From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1528449661.511e0ce6b19693fe93b764828f9d2a4427166981.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.fc policy/modules/system/systemd.if policy/modules/system/systemd.te policy/modules/system/udev.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 511e0ce6b19693fe93b764828f9d2a4427166981
X-VCS-Branch: master
Date: Fri, 8 Jun 2018 10:07:26 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 31eb3966-4528-4f09-928e-bad5c640f00d
X-Archives-Hash: e0f93175d7746a771bf0dedf4e74c170

commit:     511e0ce6b19693fe93b764828f9d2a4427166981
Author:     Dave Sugar tresys com>
AuthorDate: Thu Jun 7 19:19:40 2018 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Fri Jun 8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=511e0ce6

policy for systemd-hwdb

systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*, making a temp file first in /etc/udev/ and then moving the tmp file over hwdb.bin when complete. It also relabels based on file_contexts.

This provides a private type for /etc/udev/hwdb.bin.

Signed-off-by: Dave Sugar tresys.com>

 policy/modules/system/systemd.fc |  3 +++
 policy/modules/system/systemd.if | 19 +++++++++++++++++++
 policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
 policy/modules/system/udev.te    |  1 +
 4 files changed, 47 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 5d4857e4..df1a4b2e 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc @@ -2,6 +2,7 @@ /usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) /usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) /usr/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0) +/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hw_exec_t,s0) /usr/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0) /usr/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0) /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0) @@ -38,6 +39,8 @@ /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0) +/etc/udev/hwdb.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0) + /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index fd501c52..75bbeead 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -772,5 +772,24 @@ interface(`systemd_getattr_updated_runtime',` ') +####################################### +## +## Allow domain to read udev hwdb file +## +## +## +## domain allowed access +## +## +# +interface(`systemd_read_hwdb',` + gen_require(` + type systemd_hwdb_t; + ') + + read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t) +') + + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 15fe6e1b..c324d3bf 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -81,6 +81,13 @@ type systemd_hostnamed_t; type systemd_hostnamed_exec_t; init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t) +type systemd_hw_t; +type systemd_hw_exec_t; +init_system_domain(systemd_hw_t, systemd_hw_exec_t) + +type systemd_hwdb_t; +files_type(systemd_hwdb_t); + type systemd_journal_t; files_type(systemd_journal_t) logging_log_file(systemd_journal_t) @@ -322,6 +329,23 @@ optional_policy(` networkmanager_dbus_chat(systemd_hostnamed_t) ') +######################################### +# +# hw local policy +# + +allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto }; + +files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file) +files_search_pids(systemd_hw_t) + +init_read_state(systemd_hw_t) + +selinux_get_fs_mount(systemd_hw_t) + +seutil_read_config(systemd_hw_t) +seutil_read_file_contexts(systemd_hw_t) + ####################################### # # locale local policy diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 093029aa..c3929f6d 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -248,6 +248,7 @@ ifdef(`init_systemd',` init_get_generic_units_status(udev_t) init_stream_connect(udev_t) + systemd_read_hwdb(udev_t) systemd_read_logind_sessions_files(udev_t) systemd_read_logind_pids(udev_t)
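Review bot: in the first systemd.fc hunk, the binary /usr/bin/systemd-hwdb is labeled systemd_hw_exec_t, while every neighbouring entry derives its type from the binary's name (systemd-cgtop gives systemd_cgtop_exec_t, systemd-coredump gives systemd_coredump_exec_t, systemd-detect-virt gives systemd_detect_virt_exec_t). Since the data file then takes systemd_hwdb_t, the domain that runs systemd-hwdb is the one type that does not carry "hwdb" in its name, which is confusing in `ps -Z` and in AVC denials. Suggest naming the domain and entrypoint after the binary (systemd_hwdb_t / systemd_hwdb_exec_t) and giving the database file a suffixed type such as systemd_hwdb_bin_t, and adjusting the declarations in systemd.te to match.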
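Review bot: in the second systemd.fc hunk, the new `/etc/udev/hwdb.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0)` line lands between the /usr/lib/systemd/system unit entries and the /var/lib/systemd block; this file is ordered by path, so the /etc entry belongs at the top, ahead of the /usr/bin entries. Separately, `systemd-hwdb update --usr` writes the database to /usr/lib/udev/hwdb.bin rather than /etc/udev/hwdb.bin, and that location is not covered by this entry or by the files_etc_filetrans in systemd.te, so on such a setup the database keeps its generic /usr/lib label and udev_t's new systemd_read_hwdb grant does nothing for it. Either add a matching entry for /usr/lib/udev/hwdb.bin or state in the commit message that the --usr layout is out of scope.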
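Review bot: the systemd.if hunk's `read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)` grants search on directories of type systemd_hwdb_t, but nothing in this patch labels a directory with that type: hwdb.bin sits in /etc/udev/, which stays whatever it was before (etc_t unless another module says otherwise). A caller that does not already have search on /etc therefore cannot reach the file through this interface alone; add `files_search_etc($1)` before the read_files_pattern call. The hunk also ends with two added blank lines after the closing `')`, leaving trailing blank lines at the end of systemd.if; drop them.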
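Review bot: in the first systemd.te hunk, `files_type(systemd_hwdb_t);` has a trailing semicolon that the adjacent `files_type(systemd_journal_t)` and the other macro calls in this file omit; the macro expansion already ends in a semicolon, so remove it for consistency. This hunk is also where the naming split between the process domain (systemd_hw_t, systemd_hw_exec_t) and the file type (systemd_hwdb_t) is introduced; a consistent prefix for all three types would be clearer.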
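Review bot: in the "hw local policy" hunk, the commit message says systemd-hwdb rebuilds the database from the hwdb.d fragments (the message names /var/lib/udev/hwdb.d/*), but the local policy grants systemd_hw_t no read access to those sources: the only file rule is `allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };`, and the remaining lines cover pid dir search, init state, selinuxfs and the seutil config and file_contexts. Unless init_system_domain or some generic rule supplies it, reads of the hwdb.d directories will be denied and the rebuild cannot do its job; add the read interface matching the label of those directories (files_read_etc_files for fragments under /etc/udev/hwdb.d, plus whatever /usr/lib/udev/hwdb.d or /var/lib/udev/hwdb.d carries). Also note that `files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)` is an unnamed transition, so every file systemd_hw_t creates in any etc_t directory becomes systemd_hwdb_t, not only the temp file in /etc/udev/; that is acceptable for a oneshot tool but deserves a comment, since the temp file name is random and cannot be pinned with a named transition.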
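Review bot: in the udev.te hunk, udev_t is the only domain given `systemd_read_hwdb(udev_t)`, yet before this patch /etc/udev/hwdb.bin was etc_t and readable by every domain with read access to etc files. Any other consumer that opens the database through libudev's hwdb API (input stacks built on libinput are one example) loses that access once the file becomes systemd_hwdb_t, and the denial surfaces as a missing device property rather than an obvious error. Audit the existing readers of /etc/udev/hwdb.bin and add systemd_read_hwdb calls for them in the same change, so the private type does not regress them.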
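To make the commit message's create-temp-then-rename sequence concrete, here is an added example (not refpolicy code and not part of this commit) that hand-expands the macros the patch uses into plain allow and type_transition rules and walks that sequence through them. The permission sets are copied from refpolicy's policy/support/obj_perm_sets.spt (assumed unchanged); the parent directory type etc_t for /etc/udev/ and the bystander domain etc_reader_t are assumptions. It only models the handful of rules in the hunks; the authoritative check is `sesearch -A -s systemd_hw_t -t systemd_hwdb_t` against the built policy.

```python
"""Toy model of the SELinux rules this commit adds.

Added example, not refpolicy code. Permission sets come from refpolicy's
policy/support/obj_perm_sets.spt (assumed current). The parent dir type
etc_t for /etc/udev/ and the bystander domain etc_reader_t are assumptions.
"""

# Permission sets as defined in refpolicy policy/support/obj_perm_sets.spt
MANAGE_FILE_PERMS = {"create", "open", "getattr", "setattr", "read", "write",
                     "append", "rename", "link", "unlink", "ioctl", "lock"}
READ_FILE_PERMS = {"open", "getattr", "read", "ioctl", "lock"}
RW_DIR_PERMS = {"open", "getattr", "read", "search", "ioctl", "lock",
                "write", "add_name", "remove_name"}
SEARCH_DIR_PERMS = {"open", "getattr", "search"}


class Policy:
    """Minimal allow / type_transition store with refpolicy pattern helpers."""

    def __init__(self):
        self.allow = {}   # (source, target, class) -> set of permissions
        self.trans = {}   # (source, parent dir type, class) -> type of new object

    def add_allow(self, src, tgt, cls, perms):
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def allowed(self, src, tgt, cls, perm):
        return perm in self.allow.get((src, tgt, cls), set())

    # filetrans_pattern(): rw_dir_perms on the parent dir plus a type_transition
    def filetrans_pattern(self, src, dir_type, new_type, cls="file"):
        self.add_allow(src, dir_type, "dir", RW_DIR_PERMS)
        self.trans[(src, dir_type, cls)] = new_type

    # read_files_pattern(): search on the dir type, read_file_perms on the file type
    def read_files_pattern(self, src, dir_type, file_type):
        self.add_allow(src, dir_type, "dir", SEARCH_DIR_PERMS)
        self.add_allow(src, file_type, "file", READ_FILE_PERMS)

    def label_for_new_file(self, src, parent_type, cls="file"):
        # Kernel default: a new file inherits the parent directory's type unless
        # a type_transition for (source, parent type, class) says otherwise.
        return self.trans.get((src, parent_type, cls), parent_type)


def build_policy(with_filetrans=True):
    """The rules from the systemd.te and udev.te hunks, plus one assumed bystander."""
    p = Policy()
    # allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };
    p.add_allow("systemd_hw_t", "systemd_hwdb_t", "file",
                MANAGE_FILE_PERMS | {"relabelfrom", "relabelto"})
    # files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
    if with_filetrans:
        p.filetrans_pattern("systemd_hw_t", "etc_t", "systemd_hwdb_t")
    # systemd_read_hwdb(udev_t) -> read_files_pattern(udev_t, systemd_hwdb_t, systemd_hwdb_t)
    p.read_files_pattern("udev_t", "systemd_hwdb_t", "systemd_hwdb_t")
    # Assumed bystander: a domain that could read hwdb.bin while it was still etc_t
    p.read_files_pattern("etc_reader_t", "etc_t", "etc_t")
    return p


def rebuild_hwdb(p, src="systemd_hw_t", parent="etc_t"):
    """Walk the sequence from the commit message: create a temp file in /etc/udev/
    (directory type `parent`), write it, then rename it over hwdb.bin.
    Returns the label the final hwdb.bin carries, or raises PermissionError
    naming the first denied access."""
    tmp_label = p.label_for_new_file(src, parent)
    checks = [(tmp_label, "file", perm) for perm in ("create", "write", "rename")]
    checks += [(parent, "dir", perm) for perm in ("add_name", "remove_name", "write")]
    for tgt, cls, perm in checks:
        if not p.allowed(src, tgt, cls, perm):
            raise PermissionError(f"denied {{ {perm} }} for {src} on {tgt}:{cls}")
    return tmp_label   # rename() moves the inode, so its label travels with it


def can_read(p, domain, label):
    """True if `domain` holds every permission in read_file_perms on `label`."""
    return all(p.allowed(domain, label, "file", perm) for perm in READ_FILE_PERMS)


if __name__ == "__main__":
    p = build_policy()
    print("hwdb.bin label after rebuild:", rebuild_hwdb(p))
    for d in ("systemd_hw_t", "udev_t", "etc_reader_t"):
        print(f"{d} can read systemd_hwdb_t: {can_read(p, d, 'systemd_hwdb_t')}")
    try:
        rebuild_hwdb(build_policy(with_filetrans=False))
    except PermissionError as e:
        print("without files_etc_filetrans:", e)
```

Two things fall out of running it: without the files_etc_filetrans rule the temp file would default to the parent's etc_t and systemd_hw_t could not even create it, and once hwdb.bin carries the private type, a domain whose only access is to etc_t (etc_reader_t here) no longer reads it, which is why every former reader needs a systemd_read_hwdb call, not just udev_t.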