[gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/

[gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     d92bdf260887935367802afbbaf25d399c020cd5
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 14:16:59 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:52:47 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26

Implement core systemd policy.

Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.

 policy/modules/kernel/corecommands.fc |   2 +
 policy/modules/kernel/domain.te       |   6 +
 policy/modules/kernel/files.if        | 172 ++++++++++
 policy/modules/kernel/filesystem.if   |  73 ++++
 policy/modules/kernel/kernel.if       |  60 +++-
 policy/modules/kernel/terminal.if     |  19 ++
 policy/modules/system/authlogin.if    |  19 ++
 policy/modules/system/init.fc         |   4 +
 policy/modules/system/init.if         | 608 +++++++++++++++++++++++++++++++++-
 policy/modules/system/init.te         | 176 +++++++++-
 policy/modules/system/locallogin.if   |  21 ++
 policy/modules/system/logging.if      |  38 +++
 policy/modules/system/lvm.if          |  20 ++
 policy/modules/system/systemd.fc      |  39 +++
 policy/modules/system/systemd.if      | 195 +++++++++++
 policy/modules/system/systemd.te      | 264 +++++++++++++++
 policy/modules/system/udev.if         |  19 ++
 17 files changed, 1711 insertions(+), 24 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f465e43..b4e192a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 451a1be..6c3ef60 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit domain self:udp_socket listen;
 ')
 
+ifdef(`init_systemd',`
+	optional_policy(`
+		shutdown_sigchld(domain)
+	')
+')
+
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
 	# this should be enabled when all programs

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index dd16f74..cbb8afe 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel from/to non-security directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_non_security_dirs',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of all files.
 ## </summary>
 ## <param name="domain">
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	manage_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+##	Relabel from/to all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
 ##	Read all files.
 ## </summary>
 ## <param name="domain">
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
 
 ########################################
 ## <summary>
+##	Mount on the root directory (/)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_root',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get attributes of the /boot directory.
 ## </summary>
 ## <param name="domain">
@@ -4398,6 +4472,24 @@ interface(`files_rw_generic_tmp_sockets',`
 
 ########################################
 ## <summary>
+##	Mount filesystems in the tmp directory (/tmp)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Set the attributes of all tmp directories.
 ## </summary>
 ## <param name="domain">
@@ -5678,6 +5770,25 @@ interface(`files_list_locks',`
 
 ########################################
 ## <summary>
+##	Add entries in the /var/lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_add_entry_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	add_entry_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
 ##	Add and remove entries in the /var/lock
 ##	directories.
 ## </summary>
@@ -5871,6 +5982,29 @@ interface(`files_manage_all_locks',`
 
 ########################################
 ## <summary>
+##	Relabel from/to all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+	relabel_dirs_pattern($1, lockfile, lockfile)
+	relabel_files_pattern($1, lockfile, lockfile)
+	relabel_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
 ##	Create an object in the locks directory, with a private
 ##	type using a type transition.
 ## </summary>
@@ -6300,6 +6434,44 @@ interface(`files_manage_all_pids',`
 
 ########################################
 ## <summary>
+##	Relabel to/from all var_run (pid) directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain alloed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##	Relabel to/from all var_run (pid) files and directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain alloed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_dirs_pattern($1, pidfile, pidfile)
+	relabel_files_pattern($1, pidfile, pidfile)
+	relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Mount filesystems on all polyinstantiation
 ##	member directories.
 ## </summary>

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 4ddef7c..0db8233 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -767,6 +767,24 @@ interface(`fs_manage_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
 ##	Read cgroup files.
 ## </summary>
 ## <param name="domain">
@@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',`
 	')
 
 	read_files_pattern($1, cgroup_t, cgroup_t)
+	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
 	dev_search_sysfs($1)
 ')
 
@@ -3341,6 +3360,25 @@ interface(`fs_rw_nfsd_fs',`
 
 ########################################
 ## <summary>
+##	Getattr on pstore dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_pstore_dirs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+	getattr_files_pattern($1, pstore_t, pstore_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Allow the type to associate to ramfs filesystems.
 ## </summary>
 ## <param name="type">
@@ -4113,6 +4151,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel directory on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+	relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
 ##	Create an object in a tmpfs filesystem, with a private
 ##	type using a type transition.
 ## </summary>
@@ -4241,6 +4296,24 @@ interface(`fs_rw_tmpfs_files',`
 
