
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/kernel/, ...
Date: Mon, 07 Feb 2022 02:15:02
Message-Id: 1644199717.006bc33c0ddb00e9f9c628a4ea17fe029a51964f.perfinion@gentoo
1 commit: 006bc33c0ddb00e9f9c628a4ea17fe029a51964f
2 Author: Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
3 AuthorDate: Mon Jan 3 20:12:14 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 7 02:08:37 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=006bc33c
7
8 systemd: Add systemd-homed and systemd-userdbd.
9
10 Systemd-homed does not completely work since the code does not label
11 the filesystems it creates.
12
13 systemd-userdbd partially derived from the Fedora policy.
14
15 Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
16 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
17
18 policy/modules/kernel/files.if | 18 ++++
19 policy/modules/services/mta.if | 1 +
20 policy/modules/services/ssh.if | 1 +
21 policy/modules/system/fstools.if | 1 +
22 policy/modules/system/init.if | 18 ++++
23 policy/modules/system/init.te | 1 +
24 policy/modules/system/lvm.te | 4 +
25 policy/modules/system/systemd.fc | 9 +-
26 policy/modules/system/systemd.if | 38 +++++--
27 policy/modules/system/systemd.te | 194 +++++++++++++++++++++++++++++++++++-
28 policy/modules/system/userdomain.if | 4 +
29 policy/support/misc_patterns.spt | 28 ++++++
30 12 files changed, 304 insertions(+), 13 deletions(-)
31
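--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3851,6 +3851,24 @@ interface(`files_relabelfrom_home',`
 allow $1 home_root_t:dir relabelfrom;
 ')
 
+########################################
+## <summary>
+## Watch the user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ## Create objects in /home.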
61
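--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -820,6 +820,7 @@ interface(`mta_list_spool',`
 ')
 
 allow $1 mail_spool_t:dir list_dir_perms;
+ files_search_spool($1)
 ')
 
 #######################################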
74
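--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -277,6 +277,7 @@ template(`ssh_server_template', `
 
 optional_policy(`
 systemd_read_logind_sessions_files($1_t)
+ systemd_stream_connect_userdb($1_t)
 ')
 ')
 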
87
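--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -61,6 +61,7 @@ interface(`fstools_exec',`
 ')
 
 can_exec($1, fsadm_exec_t)
+ corecmd_search_bin($1)
 ')
 
 ########################################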
100
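--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1114,6 +1114,24 @@ interface(`init_rw_stream_sockets',`
 allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
+########################################
+## <summary>
+## Do not audit attempts to search init keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_search_keys',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:key search;
+')
+
 ########################################
 ## <summary>
 ## start service (systemd).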
130
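--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -514,6 +514,7 @@ ifdef(`init_systemd',`
 systemd_filetrans_userdb_runtime_dirs(init_t)
 systemd_relabelto_journal_dirs(init_t)
 systemd_relabelto_journal_files(init_t)
+ systemd_stream_connect_userdb(init_t)
 
 term_create_devpts_dirs(init_t)
 term_create_ptmx(init_t)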
143
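--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -251,6 +251,10 @@ optional_policy(`
 rpm_manage_script_tmp_files(lvm_t)
 ')
 
+optional_policy(`
+ systemd_rw_homework_semaphores(lvm_t)
+')
+
 optional_policy(`
 udev_read_runtime_files(lvm_t)
 ')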
159
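--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -31,6 +31,8 @@
 /usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
 /usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
 /usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-homed -- gen_context(system_u:object_r:systemd_homed_exec_t,s0)
+/usr/lib/systemd/systemd-homework -- gen_context(system_u:object_r:systemd_homework_exec_t,s0)
 /usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
 /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
@@ -45,6 +47,8 @@
 /usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-runtime-dir -- gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-userdbd -- gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)
+/usr/lib/systemd/systemd-userwork -- gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)
 
 # Systemd unit files
 HOME_DIR/\.config/systemd(/.*)? gen_context(system_u:object_r:systemd_conf_home_t,s0)
@@ -64,6 +68,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service -- gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-userdbd\.(service|socket) -- gen_context(system_u:object_r:systemd_userdbd_unit_t,s0)
 /usr/lib/systemd/system/user@\.service -- gen_context(system_u:object_r:systemd_user_manager_unit_t,s0)
 
 /usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_factory_conf_t,s0)
@@ -72,6 +77,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
+/var/lib/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 /var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@@ -89,11 +95,12 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 
 /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+/run/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
-/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
+/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)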
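Review bot: No file context is added for the objects that systemd.te labels only through runtime transitions: the files `files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)` creates in the home root, and the `/run/systemd/user-home-mount` directory named in the systemd-homework comment, so a `restorecon` of /home or /run would reset both to their parent's type and the homed/homework rules written against `systemd_homed_storage_t` and `systemd_homed_runtime_t` would stop matching. If the image naming is stable, an entry along the lines of `HOME_ROOT/[^/]+\.home -- gen_context(system_u:object_r:systemd_homed_storage_t,s0)` (pattern to be confirmed against what systemd-homework actually creates) and a `/run/systemd/user-home-mount(/.*)?` entry would close the gap. Labeling `/usr/lib/systemd/systemd-userwork` with `systemd_userdbd_exec_t` rather than its own type is intentional only if the worker is meant to stay in `systemd_userdbd_t`; a short comment on that line, e.g. `# systemd-userwork runs in systemd_userdbd_t (no transition)`, would record that decision.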
212
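--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -863,6 +863,24 @@ interface(`systemd_PrivateDevices',`
 fs_read_tmpfs_symlinks($1)
 ')
 
+######################################
+## <summary>
+## Read and write systemd-homework semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_rw_homework_semaphores',`
+ gen_require(`
+ type systemd_homework_t;
+ ')
+
+ allow $1 systemd_homework_t:sem rw_sem_perms;
+')
+
 #######################################
 ## <summary>
 ## Allow domain to read udev hwdb file
@@ -1191,10 +1209,10 @@ interface(`systemd_signull_logind',`
 #
 interface(`systemd_manage_userdb_runtime_dirs', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_runtime_t;
 ')
 
- manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+ manage_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')
 
 ########################################
@@ -1209,10 +1227,10 @@ interface(`systemd_manage_userdb_runtime_dirs', `
 #
 interface(`systemd_manage_userdb_runtime_sock_files', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_runtime_t;
 ')
 
- manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+ manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')
 
 ########################################
@@ -1227,12 +1245,12 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
 #
 interface(`systemd_stream_connect_userdb', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_t, systemd_userdbd_runtime_t;
 ')
 
 init_search_runtime($1)
- allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
- allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+ allow $1 systemd_userdbd_runtime_t:dir list_dir_perms;
+ stream_connect_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
 init_unix_stream_socket_connectto($1)
 ')
 
@@ -1404,7 +1422,7 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 
 ########################################
 ## <summary>
-## Transition to systemd_userdb_runtime_t when
+## Transition to systemd_userdbd_runtime_t when
 ## creating the userdb directory inside an init runtime
 ## directory.
 ## </summary>
@@ -1416,10 +1434,10 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 #
 interface(`systemd_filetrans_userdb_runtime_dirs', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_runtime_t;
 ')
 
- init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+ init_runtime_filetrans($1, systemd_userdbd_runtime_t, dir, "userdb")
 ')
 
 ######################################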
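Review bot: The `systemd_rw_homework_semaphores` block is formatted differently from the other interfaces this commit adds: its rule is `######################################` (shorter than the 40-column rule used for `files_watch_home` and `init_dontaudit_search_keys`) and the parameter summary `Domain allowed access` lacks the trailing period those two use. Since the interface reference is generated from these XML comments, aligning both before merge keeps the rendered docs uniform. The `systemd_stream_connect_userdb` hunk now also requires `systemd_userdbd_t`, which is only satisfiable once the type exists; that is fine inside this module, but a one-line note in the interface description that the daemon must be installed for the connect to resolve would help callers in other modules read the new dependency.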
306
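--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -115,6 +115,28 @@ typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_gene
 typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t systemd_gpt_generator_exec_t };
 init_system_domain(systemd_generator_t, systemd_generator_exec_t)
 
+type systemd_homed_t;
+type systemd_homed_exec_t;
+init_daemon_domain(systemd_homed_t, systemd_homed_exec_t)
+
+type systemd_homework_t;
+type systemd_homework_exec_t;
+domain_type(systemd_homework_t)
+domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
+role system_r types systemd_homework_t;
+
+type systemd_homed_runtime_t;
+files_runtime_file(systemd_homed_runtime_t)
+
+type systemd_homed_storage_t;
+files_type(systemd_homed_storage_t)
+
+type systemd_homed_tmpfs_t;
+files_tmpfs_file(systemd_homed_tmpfs_t)
+
+type systemd_homed_var_lib_t;
+files_type(systemd_homed_var_lib_t)
+
 type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
@@ -301,8 +323,15 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
 type systemd_user_tmpfs_t;
 userdom_user_tmpfs_file(systemd_user_tmpfs_t)
 
-type systemd_userdb_runtime_t;
-files_runtime_file(systemd_userdb_runtime_t)
+type systemd_userdbd_t;
+type systemd_userdbd_exec_t;
+init_daemon_domain(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+type systemd_userdbd_runtime_t alias systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdbd_runtime_t)
+
+type systemd_userdbd_unit_t;
+init_unit_file(systemd_userdbd_unit_t)
 
 type systemd_user_unit_t;
 init_unit_file(systemd_user_unit_t)
@@ -473,6 +502,8 @@ kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
 kernel_dontaudit_getattr_proc(systemd_generator_t)
+# Where an unlabeled mountpoint is encounted:
+kernel_dontaudit_search_unlabeled(systemd_generator_t)
 
 storage_raw_read_fixed_disk(systemd_generator_t)
 
@@ -497,6 +528,125 @@ optional_policy(`
 miscfiles_read_localization(systemd_generator_t)
 ')
 
+#######################################
+#
+# systemd-homed policy
+#
+
+dontaudit systemd_homed_t self:capability { sys_resource sys_admin };
+allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+nnp_domtrans_pattern(systemd_homed_t, systemd_homework_exec_t, systemd_homework_t)
+
+allow systemd_homed_t systemd_homed_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file)
+
+manage_sock_files_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t)
+manage_dirs_pattern(systemd_homed_t, systemd_homed_runtime_t, systemd_homed_runtime_t)
+filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t, sock_file)
+init_runtime_filetrans(systemd_homed_t, systemd_homed_runtime_t, dir)
+
+allow systemd_homed_t systemd_homed_storage_t:file read_file_perms;
+
+allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
+allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
+init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
+
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homed_t)
+
+files_list_home(systemd_homed_t)
+files_watch_home(systemd_homed_t)
+files_read_etc_files(systemd_homed_t)
+files_search_tmp(systemd_homed_t)
+
+fs_get_xattr_fs_quotas(systemd_homed_t)
+fs_getattr_all_fs(systemd_homed_t)
+
+kernel_read_kernel_sysctls(systemd_homed_t)
+kernel_read_crypto_sysctls(systemd_homed_t)
+kernel_read_system_state(systemd_homed_t)
+
+systemd_log_parse_environment(systemd_homed_t)
+
+udev_read_runtime_files(systemd_homed_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_homed_t)
+ dbus_connect_system_bus(systemd_homed_t)
+
+ init_dbus_chat(systemd_homed_t)
+')
+
+optional_policy(`
+ mta_list_spool(systemd_homed_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(systemd_homed_t)
+')
+
+#######################################
+#
+# systemd-homework policy
+#
+
+allow systemd_homework_t self:capability { chown fowner fsetid sys_admin };
+dontaudit systemd_homework_t self:capability sys_resource;
+allow systemd_homework_t self:key { search write };
+allow systemd_homework_t self:process getsched;
+allow systemd_homework_t self:sem create_sem_perms;
+
+allow systemd_homework_t systemd_homed_runtime_t:file manage_file_perms;
+allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
+files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
+init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
+
+# mount on /run/systemd/user-home-mount
+allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
+
+allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
+files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
+
+allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
+
+dev_rw_loop_control(systemd_homework_t)
+dev_read_rand(systemd_homework_t)
+dev_read_urand(systemd_homework_t)
+dev_rw_lvm_control(systemd_homework_t)
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homework_t)
+
+files_read_etc_files(systemd_homework_t)
+files_mounton_runtime_dirs(systemd_homework_t)
+
+fs_getattr_all_fs(systemd_homework_t)
+fs_search_all(systemd_homework_t)
+fs_mount_xattr_fs(systemd_homework_t)
+fs_unmount_xattr_fs(systemd_homework_t)
+
+fstools_exec(systemd_homework_t)
+
+init_rw_inherited_stream_socket(systemd_homework_t)
+init_use_fds(systemd_homework_t)
+init_dontaudit_search_keys(systemd_homework_t)
+
+kernel_write_key(systemd_homework_t)
+kernel_get_sysvipc_info(systemd_homework_t)
+kernel_request_load_module(systemd_homework_t)
+
+kernel_read_kernel_sysctls(systemd_homework_t)
+kernel_read_crypto_sysctls(systemd_homework_t)
+kernel_read_system_state(systemd_homework_t)
+
+# loopback:
+storage_raw_read_fixed_disk(systemd_homework_t)
+storage_raw_write_fixed_disk(systemd_homework_t)
+
+systemd_log_parse_environment(systemd_homework_t)
+
+udev_read_runtime_files(systemd_homework_t)
+
 #######################################
 #
 # Hostnamed policy
@@ -630,6 +780,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
 
+stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
+
 kernel_dontaudit_getattr_proc(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)
 
@@ -814,6 +966,8 @@ allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perm
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
 
+manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
@@ -1605,6 +1759,42 @@ udev_list_runtime(systemd_user_session_type)
 
 seutil_libselinux_linked(systemd_user_session_type)
 
+########################################
+#
+# systemd-userdbd local policy
+#
+
+allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:process signal;
+
+stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)
+
+manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+init_runtime_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir)
+
+can_exec(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+auth_read_shadow(systemd_userdbd_t)
+auth_use_nsswitch(systemd_userdbd_t)
+
+dev_read_urand(systemd_userdbd_t)
+
+files_read_etc_files(systemd_userdbd_t)
+files_read_etc_runtime_files(systemd_userdbd_t)
+files_read_usr_files(systemd_userdbd_t)
+
+fs_read_efivarfs_files(systemd_userdbd_t)
+
+init_stream_connect(systemd_userdbd_t)
+init_search_runtime(systemd_userdbd_t)
+init_read_state(systemd_userdbd_t)
+
+kernel_read_kernel_sysctls(systemd_userdbd_t)
+
+systemd_log_parse_environment(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy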
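Review bot: The new `init_runtime_filetrans(systemd_homed_t, systemd_homed_runtime_t, dir)`, `init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)` and `init_runtime_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir)` carry no name argument, so every directory these domains create under the init runtime directory takes the new type, whereas the userdb transition this same commit keeps in systemd.if is pinned to `"userdb"`; passing `"home"` and `"userdb"` here, plus a name for the homework mount point, would keep the transitions aligned with the systemd.fc entries. The `# mount on /run/systemd/user-home-mount` rule is the only place that path appears and systemd.fc adds no context for it, so after a relabel the directory would presumably revert to the generic init runtime type and the `mounton` rule would stop matching — worth confirming. `auth_read_shadow(systemd_userdbd_t)` together with `dac_read_search` makes userdbd a shadow reader that every caller of `systemd_stream_connect_userdb` can reach over its socket (all common user domains via userdomain.if, sshd, init and logind), so the confidentiality of shadow data now rests on the daemon's own client checks rather than on this policy; a comment recording that trade-off would help later reviewers. `can_exec(systemd_userdbd_t, systemd_userdbd_exec_t)` also deserves a comment such as `# systemd-userwork shares systemd_userdbd_exec_t and stays in this domain`, and the added comment `# Where an unlabeled mountpoint is encounted:` should read `encountered`.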
554
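--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -920,6 +920,10 @@ template(`userdom_common_user_template',`
 usernetctl_run($1_t, $1_r)
 ')
 
+ optional_policy(`
+ systemd_stream_connect_userdb($1_t)
+ ')
+
 optional_policy(`
 virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
 virt_home_filetrans_virt_home($1_t, dir, ".virtinst")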
570
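--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -60,6 +60,34 @@ define(`domtrans_pattern',`
 allow $3 $1:process sigchld;
 ')
 
+#
+# Automatic domain transition patterns
+# with NoNewPerms
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
+define(`nnp_domtrans_pattern',`
+ domtrans_pattern($1,$2,$3)
+ allow $1 $3:process2 nnp_transition;
+')
+
+#
+# Automatic domain transition patterns
+# on nosuid filesystem
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
+define(`nosuid_domtrans_pattern',`
+ domtrans_pattern($1,$2,$3)
+ allow $1 $3:process2 nosuid_transition;
+')
+
 #
 # Dynamic transition pattern
 #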
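Review bot: The header comment `# with NoNewPerms` names a flag that does not exist; `process2 nnp_transition` is about the caller running with no_new_privs set (PR_SET_NO_NEW_PRIVS, or `NoNewPrivileges=` in a unit), so the comment should read `# with no_new_privs (NoNewPrivileges=) set`, and the second pattern's `# on nosuid filesystem` would be clearer as `# from an entry point on a nosuid-mounted filesystem`. Both `nnp_transition` and `nosuid_transition` only have effect when the `nnp_nosuid_transition` policy capability is enabled, so a one-line pointer to the policy capabilities file would save readers a lookup — assuming that file already declares it, which is not visible in this diff. `nosuid_domtrans_pattern` has no caller anywhere in this commit, so it is added without anything exercising it; either defer it until a user exists or say in the commit message that it is added for symmetry with `nnp_domtrans_pattern`.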