public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
@ 2014-11-28 10:23 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-28 10:23 UTC
  To: gentoo-commits

commit:     39547652cd07ae3611419261d255128aa1f436e8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 10:22:30 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39547652

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
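
Review bot: the old bin_t entry for /lib/dhcpcd/dhcpcd-run-hooks is commented out rather than deleted, which leaves a dead file-context line in the distro_gentoo block. The same commit relabels the path to dhcpc_script_exec_t in sysnetwork.fc, so drop the line outright, or if it has to stay, add a comment saying where the context now lives.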

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		resolvconf_client_domain(dhcpc_t)
 	')
+
+	#########################################
+	#
+	# dhcpc_script_t
+	#
+
+	# The purpose of the dhcpc_script_t domain is to handle the post-processing of 
+	# the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+	# assume others do as well. With the dhcpc_script_t domain we can isolate the
+	# privileges of the DHCP client itself from the hooks / flexibility that the developers
+	# introduced.
+
+	type dhcpc_script_t;
+	domain_type(dhcpc_script_t)
+	role dhcpc_roles types dhcpc_script_t;
+
+	type dhcpc_script_exec_t;
+	domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+	type dhcpc_script_tmp_t;
+	files_tmp_file(dhcpc_script_tmp_t)
+
+	########################################
+	#
+	# dhcpc script policy
+	#
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+	corecmd_exec_bin(dhcpc_script_t)
+	corecmd_exec_shell(dhcpc_script_t)
 ')
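
Review bot: nothing in this hunk lets dhcpc_t enter the new domain. dhcpc_script_exec_t is declared as the entry file through domain_entry_file(), but there is no domtrans_pattern() or equivalent from dhcpc_t, and the sysnet_dhcpc_script_entry() interface the commit message mentions is not in the diffstat. Since dhcpcd-run-hooks is no longer labelled bin_t, add the transition from dhcpc_t in the same commit so the relabelled hook script has a defined way to run.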



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
@ 2014-11-28 11:16 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-28 11:16 UTC
  To: gentoo-commits

commit:     14d4ab23ddd8ab4d3d294aff25caa09298623448
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 11:15:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d4ab23

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.te   | 46 +++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		resolvconf_client_domain(dhcpc_t)
 	')
+
+	#########################################
+	#
+	# dhcpc_script_t
+	#
+
+	# The purpose of the dhcpc_script_t domain is to handle the post-processing of 
+	# the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+	# assume others do as well. With the dhcpc_script_t domain we can isolate the
+	# privileges of the DHCP client itself from the hooks / flexibility that the developers
+	# introduced.
+
+	type dhcpc_script_t;
+	domain_type(dhcpc_script_t)
+	role dhcpc_roles types dhcpc_script_t;
+
+	type dhcpc_script_exec_t;
+	domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+	type dhcpc_script_tmp_t;
+	files_tmp_file(dhcpc_script_tmp_t)
+
+	########################################
+	#
+	# dhcpc script policy
+	#
+
+	allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+	files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+	corecmd_exec_bin(dhcpc_script_t)
+	corecmd_exec_shell(dhcpc_script_t)
+
+	# Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+	domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+	sysnet_manage_config(dhcpc_script_t)
+
+	optional_policy(`
+		ntp_manage_config(dhcpc_script_t)
+	')
 ')
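
Review bot: both filetrans rules name { file dir }, but only manage_files_pattern() is granted for dhcpc_script_tmp_t and dhcpc_var_run_t, so a hook that creates a directory under /tmp or /var/run gets the type transition without the directory permissions to go with it. Either add the matching manage_dirs_pattern() calls or reduce the object class list to file.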



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
@ 2014-11-28 11:25 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-28 11:25 UTC
  To: gentoo-commits

commit:     c1d8aae88e48692c2777032706464c7a2be256cd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 11:24:08 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1d8aae8

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.if   | 29 ++++++++++++++++++
 policy/modules/system/sysnetwork.te   | 58 +++++++++++++++++++++++++++++++++++
 4 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692..86313b6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
 
 	sysnet_read_config($1)
 ')
+
+# This should be after an ifdef distro_gentoo but that is not allowed in an if file
+
+########################################
+## <summary>
+##	Make the specified program domain
+##	accessable from the DHCP hooks/scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to transition to.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type of the file used as an entrypoint to this domain.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dhcpc_script_entry',`
+	gen_require(`
+		type dhcpc_script_t;
+		attribute_role dhcpc_roles;
+	')
+
+	role dhcpc_roles types $1;
+
+	domtrans_pattern(dhcpc_script_t, $2, $1)
+')
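
Review bot: sysnet_dhcpc_script_entry() requires dhcpc_script_t unconditionally, while that type is only declared inside the distro_gentoo block of sysnetwork.te, as the comment at the top of this hunk acknowledges. State in the interface summary that callers must wrap the call in an ifdef on distro_gentoo, otherwise the gen_require() cannot be satisfied when distro_gentoo is not set. The summary also spells "accessible" as "accessable".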

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..1dd0817 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		resolvconf_client_domain(dhcpc_t)
 	')
+
+	#########################################
+	#
+	# dhcpc_script_t
+	#
+
+	# The purpose of the dhcpc_script_t domain is to handle the post-processing of 
+	# the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+	# assume others do as well. With the dhcpc_script_t domain we can isolate the
+	# privileges of the DHCP client itself from the hooks / flexibility that the developers
+	# introduced.
+
+	type dhcpc_script_t;
+	domain_type(dhcpc_script_t)
+	role dhcpc_roles types dhcpc_script_t;
+
+	type dhcpc_script_exec_t;
+	domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+	type dhcpc_script_tmp_t;
+	files_tmp_file(dhcpc_script_tmp_t)
+
+	########################################
+	#
+	# dhcpc script policy
+	#
+
+	allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+	files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+	kernel_read_network_state(dhcpc_script_t)
+	kernel_read_system_state(dhcpc_script_t)
+
+	corecmd_exec_bin(dhcpc_script_t)
+	corecmd_exec_shell(dhcpc_script_t)
+
+	files_read_etc_files(dhcpc_script_t)
+
+	init_use_script_fds(dhcpc_script_t)
+	init_use_script_ptys(dhcpc_script_t)
+
+	# Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+	domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+	sysnet_manage_config(dhcpc_script_t)
+
+	optional_policy(`
+		hostname_run(dhcpc_script_t, dhcpc_roles)
+	')
+
+	optional_policy(`
+		ntp_manage_config(dhcpc_script_t)
+	')
 ')
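
Review bot: the open question in the comment above domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t) ("Perhaps sysnet_domtrans_dhcpc_script could be used instead ...") should be settled before this lands. The rule grants a permission to dhcpc_t yet sits in the dhcpc_script_t section; either move it next to the other dhcpc_t rules or replace it with the interface call, and drop the comment once decided.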



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
  2015-10-26  5:48 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/ Jason Zaman
@ 2015-10-26  5:36 ` Jason Zaman
From: Jason Zaman @ 2015-10-26  5:36 UTC
  To: gentoo-commits

commit:     d92bdf260887935367802afbbaf25d399c020cd5
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 14:16:59 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:52:47 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26

Implement core systemd policy.

Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.

 policy/modules/kernel/corecommands.fc |   2 +
 policy/modules/kernel/domain.te       |   6 +
 policy/modules/kernel/files.if        | 172 ++++++++++
 policy/modules/kernel/filesystem.if   |  73 ++++
 policy/modules/kernel/kernel.if       |  60 +++-
 policy/modules/kernel/terminal.if     |  19 ++
 policy/modules/system/authlogin.if    |  19 ++
 policy/modules/system/init.fc         |   4 +
 policy/modules/system/init.if         | 608 +++++++++++++++++++++++++++++++++-
 policy/modules/system/init.te         | 176 +++++++++-
 policy/modules/system/locallogin.if   |  21 ++
 policy/modules/system/logging.if      |  38 +++
 policy/modules/system/lvm.if          |  20 ++
 policy/modules/system/systemd.fc      |  39 +++
 policy/modules/system/systemd.if      | 195 +++++++++++
 policy/modules/system/systemd.te      | 264 +++++++++++++++
 policy/modules/system/udev.if         |  19 ++
 17 files changed, 1711 insertions(+), 24 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f465e43..b4e192a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 451a1be..6c3ef60 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit domain self:udp_socket listen;
 ')
 
+ifdef(`init_systemd',`
+	optional_policy(`
+		shutdown_sigchld(domain)
+	')
+')
+
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
 	# this should be enabled when all programs
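
Review bot: shutdown_sigchld(domain) applies to every domain once init_systemd is set, and the new block carries no comment saying why. Add a one-line rationale above the optional_policy so a later reader can tell whether the rule is still needed.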

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index dd16f74..cbb8afe 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel from/to non-security directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_non_security_dirs',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of all files.
 ## </summary>
 ## <param name="domain">
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	manage_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+##	Relabel from/to all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
 ##	Read all files.
 ## </summary>
 ## <param name="domain">
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
 
 ########################################
 ## <summary>
+##	Mount on the root directory (/)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_root',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get attributes of the /boot directory.
 ## </summary>
 ## <param name="domain">
@@ -4398,6 +4472,24 @@ interface(`files_rw_generic_tmp_sockets',`
 
 ########################################
 ## <summary>
+##	Mount filesystems in the tmp directory (/tmp)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Set the attributes of all tmp directories.
 ## </summary>
 ## <param name="domain">
@@ -5678,6 +5770,25 @@ interface(`files_list_locks',`
 
 ########################################
 ## <summary>
+##	Add entries in the /var/lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_add_entry_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	add_entry_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
 ##	Add and remove entries in the /var/lock
 ##	directories.
 ## </summary>
@@ -5871,6 +5982,29 @@ interface(`files_manage_all_locks',`
 
 ########################################
 ## <summary>
+##	Relabel from/to all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+	relabel_dirs_pattern($1, lockfile, lockfile)
+	relabel_files_pattern($1, lockfile, lockfile)
+	relabel_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
 ##	Create an object in the locks directory, with a private
 ##	type using a type transition.
 ## </summary>
@@ -6300,6 +6434,44 @@ interface(`files_manage_all_pids',`
 
 ########################################
 ## <summary>
+##	Relabel to/from all var_run (pid) directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain alloed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##	Relabel to/from all var_run (pid) files and directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain alloed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_dirs_pattern($1, pidfile, pidfile)
+	relabel_files_pattern($1, pidfile, pidfile)
+	relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Mount filesystems on all polyinstantiation
 ##	member directories.
 ## </summary>

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 4ddef7c..0db8233 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -767,6 +767,24 @@ interface(`fs_manage_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
 ##	Read cgroup files.
 ## </summary>
 ## <param name="domain">
@@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',`
 	')
 
 	read_files_pattern($1, cgroup_t, cgroup_t)
+	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
 	dev_search_sysfs($1)
 ')
 
@@ -3341,6 +3360,25 @@ interface(`fs_rw_nfsd_fs',`
 
 ########################################
 ## <summary>
+##	Getattr on pstore dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_pstore_dirs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+	getattr_files_pattern($1, pstore_t, pstore_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Allow the type to associate to ramfs filesystems.
 ## </summary>
 ## <param name="type">
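
Review bot: fs_getattr_pstore_dirs is documented as "Getattr on pstore dirs." but its body calls getattr_files_pattern($1, pstore_t, pstore_t), which is the file-class pattern and does not grant getattr on pstore_t directories. If directories are meant, use a rule on the dir class such as allow $1 pstore_t:dir getattr; if files are meant, rename the interface and fix the summary.
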
@@ -4113,6 +4151,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel directory on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+	relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
 ##	Create an object in a tmpfs filesystem, with a private
 ##	type using a type transition.
 ## </summary>
@@ -4241,6 +4296,24 @@ interface(`fs_rw_tmpfs_files',`
 
 ########################################
 ## <summary>
+##     Relabel files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
 ##	Read tmpfs link files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index faa19d7..df42fa3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -8,6 +8,27 @@
 
 ########################################
 ## <summary>
+##	Allows the kernel to start userland processes
+##	by dynamic transitions to the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by the kernel.
+##	</summary>
+## </param>
+#
+interface(`kernel_dyntrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	domain_dyntrans_type(kernel_t)
+	allow kernel_t self:process setcurrent;
+	allow kernel_t $1:process dyntransition;
+')
+
+########################################
+## <summary>
 ##	Allows to start userland processes
 ##	by transitioning to the specified domain.
 ## </summary>
@@ -254,6 +275,25 @@ interface(`kernel_rw_pipes',`
 
 ########################################
 ## <summary>
+##	Read/write to kernel using a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_stream_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Connect to kernel using a unix
 ##	domain stream socket.
 ## </summary>
@@ -273,7 +313,25 @@ interface(`kernel_stream_connect',`
 
 ########################################
 ## <summary>
-##	Read and write kernel unix datagram sockets.
+##	Getattr on kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_dgram_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+##	Read and write kernel unix datagram sockets. (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
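
Review bot: the summary of the existing datagram-socket interface now ends in "(Deprecated)" without naming what callers should use instead. Name the replacement interface in the summary so the deprecation is actionable from the generated documentation.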

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b..2e6a376 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -519,6 +519,25 @@ interface(`term_dontaudit_manage_pty_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel from and to pty directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_relabel_pty_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of generic pty devices.
 ## </summary>

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 6aac59c..7bb4ecb 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -773,6 +773,25 @@ interface(`auth_rw_faillog',`
 	allow $1 faillog_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Manage the login failure logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_faillog',`
+	gen_require(`
+		type faillog_t;
+	')
+
+	allow $1 faillog_t:file manage_file_perms;
+	logging_rw_generic_log_dirs($1)
+')
+
 #######################################
 ## <summary>
 ##	Read the last logins log.

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 02ec851..b4bdf65 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -45,6 +45,10 @@ ifdef(`distro_gentoo', `
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /usr/lib/systemd/systemd --	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/system(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 211d434..192508f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -44,6 +44,26 @@ interface(`init_script_file',`
 
 ########################################
 ## <summary>
+##   Make the specified type usable for
+##   systemd unit files.
+## </summary>
+## <param name="type">
+##   <summary>
+##   Type to be used for systemd unit files.
+##   </summary>
+## </param>
+#
+interface(`init_unit_file',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	files_type($1)
+	typeattribute $1 systemdunit;
+')
+
+########################################
+## <summary>
 ##	Create a domain used for init scripts.
 ## </summary>
 ## <desc>
@@ -108,6 +128,10 @@ interface(`init_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(init_t, $2, $1)
+
+	ifdef(`init_systemd',`
+		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+	')
 ')
 
 ########################################
@@ -212,6 +236,12 @@ interface(`init_daemon_domain',`
 		userdom_dontaudit_use_user_terminals($1)
 	')
 
+	ifdef(`init_systemd',`
+		init_domain($1, $2)
+		# this may be because of late labelling
+		kernel_dgram_send($1)
+	')
+
 	optional_policy(`
 		nscd_use($1)
 	')
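
Review bot: kernel_dgram_send($1) is added under init_systemd on the strength of the comment "this may be because of late labelling", which reads as a guess. Confirm the cause and state it in the comment, or scope the rule to the domains that need it, since as written it lands in every domain created through init_daemon_domain().
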
@@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',`
 		type initrc_t;
 	')
 
-	init_daemon_domain($1, $2)
+	ifdef(`init_systemd',`
+		init_ranged_domain($1, $2, $3)
+	',`
+		init_daemon_domain($1, $2)
 
-	ifdef(`enable_mcs',`
-		range_transition initrc_t $2:process $3;
+		ifdef(`enable_mcs',`
+			range_transition initrc_t $2:process $3;
+		')
+
+		ifdef(`enable_mls',`
+			range_transition initrc_t $2:process $3;
+			mls_rangetrans_target($1)
+		')
 	')
+')
 
-	ifdef(`enable_mls',`
-		range_transition initrc_t $2:process $3;
-		mls_rangetrans_target($1)
+#########################################
+## <summary>
+##	Abstract socket service activation (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain to be started by systemd socket activation.
+##	</summary>
+## </param>
+#
+interface(`init_abstract_socket_activation',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+	')
+')
+
+#########################################
+## <summary>
+##	Named socket service activation (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain to be started by systemd socket activation.
+##	</summary>
+## </param>
+## <param name="sock_file">
+##	<summary>
+##	The domain socket file type.
+##	</summary>
+## </param>
+#
+interface(`init_named_socket_activation',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:unix_dgram_socket create_socket_perms;
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow init_t $2:dir manage_dir_perms;
+		allow init_t $2:fifo_file manage_fifo_file_perms;
+		allow init_t $2:sock_file manage_sock_file_perms;
 	')
 ')
 
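Review bot: in init_ranged_daemon_domain the init_systemd branch calls only init_ranged_domain($1, $2, $3) and never reaches init_daemon_domain($1, $2), so a ranged daemon on a systemd build misses whatever init_daemon_domain grants beyond init_domain, while the non-ranged interface keeps all of it and adds init_domain on top. If that is intended, say so in a comment; otherwise call init_daemon_domain in both branches. Separately, init_named_socket_activation gives init_t manage rights on dir, fifo_file and sock_file objects of type $2, which is more than the "domain socket file type" the parameter doc describes; the doc should name all three classes.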
@@ -324,6 +407,10 @@ interface(`init_system_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(initrc_t, $2, $1)
+
+	ifdef(`init_systemd',`
+		init_domain($1, $2)
+	')
 ')
 
 ########################################
@@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',`
 		type initrc_t;
 	')
 
-	init_system_domain($1, $2)
+	ifdef(`init_systemd',`
+		init_ranged_domain($1, $2, $3)
+	',`
+		init_system_domain($1, $2)
 
-	ifdef(`enable_mcs',`
-		range_transition initrc_t $2:process $3;
-	')
+		ifdef(`enable_mcs',`
+			range_transition initrc_t $2:process $3;
+		')
 
-	ifdef(`enable_mls',`
-		range_transition initrc_t $2:process $3;
-		mls_rangetrans_target($1)
+		ifdef(`enable_mls',`
+			range_transition initrc_t $2:process $3;
+			mls_rangetrans_target($1)
+		')
 	')
 ')
 
@@ -579,10 +670,11 @@ interface(`init_sigchld',`
 #
 interface(`init_stream_connect',`
 	gen_require(`
-		type init_t;
+		type init_t, init_var_run_t;
 	')
 
-	allow $1 init_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+	files_search_pids($1)
 ')
 
 ########################################
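Review bot: init_stream_connect is changed for every init system, not only under ifdef(`init_systemd'): all existing callers go from a bare connectto on init_t to stream_connect_pattern over init_var_run_t plus files_search_pids($1). If non-systemd builds have no init socket under init_var_run_t, keep the old rule for them and put the new pattern in an init_systemd branch, as the other interfaces in this patch do.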
@@ -664,6 +756,45 @@ interface(`init_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
+##	Send messages to init unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dgram_send',`
+	gen_require(`
+		type init_t, init_var_run_t;
+	')
+
+	dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write to
+##	init with unix domain stream sockets.
+##	</summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Send UDP network traffic to init.  (Deprecated)
 ## </summary>
 ## <param name="domain">
@@ -678,6 +809,276 @@ interface(`init_udp_send',`
 
 ########################################
 ## <summary>
+##	Get all service status (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_system_status',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+##	Enable all systemd services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_enable',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system enable;
+')
+
+########################################
+## <summary>
+##	Disable all services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_disable',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system disable;
+')
+
+########################################
+## <summary>
+##	Reload all services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reload;
+')
+
+########################################
+## <summary>
+##	Reboot the system (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reboot_system',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+##	Shutdown (halt) the system (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_shutdown_system',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+## 	Allow specified domain to get init status
+## </summary>
+## <param name="domain">
+## <summary>
+## 	Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_status',`
+	gen_require(`
+		type init_t;
+		class service status;
+	')
+
+	allow $1 init_t:service status;
+')
+
+########################################
+## <summary>
+## 	Allow specified domain to get init start
+## </summary>
+## <param name="domain">
+## <summary>
+## 	Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_start',`
+	gen_require(`
+		type init_t;
+		class service start;
+	')
+
+	allow $1 init_t:service start;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	systemd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+	gen_require(`
+		type initrc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 init_t:dbus send_msg;
+	allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Manage files in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_manage_var_lib_files',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create files in /var/lib/systemd
+##	with an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="type">
+##	<summary>
+##	The type of object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_var_lib_filetrans',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create files in an init PID directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of initctl.
 ## </summary>
 ## <param name="domain">
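Review bot: init_dbus_chat requires "type initrc_t;" but both of its allow rules name init_t, so the gen_require block should declare init_t instead. In the same hunk, init_manage_var_lib_files documents file_type, object_class and name parameters that its body never uses (only $1 appears); drop those param blocks. The summaries of init_service_status and init_service_start ("get init status", "get init start") would also read better if they said what is permitted on the init_t service.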
@@ -1976,3 +2377,180 @@ interface(`init_script_readable_type',`
 
 	typeattribute $1 init_script_readable;
 ')
+
+######################################
+## <summary>
+##	Search systemd unit dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_units',`
+	gen_require(`
+		type init_var_run_t, systemd_unit_t;
+	')
+
+	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+	# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
+	files_search_etc($1)
+	files_search_usr($1)
+	libs_search_lib($1)
+
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+##	Get status of generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_generic_units_status',`
+	gen_require(`
+		type systemd_unit_t;
+		class service status;
+	')
+
+	allow $1 systemd_unit_t:service status;
+')
+
+########################################
+## <summary>
+##	Start generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service start;
+	')
+
+	allow $1 systemd_unit_t:service start;
+')
+
+########################################
+## <summary>
+##	Stop generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+## 	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service stop;
+	')
+
+	allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+## <summary>
+##	Reload generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service reload;
+	')
+
+	allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+## <summary>
+##	Get status of all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_all_units_status',`
+	gen_require(`
+		attribute systemdunit;
+		class service status;
+	')
+
+	allow $1 systemdunit:service status;
+')
+
+########################################
+## <summary>
+##	Start all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service start;
+	')
+
+	allow $1 systemdunit:service start;
+')
+
+########################################
+## <summary>
+##	Stop all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+## 	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service stop;
+	')
+
+	allow $1 systemdunit:service stop;
+')
+
+#######################################
+## <summary>
+##	Reload all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service reload;
+	')
+
+	allow $1 systemdunit:service reload;
+')
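Review bot: init_stop_generic_units and init_stop_all_units describe their parameter as "Domain to not audit.", but both interfaces contain allow rules, not dontaudit rules. Use "Domain allowed access." as the sibling interfaces do, and align the indentation of those two param blocks with the rest of the file.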

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 95db0d0..d5d7b10 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -19,6 +19,7 @@ gen_tunable(init_upstart, false)
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
+attribute systemdunit;
 
 # Mark process types as daemons
 attribute daemon;
@@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
 type initrc_exec_t, init_script_file_type;
 domain_type(initrc_t)
 domain_entry_file(initrc_t, initrc_exec_t)
+init_named_socket_activation(initrc_t, init_var_run_t)
 role system_r types initrc_t;
 # should be part of the true block
 # of the below init_upstart tunable
@@ -74,6 +76,9 @@ type initrc_devpts_t;
 term_pty(initrc_devpts_t)
 files_type(initrc_devpts_t)
 
+type initrc_lock_t;
+files_lock_file(initrc_lock_t)
+
 type initrc_state_t;
 files_type(initrc_state_t)
 
@@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t)
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
 
+type systemd_unit_t;
+init_unit_file(systemd_unit_t)
+
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
@@ -182,6 +190,115 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+ifdef(`init_systemd',`
+	# handle instances where an old labeled init script is encountered.
+	typeattribute init_t init_run_all_scripts_domain;
+
+	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
+	allow init_t self:capability2 block_suspend;
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t self:netlink_selinux_socket create_socket_perms;
+
+	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
+	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
+	manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
+	manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
+
+	manage_files_pattern(init_t, systemd_unit_t, systemdunit)
+
+	manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
+	manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
+	allow init_t systemd_unit_t:dir relabel_dir_perms;
+
+	kernel_dyntrans_to(init_t)
+	kernel_read_network_state(init_t)
+	kernel_read_kernel_sysctls(init_t)
+	kernel_read_vm_sysctls(init_t)
+	kernel_dgram_send(init_t)
+	kernel_stream_connect(init_t)
+	kernel_getattr_proc(init_t)
+	kernel_read_fs_sysctls(init_t)
+
+	dev_rw_autofs(init_t)
+	dev_create_generic_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_read_urand(init_t)
+	dev_write_kmsg(init_t)
+
+	domain_read_all_domains_state(init_t)
+
+	files_read_all_pids(init_t)
+	files_list_usr(init_t)
+	files_list_var(init_t)
+	files_list_var_lib(init_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_mounton_root(init_t)
+	files_search_pids(init_t)
+	files_relabel_all_pids(init_t)
+	files_read_all_locks(init_t)
+	files_search_kernel_modules(init_t)
+	# for privatetmp functions
+	files_manage_generic_tmp_dirs(init_t)
+	files_mounton_tmp(init_t)
+
+	fs_manage_cgroup_dirs(init_t)
+	fs_relabel_cgroup_dirs(init_t)
+	fs_rw_cgroup_files(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_mount_autofs(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_getattr_tmpfs(init_t)
+	fs_read_tmpfs_files(init_t)
+	fs_read_cgroup_files(init_t)
+	fs_dontaudit_getattr_xattr_fs(init_t)
+	# for privatetmp functions
+	fs_relabel_tmpfs_dirs(init_t)
+	fs_relabel_tmpfs_files(init_t)
+	# mount-setup
+	fs_unmount_autofs(init_t)
+	fs_getattr_pstore_dirs(init_t)
+
+	# systemd_socket_activated policy
+	mls_socket_write_all_levels(init_t)
+
+	selinux_compute_create_context(init_t)
+	selinux_compute_access_vector(init_t)
+
+	term_relabel_pty_dirs(init_t)
+
+	clock_read_adjtime(init_t)
+
+	logging_manage_pid_sockets(init_t)
+	logging_send_audit_msgs(init_t)
+	logging_relabelto_devlog_sock_files(init_t)
+
+	seutil_read_file_contexts(init_t)
+
+	systemd_relabelto_kmod_files(init_t)
+	systemd_dbus_chat_logind(init_t)
+
+	# udevd is a "systemd kobject uevent socket activated daemon"
+	udev_create_kobject_uevent_sockets(init_t)
+
+	optional_policy(`
+		dbus_system_bus_client(init_t)
+		dbus_connect_system_bus(init_t)
+	')
+
+	optional_policy(`
+		modutils_domtrans_insmod(init_t)
+	')
+',`
+	tunable_policy(`init_upstart',`
+		corecmd_shell_domtrans(init_t, initrc_t)
+	',`
+		# Run the shell in the sysadm role for single-user mode.
+		# causes problems with upstart
+		sysadm_shell_domtrans(init_t)
+	')
+')
+
 ifdef(`distro_debian',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
 
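Review bot: inside the init_systemd block, systemd_relabelto_kmod_files(init_t), systemd_dbus_chat_logind(init_t) and udev_create_kobject_uevent_sockets(init_t) are called outside optional_policy, while the dbus and modutils calls right below them are wrapped. Either wrap these too or note that the systemd and udev modules are hard requirements of a systemd build. Some grants also look redundant as written: files_search_pids next to files_read_all_pids, and fs_read_cgroup_files next to fs_rw_cgroup_files.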
@@ -201,14 +318,6 @@ ifdef(`distro_redhat',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
 
-tunable_policy(`init_upstart',`
-	corecmd_shell_domtrans(init_t, initrc_t)
-',`
-	# Run the shell in the sysadm role for single-user mode.
-	# causes problems with upstart
-	sysadm_shell_domtrans(init_t)
-')
-
 optional_policy(`
 	auth_rw_login_records(init_t)
 ')
@@ -609,6 +718,57 @@ ifdef(`distro_suse',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
+	files_lock_filetrans(initrc_t, initrc_lock_t, file)
+
+	manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
+
+	manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+	manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+	manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+	files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
+
+	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+
+	manage_files_pattern(initrc_t, systemdunit, systemdunit)
+	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+
+	kernel_dgram_send(initrc_t)
+
+	# run systemd misc initializations
+	# in the initrc_t domain, as would be
+	# done in traditional sysvinit/upstart.
+	corecmd_bin_entry_type(initrc_t)
+	corecmd_shell_entry_type(initrc_t)
+	corecmd_bin_domtrans(init_t, initrc_t)
+	corecmd_shell_domtrans(init_t, initrc_t)
+
+	files_read_boot_files(initrc_t)
+	files_setattr_pid_dirs(initrc_t)
+
+	selinux_set_enforce_mode(initrc_t)
+
+	init_stream_connect(initrc_t)
+	init_manage_var_lib_files(initrc_t)
+	init_rw_stream_sockets(initrc_t)
+	init_get_all_units_status(initrc_t)
+	init_stop_all_units(initrc_t)
+
+	# Create /etc/audit.rules.prev after firstboot remediation
+	logging_manage_audit_config(initrc_t)
+
+	# lvm2-activation-generator checks file labels
+	seutil_read_file_contexts(initrc_t)
+
+	systemd_start_power_units(initrc_t)
+
+	optional_policy(`
+		# create /var/lock/lvm/
+		lvm_create_lock_dirs(initrc_t)
+	')
+')
+
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
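Review bot: selinux_set_enforce_mode(initrc_t) lets every script running in initrc_t switch the system between enforcing and permissive, and unlike the neighbouring rules it carries no comment saying which unit needs it. Please name the consumer or drop the rule; if only one helper needs it, a dedicated domain would keep the permission out of initrc_t. The same question applies to init_stop_all_units(initrc_t).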

diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 0e3c2a9..4305a86 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -24,6 +24,27 @@ interface(`locallogin_domtrans',`
 
 ########################################
 ## <summary>
+##	Allow calling domain to read locallogin state.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed permission.
+##	</summary>
+## </param>
+#
+interface(`locallogin_read_state',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	kernel_search_proc($1)
+	allow $1 local_login_t:file read_file_perms;
+	allow $1 local_login_t:lnk_file read_lnk_file_perms;
+	allow $1 local_login_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Allow processes to inherit local login file descriptors.
 ## </summary>
 ## <param name="domain">
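Review bot: locallogin_read_state spells out the file, lnk_file and dir rules on local_login_t by hand after kernel_search_proc($1). Consider refpolicy's ps_process_pattern($1, local_login_t) in place of the three allow lines, so the interface follows the shared definition of reading a process's /proc state. Also, "Domain allowed permission." should be "Domain allowed access." to match the other interfaces.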

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9fa0f5d..6a279f3 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -553,6 +553,25 @@ interface(`logging_send_syslog_msg',`
 
 ########################################
 ## <summary>
+##	Allow domain to relabelto devlog sock_files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabelto_devlog_sock_files',`
+	gen_require(`
+		type devlog_t;
+	')
+
+	allow $1 devlog_t:sock_file relabelto_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the auditd configuration files.
 ## </summary>
 ## <param name="domain">
@@ -631,6 +650,25 @@ interface(`logging_delete_devlog_socket',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete syslog PID sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_manage_pid_sockets',`
+	gen_require(`
+		type syslogd_var_run_t;
+	')
+
+	manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
 ##	Allows the domain to open a file in the
 ##	log directory, but does not allow the listing
 ##	of the contents of the log directory.

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 86b223c..6561474 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -105,6 +105,26 @@ interface(`lvm_manage_config',`
 	manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
 ')
 
+########################################
+## <summary>
+##	Create lvm_lock_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_create_lock_dirs',`
+	gen_require(`
+		type lvm_lock_t;
+	')
+
+	create_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
+	files_add_entry_lock_dirs($1)
+')
+
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.
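Review bot: lvm_create_lock_dirs allows creating lvm_lock_t directories inside lvm_lock_t directories and adding entries to lock directories, but it contains no type transition. The caller in init.te is commented "create /var/lock/lvm/", where the parent is the generic lock directory, so unless the creator sets the context explicitly the new directory would not be lvm_lock_t and these rules would not match. A files_lock_filetrans for the dir class, in the interface or at the call site, would close that gap.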

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 0000000..864979d
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,39 @@
+/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
+/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
+/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/bin/systemd-detect-virt	--	gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
+/bin/systemd-nspawn			--	gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
+/bin/systemd-run			--	gen_context(system_u:object_r:systemd_run_exec_t,s0)
+/bin/systemd-stdio-bridge	--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
+/bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/bin/systemd-tty-ask-password-agent		--			gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+/usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+/usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+/usr/lib/systemd/systemd-binfmt		--	gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
+/usr/lib/systemd/systemd-cgroups-agent	--	gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
+/usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-hostnamed	--	gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
+/usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_locale_exec_t,s0)
+/usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*halt.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*hibernate.* --	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*power.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*reboot.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*shutdown.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*sleep.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+
+/var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+
+/var/run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/var/run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+
+/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/tmpfiles\.d/kmod.conf	gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
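Review bot: the power_unit_t patterns such as "[^/]*power.*" and "[^/]*sleep.*" match any unit file whose name merely contains the word, so unrelated units can end up labelled power_unit_t and become startable through systemd_start_power_units. Anchoring the expressions on the actual unit names would keep the type narrow. On the last line, "kmod.conf" leaves its dot unescaped and the entry has no "--" file specifier, unlike the other file entries here.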

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..8bca3a3
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,195 @@
+## <summary>Systemd components (not PID 1)</summary>
+
+######################################
+## <summary>
+##   Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_logind_pids',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+##   Manage systemd_login PID pipes.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_manage_logind_pid_pipes',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+##   Use inherited systemd
+##   logind file descriptors.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_use_logind_fds',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+')
+
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd logind over dbus.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+	gen_require(`
+		type systemd_logind_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_logind_t:dbus send_msg;
+	allow systemd_logind_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##   Allow process to write to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_write_kmod_files',`
+	gen_require(`
+		type systemd_kmod_conf_t;
+	')
+
+	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
+')
+
+########################################
+## <summary>
+##   Allow process to relabel to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_relabelto_kmod_files',`
+	gen_require(`
+		type systemd_kmod_conf_t;
+	')
+
+	allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
+##   Read systemd homedir content
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_home_content',`
+	gen_require(`
+		type systemd_home_t;
+	')
+
+	optional_policy(`
+		gnome_search_gconf_data_dir($1)
+	')
+	read_files_pattern($1, systemd_home_t, systemd_home_t)
+	read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
+')
+
+########################################
+## <summary>
+##   Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_status_logind',`
+	gen_require(`
+		type systemd_logind_t;
+		class service status;
+	')
+
+	allow $1 systemd_logind_t:service status;
+')
+
+########################################
+## <summary>
+##   Send systemd_login a null signal.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_signull_logind',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow specified domain to start power units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_start_power_units',`
+	gen_require(`
+		type power_unit_t;
+		class service start;
+	')
+
+	allow $1 power_unit_t:service start;
+')
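Review bot: systemd_write_kmod_files passes var_run_t to write_files_pattern but its gen_require block declares only systemd_kmod_conf_t; add var_run_t to the require. systemd_read_home_content requires systemd_home_t, so please confirm the .te declares that type. The parameter text of systemd_start_power_units says "Domain to not audit." although the rule is an allow.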

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..597d4aa
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,264 @@
+policy_module(systemd, 1.0.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfiles_manage_all, false)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_analyze_t;
+type systemd_analyze_exec_t;
+init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_cgroups_t;
+type systemd_cgroups_exec_t;
+domain_type(systemd_cgroups_t)
+domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
+role system_r types systemd_cgroups_t;
+
+type systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_var_run_t)
+init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+
+type systemd_cgtop_t;
+type systemd_cgtop_exec_t;
+init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_detect_virt_t;
+type systemd_detect_virt_exec_t;
+init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
+type systemd_hostnamed_t;
+type systemd_hostnamed_exec_t;
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
+
+type systemd_locale_t;
+type systemd_locale_exec_t;
+init_system_domain(systemd_locale_t, systemd_locale_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+
+type systemd_logind_var_lib_t;
+files_type(systemd_logind_var_lib_t)
+
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_nspawn_t;
+type systemd_nspawn_exec_t;
+init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+
+type systemd_run_t;
+type systemd_run_exec_t;
+init_daemon_domain(systemd_run_t, systemd_run_exec_t)
+
+type systemd_stdio_bridge_t;
+type systemd_stdio_bridge_exec_t;
+init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_sessions_t;
+type systemd_sessions_exec_t;
+init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+type systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_var_run_t)
+init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+type systemd_kmod_conf_t;
+files_config_file(systemd_kmod_conf_t)
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+#
+# Unit file types
+#
+
+type power_unit_t;
+init_unit_file(power_unit_t)
+
+######################################
+#
+# Cgroups local policy
+#
+
+kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+
+init_stream_connect(systemd_cgroups_t)
+
+logging_send_syslog_msg(systemd_cgroups_t)
+
+kernel_dgram_send(systemd_cgroups_t)
+
+#######################################
+#
+# locale local policy
+#
+
+files_read_etc_files(systemd_locale_t)
+
+logging_send_syslog_msg(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+optional_policy(`
+	dbus_connect_system_bus(systemd_locale_t)
+	dbus_system_bus_client(systemd_locale_t)
+')
+
+#######################################
+#
+# Hostnamed policy
+#
+
+files_read_etc_files(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_hostnamed_t)
+	dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
+#########################################
+#
+# Logind local policy
+#
+
+allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
+
+allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+files_search_pids(systemd_logind_t)
+
+auth_manage_faillog(systemd_logind_t)
+
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_tmpfs(systemd_logind_t)
+
+storage_getattr_removable_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+init_get_all_units_status(systemd_logind_t)
+init_start_all_units(systemd_logind_t)
+init_stop_all_units(systemd_logind_t)
+init_service_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+# This is for reading /proc/1/cgroup
+init_read_state(systemd_logind_t)
+
+locallogin_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+systemd_start_power_units(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_read_pid_files(systemd_logind_t)
+
+userdom_use_user_ttys(systemd_logind_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_logind_t)
+	dbus_connect_system_bus(systemd_logind_t)
+')
+
+#########################################
+#
+# Sessions local policy
+#
+
+allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+
+logging_send_syslog_msg(systemd_sessions_t)
+
+#########################################
+#
+# Tmpfiles local policy
+#
+
+allow systemd_tmpfiles_t self:capability  { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:process { setfscreate getcap };
+
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+tunable_policy(`systemd_tmpfiles_manage_all',`
+	# systemd-tmpfiles can be configured to manage anything.
+	# have a last-resort option for users to do this.
+	files_manage_non_security_dirs(systemd_tmpfiles_t)
+	files_manage_non_security_files(systemd_tmpfiles_t)
+	files_relabel_non_security_dirs(systemd_tmpfiles_t)
+	files_relabel_non_security_files(systemd_tmpfiles_t)
+')
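Review bot: In the Tmpfiles local policy section, dev_manage_all_dev_nodes(systemd_tmpfiles_t), the mknod and dac_override capabilities and the files_relabel_all_*_dirs() calls are granted unconditionally, while only the non-security file access is gated behind systemd_tmpfiles_manage_all. With the tunable off the domain can still manage every device node, so please add a comment naming what requires that, or use a narrower device interface. Two smaller points: init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t) appears before systemd_logind_var_run_t is declared, and a dozen of the domains declared at the top (systemd_activate_t, systemd_analyze_t, systemd_nspawn_t and others) get no local policy section in this file; a comment saying that is intentional would help.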

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 06175a7..d4c92cc 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -92,6 +92,25 @@ interface(`udev_read_state',`
 	allow $1 udev_t:lnk_file read_lnk_file_perms;
 ')
 
+
+########################################
+## <summary>
+##	Allow domain to create uevent sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_sockets',`
+	gen_require(`
+		type udev_t;
+	')
+
+	allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to inherit a
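Review bot: The rule in udev_create_kobject_uevent_sockets targets udev_t (allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;), so the caller is allowed to create sockets labeled udev_t rather than its own, yet the summary only says "Allow domain to create uevent sockets." Please state in the summary that the sockets carry the udev_t label and why a caller would need that; if the caller's own socket is meant, a self rule in the caller is enough, as systemd_logind_t does in systemd.te. The hunk also adds a second blank line before the comment header.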



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
  2017-01-01 16:36 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/ Jason Zaman
@ 2017-01-01 16:37 ` Jason Zaman
From: Jason Zaman @ 2017-01-01 16:37 UTC
  To: gentoo-commits

commit:     1cd6b4275bef63da2c4c37ad68574230fad38a3f
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Dec 23 01:15:14 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1cd6b427

modutils: update to run in confined mode

Update the modutils module so that it can run in confined
mode instead of unconfined mode.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/kernel/files.if    |  1 +
 policy/modules/system/modutils.te | 10 ++--------
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 82901bc..3fc0487 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4102,6 +4102,7 @@ interface(`files_manage_kernel_modules',`
 		type modules_object_t;
 	')
 
+	allow $1 modules_object_t:dir rw_dir_perms;
 	manage_files_pattern($1, modules_object_t, modules_object_t)
 ')
 
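Review bot: The added allow $1 modules_object_t:dir rw_dir_perms; sits in the shared files_manage_kernel_modules interface, so every caller gains directory write access, not only kmod_t, and nothing in the hunk says why it is needed. Please check whether manage_files_pattern($1, modules_object_t, modules_object_t) on the next line already covers the directory permissions; if it does, drop the new line, and if it does not, add a comment naming the operation that was denied.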

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 2448f06..1a138a8 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,8 +89,8 @@ files_read_usr_files(kmod_t)
 files_exec_etc_files(kmod_t)
 # for nscd:
 files_dontaudit_search_pids(kmod_t)
-# for locking: (cjp: ????)
-files_write_kernel_modules(kmod_t)
+# to manage modules.dep
+files_manage_kernel_modules(kmod_t)
 
 fs_getattr_xattr_fs(kmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
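Review bot: Replacing files_write_kernel_modules(kmod_t) with files_manage_kernel_modules(kmod_t) moves kmod_t from write access to full management of everything labeled modules_object_t, while the new comment only names modules.dep. If the generated index is the only file that has to be created or replaced, a dedicated type for it would keep the module objects themselves out of reach; at minimum, extend the comment to say which operation on modules.dep was denied with the write-only interface.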
@@ -166,12 +166,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain(kmod_t)
-	unconfined_dontaudit_rw_pipes(kmod_t)
-	unconfined_domtrans_to(kmod_t, kmod_exec_t)
-')
-
-optional_policy(`
 	# cjp: why is this needed:
 	dev_rw_xserver_misc(kmod_t)
 
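Review bot: Removing the whole optional_policy block drops unconfined_domtrans_to(kmod_t, kmod_exec_t) and unconfined_dontaudit_rw_pipes(kmod_t) together with unconfined_domain(kmod_t), but the commit message only accounts for the last of the three. Please confirm the other two are meant to go as well: if the transition into kmod_t is not granted elsewhere, the confined policy would not apply to those callers. The remaining "# cjp: why is this needed:" grant just below is also worth re-checking now that the domain is confined.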



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
@ 2017-02-25 16:58 Jason Zaman
From: Jason Zaman @ 2017-02-25 16:58 UTC
  To: gentoo-commits

commit:     4b4fbc24ce430965cce854d871cefa9666be2569
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 14:35:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b4fbc24

systemd: Further revisions from Russell Coker.

 policy/modules/kernel/devices.if    |  18 +++
 policy/modules/kernel/devices.te    |   2 +-
 policy/modules/kernel/filesystem.if |  20 ++++
 policy/modules/kernel/filesystem.te |   2 +-
 policy/modules/system/init.if       |  18 +++
 policy/modules/system/init.te       |   2 +-
 policy/modules/system/lvm.if        |  18 +++
 policy/modules/system/lvm.te        |   2 +-
 policy/modules/system/systemd.te    | 221 +++++++++++++++++++++++++++++++-----
 9 files changed, 270 insertions(+), 33 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b51a25ac..7e09e6f2 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -880,6 +880,24 @@ interface(`dev_relabel_generic_symlinks',`
 
 ########################################
 ## <summary>
+##     write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Create, delete, read, and write device nodes in device directories.
 ## </summary>
 ## <param name="domain">
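Review bot: The parameter description of dev_write_generic_sock_files reads "Domain to not audit." although the interface grants access through write_sock_files_pattern($1, device_t, device_t); it should read "Domain allowed access." The summary should also start with a capital letter ("Write generic sock files in /dev."), and the ## lines should use a tab after ## like the neighbouring interface documentation rather than spaces.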

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 470f0f00..571abc30 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.3)
+policy_module(devices, 1.20.4)
 
 ########################################
 #

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bd6084b3..9069b0c2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##     Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	getattr_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Read cgroup files.
 ## </summary>
 ## <param name="domain">
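Review bot: fs_getattr_cgroup_files also calls fs_search_tmpfs($1) and dev_search_sysfs($1), which the summary "Get attributes of cgroup files." does not mention. Please either extend the summary or add a one-line comment above the two calls explaining that they cover the path down to the cgroup mount. The documentation lines are indented with spaces, unlike the following "Read cgroup files." block, which uses a tab.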

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index be04ea8c..23705cd3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.2)
+policy_module(filesystem, 1.22.3)
 
 ########################################
 #

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8d65e648..6de0a2d7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1068,6 +1068,24 @@ interface(`init_dbus_chat',`
 
 ########################################
 ## <summary>
+##      List /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_list_var_lib_dirs',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Manage files in /var/lib/systemd/.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 54ca2ceb..c9c1eb6b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.6)
+policy_module(init, 2.2.7)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 88fa9442..49cee54d 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -65,6 +65,24 @@ interface(`lvm_run',`
 
 ########################################
 ## <summary>
+##      Send lvm a null signal.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`lvm_signull',`
+	gen_require(`
+		type lvm_t;
+	')
+
+	allow $1 lvm_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Read LVM configuration files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f8fed91d..e6984249 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.3)
+policy_module(lvm, 1.19.4)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 40719e93..6c8caa8d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.7)
+policy_module(systemd, 1.3.8)
 
 #########################################
 #
@@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
 
 ######################################
 #
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
-######################################
-#
 # Backlight local policy
 #
 
@@ -226,23 +208,43 @@ init_stream_connect(systemd_cgroups_t)
 
 systemd_log_parse_environment(systemd_cgroups_t)
 
-#######################################
+######################################
 #
-# locale local policy
+# coredump local policy
 #
 
-kernel_read_kernel_sysctls(systemd_locale_t)
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
 
-files_read_etc_files(systemd_locale_t)
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 
-seutil_read_file_contexts(systemd_locale_t)
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
 
-systemd_log_parse_environment(systemd_locale_t)
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+
+dev_write_kmsg(systemd_coredump_t)
+
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+
+fs_getattr_xattr_fs(systemd_coredump_t)
+
+selinux_getattr_fs(systemd_coredump_t)
+
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pids(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+
+logging_send_syslog_msg(systemd_coredump_t)
+
+seutil_search_default_contexts(systemd_coredump_t)
 
-optional_policy(`
-	dbus_connect_system_bus(systemd_locale_t)
-	dbus_system_bus_client(systemd_locale_t)
-')
 
 #######################################
 #
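Review bot: In the new coredump section, systemd_coredump_t receives capability { setgid setuid setpcap } plus corecmd_exec_bin() and corecmd_read_all_executables() with no comment explaining why a core dump handler has to change identity, execute binaries or read every executable. Please add a short comment per grant so they can be revisited. The section also uses systemd_coredump_var_lib_t, whose declaration does not appear in the hunks shown (confirm it already exists in the file), and it ends with two consecutive blank lines.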
@@ -262,6 +264,42 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 
+#######################################
+#
+# locale local policy
+#
+
+kernel_read_kernel_sysctls(systemd_locale_t)
+
+files_read_etc_files(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+systemd_log_parse_environment(systemd_locale_t)
+
+optional_policy(`
+	dbus_connect_system_bus(systemd_locale_t)
+	dbus_system_bus_client(systemd_locale_t)
+')
+
+######################################
+#
+# systemd log parse enviroment
+#
+
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
 #########################################
 #
 # Logind local policy
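Review bot: The relocated section header still reads "# systemd log parse enviroment"; since the block is being moved anyway, fix the spelling to "environment" in the new location. The dontaudit comment above net_admin is also a single very long line and could be wrapped.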
@@ -325,6 +363,71 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+
+init_read_script_state(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+
+logging_send_syslog_msg(systemd_machined_t)
+
+seutil_search_default_contexts(systemd_machined_t)
+
+optional_policy(`
+	init_dbus_chat(systemd_machined_t)
+	init_dbus_send_script(systemd_machined_t)
+
+	dbus_connect_system_bus(systemd_machined_t)
+	dbus_system_bus_client(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+init_rw_stream_sockets(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
+
 ########################################
 #
 # Nspawn local policy
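Review bot: allow systemd_machined_t self:capability sys_ptrace; is added without a comment, and combined with init_start_system() and init_stop_system() it makes systemd_machined_t a powerful domain; please state what needs sys_ptrace. In the systemd_notify section the first allow rule follows the header's closing "#" directly, without the blank line the other sections have, and neither systemd_notify_t nor systemd_machined_var_run_t is declared in the hunks shown, so confirm both already exist in the file.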
@@ -332,6 +435,66 @@ optional_policy(`
 
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
 
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+logging_send_syslog_msg(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+	getty_use_fds(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+	lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+	plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
 
 #########################################
 #
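Review bot: manage_sock_files_pattern() is granted on systemd_passwd_var_run_t, but init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file }) leaves sock_file out of the class list, so a socket created directly in the parent directory would not receive the systemd_passwd_var_run_t label. Either add sock_file to the list or add a comment that sockets are only created inside the already labeled directory. The four manage_*_pattern() calls also end in a semicolon, which the other macro calls in this file do not; drop them.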



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
From: Jason Zaman @ 2017-09-10 14:03 UTC
  To: gentoo-commits

commit:     df80c8bf3a5c5e581370d75bf6ea5154a8b02b0b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:00:36 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:00:36 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df80c8bf

Allow sysadm to map all non auth files

 policy/modules/kernel/files.if      | 20 ++++++++++++++++++++
 policy/modules/system/userdomain.if |  1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f2b76f86..35dcfe7b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1474,6 +1474,26 @@ interface(`files_manage_non_auth_files',`
 
 ########################################
 ## <summary>
+##	Mmap non-authentication related
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_map_non_auth_files',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	allow $1 non_auth_file_type:file map;
+')
+
+########################################
+## <summary>
 ##	Relabel all non-authentication related
 ##	files.
 ## </summary>

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 84e9c57e..16789a3c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1256,6 +1256,7 @@ template(`userdom_admin_user_template',`
 	auth_getattr_shadow($1_t)
 	# Manage almost all files
 	files_manage_non_auth_files($1_t)
+	files_map_non_auth_files($1_t)
 	# Relabel almost all files
 	files_relabel_non_auth_files($1_t)
 
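Review bot: The subject says sysadm, but files_map_non_auth_files($1_t) is added to userdom_admin_user_template, so every role built from that template gets map on all non-authentication files. If that is intended, say so in the commit message; the call would also benefit from its own comment, since it currently sits under "# Manage almost all files" while the neighbouring calls each have a matching one.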