 ########################################
 ## <summary>
+##     Relabel files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
 ##	Read tmpfs link files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index faa19d7..df42fa3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -8,6 +8,27 @@
 
 ########################################
 ## <summary>
+##	Allows the kernel to start userland processes
+##	by dynamic transitions to the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by the kernel.
+##	</summary>
+## </param>
+#
+interface(`kernel_dyntrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	domain_dyntrans_type(kernel_t)
+	allow kernel_t self:process setcurrent;
+	allow kernel_t $1:process dyntransition;
+')
+
+########################################
+## <summary>
 ##	Allows to start userland processes
 ##	by transitioning to the specified domain.
 ## </summary>
@@ -254,6 +275,25 @@ interface(`kernel_rw_pipes',`
 
 ########################################
 ## <summary>
+##	Read/write to kernel using a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_stream_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Connect to kernel using a unix
 ##	domain stream socket.
 ## </summary>
@@ -273,7 +313,25 @@ interface(`kernel_stream_connect',`
 
 ########################################
 ## <summary>
-##	Read and write kernel unix datagram sockets.
+##	Getattr on kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_dgram_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+##	Read and write kernel unix datagram sockets. (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b..2e6a376 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -519,6 +519,25 @@ interface(`term_dontaudit_manage_pty_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel from and to pty directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_relabel_pty_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of generic pty devices.
 ## </summary>

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 6aac59c..7bb4ecb 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -773,6 +773,25 @@ interface(`auth_rw_faillog',`
 	allow $1 faillog_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Manage the login failure logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_faillog',`
+	gen_require(`
+		type faillog_t;
+	')
+
+	allow $1 faillog_t:file manage_file_perms;
+	logging_rw_generic_log_dirs($1)
+')
+
 #######################################
 ## <summary>
 ##	Read the last logins log.

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 02ec851..b4bdf65 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -45,6 +45,10 @@ ifdef(`distro_gentoo', `
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /usr/lib/systemd/systemd --	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/system(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 211d434..192508f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -44,6 +44,26 @@ interface(`init_script_file',`
 
 ########################################
 ## <summary>
+##   Make the specified type usable for
+##   systemd unit files.
+## </summary>
+## <param name="type">
+##   <summary>
+##   Type to be used for systemd unit files.
+##   </summary>
+## </param>
+#
+interface(`init_unit_file',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	files_type($1)
+	typeattribute $1 systemdunit;
+')
+
+########################################
+## <summary>
 ##	Create a domain used for init scripts.
 ## </summary>
 ## <desc>
@@ -108,6 +128,10 @@ interface(`init_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(init_t, $2, $1)
+
+	ifdef(`init_systemd',`
+		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+	')
 ')
 
 ########################################
@@ -212,6 +236,12 @@ interface(`init_daemon_domain',`
 		userdom_dontaudit_use_user_terminals($1)
 	')
 
+	ifdef(`init_systemd',`
+		init_domain($1, $2)
+		# this may be because of late labelling
+		kernel_dgram_send($1)
+	')
+
 	optional_policy(`
 		nscd_use($1)
 	')
@@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',`
 		type initrc_t;
 	')
 
-	init_daemon_domain($1, $2)
+	ifdef(`init_systemd',`
+		init_ranged_domain($1, $2, $3)
+	',`
+		init_daemon_domain($1, $2)
 
-	ifdef(`enable_mcs',`
-		range_transition initrc_t $2:process $3;
+		ifdef(`enable_mcs',`
+			range_transition initrc_t $2:process $3;
+		')
+
+		ifdef(`enable_mls',`
+			range_transition initrc_t $2:process $3;
+			mls_rangetrans_target($1)
+		')
 	')
+')
 
