commit: 006bc33c0ddb00e9f9c628a4ea17fe029a51964f |
Author: Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com> |
AuthorDate: Mon Jan 3 20:12:14 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 7 02:08:37 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=006bc33c |
|
systemd: Add systemd-homed and systemd-userdbd. |
|
Systemd-homed does not completely work since the code does not label |
the filesystems it creates. |
|
systemd-userdbd partially derived from the Fedora policy. |
|
Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/kernel/files.if | 18 ++++ |
policy/modules/services/mta.if | 1 + |
policy/modules/services/ssh.if | 1 + |
policy/modules/system/fstools.if | 1 + |
policy/modules/system/init.if | 18 ++++ |
policy/modules/system/init.te | 1 + |
policy/modules/system/lvm.te | 4 + |
policy/modules/system/systemd.fc | 9 +- |
policy/modules/system/systemd.if | 38 +++++-- |
policy/modules/system/systemd.te | 194 +++++++++++++++++++++++++++++++++++- |
policy/modules/system/userdomain.if | 4 + |
policy/support/misc_patterns.spt | 28 ++++++ |
12 files changed, 304 insertions(+), 13 deletions(-) |
|
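--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3851,6 +3851,24 @@ interface(`files_relabelfrom_home',`
 allow $1 home_root_t:dir relabelfrom;
 ')
 
+########################################
+## <summary>
+## Watch the user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ## Create objects in /home.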
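--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -820,6 +820,7 @@ interface(`mta_list_spool',`
 ')
 
 allow $1 mail_spool_t:dir list_dir_perms;
+ files_search_spool($1)
 ')
 
 #######################################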
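--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -277,6 +277,7 @@ template(`ssh_server_template', `
 
 optional_policy(`
 systemd_read_logind_sessions_files($1_t)
+ systemd_stream_connect_userdb($1_t)
 ')
 ')
 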
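--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -61,6 +61,7 @@ interface(`fstools_exec',`
 ')
 
 can_exec($1, fsadm_exec_t)
+ corecmd_search_bin($1)
 ')
 
 ########################################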
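--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1114,6 +1114,24 @@ interface(`init_rw_stream_sockets',`
 allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
+########################################
+## <summary>
+## Do not audit attempts to search init keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_search_keys',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:key search;
+')
+
 ########################################
 ## <summary>
 ## start service (systemd).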
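--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -514,6 +514,7 @@ ifdef(`init_systemd',`
 systemd_filetrans_userdb_runtime_dirs(init_t)
 systemd_relabelto_journal_dirs(init_t)
 systemd_relabelto_journal_files(init_t)
+ systemd_stream_connect_userdb(init_t)
 
 term_create_devpts_dirs(init_t)
 term_create_ptmx(init_t)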
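--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -251,6 +251,10 @@ optional_policy(`
 rpm_manage_script_tmp_files(lvm_t)
 ')
 
+optional_policy(`
+ systemd_rw_homework_semaphores(lvm_t)
+')
+
 optional_policy(`
 udev_read_runtime_files(lvm_t)
 ')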
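--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -31,6 +31,8 @@
 /usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
 /usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
 /usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-homed -- gen_context(system_u:object_r:systemd_homed_exec_t,s0)
+/usr/lib/systemd/systemd-homework -- gen_context(system_u:object_r:systemd_homework_exec_t,s0)
 /usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
 /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
@@ -45,6 +47,8 @@
 /usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-runtime-dir -- gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-userdbd -- gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)
+/usr/lib/systemd/systemd-userwork -- gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)
 
 # Systemd unit files
 HOME_DIR/\.config/systemd(/.*)? gen_context(system_u:object_r:systemd_conf_home_t,s0)
@@ -64,6 +68,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service -- gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-userdbd\.(service|socket) -- gen_context(system_u:object_r:systemd_userdbd_unit_t,s0)
 /usr/lib/systemd/system/user@\.service -- gen_context(system_u:object_r:systemd_user_manager_unit_t,s0)
 
 /usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_factory_conf_t,s0)
@@ -72,6 +77,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
+/var/lib/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 /var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@@ -89,11 +95,12 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 
 /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+/run/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
-/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
+/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)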
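Review bot: No file context is given for the home storage image that the homework rules in systemd.te create under /home via `files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)`, so `systemd_homed_storage_t` exists only as a creation-time transition and a relabel of /home would not restore it. If the image name is predictable (I believe homed derives it from the user name with a fixed suffix under the home root, but confirm against the homed source), add an entry next to the `/var/lib/systemd/home(/.*)?` line, e.g. `HOME_ROOT/[^/]+\.home -- gen_context(system_u:object_r:systemd_homed_storage_t,s0)` with the pattern confirmed before merging. The `/run/systemd/user-home-mount` directory named in the homework comment in systemd.te is likewise only labeled through `init_runtime_filetrans`; either add it here or note in that comment that it is intentionally runtime-only.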
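--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -863,6 +863,24 @@ interface(`systemd_PrivateDevices',`
 fs_read_tmpfs_symlinks($1)
 ')
 
+######################################
+## <summary>
+## Read and write systemd-homework semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_rw_homework_semaphores',`
+ gen_require(`
+ type systemd_homework_t;
+ ')
+
+ allow $1 systemd_homework_t:sem rw_sem_perms;
+')
+
 #######################################
 ## <summary>
 ## Allow domain to read udev hwdb file
@@ -1191,10 +1209,10 @@ interface(`systemd_signull_logind',`
 #
 interface(`systemd_manage_userdb_runtime_dirs', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_runtime_t;
 ')
 
- manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+ manage_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')
 
 ########################################
@@ -1209,10 +1227,10 @@ interface(`systemd_manage_userdb_runtime_dirs', `
 #
 interface(`systemd_manage_userdb_runtime_sock_files', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_runtime_t;
 ')
 
- manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+ manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')
 
 ########################################
@@ -1227,12 +1245,12 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
 #
 interface(`systemd_stream_connect_userdb', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_t, systemd_userdbd_runtime_t;
 ')
 
 init_search_runtime($1)
- allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
- allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+ allow $1 systemd_userdbd_runtime_t:dir list_dir_perms;
+ stream_connect_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
 init_unix_stream_socket_connectto($1)
 ')
 
@@ -1404,7 +1422,7 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 
 ########################################
 ## <summary>
-## Transition to systemd_userdb_runtime_t when
+## Transition to systemd_userdbd_runtime_t when
 ## creating the userdb directory inside an init runtime
 ## directory.
 ## </summary>
@@ -1416,10 +1434,10 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 #
 interface(`systemd_filetrans_userdb_runtime_dirs', `
 gen_require(`
- type systemd_userdb_runtime_t;
+ type systemd_userdbd_runtime_t;
 ')
 
- init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+ init_runtime_filetrans($1, systemd_userdbd_runtime_t, dir, "userdb")
 ')
 
 ######################################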
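Review bot: `systemd_stream_connect_userdb` now only reaches sockets owned by `systemd_userdbd_t`, but the homed socket that `systemd_homed_t` creates inside `/run/systemd/userdb` (the `filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t, sock_file)` rule in systemd.te) is labeled `systemd_homed_runtime_t` and owned by `systemd_homed_t`. A client that enumerates the per-service sockets in that directory rather than going through the userdbd multiplexer would be denied `systemd_homed_runtime_t:sock_file write` and `systemd_homed_t:unix_stream_socket connectto`; I believe the userdb client library falls back to that enumeration when the multiplexer is unavailable, which is worth confirming. If so, add `stream_connect_pattern($1, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)` here with both types added to the `gen_require`, or state in the interface summary that only the userdbd-owned sockets are reachable so the limitation is deliberate.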
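--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -115,6 +115,28 @@ typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_gene
 typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t systemd_gpt_generator_exec_t };
 init_system_domain(systemd_generator_t, systemd_generator_exec_t)
 
+type systemd_homed_t;
+type systemd_homed_exec_t;
+init_daemon_domain(systemd_homed_t, systemd_homed_exec_t)
+
+type systemd_homework_t;
+type systemd_homework_exec_t;
+domain_type(systemd_homework_t)
+domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
+role system_r types systemd_homework_t;
+
+type systemd_homed_runtime_t;
+files_runtime_file(systemd_homed_runtime_t)
+
+type systemd_homed_storage_t;
+files_type(systemd_homed_storage_t)
+
+type systemd_homed_tmpfs_t;
+files_tmpfs_file(systemd_homed_tmpfs_t)
+
+type systemd_homed_var_lib_t;
+files_type(systemd_homed_var_lib_t)
+
 type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
@@ -301,8 +323,15 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
 type systemd_user_tmpfs_t;
 userdom_user_tmpfs_file(systemd_user_tmpfs_t)
 
-type systemd_userdb_runtime_t;
-files_runtime_file(systemd_userdb_runtime_t)
+type systemd_userdbd_t;
+type systemd_userdbd_exec_t;
+init_daemon_domain(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+type systemd_userdbd_runtime_t alias systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdbd_runtime_t)
+
+type systemd_userdbd_unit_t;
+init_unit_file(systemd_userdbd_unit_t)
 
 type systemd_user_unit_t;
 init_unit_file(systemd_user_unit_t)
@@ -473,6 +502,8 @@ kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
 kernel_dontaudit_getattr_proc(systemd_generator_t)
+# Where an unlabeled mountpoint is encounted:
+kernel_dontaudit_search_unlabeled(systemd_generator_t)
 
 storage_raw_read_fixed_disk(systemd_generator_t)
 
@@ -497,6 +528,125 @@ optional_policy(`
 miscfiles_read_localization(systemd_generator_t)
 ')
 
+#######################################
+#
+# systemd-homed policy
+#
+
+dontaudit systemd_homed_t self:capability { sys_resource sys_admin };
+allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+nnp_domtrans_pattern(systemd_homed_t, systemd_homework_exec_t, systemd_homework_t)
+
+allow systemd_homed_t systemd_homed_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file)
+
+manage_sock_files_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t)
+manage_dirs_pattern(systemd_homed_t, systemd_homed_runtime_t, systemd_homed_runtime_t)
+filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t, sock_file)
+init_runtime_filetrans(systemd_homed_t, systemd_homed_runtime_t, dir)
+
+allow systemd_homed_t systemd_homed_storage_t:file read_file_perms;
+
+allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
+allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
+init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
+
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homed_t)
+
+files_list_home(systemd_homed_t)
+files_watch_home(systemd_homed_t)
+files_read_etc_files(systemd_homed_t)
+files_search_tmp(systemd_homed_t)
+
+fs_get_xattr_fs_quotas(systemd_homed_t)
+fs_getattr_all_fs(systemd_homed_t)
+
+kernel_read_kernel_sysctls(systemd_homed_t)
+kernel_read_crypto_sysctls(systemd_homed_t)
+kernel_read_system_state(systemd_homed_t)
+
+systemd_log_parse_environment(systemd_homed_t)
+
+udev_read_runtime_files(systemd_homed_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_homed_t)
+ dbus_connect_system_bus(systemd_homed_t)
+
+ init_dbus_chat(systemd_homed_t)
+')
+
+optional_policy(`
+ mta_list_spool(systemd_homed_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(systemd_homed_t)
+')
+
+#######################################
+#
+# systemd-homework policy
+#
+
+allow systemd_homework_t self:capability { chown fowner fsetid sys_admin };
+dontaudit systemd_homework_t self:capability sys_resource;
+allow systemd_homework_t self:key { search write };
+allow systemd_homework_t self:process getsched;
+allow systemd_homework_t self:sem create_sem_perms;
+
+allow systemd_homework_t systemd_homed_runtime_t:file manage_file_perms;
+allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
+files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
+init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
+
+# mount on /run/systemd/user-home-mount
+allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
+
+allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
+files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
+
+allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
+
+dev_rw_loop_control(systemd_homework_t)
+dev_read_rand(systemd_homework_t)
+dev_read_urand(systemd_homework_t)
+dev_rw_lvm_control(systemd_homework_t)
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homework_t)
+
+files_read_etc_files(systemd_homework_t)
+files_mounton_runtime_dirs(systemd_homework_t)
+
+fs_getattr_all_fs(systemd_homework_t)
+fs_search_all(systemd_homework_t)
+fs_mount_xattr_fs(systemd_homework_t)
+fs_unmount_xattr_fs(systemd_homework_t)
+
+fstools_exec(systemd_homework_t)
+
+init_rw_inherited_stream_socket(systemd_homework_t)
+init_use_fds(systemd_homework_t)
+init_dontaudit_search_keys(systemd_homework_t)
+
+kernel_write_key(systemd_homework_t)
+kernel_get_sysvipc_info(systemd_homework_t)
+kernel_request_load_module(systemd_homework_t)
+
+kernel_read_kernel_sysctls(systemd_homework_t)
+kernel_read_crypto_sysctls(systemd_homework_t)
+kernel_read_system_state(systemd_homework_t)
+
+# loopback:
+storage_raw_read_fixed_disk(systemd_homework_t)
+storage_raw_write_fixed_disk(systemd_homework_t)
+
+systemd_log_parse_environment(systemd_homework_t)
+
+udev_read_runtime_files(systemd_homework_t)
+
 #######################################
 #
 # Hostnamed policy
@@ -630,6 +780,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
 
+stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
+
 kernel_dontaudit_getattr_proc(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)
 
@@ -814,6 +966,8 @@ allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perm
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
 
+manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
@@ -1605,6 +1759,42 @@ udev_list_runtime(systemd_user_session_type)
 
 seutil_libselinux_linked(systemd_user_session_type)
 
+########################################
+#
+# systemd-userdbd local policy
+#
+
+allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:process signal;
+
+stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)
+
+manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+init_runtime_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir)
+
+can_exec(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+auth_read_shadow(systemd_userdbd_t)
+auth_use_nsswitch(systemd_userdbd_t)
+
+dev_read_urand(systemd_userdbd_t)
+
+files_read_etc_files(systemd_userdbd_t)
+files_read_etc_runtime_files(systemd_userdbd_t)
+files_read_usr_files(systemd_userdbd_t)
+
+fs_read_efivarfs_files(systemd_userdbd_t)
+
+init_stream_connect(systemd_userdbd_t)
+init_search_runtime(systemd_userdbd_t)
+init_read_state(systemd_userdbd_t)
+
+kernel_read_kernel_sysctls(systemd_userdbd_t)
+
+systemd_log_parse_environment(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy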
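Review bot: The `# loopback:` comment above `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` in the systemd-homework section understates what is granted: those interfaces cover every node of the fixed-disk type, and loop devices only share that type, so homework also gets raw read and write to the real disks. Spell that out so the next reader does not narrow the rule by mistake, e.g. `# loop devices share the fixed disk type, so this also grants raw access to real disks`. The systemd-homed section would likewise benefit from carrying the caveat from the commit message next to the rules, e.g. `# NOTE: incomplete, homed does not yet label the filesystems it creates`, since that is where someone debugging denials will look. Minor: the comment added in the generator hunk reads `encounted`; `encountered` is meant.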
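--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -920,6 +920,10 @@ template(`userdom_common_user_template',`
 usernetctl_run($1_t, $1_r)
 ')
 
+ optional_policy(`
+ systemd_stream_connect_userdb($1_t)
+ ')
+
 optional_policy(`
 virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
 virt_home_filetrans_virt_home($1_t, dir, ".virtinst")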
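Review bot: This grants every domain built from `userdom_common_user_template`, including unprivileged user domains, connect access to `systemd_userdbd_t`, and the same commit gives that daemon `auth_read_shadow` in systemd.te. Whether a caller can obtain the password-hash fields is therefore decided by userdbd's own peer-credential check and not by this policy; I believe userdbd only returns the privileged record fields to a uid 0 peer, but that should be confirmed before relying on it. A one-line comment above the new block, `# userdbd reads shadow; privileged fields are gated by userdbd on the peer uid, not by policy`, would record why the broad grant is acceptable. `userdom_common_user_template` starts and ends outside this hunk.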
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt |
572 |
index 4b689be9..fea708f9 100644 |
573 |
--- a/policy/support/misc_patterns.spt |
574 |
+++ b/policy/support/misc_patterns.spt |
575 |
@@ -60,6 +60,34 @@ define(`domtrans_pattern',` |
576 |
allow $3 $1:process sigchld; |
577 |
') |
578 |
|
579 |
+# |
580 |
+# Automatic domain transition patterns |
581 |
+# with NoNewPerms |
582 |
+# |
583 |
+# Parameters: |
584 |
+# 1. source domain |
585 |
+# 2. entry point file type |
586 |
+# 3. target domain |
587 |
+# |
588 |
+define(`nnp_domtrans_pattern',` |
589 |
+ domtrans_pattern($1,$2,$3) |
590 |
+ allow $1 $3:process2 nnp_transition; |
591 |
+') |
592 |
+ |
593 |
+# |
594 |
+# Automatic domain transition patterns |
595 |
+# on nosuid filesystem |
596 |
+# |
597 |
+# Parameters: |
598 |
+# 1. source domain |
599 |
+# 2. entry point file type |
600 |
+# 3. target domain |
601 |
+# |
602 |
+define(`nosuid_domtrans_pattern',` |
603 |
+ domtrans_pattern($1,$2,$3) |
604 |
+ allow $1 $3:process2 nosuid_transition; |
605 |
+') |
606 |
+ |
607 |
# |
608 |
# Dynamic transition pattern |
609 |
# |