From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
Date: Wed, 2 Dec 2015 15:45:23 +0000 (UTC)
Message-ID: <1445832616.cc84af253feefbacb7155575e1126a7abf0227ca.swift@gentoo>
commit: cc84af253feefbacb7155575e1126a7abf0227ca
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:33 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc84af25
Add systemd unit types.
Primarily contributed by the Tresys CLIP team.
policy/modules/contrib/alsa.fc | 5 +++++
policy/modules/contrib/alsa.te | 3 +++
policy/modules/contrib/bluetooth.fc | 3 +++
policy/modules/contrib/bluetooth.te | 3 +++
policy/modules/contrib/chronyd.fc | 5 +++++
policy/modules/contrib/chronyd.te | 3 +++
policy/modules/contrib/dbus.fc | 3 +++
policy/modules/contrib/dbus.te | 3 +++
policy/modules/contrib/dnsmasq.fc | 3 +++
policy/modules/contrib/dnsmasq.te | 3 +++
policy/modules/contrib/kdump.te | 3 +++
policy/modules/contrib/lircd.fc | 3 +++
policy/modules/contrib/lircd.te | 3 +++
policy/modules/contrib/logrotate.fc | 3 +++
policy/modules/contrib/logrotate.te | 3 +++
policy/modules/contrib/mandb.fc | 3 +++
policy/modules/contrib/mandb.te | 3 +++
policy/modules/contrib/networkmanager.fc | 4 ++++
policy/modules/contrib/networkmanager.te | 3 +++
policy/modules/contrib/ntp.fc | 3 +++
policy/modules/contrib/ntp.te | 3 +++
policy/modules/contrib/pcscd.fc | 3 +++
policy/modules/contrib/pcscd.te | 3 +++
policy/modules/contrib/plymouthd.fc | 3 +++
policy/modules/contrib/plymouthd.te | 3 +++
policy/modules/contrib/policykit.fc | 3 +++
policy/modules/contrib/policykit.te | 3 +++
policy/modules/contrib/qemu.fc | 2 ++
policy/modules/contrib/qemu.te | 3 +++
policy/modules/contrib/raid.fc | 4 ++++
policy/modules/contrib/raid.te | 3 +++
policy/modules/contrib/rpm.fc | 4 ++++
policy/modules/contrib/rpm.te | 3 +++
policy/modules/contrib/rtkit.fc | 3 +++
policy/modules/contrib/rtkit.te | 3 +++
policy/modules/contrib/shutdown.if | 18 ++++++++++++++++++
policy/modules/contrib/tcsd.fc | 3 +++
policy/modules/contrib/tcsd.te | 3 +++
38 files changed, 135 insertions(+)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 6c3c0ba..a8c8a64 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -14,6 +14,11 @@ ifdef(`distro_debian',`
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
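Review bot: the three added entries only cover `/usr/lib/systemd/system/`, so a unit installed or overridden in another directory (for example `/etc/systemd/system/`) gets no `alsa_unit_t` label from this hunk; if that is intended, a short comment saying so would help. The leading `[^/]*` and trailing `.*` also match any file name that merely contains `alsa-restore`, `alsa-state` or `alsa-store`; escaping the dot before the suffix, as in `alsa-restore\..*`, would keep the match to the intended units.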
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 46d12e8..24d5287 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -21,6 +21,9 @@ files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
+type alsa_unit_t;
+init_unit_file(alsa_unit_t)
+
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
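Review bot: `alsa_unit_t` is declared in the two added lines without any interface that exposes it; the diffstat touches no `.if` file except `shutdown.if`, so other modules have no interface through which to reference the new unit types. If per-service control of these units by admin or init domains is the goal, the matching interfaces should follow, and the commit message should say whether that is planned. The same applies to the other `.te` hunks in this commit, which repeat this pattern.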
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index a28101f..bcce998 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -10,6 +10,9 @@
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
+
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 08f3c20..d69c283 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -43,6 +43,9 @@ files_lock_file(bluetooth_lock_t)
type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t)
+type bluetooth_unit_t;
+init_unit_file(bluetooth_unit_t)
+
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index fd5fbbb..a4a42ea 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,6 +2,11 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+# Systend unit files
+/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
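Review bot: the added comment reads `# Systend unit files`; it should be `# Systemd unit files` to match the other modules. The hunk also adds two consecutive blank lines after the `chronyd` entry where the other .fc hunks add one.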
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 7a16731..3167bae 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_t;
+init_unit_file(chronyd_unit_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index dda905b..309a462 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -10,6 +10,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0)
+
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
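Review bot: `[^/]*dbus.*` in the added entry matches every regular file in `/usr/lib/systemd/system/` whose name contains `dbus`, including units shipped by other packages, and labels all of them `dbusd_unit_t`. Consider tightening it to the daemon's own units, for example `dbus\.(service|socket)`, or documenting why the wide match is wanted.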
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6f2b890..e79a81a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -22,6 +22,9 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
+type dbusd_unit_t;
+init_unit_file(dbusd_unit_t)
+
type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index 8ca133c..89edbaa 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 15b29cb..c71ace8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -18,6 +18,9 @@ files_config_file(dnsmasq_etc_t)
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
+type dnsmasq_unit_t;
+init_unit_file(dnsmasq_unit_t)
+
type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 7c4e3f1..57e24e6 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_t;
+init_unit_file(kdump_unit_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
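Review bot: `kdump_unit_t` is declared here, but the diffstat lists no `kdump.fc` change, so nothing in this commit assigns the type to a file. Add a matching file-context entry as the other modules do, or hold the type back until one exists.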
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index c7a726a..76e497e 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,9 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
+
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
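Review bot: the added pattern matches `lircd`, while the init script in the context line above is `/etc/rc\.d/init\.d/lirc`; a unit file named after the script, without the trailing `d`, would not match `[^/]*lircd.*`. Worth confirming the shipped unit name, or making the `d` optional as in `[^/]*lircd?\..*`.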
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 0064b06..26690f2 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -15,6 +15,9 @@ init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
files_type(lircd_etc_t)
+type lircd_unit_t;
+init_unit_file(lircd_unit_t)
+
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index 207ec10..ad21596 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,9 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
+
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 311defd..33f534b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -25,6 +25,9 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
+type logrotate_unit_t;
+init_unit_file(logrotate_unit_t)
+
mta_base_mail_template(logrotate)
role system_r types logrotate_mail_t;
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 8ae78b5..9f2825e 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1 +1,4 @@
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index e29882f..46860dd 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -13,6 +13,9 @@ type mandb_exec_t;
application_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_unit_t;
+init_unit_file(mandb_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 5ffd285..c192c7f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -17,6 +17,10 @@
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
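Review bot: the second added entry labels `wpa_supplicant` units as `NetworkManager_unit_t`, so any access granted on NetworkManager unit files also applies to wpa_supplicant's. That mirrors `/sbin/wpa_supplicant` carrying `NetworkManager_exec_t` in the context line below, but a one-line comment stating that the sharing is deliberate would save the next reader the check.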
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 427dfe4..a977b9a 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -24,6 +24,9 @@ logging_log_file(NetworkManager_log_t)
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
+type NetworkManager_unit_t;
+init_unit_file(NetworkManager_unit_t)
+
type NetworkManager_var_lib_t;
files_type(NetworkManager_var_lib_t)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c74d996..c01eb54 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -11,6 +11,9 @@
/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
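Review bot: the comment says `# Systemd unit file`, but the entry labels everything under `/usr/lib/systemd/ntp-units\.d/` and nothing under `/usr/lib/systemd/system/`, unlike every other .fc hunk in this commit. If the ntpd unit itself should carry `ntpd_unit_t`, an entry for it is missing; if the `ntp-units.d` content is the real target, the comment should say so.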
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 7600674..1f24dab 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -33,6 +33,9 @@ files_tmp_file(ntpd_tmp_t)
type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)
+type ntpd_unit_t;
+init_unit_file(ntpd_unit_t)
+
type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 58363c7..5d1beba 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -2,6 +2,9 @@
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
+
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index bf5066f..f863ba2 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -12,6 +12,9 @@ init_daemon_domain(pcscd_t, pcscd_exec_t)
type pcscd_initrc_exec_t;
init_script_file(pcscd_initrc_exec_t)
+type pcscd_unit_t;
+init_unit_file(pcscd_unit_t)
+
type pcscd_var_run_t;
files_pid_file(pcscd_var_run_t)
init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 735500f..2d9b956 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -4,6 +4,9 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
+
/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 3078ce9..8dadb33 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -17,6 +17,9 @@ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
files_type(plymouthd_spool_t)
+type plymouthd_unit_t;
+init_unit_file(plymouthd_unit_t)
+
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 1d76c72..774c12b 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -8,6 +8,9 @@
/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0)
+
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee91778..108007e 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -34,6 +34,9 @@ files_type(policykit_reload_t)
type policykit_tmp_t;
files_tmp_file(policykit_tmp_t)
+type policykit_unit_t;
+init_unit_file(policykit_unit_t)
+
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index f1304fb..cfb18ec 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -3,6 +3,8 @@
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
+
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
ifdef(`distro_gentoo',`
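Review bot: the `qemu-guest-agent` entry is added without the `# Systemd unit file` comment that the other .fc hunks in this commit place above their unit entries; add it for consistency.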
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 136f6f3..a17ed0c 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -22,6 +22,9 @@ application_executable_file(qemu_exec_t)
virt_domain_template(qemu)
role qemu_roles types qemu_t;
+type qemu_unit_t;
+init_unit_file(qemu_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index 5806046..2ea0889 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -11,6 +11,10 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+
/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index dfe62e3..b6aea09 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_unit_t;
+init_unit_file(mdadm_unit_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index ebe91fc..1ebd4a1 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -13,6 +13,10 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
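Review bot: the comment `# Systemd unit file` is singular but introduces two entries (`dnf-makecache` and `yum-makecache`); the alsa, networkmanager and raid hunks use `# Systemd unit files` for the multi-entry case.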
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index de5c91f..5cac092 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -37,6 +37,9 @@ files_lock_file(rpm_lock_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
+type rpm_unit_t;
+init_unit_file(rpm_unit_t)
+
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
index 75bbf38..a3021da 100644
--- a/policy/modules/contrib/rtkit.fc
+++ b/policy/modules/contrib/rtkit.fc
@@ -3,3 +3,6 @@
/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 906ebb5..1aa52c4 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -12,6 +12,9 @@ init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
type rtkit_daemon_initrc_exec_t;
init_script_file(rtkit_daemon_initrc_exec_t)
+type rtkit_daemon_unit_t;
+init_unit_file(rtkit_daemon_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
index d1706bf..819d19b 100644
--- a/policy/modules/contrib/shutdown.if
+++ b/policy/modules/contrib/shutdown.if
@@ -91,6 +91,24 @@ interface(`shutdown_signal',`
########################################
## <summary>
+## Send SIGCHLD signals to shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow $1 shutdown_t:process sigchld;
+')
+
+########################################
+## <summary>
## Get attributes of shutdown executable files.
## </summary>
## <param name="domain">
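Review bot: the new `shutdown_sigchld` interface is not covered by the subject line "Add systemd unit types" and has no caller among the files in this commit, so its need cannot be judged from this patch. Mention it in the commit message, or move it to the commit that adds the caller. The body itself is minimal: a `gen_require` on `shutdown_t` and a single `allow $1 shutdown_t:process sigchld;`.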
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index c2c2636..0e086e7 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
+
/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 272c114..439cf27 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -12,6 +12,9 @@ init_daemon_domain(tcsd_t, tcsd_exec_t)
type tcsd_initrc_exec_t;
init_script_file(tcsd_initrc_exec_t)
+type tcsd_unit_t;
+init_unit_file(tcsd_unit_t)
+
type tcsd_var_lib_t;
files_type(tcsd_var_lib_t)