-	ifdef(`enable_mls',`
-		range_transition initrc_t $2:process $3;
-		mls_rangetrans_target($1)
+#########################################
+## <summary>
+##	Abstract socket service activation (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain to be started by systemd socket activation.
+##	</summary>
+## </param>
+#
+interface(`init_abstract_socket_activation',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+	')
+')
+
+#########################################
+## <summary>
+##	Named socket service activation (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain to be started by systemd socket activation.
+##	</summary>
+## </param>
+## <param name="sock_file">
+##	<summary>
+##	The domain socket file type.
+##	</summary>
+## </param>
+#
+interface(`init_named_socket_activation',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:unix_dgram_socket create_socket_perms;
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow init_t $2:dir manage_dir_perms;
+		allow init_t $2:fifo_file manage_fifo_file_perms;
+		allow init_t $2:sock_file manage_sock_file_perms;
 	')
 ')
 
@@ -324,6 +407,10 @@ interface(`init_system_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(initrc_t, $2, $1)
+
+	ifdef(`init_systemd',`
+		init_domain($1, $2)
+	')
 ')
 
 ########################################
@@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',`
 		type initrc_t;
 	')
 
-	init_system_domain($1, $2)
+	ifdef(`init_systemd',`
+		init_ranged_domain($1, $2, $3)
+	',`
+		init_system_domain($1, $2)
 
-	ifdef(`enable_mcs',`
-		range_transition initrc_t $2:process $3;
-	')
+		ifdef(`enable_mcs',`
+			range_transition initrc_t $2:process $3;
+		')
 
-	ifdef(`enable_mls',`
-		range_transition initrc_t $2:process $3;
-		mls_rangetrans_target($1)
+		ifdef(`enable_mls',`
+			range_transition initrc_t $2:process $3;
+			mls_rangetrans_target($1)
+		')
 	')
 ')
 
@@ -579,10 +670,11 @@ interface(`init_sigchld',`
 #
 interface(`init_stream_connect',`
 	gen_require(`
-		type init_t;
+		type init_t, init_var_run_t;
 	')
 
-	allow $1 init_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+	files_search_pids($1)
 ')
 
 ########################################
@@ -664,6 +756,45 @@ interface(`init_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
+##	Send messages to init unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dgram_send',`
+	gen_require(`
+		type init_t, init_var_run_t;
+	')
+
+	dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write to
+##	init with unix domain stream sockets.
+##	</summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Send UDP network traffic to init.  (Deprecated)
 ## </summary>
 ## <param name="domain">
@@ -678,6 +809,276 @@ interface(`init_udp_send',`
 
 ########################################
 ## <summary>
+##	Get all service status (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_system_status',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+##	Enable all systemd services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_enable',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system enable;
+')
+
+########################################
+## <summary>
+##	Disable all services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_disable',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system disable;
+')
+
+########################################
+## <summary>
+##	Reload all services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reload;
+')
+
+########################################
+## <summary>
+##	Reboot the system (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reboot_system',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+##	Shutdown (halt) the system (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_shutdown_system',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+## 	Allow specified domain to get init status
+## </summary>
+## <param name="domain">
+## <summary>
+## 	Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_status',`
+	gen_require(`
+		type init_t;
+		class service status;
+	')
+
+	allow $1 init_t:service status;
+')
+
+########################################
+## <summary>
+## 	Allow specified domain to get init start
+## </summary>
+## <param name="domain">
+## <summary>
+## 	Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_start',`
+	gen_require(`
+		type init_t;
+		class service start;
+	')
+
+	allow $1 init_t:service start;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	systemd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+	gen_require(`
+		type initrc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 init_t:dbus send_msg;
+	allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Manage files in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_manage_var_lib_files',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create files in /var/lib/systemd
+##	with an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="type">
+##	<summary>
+##	The type of object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_var_lib_filetrans',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create files in an init PID directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of initctl.
 ## </summary>
 ## <param name="domain">
@@ -1976,3 +2377,180 @@ interface(`init_script_readable_type',`
 
