From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1670958458.fef16712de5ef8682ec086c0679fb60cc3b85389.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/roles/sysadm.te policy/modules/system/init.if
X-VCS-Directories: policy/modules/system/ policy/modules/roles/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: fef16712de5ef8682ec086c0679fb60cc3b85389
X-VCS-Branch: master
Date: Tue, 13 Dec 2022 20:55:11 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 292b78a3-1245-4b7f-8c0a-be3e41e7811d
X-Archives-Hash: 892db3b5f4ce250a49c58c4acfab63e4

commit:     fef16712de5ef8682ec086c0679fb60cc3b85389
Author:     Kenton Groombridge concord sh>
AuthorDate: Wed Dec  7 15:35:24 2022 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Tue Dec 13 19:07:38 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fef16712

init, sysadm: allow sysadm to manage systemd runtime units

On systemd 252, mount units generated from /etc/fstab result in services labeled init_runtime_t. Allow sysadm to manage these services.

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/roles/sysadm.te |  6 +++++
 policy/modules/system/init.if  | 57 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 002987387..eccfd5171 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te
@@ -82,6 +82,12 @@ ifndef(`enable_mls',` ') ifdef(`init_systemd',` + # Allow managing runtime units, for example mount units generated + # from /etc/fstab. + init_get_runtime_units_status(sysadm_t) + init_start_runtime_units(sysadm_t) + init_stop_runtime_units(sysadm_t) + # Allow sysadm to resolve the username of dynamic users by calling # LookupDynamicUserByUID on org.freedesktop.systemd1. init_dbus_chat(sysadm_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 1186e6d2c..a091a6bef 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3516,6 +3516,63 @@ interface(`init_reload_generic_units',` allow $1 systemd_unit_t:service reload; ') +######################################## +## +## Get the status of runtime systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_get_runtime_units_status',` + gen_require(` + type init_runtime_t; + class service status; + ') + + allow $1 init_runtime_t:service status; +') + +######################################## +## +## Start runtime systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_start_runtime_units',` + gen_require(` + type init_runtime_t; + class service start; + ') + + allow $1 init_runtime_t:service start; +') + +######################################## +## +## Stop runtime systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_stop_runtime_units',` + gen_require(` + type init_runtime_t; + class service stop; + ') + + allow $1 init_runtime_t:service stop; +') + ######################################## ## ## Get status of transient systemd units.
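Review bot: in the sysadm.te hunk the new comment says "Allow managing runtime units" while the three calls beneath it grant only status, start and stop on init_runtime_t services, so "managing" (also used in the commit subject) promises more than the policy actually grants; either reword the comment to "Allow getting status of, starting and stopping runtime units" or add the remaining operations. Worth stating in the commit message as well: the grant covers every unit object labeled init_runtime_t, not only the fstab-generated mount units given as the motivating example, so the sysadm_t surface widens beyond that case.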
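Review bot: the init.if hunk adds status, start and stop interfaces for init_runtime_t but no reload counterpart, although the interface directly above in the context (init_reload_generic_units, `allow $1 systemd_unit_t:service reload;`) shows reload is handled as its own permission for generic units; since systemd implements remount of a mount unit as a reload, an init_reload_runtime_units interface of the same shape is needed if sysadm is expected to remount the fstab mounts this commit is about. Also, as the hunk renders here the doc block above each new interface consists of bare `##` lines where the `<summary>` and `<param name="domain">` tags used for generated interface documentation would normally sit; if that is not merely an artifact of the mail rendering, add the markup.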