| 1 |
commit: 136d58b22660009b8fba0fbf2a1a160aba8d9735 |
| 2 |
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> |
| 3 |
AuthorDate: Tue Dec 27 13:44:58 2016 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Jan 1 16:26:28 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=136d58b2 |
| 7 |
|
| 8 |
systemd: add systemd-backlight policy |
| 9 |
|
| 10 |
The documentation page of this service describes well which access are |
| 11 |
needed |
| 12 |
(https://www.freedesktop.org/software/systemd/man/systemd-backlight <AT> .service.html). |
| 13 |
systemd-backlight: |
| 14 |
- is a systemd service |
| 15 |
- manages /var/lib/systemd/backlight/ |
| 16 |
- reads udev device properties to find ID_BACKLIGHT_CLAMP |
| 17 |
|
| 18 |
Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org> |
| 19 |
|
| 20 |
policy/modules/system/systemd.fc | 2 ++ |
| 21 |
policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++ |
| 22 |
2 files changed, 26 insertions(+) |
| 23 |
|
| 24 |
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc |
| 25 |
index ff0f976..673bb68 100644 |
| 26 |
--- a/policy/modules/system/systemd.fc |
| 27 |
+++ b/policy/modules/system/systemd.fc |
| 28 |
@@ -28,7 +28,9 @@ |
| 29 |
/usr/lib/systemd/system/[^/]*shutdown.* -- gen_context(system_u:object_r:power_unit_t,s0) |
| 30 |
/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0) |
| 31 |
/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0) |
| 32 |
+/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0) |
| 33 |
|
| 34 |
+/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) |
| 35 |
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) |
| 36 |
|
| 37 |
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) |
| 38 |
|
| 39 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 40 |
index 196abab..c50e93a 100644 |
| 41 |
--- a/policy/modules/system/systemd.te |
| 42 |
+++ b/policy/modules/system/systemd.te |
| 43 |
@@ -26,6 +26,12 @@ type systemd_backlight_t; |
| 44 |
type systemd_backlight_exec_t; |
| 45 |
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) |
| 46 |
|
| 47 |
+type systemd_backlight_unit_t; |
| 48 |
+init_unit_file(systemd_backlight_unit_t) |
| 49 |
+ |
| 50 |
+type systemd_backlight_var_lib_t; |
| 51 |
+files_type(systemd_backlight_var_lib_t) |
| 52 |
+ |
| 53 |
type systemd_binfmt_t; |
| 54 |
type systemd_binfmt_exec_t; |
| 55 |
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t) |
| 56 |
@@ -140,6 +146,24 @@ logging_send_syslog_msg(systemd_log_parse_env_type) |
| 57 |
|
| 58 |
###################################### |
| 59 |
# |
| 60 |
+# Backlight local policy |
| 61 |
+# |
| 62 |
+ |
| 63 |
+allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms; |
| 64 |
+init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) |
| 65 |
+manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) |
| 66 |
+ |
| 67 |
+systemd_log_parse_environment(systemd_backlight_t) |
| 68 |
+ |
| 69 |
+# Allow systemd-backlight to write to /sys/class/backlight/*/brightness |
| 70 |
+dev_rw_sysfs(systemd_backlight_t) |
| 71 |
+ |
| 72 |
+files_read_etc_files(systemd_backlight_t) |
| 73 |
+ |
| 74 |
+udev_read_pid_files(systemd_backlight_t) |
| 75 |
+ |
| 76 |
+###################################### |
| 77 |
+# |
| 78 |
# Cgroups local policy |
| 79 |
# |
Archives