 	typeattribute $1 init_script_readable;
 ')
+
+######################################
+## <summary>
+##	Search systemd unit dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_units',`
+	gen_require(`
+		type init_var_run_t, systemd_unit_t;
+	')
+
+	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+	# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
+	files_search_etc($1)
+	files_search_usr($1)
+	libs_search_lib($1)
+
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+##	Get status of generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_generic_units_status',`
+	gen_require(`
+		type systemd_unit_t;
+		class service status;
+	')
+
+	allow $1 systemd_unit_t:service status;
+')
+
+########################################
+## <summary>
+##	Start generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service start;
+	')
+
+	allow $1 systemd_unit_t:service start;
+')
+
+########################################
+## <summary>
+##	Stop generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+## 	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service stop;
+	')
+
+	allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+## <summary>
+##	Reload generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service reload;
+	')
+
+	allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+## <summary>
+##	Get status of all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_all_units_status',`
+	gen_require(`
+		attribute systemdunit;
+		class service status;
+	')
+
+	allow $1 systemdunit:service status;
+')
+
+########################################
+## <summary>
+##	Start all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service start;
+	')
+
+	allow $1 systemdunit:service start;
+')
+
+########################################
+## <summary>
+##	Stop all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+## 	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service stop;
+	')
+
+	allow $1 systemdunit:service stop;
+')
+
+#######################################
+## <summary>
+##	Reload all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service reload;
+	')
+
+	allow $1 systemdunit:service reload;
+')

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 95db0d0..d5d7b10 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -19,6 +19,7 @@ gen_tunable(init_upstart, false)
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
+attribute systemdunit;
 
 # Mark process types as daemons
 attribute daemon;
@@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
 type initrc_exec_t, init_script_file_type;
 domain_type(initrc_t)
 domain_entry_file(initrc_t, initrc_exec_t)
+init_named_socket_activation(initrc_t, init_var_run_t)
 role system_r types initrc_t;
 # should be part of the true block
 # of the below init_upstart tunable
@@ -74,6 +76,9 @@ type initrc_devpts_t;
 term_pty(initrc_devpts_t)
 files_type(initrc_devpts_t)
 
+type initrc_lock_t;
+files_lock_file(initrc_lock_t)
+
 type initrc_state_t;
 files_type(initrc_state_t)
 
@@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t)
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
 
+type systemd_unit_t;
+init_unit_file(systemd_unit_t)
+
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
@@ -182,6 +190,115 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+ifdef(`init_systemd',`
+	# handle instances where an old labeled init script is encountered.
+	typeattribute init_t init_run_all_scripts_domain;
+
+	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
+	allow init_t self:capability2 block_suspend;
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t self:netlink_selinux_socket create_socket_perms;
+
+	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
+	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
+	manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
+	manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
+
+	manage_files_pattern(init_t, systemd_unit_t, systemdunit)
+
+	manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
+	manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
+	allow init_t systemd_unit_t:dir relabel_dir_perms;
+
+	kernel_dyntrans_to(init_t)
+	kernel_read_network_state(init_t)
+	kernel_read_kernel_sysctls(init_t)
+	kernel_read_vm_sysctls(init_t)
+	kernel_dgram_send(init_t)
+	kernel_stream_connect(init_t)
+	kernel_getattr_proc(init_t)
+	kernel_read_fs_sysctls(init_t)
+
+	dev_rw_autofs(init_t)
+	dev_create_generic_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_read_urand(init_t)
+	dev_write_kmsg(init_t)
+
+	domain_read_all_domains_state(init_t)
+
+	files_read_all_pids(init_t)
+	files_list_usr(init_t)
+	files_list_var(init_t)
+	files_list_var_lib(init_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_mounton_root(init_t)
+	files_search_pids(init_t)
+	files_relabel_all_pids(init_t)
+	files_read_all_locks(init_t)
+	files_search_kernel_modules(init_t)
+	# for privatetmp functions
+	files_manage_generic_tmp_dirs(init_t)
+	files_mounton_tmp(init_t)
+
+	fs_manage_cgroup_dirs(init_t)
+	fs_relabel_cgroup_dirs(init_t)
+	fs_rw_cgroup_files(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_mount_autofs(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_getattr_tmpfs(init_t)
+	fs_read_tmpfs_files(init_t)
+	fs_read_cgroup_files(init_t)
+	fs_dontaudit_getattr_xattr_fs(init_t)
+	# for privatetmp functions
+	fs_relabel_tmpfs_dirs(init_t)
+	fs_relabel_tmpfs_files(init_t)
+	# mount-setup
+	fs_unmount_autofs(init_t)
+	fs_getattr_pstore_dirs(init_t)
+
+	# systemd_socket_activated policy
+	mls_socket_write_all_levels(init_t)
+
+	selinux_compute_create_context(init_t)
+	selinux_compute_access_vector(init_t)
+
+	term_relabel_pty_dirs(init_t)
+
+	clock_read_adjtime(init_t)
+
+	logging_manage_pid_sockets(init_t)
+	logging_send_audit_msgs(init_t)
+	logging_relabelto_devlog_sock_files(init_t)
+
+	seutil_read_file_contexts(init_t)
+
+	systemd_relabelto_kmod_files(init_t)
+	systemd_dbus_chat_logind(init_t)
+
+	# udevd is a "systemd kobject uevent socket activated daemon"
+	udev_create_kobject_uevent_sockets(init_t)
+
+	optional_policy(`
+		dbus_system_bus_client(init_t)
+		dbus_connect_system_bus(init_t)
+	')
+
+	optional_policy(`
+		modutils_domtrans_insmod(init_t)
+	')
+',`
+	tunable_policy(`init_upstart',`
+		corecmd_shell_domtrans(init_t, initrc_t)
+	',`
+		# Run the shell in the sysadm role for single-user mode.
+		# causes problems with upstart
+		sysadm_shell_domtrans(init_t)
+	')
+')
+
 ifdef(`distro_debian',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
 
