1316 + manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
1317 + manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
1318 + allow init_t systemd_unit_t:dir relabel_dir_perms;
1319 +
1320 + kernel_dyntrans_to(init_t)
1321 + kernel_read_network_state(init_t)
1322 + kernel_read_kernel_sysctls(init_t)
1323 + kernel_read_vm_sysctls(init_t)
1324 + kernel_dgram_send(init_t)
1325 + kernel_stream_connect(init_t)
1326 + kernel_getattr_proc(init_t)
1327 + kernel_read_fs_sysctls(init_t)
1328 +
1329 + dev_rw_autofs(init_t)
1330 + dev_create_generic_dirs(init_t)
1331 + dev_relabel_all_dev_nodes(init_t)
1332 + dev_read_urand(init_t)
1333 + dev_write_kmsg(init_t)
1334 +
1335 + domain_read_all_domains_state(init_t)
1336 +
1337 + files_read_all_pids(init_t)
1338 + files_list_usr(init_t)
1339 + files_list_var(init_t)
1340 + files_list_var_lib(init_t)
1341 + files_relabel_all_lock_dirs(init_t)
1342 + files_mounton_root(init_t)
1343 + files_search_pids(init_t)
1344 + files_relabel_all_pids(init_t)
1345 + files_read_all_locks(init_t)
1346 + files_search_kernel_modules(init_t)
1347 + # for privatetmp functions
1348 + files_manage_generic_tmp_dirs(init_t)
1349 + files_mounton_tmp(init_t)
1350 +
1351 + fs_manage_cgroup_dirs(init_t)
1352 + fs_relabel_cgroup_dirs(init_t)
1353 + fs_rw_cgroup_files(init_t)
1354 + fs_list_auto_mountpoints(init_t)
1355 + fs_mount_autofs(init_t)
1356 + fs_manage_hugetlbfs_dirs(init_t)
1357 + fs_getattr_tmpfs(init_t)
1358 + fs_read_tmpfs_files(init_t)
1359 + fs_read_cgroup_files(init_t)
1360 + fs_dontaudit_getattr_xattr_fs(init_t)
1361 + # for privatetmp functions
1362 + fs_relabel_tmpfs_dirs(init_t)
1363 + fs_relabel_tmpfs_files(init_t)
1364 + # mount-setup
1365 + fs_unmount_autofs(init_t)
1366 + fs_getattr_pstore_dirs(init_t)
1367 +
1368 + # systemd_socket_activated policy
1369 + mls_socket_write_all_levels(init_t)
1370 +
1371 + selinux_compute_create_context(init_t)
1372 + selinux_compute_access_vector(init_t)
1373 +
1374 + term_relabel_pty_dirs(init_t)
1375 +
1376 + clock_read_adjtime(init_t)
1377 +
1378 + logging_manage_pid_sockets(init_t)
1379 + logging_send_audit_msgs(init_t)
1380 + logging_relabelto_devlog_sock_files(init_t)
1381 +
1382 + seutil_read_file_contexts(init_t)
1383 +
1384 + systemd_relabelto_kmod_files(init_t)
1385 + systemd_dbus_chat_logind(init_t)
1386 +
1387 + # udevd is a "systemd kobject uevent socket activated daemon"
1388 + udev_create_kobject_uevent_sockets(init_t)
1389 +
1390 + optional_policy(`
1391 + dbus_system_bus_client(init_t)
1392 + dbus_connect_system_bus(init_t)
1393 + ')
1394 +
1395 + optional_policy(`
1396 + modutils_domtrans_insmod(init_t)
1397 + ')
1398 +',`
1399 + tunable_policy(`init_upstart',`
1400 + corecmd_shell_domtrans(init_t, initrc_t)
1401 + ',`
1402 + # Run the shell in the sysadm role for single-user mode.
1403 + # causes problems with upstart
1404 + sysadm_shell_domtrans(init_t)
1405 + ')
1406 +')
1407 +
1408 ifdef(`distro_debian',`
1409 fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
1410
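Review bot: The init_systemd block grants init_t relabel rights over all device nodes (`dev_relabel_all_dev_nodes`), all pid and lock directories (`files_relabel_all_pids`, `files_relabel_all_lock_dirs`), cgroup and pty directories, plus `setfscreate` on its own process, but only the tmpfs/tmp and mount-setup lines carry a purpose comment; these rules decide how much PID 1 may re-label at boot, so each group should state why, e.g. `# mount-setup: relabel /dev, /run and cgroupfs after the early mounts — TODO confirm which systemd code path needs each`. `setfscreate` together with `selinux_compute_create_context` lets init_t choose the label of files it creates, which is presumably what the `manage_files_pattern(init_t, systemd_unit_t, systemdunit)` rule relies on for transient units; that dependency is worth a one-line comment as well. The whole ifdef, including the init_upstart tunable moved into the else branch, lies inside this hunk.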
1411 @@ -201,14 +318,6 @@ ifdef(`distro_redhat',`
1412 fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
1413 ')
1414
1415 -tunable_policy(`init_upstart',`
1416 - corecmd_shell_domtrans(init_t, initrc_t)
1417 -',`
1418 - # Run the shell in the sysadm role for single-user mode.
1419 - # causes problems with upstart
1420 - sysadm_shell_domtrans(init_t)
1421 -')
1422 -
1423 optional_policy(`
1424 auth_rw_login_records(init_t)
1425 ')
1426 @@ -609,6 +718,57 @@ ifdef(`distro_suse',`
1427 ')
1428 ')
1429
1430 +ifdef(`init_systemd',`
1431 + manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
1432 + files_lock_filetrans(initrc_t, initrc_lock_t, file)
1433 +
1434 + manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
1435 +
1436 + manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
1437 + manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
1438 + manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
1439 + files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
1440 +
1441 + create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
1442 +
1443 + manage_files_pattern(initrc_t, systemdunit, systemdunit)
1444 + manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
1445 +
1446 + kernel_dgram_send(initrc_t)
1447 +
1448 + # run systemd misc initializations
1449 + # in the initrc_t domain, as would be
1450 + # done in traditional sysvinit/upstart.
1451 + corecmd_bin_entry_type(initrc_t)
1452 + corecmd_shell_entry_type(initrc_t)
1453 + corecmd_bin_domtrans(init_t, initrc_t)
1454 + corecmd_shell_domtrans(init_t, initrc_t)
1455 +
1456 + files_read_boot_files(initrc_t)
1457 + files_setattr_pid_dirs(initrc_t)
1458 +
1459 + selinux_set_enforce_mode(initrc_t)
1460 +
1461 + init_stream_connect(initrc_t)
1462 + init_manage_var_lib_files(initrc_t)
1463 + init_rw_stream_sockets(initrc_t)
1464 + init_get_all_units_status(initrc_t)
1465 + init_stop_all_units(initrc_t)
1466 +
1467 + # Create /etc/audit.rules.prev after firstboot remediation
1468 + logging_manage_audit_config(initrc_t)
1469 +
1470 + # lvm2-activation-generator checks file labels
1471 + seutil_read_file_contexts(initrc_t)
1472 +
1473 + systemd_start_power_units(initrc_t)
1474 +
1475 + optional_policy(`
1476 + # create /var/lock/lvm/
1477 + lvm_create_lock_dirs(initrc_t)
1478 + ')
1479 +')
1480 +
1481 optional_policy(`
1482 amavis_search_lib(initrc_t)
1483 amavis_setattr_pid_files(initrc_t)
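Review bot: `selinux_set_enforce_mode(initrc_t)` is added without a comment, and the same block makes initrc_t the catch-all domain for every bin_t or shell executable PID 1 runs (`corecmd_bin_domtrans(init_t, initrc_t)`, `corecmd_shell_domtrans(init_t, initrc_t)`), so any unit without a dedicated domain inherits the ability to change enforcement (subject to whatever boolean the interface is gated on, which is not visible here). The neighbouring grants explain themselves (`# Create /etc/audit.rules.prev ...`, `# lvm2-activation-generator checks file labels`); this one should too, e.g. `# TODO(review): which unit needs setenforce from initrc_t? move it to a dedicated domain if possible`. `init_stop_all_units(initrc_t)` deserves the same treatment for the same reason.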
1484
1485 diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
1486 index 0e3c2a9..4305a86 100644
1487 --- a/policy/modules/system/locallogin.if
1488 +++ b/policy/modules/system/locallogin.if
1489 @@ -24,6 +24,27 @@ interface(`locallogin_domtrans',`
1490
1491 ########################################
1492 ## <summary>
1493 +## Allow calling domain to read locallogin state.
1494 +## </summary>
1495 +## <param name="domain">
1496 +## <summary>
1497 +## Domain allowed permission.
1498 +## </summary>
1499 +## </param>
1500 +#
1501 +interface(`locallogin_read_state',`
1502 + gen_require(`
1503 + type local_login_t;
1504 + ')
1505 +
1506 + kernel_search_proc($1)
1507 + allow $1 local_login_t:file read_file_perms;
1508 + allow $1 local_login_t:lnk_file read_lnk_file_perms;
1509 + allow $1 local_login_t:dir list_dir_perms;
1510 +')
1511 +
1512 +########################################
1513 +## <summary>
1514 ## Allow processes to inherit local login file descriptors.
1515 ## </summary>
1516 ## <param name="domain">
1517
1518 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
1519 index 9fa0f5d..6a279f3 100644
1520 --- a/policy/modules/system/logging.if
1521 +++ b/policy/modules/system/logging.if
1522 @@ -553,6 +553,25 @@ interface(`logging_send_syslog_msg',`
1523
1524 ########################################
1525 ## <summary>
1526 +## Allow domain to relabelto devlog sock_files
1527 +## </summary>
1528 +## <param name="domain">
1529 +## <summary>
1530 +## Domain allowed access.
1531 +## </summary>
1532 +## </param>
1533 +## <rolecap/>
1534 +#
1535 +interface(`logging_relabelto_devlog_sock_files',`
1536 + gen_require(`
1537 + type devlog_t;
1538 + ')
1539 +
1540 + allow $1 devlog_t:sock_file relabelto_sock_file_perms;
1541 +')
1542 +
1543 +########################################
1544 +## <summary>
1545 ## Read the auditd configuration files.
1546 ## </summary>
1547 ## <param name="domain">
1548 @@ -631,6 +650,25 @@ interface(`logging_delete_devlog_socket',`
1549
1550 ########################################
1551 ## <summary>
1552 +## Create, read, write, and delete syslog PID sockets.
1553 +## </summary>
1554 +## <param name="domain">
1555 +## <summary>
1556 +## Domain allowed access.
1557 +## </summary>
1558 +## </param>
1559 +#
1560 +interface(`logging_manage_pid_sockets',`
1561 + gen_require(`
1562 + type syslogd_var_run_t;
1563 + ')
1564 +
1565 + manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
1566 + files_search_pids($1)
1567 +')
1568 +
1569 +########################################
1570 +## <summary>
1571 ## Allows the domain to open a file in the
1572 ## log directory, but does not allow the listing
1573 ## of the contents of the log directory.
1574
1575 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
1576 index 86b223c..6561474 100644
1577 --- a/policy/modules/system/lvm.if
1578 +++ b/policy/modules/system/lvm.if
1579 @@ -105,6 +105,26 @@ interface(`lvm_manage_config',`
1580 manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
1581 ')
1582
1583 +########################################
1584 +## <summary>
1585 +## Create lvm_lock_t directories
1586 +## </summary>
1587 +## <param name="domain">
1588 +## <summary>
1589 +## Domain allowed access.
1590 +## </summary>
1591 +## </param>
1592 +## <rolecap/>
1593 +#
1594 +interface(`lvm_create_lock_dirs',`
1595 + gen_require(`
1596 + type lvm_lock_t;
1597 + ')
1598 +
1599 + create_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
1600 + files_add_entry_lock_dirs($1)
1601 +')
1602 +
1603 ######################################
1604 ## <summary>
1605 ## Execute a domain transition to run clvmd.
1606
1607 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
1608 new file mode 100644
1609 index 0000000..864979d
1610 --- /dev/null
1611 +++ b/policy/modules/system/systemd.fc
1612 @@ -0,0 +1,39 @@
1613 +/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
1614 +/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
1615 +/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
1616 +/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
1617 +/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
1618 +/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0)
1619 +/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
1620 +/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
1621 +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
1622 +
1623 +/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
1624 +/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
1625 +/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
1626 +/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
1627 +/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
1628 +/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
1629 +/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
1630 +/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
1631 +/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
1632 +
1633 +# Systemd unit files
1634 +/usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0)
1635 +/usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0)
1636 +/usr/lib/systemd/system/[^/]*power.* -- gen_context(system_u:object_r:power_unit_t,s0)
1637 +/usr/lib/systemd/system/[^/]*reboot.* -- gen_context(system_u:object_r:power_unit_t,s0)
1638 +/usr/lib/systemd/system/[^/]*shutdown.* -- gen_context(system_u:object_r:power_unit_t,s0)
1639 +/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0)
1640 +/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
1641 +
1642 +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
1643 +
1644 +/var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
1645 +/var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
1646 +
1647 +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1648 +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1649 +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1650 +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
1651 +/var/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
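Review bot: The unit-file patterns end in `.*`, which in file_contexts also matches across `/`, so a regular file under e.g. a `sleep.target.wants/` directory, or any unit whose name merely contains `power`, would be labelled power_unit_t; ending them in `[^/]*` (`/usr/lib/systemd/system/[^/]*sleep[^/]*`) keeps the match to one unit name. The last line needs its dot escaped (`/var/run/tmpfiles\.d/kmod\.conf`) to be consistent with the `tmpfiles\.d` before it. These patterns only cover /usr/lib/systemd/system; whether the /etc/systemd/system and /run/systemd locations that init_search_units lists also get power_unit_t (init.fc is changed by this commit but not in this view) should be checked, since an override copy of a unit there would presumably take precedence at runtime.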
1652
1653 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
1654 new file mode 100644
1655 index 0000000..8bca3a3
1656 --- /dev/null
1657 +++ b/policy/modules/system/systemd.if
1658 @@ -0,0 +1,195 @@
1659 +## <summary>Systemd components (not PID 1)</summary>
1660 +
1661 +######################################
1662 +## <summary>
1663 +## Read systemd_login PID files.
1664 +## </summary>
1665 +## <param name="domain">
1666 +## <summary>
1667 +## Domain allowed access.
1668 +## </summary>
1669 +## </param>
1670 +#
1671 +interface(`systemd_read_logind_pids',`
1672 + gen_require(`
1673 + type systemd_logind_var_run_t;
1674 + ')
1675 +
1676 + files_search_pids($1)
1677 + read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
1678 +')
1679 +
1680 +######################################
1681 +## <summary>
1682 +## Manage systemd_login PID pipes.
1683 +## </summary>
1684 +## <param name="domain">
1685 +## <summary>
1686 +## Domain allowed access.
1687 +## </summary>
1688 +## </param>
1689 +#
1690 +interface(`systemd_manage_logind_pid_pipes',`
1691 + gen_require(`
1692 + type systemd_logind_var_run_t;
1693 + ')
1694 +
1695 + files_search_pids($1)
1696 + manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
1697 +')
1698 +
1699 +######################################
1700 +## <summary>
1701 +## Use inherited systemd
1702 +## logind file descriptors.
1703 +## </summary>
1704 +## <param name="domain">
1705 +## <summary>
1706 +## Domain allowed access.
1707 +## </summary>
1708 +## </param>
1709 +#
1710 +interface(`systemd_use_logind_fds',`
1711 + gen_require(`
1712 + type systemd_logind_t;
1713 + ')
1714 +
1715 + allow $1 systemd_logind_t:fd use;
1716 +')
1717 +
1718 +########################################
1719 +## <summary>
1720 +## Send and receive messages from
1721 +## systemd logind over dbus.
1722 +## </summary>
1723 +## <param name="domain">
1724 +## <summary>
1725 +## Domain allowed access.
1726 +## </summary>
1727 +## </param>
1728 +#
1729 +interface(`systemd_dbus_chat_logind',`
1730 + gen_require(`
1731 + type systemd_logind_t;
1732 + class dbus send_msg;
1733 + ')
1734 +
1735 + allow $1 systemd_logind_t:dbus send_msg;
1736 + allow systemd_logind_t $1:dbus send_msg;
1737 +')
1738 +
1739 +########################################
1740 +## <summary>
1741 +## Allow process to write to systemd_kmod_conf_t.
1742 +## </summary>
1743 +## <param name="domain">
1744 +## <summary>
1745 +## Domain allowed access.
1746 +## </summary>
1747 +## </param>
1748 +## <rolecap/>
1749 +#
1750 +interface(`systemd_write_kmod_files',`
1751 + gen_require(`
1752 + type systemd_kmod_conf_t;
1753 + ')
1754 +
1755 + write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
1756 +')
1757 +
1758 +########################################
1759 +## <summary>
1760 +## Allow process to relabel to systemd_kmod_conf_t.
1761 +## </summary>
1762 +## <param name="domain">
1763 +## <summary>
1764 +## Domain allowed access.
1765 +## </summary>
1766 +## </param>
1767 +## <rolecap/>
1768 +#
1769 +interface(`systemd_relabelto_kmod_files',`
1770 + gen_require(`
1771 + type systemd_kmod_conf_t;
1772 + ')
1773 +
1774 + allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
1775 +')
1776 +
1777 +########################################
1778 +## <summary>
1779 +## Read systemd homedir content
1780 +## </summary>
1781 +## <param name="domain">
1782 +## <summary>
1783 +## Domain allowed access.
1784 +## </summary>
1785 +## </param>
1786 +#
1787 +interface(`systemd_read_home_content',`
1788 + gen_require(`
1789 + type systemd_home_t;
1790 + ')
1791 +
1792 + optional_policy(`
1793 + gnome_search_gconf_data_dir($1)
1794 + ')
1795 + read_files_pattern($1, systemd_home_t, systemd_home_t)
1796 + read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
1797 +')
1798 +
1799 +########################################
1800 +## <summary>
1801 +## Get the system status information from systemd_login
1802 +## </summary>
1803 +## <param name="domain">
1804 +## <summary>
1805 +## Domain allowed access.
1806 +## </summary>
1807 +## </param>
1808 +#
1809 +interface(`systemd_status_logind',`
1810 + gen_require(`
1811 + type systemd_logind_t;
1812 + class service status;
1813 + ')
1814 +
1815 + allow $1 systemd_logind_t:service status;
1816 +')
1817 +
1818 +########################################
1819 +## <summary>
1820 +## Send systemd_login a null signal.
1821 +## </summary>
1822 +## <param name="domain">
1823 +## <summary>
1824 +## Domain allowed access.
1825 +## </summary>
1826 +## </param>
1827 +#
1828 +interface(`systemd_signull_logind',`
1829 + gen_require(`
1830 + type systemd_logind_t;
1831 + ')
1832 +
1833 + allow $1 systemd_logind_t:process signull;
1834 +')
1835 +
1836 +########################################
1837 +## <summary>
1838 +## Allow specified domain to start power units
1839 +## </summary>
1840 +## <param name="domain">
1841 +## <summary>
1842 +## Domain to not audit.
1843 +## </summary>
1844 +## </param>
1845 +#
1846 +interface(`systemd_start_power_units',`
1847 + gen_require(`
1848 + type power_unit_t;
1849 + class service start;
1850 + ')
1851 +
1852 + allow $1 power_unit_t:service start;
1853 +')
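Review bot: `systemd_write_kmod_files` references `var_run_t` in its write_files_pattern but only requires systemd_kmod_conf_t, so a module calling it will fail to build on an undeclared type; either add `type var_run_t;` to the gen_require or, matching the rest of this file, write it as `files_search_pids($1)` followed by `allow $1 systemd_kmod_conf_t:file write_file_perms;`. `systemd_read_home_content` requires systemd_home_t, which systemd.te in this commit never declares and systemd.fc never labels, so as far as this commit shows any caller would fail at link time; drop the interface or add the type. The `domain` summary of systemd_start_power_units reads `Domain to not audit.` where it should be `Domain allowed access.` (the same copy-paste appears on init_stop_generic_units and init_stop_all_units in init.if).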
1854
1855 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
1856 new file mode 100644
1857 index 0000000..597d4aa
1858 --- /dev/null
1859 +++ b/policy/modules/system/systemd.te
1860 @@ -0,0 +1,264 @@
1861 +policy_module(systemd, 1.0.0)
1862 +
1863 +#########################################
1864 +#
1865 +# Declarations
1866 +#
1867 +
1868 +## <desc>
1869 +## <p>
1870 +## Enable support for systemd-tmpfiles to manage all non-security files.
1871 +## </p>
1872 +## </desc>
1873 +gen_tunable(systemd_tmpfiles_manage_all, false)
1874 +
1875 +type systemd_activate_t;
1876 +type systemd_activate_exec_t;
1877 +init_system_domain(systemd_activate_t, systemd_activate_exec_t)
1878 +
1879 +type systemd_analyze_t;
1880 +type systemd_analyze_exec_t;
1881 +init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
1882 +
1883 +type systemd_backlight_t;
1884 +type systemd_backlight_exec_t;
1885 +init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
1886 +
1887 +type systemd_binfmt_t;
1888 +type systemd_binfmt_exec_t;
1889 +init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
1890 +
1891 +type systemd_cgroups_t;
1892 +type systemd_cgroups_exec_t;
1893 +domain_type(systemd_cgroups_t)
1894 +domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
1895 +role system_r types systemd_cgroups_t;
1896 +
1897 +type systemd_cgroups_var_run_t;
1898 +files_pid_file(systemd_cgroups_var_run_t)
1899 +init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
1900 +
1901 +type systemd_cgtop_t;
1902 +type systemd_cgtop_exec_t;
1903 +init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
1904 +
1905 +type systemd_coredump_t;
1906 +type systemd_coredump_exec_t;
1907 +init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
1908 +
1909 +type systemd_detect_virt_t;
1910 +type systemd_detect_virt_exec_t;
1911 +init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
1912 +
1913 +type systemd_hostnamed_t;
1914 +type systemd_hostnamed_exec_t;
1915 +init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
1916 +
1917 +type systemd_locale_t;
1918 +type systemd_locale_exec_t;
1919 +init_system_domain(systemd_locale_t, systemd_locale_exec_t)
1920 +
1921 +type systemd_logind_t;
1922 +type systemd_logind_exec_t;
1923 +init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
1924 +init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
1925 +
1926 +type systemd_logind_var_lib_t;
1927 +files_type(systemd_logind_var_lib_t)
1928 +
1929 +type systemd_logind_var_run_t;
1930 +files_pid_file(systemd_logind_var_run_t)
1931 +init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
1932 +
1933 +type systemd_machined_t;
1934 +type systemd_machined_exec_t;
1935 +init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
1936 +
1937 +type systemd_nspawn_t;
1938 +type systemd_nspawn_exec_t;
1939 +init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
1940 +
1941 +type systemd_run_t;
1942 +type systemd_run_exec_t;
1943 +init_daemon_domain(systemd_run_t, systemd_run_exec_t)
1944 +
1945 +type systemd_stdio_bridge_t;
1946 +type systemd_stdio_bridge_exec_t;
1947 +init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
1948 +
1949 +type systemd_passwd_agent_t;
1950 +type systemd_passwd_agent_exec_t;
1951 +init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
1952 +
1953 +type systemd_sessions_t;
1954 +type systemd_sessions_exec_t;
1955 +init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
1956 +
1957 +type systemd_sessions_var_run_t;
1958 +files_pid_file(systemd_sessions_var_run_t)
1959 +init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
1960 +
1961 +type systemd_tmpfiles_t;
1962 +type systemd_tmpfiles_exec_t;
1963 +type systemd_kmod_conf_t;
1964 +files_config_file(systemd_kmod_conf_t)
1965 +init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
1966 +
1967 +#
1968 +# Unit file types
1969 +#
1970 +
1971 +type power_unit_t;
1972 +init_unit_file(power_unit_t)
1973 +
1974 +######################################
1975 +#
1976 +# Cgroups local policy
1977 +#
1978 +
1979 +kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
1980 +
1981 +init_stream_connect(systemd_cgroups_t)
1982 +
1983 +logging_send_syslog_msg(systemd_cgroups_t)
1984 +
1985 +kernel_dgram_send(systemd_cgroups_t)
1986 +
1987 +#######################################
1988 +#
1989 +# locale local policy
1990 +#
1991 +
1992 +files_read_etc_files(systemd_locale_t)
1993 +
1994 +logging_send_syslog_msg(systemd_locale_t)
1995 +
1996 +seutil_read_file_contexts(systemd_locale_t)
1997 +
1998 +optional_policy(`
1999 + dbus_connect_system_bus(systemd_locale_t)
2000 + dbus_system_bus_client(systemd_locale_t)
2001 +')
2002 +
2003 +#######################################
2004 +#
2005 +# Hostnamed policy
2006 +#
2007 +
2008 +files_read_etc_files(systemd_hostnamed_t)
2009 +
2010 +logging_send_syslog_msg(systemd_hostnamed_t)
2011 +
2012 +seutil_read_file_contexts(systemd_hostnamed_t)
2013 +
2014 +optional_policy(`
2015 + dbus_system_bus_client(systemd_hostnamed_t)
2016 + dbus_connect_system_bus(systemd_hostnamed_t)
2017 +')
2018 +
2019 +#########################################
2020 +#
2021 +# Logind local policy
2022 +#
2023 +
2024 +allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
2025 +allow systemd_logind_t self:process getcap;
2026 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
2027 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
2028 +allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
2029 +
2030 +allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
2031 +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
2032 +
2033 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
2034 +manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
2035 +files_search_pids(systemd_logind_t)
2036 +
2037 +auth_manage_faillog(systemd_logind_t)
2038 +
2039 +dev_rw_sysfs(systemd_logind_t)
2040 +dev_rw_input_dev(systemd_logind_t)
2041 +dev_getattr_dri_dev(systemd_logind_t)
2042 +dev_setattr_dri_dev(systemd_logind_t)
2043 +dev_getattr_sound_dev(systemd_logind_t)
2044 +dev_setattr_sound_dev(systemd_logind_t)
2045 +
2046 +files_read_etc_files(systemd_logind_t)
2047 +
2048 +fs_getattr_tmpfs(systemd_logind_t)
2049 +
2050 +storage_getattr_removable_dev(systemd_logind_t)
2051 +storage_setattr_removable_dev(systemd_logind_t)
2052 +storage_getattr_scsi_generic_dev(systemd_logind_t)
2053 +storage_setattr_scsi_generic_dev(systemd_logind_t)
2054 +
2055 +term_use_unallocated_ttys(systemd_logind_t)
2056 +
2057 +init_get_all_units_status(systemd_logind_t)
2058 +init_start_all_units(systemd_logind_t)
2059 +init_stop_all_units(systemd_logind_t)
2060 +init_service_status(systemd_logind_t)
2061 +init_service_start(systemd_logind_t)
2062 +# This is for reading /proc/1/cgroup
2063 +init_read_state(systemd_logind_t)
2064 +
2065 +locallogin_read_state(systemd_logind_t)
2066 +
2067 +logging_send_syslog_msg(systemd_logind_t)
2068 +
2069 +systemd_start_power_units(systemd_logind_t)
2070 +
2071 +udev_read_db(systemd_logind_t)
2072 +udev_read_pid_files(systemd_logind_t)
2073 +
2074 +userdom_use_user_ttys(systemd_logind_t)
2075 +
2076 +optional_policy(`
2077 + dbus_system_bus_client(systemd_logind_t)
2078 + dbus_connect_system_bus(systemd_logind_t)
2079 +')
2080 +
2081 +#########################################
2082 +#
2083 +# Sessions local policy
2084 +#
2085 +
2086 +allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
2087 +files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
2088 +
2089 +logging_send_syslog_msg(systemd_sessions_t)
2090 +
2091 +#########################################
2092 +#
2093 +# Tmpfiles local policy
2094 +#
2095 +
2096 +allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod };
2097 +allow systemd_tmpfiles_t self:process { setfscreate getcap };
2098 +
2099 +dev_relabel_all_sysfs(systemd_tmpfiles_t)
2100 +dev_read_urand(systemd_tmpfiles_t)
2101 +dev_manage_all_dev_nodes(systemd_tmpfiles_t)
2102 +
2103 +files_read_etc_files(systemd_tmpfiles_t)
2104 +files_relabel_all_lock_dirs(systemd_tmpfiles_t)
2105 +files_relabel_all_pid_dirs(systemd_tmpfiles_t)
2106 +files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
2107 +
2108 +auth_manage_var_auth(systemd_tmpfiles_t)
2109 +auth_manage_login_records(systemd_tmpfiles_t)
2110 +auth_relabel_login_records(systemd_tmpfiles_t)
2111 +auth_setattr_login_records(systemd_tmpfiles_t)
2112 +
2113 +logging_send_syslog_msg(systemd_tmpfiles_t)
2114 +
2115 +seutil_read_file_contexts(systemd_tmpfiles_t)
2116 +
2117 +tunable_policy(`systemd_tmpfiles_manage_all',`
2118 + # systemd-tmpfiles can be configured to manage anything.
2119 + # have a last-resort option for users to do this.
2120 + files_manage_non_security_dirs(systemd_tmpfiles_t)
2121 + files_manage_non_security_files(systemd_tmpfiles_t)
2122 + files_relabel_non_security_dirs(systemd_tmpfiles_t)
2123 + files_relabel_non_security_files(systemd_tmpfiles_t)
2124 +')
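Review bot: Twelve of the domains declared here (systemd_activate_t, systemd_analyze_t, systemd_backlight_t, systemd_binfmt_t, systemd_cgtop_t, systemd_coredump_t, systemd_detect_virt_t, systemd_machined_t, systemd_nspawn_t, systemd_run_t, systemd_stdio_bridge_t, systemd_passwd_agent_t) have an entry point but no local policy section, so in enforcing mode those programs get only whatever the init_*_domain interfaces grant and will be denied nearly everything; a comment above the declarations such as `# NOTE: the domains below only give their executables private types; local policy is still to be written` would stop the next maintainer from reading this file as complete. systemd_coredump_t in particular is presumably started by the kernel, as systemd_cgroups_t is (which gets `kernel_domtrans_to` in its section), and without an equivalent rule it would not transition at all — worth confirming. Separately, systemd_tmpfiles_t's `dev_manage_all_dev_nodes` and `files_relabel_all_*` grants are unconditional while the manage-all tunable defaults to off; a why-comment on the unconditional ones would make the intended trust boundary explicit.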
2125
2126 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
2127 index 06175a7..d4c92cc 100644
2128 --- a/policy/modules/system/udev.if
2129 +++ b/policy/modules/system/udev.if
2130 @@ -92,6 +92,25 @@ interface(`udev_read_state',`
2131 allow $1 udev_t:lnk_file read_lnk_file_perms;
2132 ')
2133
2134 +
2135 +########################################
2136 +## <summary>
2137 +## Allow domain to create uevent sockets.
2138 +## </summary>
2139 +## <param name="domain">
2140 +## <summary>
2141 +## Domain allowed access.
2142 +## </summary>
2143 +## </param>
2144 +#
2145 +interface(`udev_create_kobject_uevent_sockets',`
2146 + gen_require(`
2147 + type udev_t;
2148 + ')
2149 +
2150 + allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
2151 +')
2152 +
2153 ########################################
2154 ## <summary>
2155 ## Do not audit attempts to inherit a
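Review bot: The summary `Allow domain to create uevent sockets.` undersells the rule: it lets the caller create a netlink_kobject_uevent_socket labelled udev_t rather than its own type, which presumably only works when the caller also holds process `setsockcreate` (init_t gets that in init.te in this commit, with the comment that udevd is socket activated). Suggest `## Create netlink kobject uevent sockets labelled udev_t, e.g. to socket-activate udevd; the caller also needs process setsockcreate.` The hunk also introduces a second blank line before the interface's separator, unlike the rest of the file.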