* [refpolicy] [PATCH] systemd related changes second attempt
@ 2017-04-04  7:42 Russell Coker
From: Russell Coker @ 2017-04-04  7:42 UTC (permalink / raw)
  To: refpolicy

Here's the second attempt at this patch.  I addressed all issues Chris raised
apart from init_get_script_status(), and renaming systemd_manage_passwd_run().

Chris, please rename systemd_manage_passwd_run() while applying this.


Description: App changes related to systemd
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-04-04

Index: refpolicy-2.20170402/policy/modules/contrib/apache.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/apache.te
+++ refpolicy-2.20170402/policy/modules/contrib/apache.te
@@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
 
+ifdef(`init_systemd', `
+	systemd_manage_passwd_run(httpd_t)
+')
+
 ifdef(`TODO',`
 	tunable_policy(`allow_httpd_mod_auth_pam',`
 		auth_domtrans_chk_passwd(httpd_t)
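Review bot: The added `systemd_manage_passwd_run(httpd_t)` call has no comment saying why a network-facing daemon needs it. As defined in the systemd.if part of this patch, the interface gives the caller manage access to files and socket files labeled systemd_passwd_var_run_t, and lets systemd_passwd_agent_t send signull and datagrams to it. A one-line comment such as `# httpd asks for the TLS key passphrase via systemd-ask-password` (if that is the intent) would let a later reviewer judge whether the grant is still required.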
Index: refpolicy-2.20170402/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170402/policy/modules/contrib/cron.te
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)
 
 auth_domtrans_chk_passwd(crond_t)
 auth_manage_var_auth(crond_t)
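Review bot: The four `system_cronjob_t` lines give every system cron job start and stop on all units, unconditionally and without a comment, and they are inserted in a run of `crond_t` rules. The only stated reason is `# so cron jobs can restart daemons` in the next hunk, where it sits above `init_stream_connect(system_cronjob_t)`. I would move these four lines next to that comment so the grant and its rationale are read together. It is also worth checking whether they belong under an init_systemd condition, as the apache.te hunk does for its addition.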
@@ -417,6 +421,16 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+optional_policy(`
+	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+	# so cron jobs can restart daemons
+	init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
 	udev_read_db(crond_t)
 ')
 
Index: refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
@@ -340,6 +340,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
 	udev_exec(NetworkManager_t)
 	udev_read_db(NetworkManager_t)
 	udev_read_pid_files(NetworkManager_t)
Index: refpolicy-2.20170402/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20170402/policy/modules/services/ssh.te
@@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
 ')
 
 optional_policy(`
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
+	systemd_dbus_chat_logind(sshd_t)
+')
+
+optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
Index: refpolicy-2.20170402/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170402/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
@@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
 init_read_utmp(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_run(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
 
+# for hdparm init script run by udev
+initrc_service_status(udev_t)
+
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
 logging_send_audit_msgs(udev_t)
@@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
+systemd_read_logind_sessions_files(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_debian',`
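Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` are added without the kind of comment the previous hunk gives its additions (`# systemd-udevd searches /run/systemd`, `# for hdparm init script run by udev`). Start and stop on every unit is a wide grant for udev_t, so the reason should be recorded next to the lines, for example `# udev rules start and stop units` if that is the case. If only particular unit types are involved, a narrower interface would be preferable.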
Index: refpolicy-2.20170402/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20170402/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
 #
 
 allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
 allow logrotate_t self:fifo_file rw_fifo_file_perms;
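Review bot: Dropping `setrlimit` from the negated set on the `self:process` rule grants logrotate_t the setrlimit permission, which is easy to miss because the edit reads like a removal. Nothing in the hunk or the patch description says what needs it. A comment above the rule, e.g. `# setrlimit is needed by <program to be named>`, would record the reason and make the grant visible in later audits.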
@@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 
 init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+
+dbus_system_bus_client(logrotate_t)
+init_write_pid_socket(logrotate_t)
 
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
@@ -126,6 +133,8 @@ ifdef(`distro_debian',`
 	logging_read_syslog_config(logrotate_t)
 ')
 
+init_manage_all_units(logrotate_t)
+
 optional_policy(`
 	abrt_manage_cache(logrotate_t)
 ')
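Review bot: `init_manage_all_units(logrotate_t)` grants every permission in the service class on all systemdunit types (see the init.if part of this patch), which is more than a log rotator restarting or reloading daemons appears to need. It also makes the `init_get_all_units_status(logrotate_t)` line added in the previous hunk redundant for those units. Consider `init_reload_all_units(logrotate_t)` together with `init_start_all_units(logrotate_t)` and `init_stop_all_units(logrotate_t)` instead, placed with the other init_ calls rather than after the distro_debian block.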
Index: refpolicy-2.20170402/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170402/policy/modules/system/lvm.te
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 
+kernel_request_load_module(lvm_t)
 kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
 kernel_search_debugfs(lvm_t)
 
 corecmd_exec_bin(lvm_t)
@@ -301,6 +304,8 @@ init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)
 
 logging_send_syslog_msg(lvm_t)
 
Index: refpolicy-2.20170402/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170402/policy/modules/contrib/dbus.te
@@ -144,6 +144,13 @@ userdom_dontaudit_use_unpriv_user_fds(sy
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 
 optional_policy(`
+	# for /run/systemd/users/*
+	systemd_read_logind_pids(system_dbusd_t)
+	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+	systemd_write_logind_pid_pipes(system_dbusd_t)
+')
+
+optional_policy(`
 	bluetooth_stream_connect(system_dbusd_t)
 ')
 
Index: refpolicy-2.20170402/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170402/policy/modules/system/unconfined.te
@@ -59,6 +59,10 @@ ifdef(`direct_sysadm_daemon',`
 ')
 
 optional_policy(`
+	init_unconfined(unconfined_t)
+')
+
+optional_policy(`
 	ada_domtrans(unconfined_t)
 ')
 
Index: refpolicy-2.20170402/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170402/policy/modules/system/logging.if
@@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',`
 	# will write to the console.
 	term_write_console($1)
 	term_dontaudit_read_console($1)
+
+	# because systemd is now using /run/systemd/journal/dev-log
+	init_search_run($1)
 ')
 
 ########################################
Index: refpolicy-2.20170402/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170402/policy/modules/system/locallogin.te
@@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+optional_policy(`
+	systemd_dbus_chat_logind(local_login_t)
+	systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
 tunable_policy(`console_login',`
 	# Able to relabel /dev/console to user tty types.
 	term_relabel_console(local_login_t)
Index: refpolicy-2.20170402/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170402/policy/modules/contrib/policykit.te
@@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t)
 userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
 
+# for /run/systemd/machines
+systemd_read_machines(policykit_t)
+
+# for /run/systemd/seats/seat*
+systemd_read_logind_sessions_files(policykit_t)
+
+# for /run/systemd/users/*
+systemd_read_logind_pids(policykit_t)
+
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
 
Index: refpolicy-2.20170402/policy/modules/contrib/dbus.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.if
+++ refpolicy-2.20170402/policy/modules/contrib/dbus.if
@@ -88,6 +88,10 @@ template(`dbus_role_template',`
 	ifdef(`hide_broken_symptoms',`
 		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 	')
+
+	optional_policy(`
+		systemd_read_logind_pids($1_dbusd_t)
+	')
 ')
 
 #######################################
Index: refpolicy-2.20170402/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170402/policy/modules/kernel/files.if
@@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
 	allow $1 etc_t:service status;
 ')
 
+########################################
+## <summary>
+##	start etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_start_etc_service',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service start;
+')
+
+########################################
+## <summary>
+##	stop etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_stop_etc_service',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service stop;
+')
+
 #######################################
 ## <summary>
 ##	Relabel from and to generic files in /etc.
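Review bot: The two new interfaces are named `files_start_etc_service` and `files_stop_etc_service`, while the existing sibling directly above them is `files_get_etc_unit_status`, so the same object is called a unit in one name and a service in the others. I would name them `files_start_etc_units` / `files_stop_etc_units` or otherwise align all three. The summaries `start etc_t service` and `stop etc_t service` are fragments; something like `##	Start systemd units labeled etc_t.` says what the rule is for. The new interfaces also omit a `class service` requirement, whereas the init.if interfaces added in this patch declare one; pick one convention.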
Index: refpolicy-2.20170402/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170402/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
+		class service all_service_perms;
 	')
 
 	# Use most Linux capabilities
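Review bot: The added `class service all_service_perms;` requirement has no matching rule in the lines shown. The second hunk of this file adds only the three `files_*_etc_*` calls, and those interfaces do their own gen_require. The rest of unconfined_domain_noaudit lies outside the hunk, so this may be used elsewhere, but if nothing in the body references the service class directly the require line should be dropped. If a direct rule on the service class was intended, it is missing.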
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
 	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)
+	files_get_etc_unit_status($1)
+	files_start_etc_service($1)
+	files_stop_etc_service($1)
 
 	tunable_policy(`allow_execheap',`
 		# Allow making the stack executable via mprotect.
Index: refpolicy-2.20170402/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170402/policy/modules/roles/sysadm.te
@@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
-init_get_system_status(sysadm_t)
-init_disable(sysadm_t)
-init_enable(sysadm_t)
-init_reload(sysadm_t)
-init_reboot_system(sysadm_t)
-init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_unconfined(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
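Review bot: The removed `init_reload_generic_units(sysadm_t)` has no counterpart in `init_unconfined`, whose body in the init.if part of this patch calls the start, stop and status variants for generic units but not reload. The permission is presumably still covered through `init_manage_all_units` if the generic unit type carries the systemdunit attribute, but that is not visible here and should be confirmed. The replacement also widens sysadm_t beyond the nine removed calls (all-unit start/stop/manage, `init_stop_system`, `init_telinit`, `init_manage_script_service`, `dev_manage_null_service`), which deserves a sentence in the description.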
Index: refpolicy-2.20170402/policy/modules/system/lvm.fc
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/lvm.fc
+++ refpolicy-2.20170402/policy/modules/system/lvm.fc
@@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/lvm-10/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/lvm-200/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/system/blk-availability.*	--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/dm-event.*		--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/lvm2-.*			--	gen_context(system_u:object_r:lvm_unit_t,s0)
Index: refpolicy-2.20170402/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170402/policy/modules/contrib/mta.te
@@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst
 
 init_use_script_ptys(system_mail_t)
 init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
 
Index: refpolicy-2.20170402/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170402/policy/modules/services/xserver.te
@@ -285,6 +285,10 @@ files_search_pids(xauth_t)
 fs_getattr_xattr_fs(xauth_t)
 fs_search_auto_mountpoints(xauth_t)
 
+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
 # cjp: why?
 term_use_ptmx(xauth_t)
 
Index: refpolicy-2.20170402/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170402/policy/modules/system/sysnetwork.if
@@ -399,7 +399,7 @@ interface(`sysnet_write_config',`
 
 #######################################
 ## <summary>
-##	Create network config files.
+##	relabel network config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -407,13 +407,13 @@ interface(`sysnet_write_config',`
 ##	</summary>
 ## </param>
 #
-interface(`sysnet_create_config',`
+interface(`sysnet_relabel_config',`
 	gen_require(`
 		type net_conf_t;
 	')
 
 	files_search_etc($1)
-	allow $1 net_conf_t:file create_file_perms;
+	allow $1 net_conf_t:file { relabelfrom relabelto };
 ')
 
 #######################################
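Review bot: Renaming `sysnet_create_config` in place removes a public interface and changes what its body grants, so any caller not updated by this patch will fail to build. The patch updates the init.te and systemd.te callers; callers in other modules cannot be checked from here. Adding `sysnet_relabel_config` as a new interface and keeping `sysnet_create_config` as a deprecated wrapper would avoid the break. The summary in the previous hunk would also read better capitalised, `##	Relabel network config files.`; the interface's doc header starts in that hunk.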
@@ -455,6 +455,7 @@ interface(`sysnet_manage_config',`
 		type net_conf_t;
 	')
 
+	files_search_etc($1)
 	allow $1 net_conf_t:file manage_file_perms;
 
 	ifdef(`distro_debian',`
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc
@@ -15,6 +15,8 @@
 
 /usr/lib/systemd/ntp-units\.d/.*  	--	gen_context(system_u:object_r:ntpd_unit_t,s0)
 /usr/lib/systemd/system/ntpd.*\.service	--	gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 
 /usr/sbin/ntpd				--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate			--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -23,6 +25,7 @@
 /var/db/ntp-kod				--	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock			--	gen_context(system_u:object_r:ntp_drift_t,s0)
 
 /var/lock/ntpdate                       --      gen_context(system_u:object_r:ntpd_lock_t,s0)
 
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t)
 dev_read_sysfs(ntpd_t)
 dev_read_urand(ntpd_t)
 dev_rw_realtime_clock(ntpd_t)
+clock_read_adjtime(ntpd_t)
 
 domain_use_interactive_fds(ntpd_t)
 domain_dontaudit_list_all_domains_state(ntpd_t)
@@ -142,6 +143,25 @@ miscfiles_read_localization(ntpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
 
+ifdef(`init_systemd',`
+	dbus_system_bus_client(ntpd_t)
+	dbus_connect_system_bus(ntpd_t)
+	init_dbus_chat(ntpd_t)
+	init_get_system_status(ntpd_t)
+	allow ntpd_t self:capability { fowner setpcap };
+	init_reload(ntpd_t)
+
+	# for /var/lib/systemd/clock
+	init_list_var_lib_dirs(ntpd_t)
+
+	# for /run/systemd/netif/links
+	init_list_pid_dirs(ntpd_t)
+
+	optional_policy(`
+		unconfined_dbus_send(ntpd_t)
+	')
+')
+
 optional_policy(`
 	cron_system_entry(ntpd_t, ntpdate_exec_t)
 ')
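Review bot: The raw rule `allow ntpd_t self:capability { fowner setpcap };` and the `init_reload(ntpd_t)` call are added without comments, unlike the two `# for /...` lines below them. Because the ntp.fc part of this patch labels both systemd-timedated and systemd-timesyncd as ntpd_exec_t, these grants presumably apply to every program that runs in ntpd_t on a systemd build, including the classic ntpd. A comment per grant naming the program that needs it, e.g. `# setpcap: <program> drops capabilities at startup`, would make the trade-off reviewable. The capability rule would also sit better with the other `self:` rules of the domain than between interface calls.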
Index: refpolicy-2.20170402/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170402/policy/modules/contrib/devicekit.te
@@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
 
 init_all_labeled_script_domtrans(devicekit_power_t)
 init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)
 
 miscfiles_read_localization(devicekit_power_t)
 
Index: refpolicy-2.20170402/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/init.if
+++ refpolicy-2.20170402/policy/modules/system/init.if
@@ -1209,6 +1209,24 @@ interface(`init_pid_filetrans',`
 	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
 ')
 
+######################################
+## <summary>
+##  Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_list_pid_dirs',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of initctl.
@@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',`
 	allow $1 { init_script_file_type systemdunit }:service status;
 ')
 
+#######################################
+## <summary>
+##      All perms on all systemd units.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service all_service_perms;
+	')
+
+	allow $1 systemdunit:service all_service_perms;
+	allow $1 systemdunit:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Start all systemd units.
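Review bot: `init_manage_all_units` applies only to `systemdunit`, while the neighbouring all-units interfaces visible in this patch's context (`init_get_all_units_status`, `init_reload_all_units`) use `{ init_script_file_type systemdunit }`. "All units" therefore means two different sets within the same file. Either use the same type set here or say so in the summary, e.g. `##	All service permissions on systemd unit types (not init scripts), plus getattr on the unit files.`, which would also document the `systemdunit:file getattr` rule that the current summary does not mention.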
@@ -2879,3 +2917,58 @@ interface(`init_reload_all_units',`
 
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
+
+########################################
+## <summary>
+##      Allow getting service status of initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`initrc_service_status',`
+	gen_require(`
+		type initrc_exec_t;
+		class service status;
+	')
+
+	allow $1 initrc_exec_t:service status;
+')
+
+########################################
+## <summary>
+##      Allow unconfined access to send instructions to init
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`init_unconfined',`
+	gen_require(`
+		type initrc_exec_t;
+		class service status;
+	')
+
+	dev_manage_null_service($1)
+	init_disable($1)
+	init_enable($1)
+	init_get_all_units_status($1)
+	init_get_generic_units_status($1)
+	init_get_system_status($1)
+	init_manage_all_units($1)
+	init_manage_script_service($1)
+	init_reboot_system($1)
+	init_reload($1)
+	init_reload_all_units($1)
+	init_shutdown_system($1)
+	init_start_all_units($1)
+	init_start_generic_units($1)
+	init_stop_all_units($1)
+	init_stop_generic_units($1)
+	init_stop_system($1)
+	init_telinit($1)
+')
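Review bot: The gen_require block of `init_unconfined` requires `type initrc_exec_t;` and `class service status;`, but the body consists only of interface calls and uses neither directly. It looks copied from `initrc_service_status` just above, and the block can be removed. The parameter description `Target domain` in both new interfaces also differs from the `Domain allowed access.` wording used by the other interfaces added in this patch.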
Index: refpolicy-2.20170402/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170402/policy/modules/system/fstools.te
@@ -146,6 +146,7 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+init_rw_script_stream_sockets(fsadm_t)
 
 logging_send_syslog_msg(fsadm_t)
 
Index: refpolicy-2.20170402/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170402/policy/modules/system/systemd.if
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
 
 ######################################
 ## <summary>
+##     Write systemd_login named pipe.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_write_logind_pid_pipes',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	init_search_run($1)
+	files_search_pids($1)
+	allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
+######################################
+## <summary>
 ##   Use inherited systemd
 ##   logind file descriptors.
 ## </summary>
@@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',`
 
 ######################################
 ## <summary>
+##      Read logind sessions files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+	gen_require(`
+		type systemd_sessions_var_run_t, systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	init_search_run($1)
+	allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+	read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
+######################################
+## <summary>
 ##      Write inherited logind sessions pipes.
 ## </summary>
 ## <param name="domain">
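Review bot: `systemd_read_logind_sessions_files` also contains `allow $1 systemd_logind_t:fd use;`, which the summary `Read logind sessions files.` does not cover. Every caller added in this patch (NetworkManager_t, udev_t, policykit_t, the ssh server template) therefore gains use of logind file descriptors as a side effect. The hunk header shows that `systemd_use_logind_fds` already exists; callers that need the descriptor could call that, and this interface could be limited to the directory and file reads. If the fd rule stays, the summary should mention it.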
@@ -188,6 +229,30 @@ interface(`systemd_use_passwd_agent_fds'
 	allow systemd_passwd_agent_t $1:fd use;
 ')
 
+#######################################
+## <summary>
+##  Allow a systemd_passwd_agent_t process to interact with a daemon
+##  that needs a password from the sysadmin.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_passwd_run',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+		type systemd_passwd_var_run_t;
+	')
+
+	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+	allow systemd_passwd_agent_t $1:process signull;
+	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##      Transition to systemd_passwd_var_run_t when creating dirs
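Review bot: `systemd_manage_passwd_run` grants access under /run/systemd without the `init_search_run($1)` and `files_search_pids($1)` calls that `systemd_write_logind_pid_pipes`, added earlier in this file, includes. A caller would need search on the parent directories from elsewhere. `systemd_read_machines` in the last hunk of this file has the same gap, although its summary names /run/systemd/machines. The summary here also describes only the agent-to-daemon direction, while the body additionally gives the caller manage access to files and socket files labeled systemd_passwd_var_run_t; it should state both.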
@@ -383,3 +448,22 @@ interface(`systemd_tmpfilesd_managed',`
 
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
+
+########################################
+## <summary>
+##	Allow reading /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_read_machines',`
+	gen_require(`
+		type systemd_machined_var_run_t;
+	')
+
+	allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+	allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
Index: refpolicy-2.20170402/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170402/policy/modules/contrib/dpkg.te
@@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t)
 
 corecmd_exec_all_executables(dpkg_script_t)
 
-dev_manage_null_service(dpkg_script_t)
 dev_list_sysfs(dpkg_script_t)
 # Use named file transition to fix this
 # dev_manage_generic_blk_files(dpkg_script_t)
@@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_
 auth_manage_shadow(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
-init_get_generic_units_status(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
-init_get_system_status(dpkg_script_t)
-init_start_generic_units(dpkg_script_t)
-init_stop_generic_units(dpkg_script_t)
-init_reload(dpkg_script_t)
-init_stop_system(dpkg_script_t)
-init_telinit(dpkg_script_t)
 init_manage_script_service(dpkg_script_t)
 init_startstop_all_script_services(dpkg_script_t)
+init_unconfined(dpkg_script_t)
 
 libs_exec_ld_so(dpkg_script_t)
 libs_exec_lib_files(dpkg_script_t)
Index: refpolicy-2.20170402/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/init.te
+++ refpolicy-2.20170402/policy/modules/system/init.te
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
 	seutil_read_default_contexts(initrc_t)
 
 	# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
-	sysnet_create_config(initrc_t)
-	sysnet_write_config(initrc_t)
-	sysnet_setattr_config(initrc_t)
+	sysnet_manage_config(initrc_t)
 
 	optional_policy(`
 		abrt_manage_pid_files(initrc_t)
Index: refpolicy-2.20170402/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170402/policy/modules/system/systemd.te
@@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpf
 seutil_read_config(systemd_tmpfiles_t)
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
-sysnet_create_config(systemd_tmpfiles_t)
+sysnet_manage_config(systemd_tmpfiles_t)
+sysnet_relabel_config(systemd_tmpfiles_t)
 
 systemd_log_parse_environment(systemd_tmpfiles_t)
 
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.if
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.if
@@ -200,6 +200,9 @@ interface(`ntp_admin',`
 		type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
 		type ntpd_initrc_exec_t, ntp_drift_t;
 		type ntpd_unit_t;
+		ifdef(`init_systemd',`
+			class dbus send_msg;
+		')
 	')
 
 	allow $1 ntpd_t:process { ptrace signal_perms };
@@ -223,4 +226,9 @@ interface(`ntp_admin',`
 	admin_pattern($1, ntpd_pid_t)
 
 	ntp_run($1, $2)
+
+	ifdef(`init_systemd',`
+		allow $1 ntpd_t:dbus send_msg;
+		allow ntpd_t $1:dbus send_msg;
+	')
 ')
Index: refpolicy-2.20170402/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170402/policy/modules/services/ssh.if
@@ -271,6 +271,10 @@ template(`ssh_server_template', `
 		files_read_var_lib_symlinks($1_t)
 		nx_spec_domtrans_server($1_t)
 	')
+
+	optional_policy(`
+		systemd_read_logind_sessions_files($1_t)
+	')
 ')
 
 ########################################