@@ -201,14 +318,6 @@ ifdef(`distro_redhat',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
 
-tunable_policy(`init_upstart',`
-	corecmd_shell_domtrans(init_t, initrc_t)
-',`
-	# Run the shell in the sysadm role for single-user mode.
-	# causes problems with upstart
-	sysadm_shell_domtrans(init_t)
-')
-
 optional_policy(`
 	auth_rw_login_records(init_t)
 ')
@@ -609,6 +718,57 @@ ifdef(`distro_suse',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
+	files_lock_filetrans(initrc_t, initrc_lock_t, file)
+
+	manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
+
+	manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+	manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+	manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+	files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
+
+	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+
+	manage_files_pattern(initrc_t, systemdunit, systemdunit)
+	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+
+	kernel_dgram_send(initrc_t)
+
+	# run systemd misc initializations
+	# in the initrc_t domain, as would be
+	# done in traditional sysvinit/upstart.
+	corecmd_bin_entry_type(initrc_t)
+	corecmd_shell_entry_type(initrc_t)
+	corecmd_bin_domtrans(init_t, initrc_t)
+	corecmd_shell_domtrans(init_t, initrc_t)
+
+	files_read_boot_files(initrc_t)
+	files_setattr_pid_dirs(initrc_t)
+
+	selinux_set_enforce_mode(initrc_t)
+
+	init_stream_connect(initrc_t)
+	init_manage_var_lib_files(initrc_t)
+	init_rw_stream_sockets(initrc_t)
+	init_get_all_units_status(initrc_t)
+	init_stop_all_units(initrc_t)
+
+	# Create /etc/audit.rules.prev after firstboot remediation
+	logging_manage_audit_config(initrc_t)
+
+	# lvm2-activation-generator checks file labels
+	seutil_read_file_contexts(initrc_t)
+
+	systemd_start_power_units(initrc_t)
+
+	optional_policy(`
+		# create /var/lock/lvm/
+		lvm_create_lock_dirs(initrc_t)
+	')
+')
+
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)

diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 0e3c2a9..4305a86 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -24,6 +24,27 @@ interface(`locallogin_domtrans',`
 
 ########################################
 ## <summary>
+##	Allow calling domain to read locallogin state.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed permission.
+##	</summary>
+## </param>
+#
+interface(`locallogin_read_state',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	kernel_search_proc($1)
+	allow $1 local_login_t:file read_file_perms;
+	allow $1 local_login_t:lnk_file read_lnk_file_perms;
+	allow $1 local_login_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Allow processes to inherit local login file descriptors.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9fa0f5d..6a279f3 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -553,6 +553,25 @@ interface(`logging_send_syslog_msg',`
 
 ########################################
 ## <summary>
+##	Allow domain to relabelto devlog sock_files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabelto_devlog_sock_files',`
+	gen_require(`
+		type devlog_t;
+	')
+
+	allow $1 devlog_t:sock_file relabelto_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the auditd configuration files.
 ## </summary>
 ## <param name="domain">
@@ -631,6 +650,25 @@ interface(`logging_delete_devlog_socket',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete syslog PID sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_manage_pid_sockets',`
+	gen_require(`
+		type syslogd_var_run_t;
+	')
+
+	manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
 ##	Allows the domain to open a file in the
 ##	log directory, but does not allow the listing
 ##	of the contents of the log directory.

