* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/kernel/
@ 2015-10-26  5:48 Jason Zaman
From: Jason Zaman @ 2015-10-26  5:48 UTC (permalink / raw
  To: gentoo-commits

commit:     eaa1a1b1454ce8ae38f2d84774b3047e9203efd9
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 18:33:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:54:24 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1

Add systemd units for core refpolicy services.

Only for services that already have a named init script.

Add rules to init_startstop_service(), with a conditional arg until
all refpolicy-contrib callers are updated.

 policy/modules/kernel/files.if        | 18 ++++++++++++++++++
 policy/modules/services/postgresql.if |  4 ++--
 policy/modules/services/postgresql.te |  3 +++
 policy/modules/system/init.if         | 17 +++++++++++++++++
 policy/modules/system/init.te         |  3 +++
 policy/modules/system/ipsec.if        |  3 ++-
 policy/modules/system/ipsec.te        |  3 +++
 policy/modules/system/iptables.fc     |  5 +++++
 policy/modules/system/iptables.if     |  4 ++--
 policy/modules/system/iptables.te     |  3 +++
 policy/modules/system/logging.fc      |  2 ++
 policy/modules/system/logging.if      |  8 ++++----
 policy/modules/system/logging.te      |  6 ++++++
 policy/modules/system/lvm.fc          |  6 ++++++
 policy/modules/system/lvm.if          |  4 ++--
 policy/modules/system/lvm.te          |  3 +++
 policy/modules/system/setrans.if      |  4 ++--
 policy/modules/system/setrans.te      |  3 +++
 18 files changed, 86 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe..20acc0e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
 	exec_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+##	Get etc_t service status.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_get_etc_unit_status',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service status;
+')
+
 #######################################
 ## <summary>
 ##	Relabel from and to generic files in /etc.
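Review bot: The new `files_get_etc_unit_status` interface requires only `type etc_t;` yet its `allow $1 etc_t:service status;` rule depends on the `service` class and the `status` permission, while the `init_startstop_service` hunk in init.if in this same commit explicitly requires `class service { start stop };` before its service rule. For consistency, and so the interface states the class it depends on, add `class service status;` to the `gen_require` block. Whether the build actually fails without it depends on the global class declarations, which are not in this diff.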

diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 11526b6..32e5d06 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
 		type postgresql_t, postgresql_var_run_t;
 		type postgresql_tmp_t, postgresql_db_t;
 		type postgresql_etc_t, postgresql_log_t;
-		type postgresql_initrc_exec_t;
+		type postgresql_initrc_exec_t, postgresql_unit_t;
 	')
 
 	typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
 	allow $1 postgresql_t:process { ptrace signal_perms };
 	ps_process_pattern($1, postgresql_t)
 
-	init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+	init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
 
 	admin_pattern($1, postgresql_var_run_t)
 

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b4ba0f1..6844c35 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508f..cfe4bd4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
 ##	Labeled init script file.
 ##	</summary>
 ## </param>
+## <param name="unit" optional="true">
+##	<summary>
+##	Systemd unit file type.
+##	</summary>
+## </param>
 #
 interface(`init_startstop_service',`
 	gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
 			role_transition $2 $4 system_r;
 			allow $2 system_r;
 		')
+
+		ifdef(`init_systemd',`
+			# This ifelse condition is temporary, until
+			# all callers are updated to provide unit files.
+			ifelse(`$5',`',`',`
+				gen_require(`
+					class service { start stop };
+				')
+
+				allow $1 $5:service { start stop };
+			')
+		')
 	')
 ')
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895..79400f2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@ ifdef(`init_systemd',`
 	corecmd_shell_domtrans(init_t, initrc_t)
 
 	files_read_boot_files(initrc_t)
+	# Allow initrc_t to check /etc/fstab "service." It appears that
+	# systemd is conflating files and services.
+	files_get_etc_unit_status(initrc_t)
 	files_setattr_pid_dirs(initrc_t)
 
 	selinux_set_enforce_mode(initrc_t)

diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 3d64054..eec93e6 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -393,12 +393,13 @@ interface(`ipsec_admin',`
 		type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
 		type ipsec_var_run_t, ipsec_mgmt_lock_t;
 		type ipsec_mgmt_var_run_t, racoon_tmp_t;
+		type ipsec_unit_t;
 	')
 
 	allow $1 ipsec_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ipsec_t)
 
-	init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+	init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
 
 	ipsec_exec_mgmt($1)
 	ipsec_stream_connect($1)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3dd5c8b..f08fd01 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
 type ipsec_tmp_t;
 files_tmp_file(ipsec_tmp_t)
 
+type ipsec_unit_t;
+init_unit_file(ipsec_unit_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 73a1c4e..b3eda3e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -14,6 +14,11 @@
 /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.*	 -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.*	-- gen_context(system_u:object_r:iptables_unit_t,s0)
+
 /usr/sbin/conntrack		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)
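Review bot: Each of the four new unit entries is prefixed with `[^/]*`, so `/usr/lib/systemd/system/[^/]*iptables.*` labels any unit whose basename merely contains `iptables` anywhere, not just a unit named `iptables`; the lvm.fc hunk in this commit anchors its unit names directly (`/usr/lib/systemd/system/dm-event.*`). If the prefix is there to catch vendor-prefixed unit names, a comment above the block saying so would help, e.g. `# leading [^/]* matches distro-prefixed unit names`; otherwise drop the prefix to match the other .fc hunks. The alignment before `--` also mixes tabs and spaces across these four lines, unlike the tab-aligned entries around them.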

diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 26ce647..5d2b406 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -185,13 +185,13 @@ interface(`iptables_manage_config',`
 interface(`iptables_admin',`
 	gen_require(`
 		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
-		type iptables_tmp_t, iptables_var_run_t;
+		type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
 	')
 
 	allow $1 iptables_t:process { ptrace signal_perms };
 	ps_process_pattern($1, iptables_t)
 
-	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
 
 	files_list_etc($1)
 	admin_pattern($1, iptables_conf_t)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 8840633..aa999fb 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -22,6 +22,9 @@ files_config_file(iptables_conf_t)
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
+type iptables_unit_t;
+init_unit_file(iptables_unit_t)
+
 type iptables_var_run_t;
 files_pid_file(iptables_var_run_t)
 

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index fb319d4..e504aec 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,8 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6a279f3..9ededbf 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1043,7 +1043,7 @@ interface(`logging_admin_audit',`
 	gen_require(`
 		type auditd_t, auditd_etc_t, auditd_log_t;
 		type auditd_var_run_t;
-		type auditd_initrc_exec_t;
+		type auditd_initrc_exec_t, auditd_unit_t;
 	')
 
 	allow $1 auditd_t:process { ptrace signal_perms };
@@ -1060,7 +1060,7 @@ interface(`logging_admin_audit',`
 
 	logging_run_auditctl($1, $2)
 
-	init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
+	init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
 ')
 
 ########################################
@@ -1086,7 +1086,7 @@ interface(`logging_admin_syslog',`
 		type syslogd_tmp_t, syslogd_var_lib_t;
 		type syslogd_var_run_t, klogd_var_run_t;
 		type klogd_tmp_t, var_log_t;
-		type syslogd_initrc_exec_t;
+		type syslogd_initrc_exec_t, syslogd_unit_t;
 	')
 
 	allow $1 syslogd_t:process { ptrace signal_perms };
@@ -1115,7 +1115,7 @@ interface(`logging_admin_syslog',`
 
 	logging_manage_all_logs($1)
 
-	init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
+	init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
 ')
 
 ########################################

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6f7335e..fd941ab 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t)
 type auditd_initrc_exec_t;
 init_script_file(auditd_initrc_exec_t)
 
+type auditd_unit_t;
+init_unit_file(auditd_unit_t);
+
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
 
@@ -71,6 +74,9 @@ init_script_file(syslogd_initrc_exec_t)
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)
 
+type syslogd_unit_t;
+init_unit_file(syslogd_unit_t)
+
 type syslogd_var_lib_t;
 files_type(syslogd_var_lib_t)
 

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index ea5ba34..83782b0 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -94,6 +94,12 @@ ifdef(`distro_gentoo',`
 #
 # /usr
 #
+
+/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-.*	-- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+
 /usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
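Review bot: The added entry `/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)` is fully covered by the preceding `/usr/lib/systemd/system/lvm2-.*` entry, which matches every unit name beginning with `lvm2-` and assigns the same context. The more specific line is redundant; either drop it or narrow the `lvm2-.*` pattern if only certain lvm2 units are meant to be labelled `lvm_unit_t`. The `lvm2-.*` line also uses a tab before `--` while its neighbours use a space, a minor alignment inconsistency.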
 

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 6561474..5774034 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -162,7 +162,7 @@ interface(`lvm_domtrans_clvmd',`
 #
 interface(`lvm_admin',`
 	gen_require(`
-		type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+		type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t;
 		type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
 		type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
 	')
@@ -170,7 +170,7 @@ interface(`lvm_admin',`
 	allow $1 clvmd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, clvmd_t)
 
-	init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+	init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
 
 	files_search_etc($1)
 	admin_pattern($1, lvm_etc_t)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f0bea03..61bd92b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -32,6 +32,9 @@ files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
 
+type lvm_unit_t;
+init_unit_file(lvm_unit_t)
+
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
 

diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 2a8ecaa..9478dd9 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
 interface(`setrans_admin',`
 	gen_require(`
 		type setrans_t, setrans_initrc_exec_t;
-		type setrans_var_run_t;
+		type setrans_var_run_t, setrans_unit_t;
 	')
 
 	allow $1 setrans_t:process { ptrace signal_perms };
 	ps_process_pattern($1, setrans_t)
 
-	init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+	init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
 
 	files_search_pids($1)
 	admin_pattern($1, setrans_var_run_t)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2df8b53..e4d4500 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
 type setrans_initrc_exec_t;
 init_script_file(setrans_initrc_exec_t)
 
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
 type setrans_var_run_t;
 files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/kernel/
@ 2017-12-14  5:15 Jason Zaman
From: Jason Zaman @ 2017-12-14  5:15 UTC (permalink / raw
  To: gentoo-commits

commit:     398ce42470bed2460950fb6421724912bf8477d6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 01:25:32 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=398ce424

mls, xserver, systemd, userdomain: Module version bump.

 policy/modules/kernel/mls.te        | 2 +-
 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/systemd.te    | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 7c50e75c..4bd4f43e 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,4 +1,4 @@
-policy_module(mls, 1.9.1)
+policy_module(mls, 1.9.2)
 
 ########################################
 #

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6564c7f4..7a8a2f7a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.7)
+policy_module(xserver, 3.14.8)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f64059b1..eddd6153 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.7)
+policy_module(systemd, 1.4.8)
 
 #########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index a130215b..a3a1802e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.8)
+policy_module(userdomain, 4.14.9)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/kernel/
@ 2021-01-11  1:27 Jason Zaman
From: Jason Zaman @ 2021-01-11  1:27 UTC (permalink / raw
  To: gentoo-commits

commit:     9d887abe60eb3475a1c9dbd5714a60792a332b7f
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec  8 20:13:57 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9d887abe

kernel, modutils, userdomain, xserver: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/kernel.te     | 2 +-
 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/modutils.te   | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d70f625b..8a7c39df 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.28.1)
+policy_module(kernel, 1.28.2)
 
 ########################################
 #

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f1dcad7d..b380e583 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.20.2)
+policy_module(xserver, 3.20.3)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a7f8e42c..f9055917 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.23.1)
+policy_module(modutils, 1.23.2)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 91af760b..6567735a 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.20.3)
+policy_module(userdomain, 4.20.4)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/kernel/
@ 2022-12-13 20:55 Kenton Groombridge
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     a4fcd5fedd29565480dc2eb87353cde42901eb4d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 16:14:47 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4fcd5fe

various: fixes for libvirtd and systemd-machined

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/devices.if     | 18 ++++++++++++++++++
 policy/modules/services/dbus.te      |  1 +
 policy/modules/services/policykit.te |  2 ++
 policy/modules/services/virt.te      | 15 ++++++++++++++-
 policy/modules/system/systemd.if     | 18 ++++++++++++++++++
 policy/modules/system/systemd.te     |  6 ++++++
 6 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7b5a8679f..fb5872878 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
 	create_chr_files_pattern($1, device_t, urandom_device_t)
 ')
 
+########################################
+## <summary>
+##  Set attributes on the urandom device (/dev/urandom).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_urand_dev',`
+	gen_require(`
+		type device_t, urandom_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Getattr generic the USB devices.
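Review bot: The summary line `##  Set attributes on the urandom device (/dev/urandom).` is indented with two spaces, whereas the surrounding interface summaries (see `##	Getattr generic the USB devices.` directly below) use a tab; change it to `##	Set attributes on the urandom device (/dev/urandom).` so the generated interface documentation stays uniform. The interface body itself mirrors `dev_create_urand_dev` above it and looks correct.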

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 321797ffb..29ada52aa 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -242,6 +242,7 @@ optional_policy(`
 	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 
+	systemd_connect_machined(system_dbusd_t)
 	# for passing around terminal file handles for machinectl shell
 	systemd_use_inherited_machined_ptys(system_dbusd_t)
 

diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 85aeb3bd4..82e9d5557 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -134,7 +134,9 @@ optional_policy(`
 
 optional_policy(`
 	# for /run/systemd/machines
+	systemd_connect_machined(policykit_t)
 	systemd_read_machines(policykit_t)
+	systemd_watch_machines_dirs(policykit_t)
 
 	# for /run/systemd/seats/seat*
 	systemd_read_logind_sessions_files(policykit_t)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index d91df3d50..a6161d739 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
 type virtlogd_t;
 type virtlogd_exec_t;
 init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+init_named_socket_activation(virtlogd_t, virt_runtime_t)
 
 type virtlogd_run_t;
 files_runtime_file(virtlogd_run_t)
@@ -455,6 +456,8 @@ tunable_policy(`virt_use_evdev',`
 
 allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
 dontaudit virtd_t self:capability { sys_module sys_ptrace };
+allow virtd_t self:capability2 { bpf perfmon };
+allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
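Review bot: The two added lines grant `virtd_t` `capability2 { bpf perfmon }` and `bpf { map_create map_read map_write prog_load prog_run }` unconditionally and without a comment on why, unlike the `sock_file` relabel in the next hunk of this file which explains its purpose. BPF program loading and perfmon are a notable increase in kernel attack surface for a domain that already holds `sys_admin`, so a why-comment is warranted; presumably this is for libvirt's cgroup v2 device-filter programs, but that should be confirmed against the observed denials. Suggest `# bpf for cgroup v2 device access control programs -- confirm` above the `capability2` line, and consider gating the rules behind a tunable if not every deployment needs them.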
@@ -526,7 +529,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
 allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
+# relabel needed for qemu guest agent sockets
+allow virtd_t virt_image_type:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -695,6 +699,15 @@ sysnet_domtrans_ifconfig(virtd_t)
 
 userdom_read_all_users_state(virtd_t)
 
+ifdef(`init_systemd',`
+	init_read_utmp(virtd_t)
+
+	systemd_dbus_chat_logind(virtd_t)
+
+	systemd_connect_machined(virtd_t)
+	systemd_dbus_chat_machined(virtd_t)
+')
+
 tunable_policy(`virt_use_fusefs',`
 	fs_manage_fusefs_dirs(virtd_t)
 	fs_manage_fusefs_files(virtd_t)
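Review bot: `init_read_utmp(virtd_t)` sits inside the new init_systemd ifdef block alongside the `systemd_*` interfaces, but reading utmp is not itself systemd-specific; if virtd needs it regardless of init system it belongs outside the conditional. If it was placed there because the access is only observed under systemd, a short comment such as `# utmp read only observed under systemd` would keep a later reader from moving it.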

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index df33315c8..1dd302851 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
 	allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_machines_dirs',`
+	gen_require(`
+		type systemd_machined_runtime_t;
+	')
+
+	allow $1 systemd_machined_runtime_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b796b669e..7cd50f1b0 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1023,15 +1023,18 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 
 manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 
+kernel_getattr_proc(systemd_machined_t)
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
 dev_getattr_fs(systemd_machined_t)
+dev_setattr_urand_dev(systemd_machined_t)
 
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
+fs_getattr_xattr_fs(systemd_machined_t)
 fs_read_nsfs_files(systemd_machined_t)
 
 selinux_getattr_fs(systemd_machined_t)
@@ -1046,6 +1049,9 @@ init_stop_system(systemd_machined_t)
 init_get_generic_units_status(systemd_machined_t)
 init_start_generic_units(systemd_machined_t)
 init_stop_generic_units(systemd_machined_t)
+init_get_transient_units_status(systemd_machined_t)
+init_start_transient_units(systemd_machined_t)
+init_stop_transient_units(systemd_machined_t)
 
 logging_send_syslog_msg(systemd_machined_t)
 


