From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1445832616.cc84af253feefbacb7155575e1126a7abf0227ca.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/alsa.fc policy/modules/contrib/alsa.te policy/modules/contrib/bluetooth.fc policy/modules/contrib/bluetooth.te policy/modules/contrib/chronyd.fc policy/modules/contrib/chronyd.te policy/modules/contrib/dbus.fc policy/modules/contrib/dbus.te policy/modules/contrib/dnsmasq.fc policy/modules/contrib/dnsmasq.te policy/modules/contrib/kdump.te policy/modules/contrib/lircd.fc policy/modules/contrib/lircd.te policy/modules/contrib/logrotate.fc policy/modules/contrib/logrotate.te policy/modules/contrib/mandb.fc policy/modules/contrib/mandb.te policy/modules/contrib/networkmanager.fc policy/modules/contrib/networkmanager.te policy/modules/contrib/ntp.fc policy/modules/contrib/ntp.te policy/modules/contrib/pcscd.fc policy/modules/contrib/pcscd.te policy/modules/contrib/plymouthd.fc policy/modules/contrib/plymouthd.te policy/modules/contrib/policykit.fc policy/modules/contrib/policykit.te policy/modules/contrib/qemu.fc policy/modules/contrib/qemu.te policy/modules/contrib/raid.fc policy/modules/contrib/raid.te policy/modules/contrib/rpm.fc policy/modules/contrib/rpm.te policy/modules/contrib/rtkit.fc policy/modules/contrib/rtkit.te policy/modules/contrib/shutdown.if policy/modules/contrib/tcsd.fc policy/modules/contrib/tcsd.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: cc84af253feefbacb7155575e1126a7abf0227ca
X-VCS-Branch: master
Date: Mon, 26 Oct 2015 05:48:38 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 6dd6c531-9f94-4235-8002-210132c4cadc
X-Archives-Hash: 5d41c022d9ab0429f16f69275eb872c1
Message-ID: <20151026054838.4H66eB9IdE9Joeup4PMbom1QqWUTraGO6Y2B-xEG3J0@z>

commit: cc84af253feefbacb7155575e1126a7abf0227ca
Author: Chris PeBenito tresys com>
AuthorDate: Fri Oct 23 18:35:33 2015 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc84af25

Add systemd unit types.

Primarily contributed by the Tresys CLIP team.

policy/modules/contrib/alsa.fc | 5 +++++ policy/modules/contrib/alsa.te | 3 +++ policy/modules/contrib/bluetooth.fc | 3 +++ policy/modules/contrib/bluetooth.te | 3 +++ policy/modules/contrib/chronyd.fc | 5 +++++ policy/modules/contrib/chronyd.te | 3 +++ policy/modules/contrib/dbus.fc | 3 +++ policy/modules/contrib/dbus.te | 3 +++ policy/modules/contrib/dnsmasq.fc | 3 +++ policy/modules/contrib/dnsmasq.te | 3 +++ policy/modules/contrib/kdump.te | 3 +++ policy/modules/contrib/lircd.fc | 3 +++ policy/modules/contrib/lircd.te | 3 +++ policy/modules/contrib/logrotate.fc | 3 +++ policy/modules/contrib/logrotate.te | 3 +++ policy/modules/contrib/mandb.fc | 3 +++ policy/modules/contrib/mandb.te | 3 +++ policy/modules/contrib/networkmanager.fc | 4 ++++ policy/modules/contrib/networkmanager.te | 3 +++ policy/modules/contrib/ntp.fc | 3 +++ policy/modules/contrib/ntp.te | 3 +++ policy/modules/contrib/pcscd.fc | 3 +++ policy/modules/contrib/pcscd.te | 3 +++ policy/modules/contrib/plymouthd.fc | 3 +++ policy/modules/contrib/plymouthd.te | 3 +++ policy/modules/contrib/policykit.fc | 3 +++ policy/modules/contrib/policykit.te | 3 +++ policy/modules/contrib/qemu.fc | 2 ++ policy/modules/contrib/qemu.te | 3 +++ policy/modules/contrib/raid.fc | 4 ++++ policy/modules/contrib/raid.te | 3 +++ policy/modules/contrib/rpm.fc | 4 ++++ policy/modules/contrib/rpm.te | 3 +++ policy/modules/contrib/rtkit.fc | 3 +++
policy/modules/contrib/rtkit.te | 3 +++ policy/modules/contrib/shutdown.if | 18 ++++++++++++++++++ policy/modules/contrib/tcsd.fc | 3 +++ policy/modules/contrib/tcsd.te | 3 +++ 38 files changed, 135 insertions(+) diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc index 6c3c0ba..a8c8a64 100644 --- a/policy/modules/contrib/alsa.fc +++ b/policy/modules/contrib/alsa.fc @@ -14,6 +14,11 @@ ifdef(`distro_debian',` /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) +# Systemd unit files +/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0) +/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0) +/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0) + /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te index 46d12e8..24d5287 100644 --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -21,6 +21,9 @@ files_tmp_file(alsa_tmp_t) type alsa_tmpfs_t; files_tmpfs_file(alsa_tmpfs_t) +type alsa_unit_t; +init_unit_file(alsa_unit_t) + type alsa_var_lib_t; files_type(alsa_var_lib_t) diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc index a28101f..bcce998 100644 --- a/policy/modules/contrib/bluetooth.fc +++ b/policy/modules/contrib/bluetooth.fc 
@@ -10,6 +10,9 @@ /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0) + /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te index 08f3c20..d69c283 100644 --- a/policy/modules/contrib/bluetooth.te +++ b/policy/modules/contrib/bluetooth.te @@ -43,6 +43,9 @@ files_lock_file(bluetooth_lock_t) type bluetooth_tmp_t; files_tmp_file(bluetooth_tmp_t) +type bluetooth_unit_t; +init_unit_file(bluetooth_unit_t) + type bluetooth_var_lib_t; files_type(bluetooth_var_lib_t) diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc index fd5fbbb..a4a42ea 100644 --- a/policy/modules/contrib/chronyd.fc +++ b/policy/modules/contrib/chronyd.fc @@ -2,6 +2,11 @@ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) +# Systend unit files +/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) +/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) + + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 7a16731..3167bae 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) type chronyd_tmpfs_t; files_tmpfs_file(chronyd_tmpfs_t) +type chronyd_unit_t; +init_unit_file(chronyd_unit_t) + type chronyd_var_lib_t; files_type(chronyd_var_lib_t) 
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc index dda905b..309a462 100644 --- a/policy/modules/contrib/dbus.fc +++ b/policy/modules/contrib/dbus.fc @@ -10,6 +10,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) /usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0) + /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index 6f2b890..e79a81a 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -22,6 +22,9 @@ type dbusd_exec_t; corecmd_executable_file(dbusd_exec_t) typealias dbusd_exec_t alias system_dbusd_exec_t; +type dbusd_unit_t; +init_unit_file(dbusd_unit_t) + type session_dbusd_home_t; userdom_user_home_content(session_dbusd_home_t) diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc index 8ca133c..89edbaa 100644 --- a/policy/modules/contrib/dnsmasq.fc +++ b/policy/modules/contrib/dnsmasq.fc @@ -3,6 +3,9 @@ /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0) + /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te index 15b29cb..c71ace8 100644 --- a/policy/modules/contrib/dnsmasq.te +++ b/policy/modules/contrib/dnsmasq.te 
@@ -18,6 +18,9 @@ files_config_file(dnsmasq_etc_t) type dnsmasq_lease_t; files_type(dnsmasq_lease_t) +type dnsmasq_unit_t; +init_unit_file(dnsmasq_unit_t) + type dnsmasq_var_log_t; logging_log_file(dnsmasq_var_log_t) diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te index 7c4e3f1..57e24e6 100644 --- a/policy/modules/contrib/kdump.te +++ b/policy/modules/contrib/kdump.te @@ -15,6 +15,9 @@ files_config_file(kdump_etc_t) type kdump_initrc_exec_t; init_script_file(kdump_initrc_exec_t) +type kdump_unit_t; +init_unit_file(kdump_unit_t) + type kdumpctl_t; type kdumpctl_exec_t; init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc index c7a726a..76e497e 100644 --- a/policy/modules/contrib/lircd.fc +++ b/policy/modules/contrib/lircd.fc @@ -5,6 +5,9 @@ /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0) + /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) /var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te index 0064b06..26690f2 100644 --- a/policy/modules/contrib/lircd.te +++ b/policy/modules/contrib/lircd.te @@ -15,6 +15,9 @@ init_script_file(lircd_initrc_exec_t) type lircd_etc_t; files_type(lircd_etc_t) +type lircd_unit_t; +init_unit_file(lircd_unit_t) + type lircd_var_run_t alias lircd_sock_t; files_pid_file(lircd_var_run_t) diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc index 207ec10..ad21596 100644 --- a/policy/modules/contrib/logrotate.fc +++ b/policy/modules/contrib/logrotate.fc 
@@ -1,6 +1,9 @@ /etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) /etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0) + /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te index 311defd..33f534b 100644 --- a/policy/modules/contrib/logrotate.te +++ b/policy/modules/contrib/logrotate.te @@ -25,6 +25,9 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) +type logrotate_unit_t; +init_unit_file(logrotate_unit_t) + mta_base_mail_template(logrotate) role system_r types logrotate_mail_t; diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc index 8ae78b5..9f2825e 100644 --- a/policy/modules/contrib/mandb.fc +++ b/policy/modules/contrib/mandb.fc @@ -1 +1,4 @@ /etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0) + +# Systemd unit file +/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0) diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te index e29882f..46860dd 100644 --- a/policy/modules/contrib/mandb.te +++ b/policy/modules/contrib/mandb.te @@ -13,6 +13,9 @@ type mandb_exec_t; application_domain(mandb_t, mandb_exec_t) role mandb_roles types mandb_t; +type mandb_unit_t; +init_unit_file(mandb_unit_t) + ######################################## # # Local policy diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc index 5ffd285..c192c7f 100644 --- a/policy/modules/contrib/networkmanager.fc +++ b/policy/modules/contrib/networkmanager.fc 
@@ -17,6 +17,10 @@ /usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +# Systemd unit files +/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0) +/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0) + /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index 427dfe4..a977b9a 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -24,6 +24,9 @@ logging_log_file(NetworkManager_log_t) type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) +type NetworkManager_unit_t; +init_unit_file(NetworkManager_unit_t) + type NetworkManager_var_lib_t; files_type(NetworkManager_var_lib_t) diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc index c74d996..c01eb54 100644 --- a/policy/modules/contrib/ntp.fc +++ b/policy/modules/contrib/ntp.fc @@ -11,6 +11,9 @@ /etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0) + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te index 7600674..1f24dab 100644 --- a/policy/modules/contrib/ntp.te +++ b/policy/modules/contrib/ntp.te 
@@ -33,6 +33,9 @@ files_tmp_file(ntpd_tmp_t) type ntpd_tmpfs_t; files_tmpfs_file(ntpd_tmpfs_t) +type ntpd_unit_t; +init_unit_file(ntpd_unit_t) + type ntpd_var_run_t; files_pid_file(ntpd_var_run_t) diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc index 58363c7..5d1beba 100644 --- a/policy/modules/contrib/pcscd.fc +++ b/policy/modules/contrib/pcscd.fc @@ -2,6 +2,9 @@ /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0) + /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) /var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te index bf5066f..f863ba2 100644 --- a/policy/modules/contrib/pcscd.te +++ b/policy/modules/contrib/pcscd.te @@ -12,6 +12,9 @@ init_daemon_domain(pcscd_t, pcscd_exec_t) type pcscd_initrc_exec_t; init_script_file(pcscd_initrc_exec_t) +type pcscd_unit_t; +init_unit_file(pcscd_unit_t) + type pcscd_var_run_t; files_pid_file(pcscd_var_run_t) init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd") diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc index 735500f..2d9b956 100644 --- a/policy/modules/contrib/plymouthd.fc +++ b/policy/modules/contrib/plymouthd.fc @@ -4,6 +4,9 @@ /usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0) + /usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te index 3078ce9..8dadb33 100644 --- a/policy/modules/contrib/plymouthd.te 
+++ b/policy/modules/contrib/plymouthd.te @@ -17,6 +17,9 @@ init_daemon_domain(plymouthd_t, plymouthd_exec_t) type plymouthd_spool_t; files_type(plymouthd_spool_t) +type plymouthd_unit_t; +init_unit_file(plymouthd_unit_t) + type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc index 1d76c72..774c12b 100644 --- a/policy/modules/contrib/policykit.fc +++ b/policy/modules/contrib/policykit.fc @@ -8,6 +8,9 @@ /usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0) + /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te index ee91778..108007e 100644 --- a/policy/modules/contrib/policykit.te +++ b/policy/modules/contrib/policykit.te @@ -34,6 +34,9 @@ files_type(policykit_reload_t) type policykit_tmp_t; files_tmp_file(policykit_tmp_t) +type policykit_unit_t; +init_unit_file(policykit_unit_t) + type policykit_var_lib_t alias polkit_var_lib_t; files_type(policykit_var_lib_t) diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc index f1304fb..cfb18ec 100644 --- a/policy/modules/contrib/qemu.fc +++ b/policy/modules/contrib/qemu.fc 
@@ -3,6 +3,8 @@ /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0) + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ifdef(`distro_gentoo',` diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te index 136f6f3..a17ed0c 100644 --- a/policy/modules/contrib/qemu.te +++ b/policy/modules/contrib/qemu.te @@ -22,6 +22,9 @@ application_executable_file(qemu_exec_t) virt_domain_template(qemu) role qemu_roles types qemu_t; +type qemu_unit_t; +init_unit_file(qemu_unit_t) + ######################################## # # Local policy diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc index 5806046..2ea0889 100644 --- a/policy/modules/contrib/raid.fc +++ b/policy/modules/contrib/raid.fc @@ -11,6 +11,10 @@ /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) +# Systemd unit files +/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) +/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) + /usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te index dfe62e3..b6aea09 100644 --- a/policy/modules/contrib/raid.te +++ b/policy/modules/contrib/raid.te @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) +type mdadm_unit_t; +init_unit_file(mdadm_unit_t) + type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) 
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc index ebe91fc..1ebd4a1 100644 --- a/policy/modules/contrib/rpm.fc +++ b/policy/modules/contrib/rpm.fc @@ -13,6 +13,10 @@ /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0) +/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0) + /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te index de5c91f..5cac092 100644 --- a/policy/modules/contrib/rpm.te +++ b/policy/modules/contrib/rpm.te @@ -37,6 +37,9 @@ files_lock_file(rpm_lock_t) type rpm_log_t; logging_log_file(rpm_log_t) +type rpm_unit_t; +init_unit_file(rpm_unit_t) + type rpm_var_lib_t; files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc index 75bbf38..a3021da 100644 --- a/policy/modules/contrib/rtkit.fc +++ b/policy/modules/contrib/rtkit.fc @@ -3,3 +3,6 @@ /usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) /usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) + +# Systemd unit file +/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0) diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te index 906ebb5..1aa52c4 100644 --- a/policy/modules/contrib/rtkit.te +++ b/policy/modules/contrib/rtkit.te 
@@ -12,6 +12,9 @@ init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) type rtkit_daemon_initrc_exec_t; init_script_file(rtkit_daemon_initrc_exec_t) +type rtkit_daemon_unit_t; +init_unit_file(rtkit_daemon_unit_t) + ######################################## # # Local policy diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if index d1706bf..819d19b 100644 --- a/policy/modules/contrib/shutdown.if +++ b/policy/modules/contrib/shutdown.if @@ -91,6 +91,24 @@ interface(`shutdown_signal',` ######################################## ## +## Send SIGCHLD signals to shutdown. +## +## +## +## Domain allowed access. +## +## +# +interface(`shutdown_sigchld',` + gen_require(` + type shutdown_t; + ') + + allow $1 shutdown_t:process sigchld; +') + +######################################## +## ## Get attributes of shutdown executable files. ## ## diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc index c2c2636..0e086e7 100644 --- a/policy/modules/contrib/tcsd.fc +++ b/policy/modules/contrib/tcsd.fc @@ -1,5 +1,8 @@ /etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) +# Systemd unit file +/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0) + /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) /var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te index 272c114..439cf27 100644 --- a/policy/modules/contrib/tcsd.te +++ b/policy/modules/contrib/tcsd.te @@ -12,6 +12,9 @@ init_daemon_domain(tcsd_t, tcsd_exec_t) type tcsd_initrc_exec_t; init_script_file(tcsd_initrc_exec_t) +type tcsd_unit_t; +init_unit_file(tcsd_unit_t) + type tcsd_var_lib_t; files_type(tcsd_var_lib_t)
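Review bot: the alsa.fc hunk, like every other .fc hunk in this patch, only matches unit files under /usr/lib/systemd/system/; on a system that installs units to /lib/systemd/system (Debian without a merged /usr, for example) none of these new entries fire and the unit files keep the generic directory label. Either add matching `/lib/systemd/system/[^/]*alsa-restore.*` style entries or state in the commit message that a merged /usr is assumed.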
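Review bot: the chronyd.fc hunk has a typo in the new comment, "# Systend unit files" should read "# Systemd unit files", and it adds two consecutive blank `+` lines before `/usr/sbin/chronyd`, leaving a double blank line where the other .fc hunks add a single one; drop one of the two.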
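Review bot: the dbus.fc pattern `/usr/lib/systemd/system/[^/]*dbus.*` matches any unit whose file name merely contains "dbus", which includes the `dbus-org.freedesktop.*.service` alias symlinks that other packages ship in that directory; a name such as `dbus-org.freedesktop.NetworkManager.service` would match both this entry and the `[^/]*NetworkManager.*` entry added in networkmanager.fc, so which label wins depends on file_contexts ordering rather than intent. A tighter anchor such as `/usr/lib/systemd/system/dbus\.(service|socket) -- gen_context(system_u:object_r:dbusd_unit_t,s0)` avoids the ambiguity.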
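Review bot: the kdump.te hunk declares `kdump_unit_t` with `init_unit_file(kdump_unit_t)`, but this commit touches no kdump.fc (see X-VCS-Files and the diffstat), so nothing on disk ever receives the new label. Either add the corresponding `# Systemd unit file` entry to kdump.fc in this commit or leave the type out until it is used.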
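Review bot: in the logrotate.te hunk the new `type logrotate_unit_t;` is placed after `logrotate_var_lib_t`, directly above `mta_base_mail_template(logrotate)`, while every other .te hunk inserts the unit type in alphabetical position (between the tmp/tmpfs type and the var_lib type, as in alsa.te); move it above `type logrotate_var_lib_t;` for consistency.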
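Review bot: the ntp.fc hunk is the only .fc hunk that adds no entry under /usr/lib/systemd/system/; its single new entry labels `/usr/lib/systemd/ntp-units\.d/.*`, a directory of `.list` files that systemd-timedated reads to discover NTP implementations, not unit files. If the intent is to label the ntpd service unit, add `/usr/lib/systemd/system/[^/]*ntpd.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)` and reconsider whether the ntp-units.d list files should carry ntpd_unit_t at all.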
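Review bot: the qemu.fc hunk omits the `# Systemd unit file` comment that precedes the new entry in every other .fc hunk in this patch; add it above the `qemu-guest-agent` line so the file reads like its siblings.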
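Review bot: the shutdown.if hunk adds a new `shutdown_sigchld` interface that is unrelated to the commit subject "Add systemd unit types" and has no caller anywhere in this patch; either mention it in the commit message or split it into its own commit so the change is discoverable in history. As rendered here the doc comment above `interface(`shutdown_sigchld',`` shows only the text "Send SIGCHLD signals to shutdown." and "Domain allowed access." with no `<summary>` or `<param name="domain">` elements; if that is not an artifact of the mail rendering, the interface documentation will not be picked up by the policy doc tooling.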