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 86b223c..6561474 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -105,6 +105,26 @@ interface(`lvm_manage_config',`
 	manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
 ')
 
+########################################
+## <summary>
+##	Create lvm_lock_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_create_lock_dirs',`
+	gen_require(`
+		type lvm_lock_t;
+	')
+
+	create_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
+	files_add_entry_lock_dirs($1)
+')
+
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 0000000..864979d
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,39 @@
+/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
+/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
+/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/bin/systemd-detect-virt	--	gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
+/bin/systemd-nspawn			--	gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
+/bin/systemd-run			--	gen_context(system_u:object_r:systemd_run_exec_t,s0)
+/bin/systemd-stdio-bridge	--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
+/bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/bin/systemd-tty-ask-password-agent		--			gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+/usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+/usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+/usr/lib/systemd/systemd-binfmt		--	gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
+/usr/lib/systemd/systemd-cgroups-agent	--	gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
+/usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-hostnamed	--	gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
+/usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_locale_exec_t,s0)
+/usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*halt.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*hibernate.* --	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*power.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*reboot.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*shutdown.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*sleep.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+
+/var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+
+/var/run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/var/run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+
+/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/tmpfiles\.d/kmod.conf	gen_context(system_u:object_r:systemd_kmod_conf_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..8bca3a3
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,195 @@
+## <summary>Systemd components (not PID 1)</summary>
+
+######################################
+## <summary>
+##   Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_logind_pids',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+##   Manage systemd_login PID pipes.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_manage_logind_pid_pipes',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+##   Use inherited systemd
+##   logind file descriptors.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_use_logind_fds',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+')
+
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd logind over dbus.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+	gen_require(`
+		type systemd_logind_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_logind_t:dbus send_msg;
+	allow systemd_logind_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##   Allow process to write to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_write_kmod_files',`
+	gen_require(`
+		type systemd_kmod_conf_t;
+	')
+
+	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
+')
+
+########################################
+## <summary>
+##   Allow process to relabel to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_relabelto_kmod_files',`
+	gen_require(`
+		type systemd_kmod_conf_t;
+	')
+
+	allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
+##   Read systemd homedir content
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_home_content',`
+	gen_require(`
+		type systemd_home_t;
+	')
+
+	optional_policy(`
+		gnome_search_gconf_data_dir($1)
+	')
+	read_files_pattern($1, systemd_home_t, systemd_home_t)
+	read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
+')
+
+########################################
+## <summary>
+##   Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_status_logind',`
+	gen_require(`
+		type systemd_logind_t;
+		class service status;
+	')
+
+	allow $1 systemd_logind_t:service status;
+')
+
+########################################
+## <summary>
+##   Send systemd_login a null signal.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_signull_logind',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow specified domain to start power units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_start_power_units',`
+	gen_require(`
+		type power_unit_t;
+		class service start;
+	')
+
+	allow $1 power_unit_t:service start;
+')

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..597d4aa
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,264 @@
+policy_module(systemd, 1.0.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfiles_manage_all, false)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_analyze_t;
+type systemd_analyze_exec_t;
+init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_cgroups_t;
+type systemd_cgroups_exec_t;
+domain_type(systemd_cgroups_t)
+domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
+role system_r types systemd_cgroups_t;
+
+type systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_var_run_t)
+init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+
+type systemd_cgtop_t;
+type systemd_cgtop_exec_t;
+init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_detect_virt_t;
+type systemd_detect_virt_exec_t;
+init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
+type systemd_hostnamed_t;
+type systemd_hostnamed_exec_t;
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
+
+type systemd_locale_t;
+type systemd_locale_exec_t;
+init_system_domain(systemd_locale_t, systemd_locale_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+
+type systemd_logind_var_lib_t;
+files_type(systemd_logind_var_lib_t)
+
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_nspawn_t;
+type systemd_nspawn_exec_t;
+init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+
+type systemd_run_t;
+type systemd_run_exec_t;
+init_daemon_domain(systemd_run_t, systemd_run_exec_t)
+
+type systemd_stdio_bridge_t;
+type systemd_stdio_bridge_exec_t;
+init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_sessions_t;
+type systemd_sessions_exec_t;
+init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+type systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_var_run_t)
+init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+type systemd_kmod_conf_t;
+files_config_file(systemd_kmod_conf_t)
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+#
+# Unit file types
+#
+
+type power_unit_t;
+init_unit_file(power_unit_t)
+
+######################################
+#
+# Cgroups local policy
+#
+
+kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+
+init_stream_connect(systemd_cgroups_t)
+
+logging_send_syslog_msg(systemd_cgroups_t)
+
+kernel_dgram_send(systemd_cgroups_t)
+
+#######################################
+#
+# locale local policy
+#
+
+files_read_etc_files(systemd_locale_t)
+
+logging_send_syslog_msg(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+optional_policy(`
+	dbus_connect_system_bus(systemd_locale_t)
+	dbus_system_bus_client(systemd_locale_t)
+')
+
+#######################################
+#
+# Hostnamed policy
+#
+
+files_read_etc_files(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_hostnamed_t)
+	dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
+#########################################
+#
+# Logind local policy
+#
+
+allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
+
+allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+files_search_pids(systemd_logind_t)
+
+auth_manage_faillog(systemd_logind_t)
+
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_tmpfs(systemd_logind_t)
+
+storage_getattr_removable_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+init_get_all_units_status(systemd_logind_t)
+init_start_all_units(systemd_logind_t)
+init_stop_all_units(systemd_logind_t)
+init_service_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+# This is for reading /proc/1/cgroup
+init_read_state(systemd_logind_t)
+
+locallogin_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+systemd_start_power_units(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_read_pid_files(systemd_logind_t)
+
+userdom_use_user_ttys(systemd_logind_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_logind_t)
+	dbus_connect_system_bus(systemd_logind_t)
+')
+
+#########################################
+#
+# Sessions local policy
+#
+
+allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+
+logging_send_syslog_msg(systemd_sessions_t)
+
+#########################################
+#
+# Tmpfiles local policy
+#
+
+allow systemd_tmpfiles_t self:capability  { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:process { setfscreate getcap };
+
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+tunable_policy(`systemd_tmpfiles_manage_all',`
+	# systemd-tmpfiles can be configured to manage anything.
+	# have a last-resort option for users to do this.
+	files_manage_non_security_dirs(systemd_tmpfiles_t)
+	files_manage_non_security_files(systemd_tmpfiles_t)
+	files_relabel_non_security_dirs(systemd_tmpfiles_t)
+	files_relabel_non_security_files(systemd_tmpfiles_t)
+')

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 06175a7..d4c92cc 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -92,6 +92,25 @@ interface(`udev_read_state',`
 	allow $1 udev_t:lnk_file read_lnk_file_perms;
 ')
 
+
+########################################
+## <summary>
+##	Allow domain to create uevent sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_sockets',`
+	gen_require(`
+		type udev_t;
+	')
+
+	allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to inherit a

[gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     bac1f46765f49a73cdfb5a482f45f3a83487ee06
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:23:35 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:45 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bac1f467

Add sysfs_types attribute.

Collect all types used to label sysfs entries.

 policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
 policy/modules/kernel/devices.te |  5 +++--
 policy/modules/system/init.te    |  1 +
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a052db5..591b932 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4130,6 +4130,26 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##	Relabel from/to all sysfs types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+	gen_require(`
+		attribute sysfs_types;
+	')
+
+	allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
+	allow $1 sysfs_types:file relabel_file_perms;
+	allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e5bcfcd..9274a82 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -9,6 +9,7 @@ attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
 attribute devices_unconfined_type;
+attribute sysfs_types;
 
 #
 # device_t is the type of /dev.
@@ -62,7 +63,7 @@ dev_node(cpu_device_t)
 #
 # /sys/devices/system/cpu/online device
 #
-type cpu_online_t;
+type cpu_online_t, sysfs_types;
 files_type(cpu_online_t)
 dev_associate_sysfs(cpu_online_t)
 
@@ -229,7 +230,7 @@ dev_node(sound_device_t)
 #
 # sysfs_t is the type for the /sys pseudofs
 #
-type sysfs_t;
+type sysfs_t, sysfs_types;
 files_mountpoint(sysfs_t)
 fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 79400f2..8c9cffa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ ifdef(`init_systemd',`
 	dev_create_generic_dirs(init_t)
 	dev_manage_input_dev(init_t)
 	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_sysfs(init_t)
 	dev_read_urand(init_t)
 	dev_write_kmsg(init_t)
 

[gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     f9f01e684dcb23519fcd03e6efdbff754dbef7be
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May  1 22:45:01 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May  7 15:53:18 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9f01e68

Module version bump for minor fixes from Guido Trentalancia.

 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/system/init.te   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 87f5f9a4..a2869be7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.22.1)
+policy_module(kernel, 1.22.2)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a01b5093..a572300d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.20)
+policy_module(init, 2.2.21)
 
 gen_require(`
 	class passwd rootok;

[gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     1b7b773c1a5f2df67ef78aa7e5cb1016d4d82638
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Sun May 14 15:24:03 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:51 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b7b773c

Enable /etc directory protection using ProtectSystem

Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.

This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.

 policy/modules/kernel/files.if | 19 +++++++++++++++++++
 policy/modules/system/init.te  |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a74f7913..c6df0a62 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2853,6 +2853,25 @@ interface(`files_relabelto_etc_dirs',`
 
 ########################################
 ## <summary>
+##	Mount a filesystem on the
+##	etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Read generic files in /etc.
 ## </summary>
 ## <desc>

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f388f1e0..3d3697fb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -288,6 +288,7 @@ ifdef(`init_systemd',`
 	files_search_kernel_modules(init_t)
 	# for privatetmp functions
 	files_mounton_tmp(init_t)
+	files_mounton_etc_dirs(init_t)
 
 	fs_relabel_cgroup_dirs(init_t)
 	fs_rw_cgroup_files(init_t)

[gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     65729b614bfeb81ad1a2b8587a6ccc6e5ebd04a7
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:48:51 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:56 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=65729b61

Module version bump for systemd fix from Krzysztof Nowicki.

 policy/modules/kernel/files.te | 2 +-
 policy/modules/system/init.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index c0578cc4..4768906d 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.12)
+policy_module(files, 1.23.13)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4e2c6504..e44dfded 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.22)
+policy_module(init, 2.2.23)
 
 gen_require(`
 	class passwd rootok;

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/

[Sven Vermeulen]

commit:     1b7b773c1a5f2df67ef78aa7e5cb1016d4d82638
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Sun May 14 15:24:03 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:51 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b7b773c

Enable /etc directory protection using ProtectSystem

Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.

This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.

 policy/modules/kernel/files.if | 19 +++++++++++++++++++
 policy/modules/system/init.te  |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a74f7913..c6df0a62 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2853,6 +2853,25 @@ interface(`files_relabelto_etc_dirs',`
 
 ########################################
 ## <summary>
+##	Mount a filesystem on the
+##	etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Read generic files in /etc.
 ## </summary>
 ## <desc>

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f388f1e0..3d3697fb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -288,6 +288,7 @@ ifdef(`init_systemd',`
 	files_search_kernel_modules(init_t)
 	# for privatetmp functions
 	files_mounton_tmp(init_t)
+	files_mounton_etc_dirs(init_t)
 
 	fs_relabel_cgroup_dirs(init_t)
 	fs_rw_cgroup_files(init_t)

[gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     94e5bdcfc5d1a49605d019ff465dd9f56bd9686d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:29:26 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 04:55:22 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94e5bdcf

storage, userdomain: Module version bump.

 policy/modules/kernel/storage.te    | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index eb9b5b8d..d2a49c97 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.15.0)
+policy_module(storage, 1.15.1)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index a3a1802e..3db9b0c2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.9)
+policy_module(userdomain, 4.14.10)
 
 ########################################
 #