SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Jason Zaman <jason@perfinion.com>
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman <jason@perfinion.com>
Subject: [PATCH 1/9] systemd: Add elogind support
Date: Tue, 24 Dec 2019 18:10:35 +0800
Message-ID: <20191224101043.58122-1-jason@perfinion.com> (raw)

Elogind is based off systemd-logind extracted to stand alone.

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/admin/sudo.if       |  2 ++
 policy/modules/system/authlogin.if |  5 +++++
 policy/modules/system/systemd.fc   |  5 +++++
 policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index c1459364..4f08af28 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -159,6 +159,8 @@ template(`sudo_role_template',`
 
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
+		systemd_dbus_chat_logind($1_sudo_t)
+		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
 
 		ifdef(`init_systemd',`
 			init_dbus_chat($1_sudo_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index c16748f2..83837458 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -71,6 +71,11 @@ interface(`auth_use_pam',`
 		optional_policy(`
 			fprintd_dbus_chat($1)
 		')
+
+		optional_policy(`
+			systemd_dbus_chat_logind($1)
+			systemd_write_inherited_logind_sessions_pipes($1)
+		')
 	')
 
 	optional_policy(`
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 607b1d88..e6831465 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -16,6 +16,10 @@
 /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
+/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+
 # Systemd generators
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 
@@ -56,6 +60,7 @@
 /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 
 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1422d8e2..f13b7252 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
 
 type systemd_logind_t;
 type systemd_logind_exec_t;
+dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
 
@@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
 type systemd_logind_runtime_t alias systemd_logind_var_run_t;
 files_pid_file(systemd_logind_runtime_t)
 init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
+init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
 
 type systemd_logind_var_lib_t;
 files_type(systemd_logind_var_lib_t)
@@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
+files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
+
+create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 
 manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
@@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
 
 kernel_read_kernel_sysctls(systemd_logind_t)
 
+auth_write_login_records(systemd_logind_t)
+
 dev_getattr_dri_dev(systemd_logind_t)
 dev_getattr_generic_usb_dev(systemd_logind_t)
 dev_getattr_kvm_dev(systemd_logind_t)
@@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
+files_purge_tmp(systemd_logind_t)
 files_read_etc_files(systemd_logind_t)
 files_search_pids(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
+fs_manage_cgroup_dirs(systemd_logind_t)
+fs_manage_cgroup_files(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
 fs_getattr_tmpfs_dirs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
@@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 
+logging_send_audit_msgs(systemd_logind_t)
+
 selinux_get_enforce_mode(systemd_logind_t)
 
 storage_getattr_removable_dev(systemd_logind_t)
@@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
 
 auth_manage_faillog(systemd_logind_t)
 
+init_create_runtime_dirs(systemd_logind_t)
 init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
 init_get_system_status(systemd_logind_t)
@@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
 userdom_setattr_user_ttys(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+       fs_read_nfs_files(systemd_logind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+       fs_read_cifs_files(systemd_logind_t)
+')
+
 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
 # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
 # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
@@ -568,6 +589,10 @@ optional_policy(`
 	policykit_dbus_chat(systemd_logind_t)
 ')
 
+optional_policy(`
+	shutdown_domtrans(systemd_logind_t)
+')
+
 optional_policy(`
 	xserver_read_state(systemd_logind_t)
 	xserver_dbus_chat(systemd_logind_t)
-- 
2.24.1


             reply index

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-24 10:10 Jason Zaman [this message]
2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
2019-12-26 17:23   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 3/9] xserver: ICEauthority can be in /run/user Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 5/9] dirmngr: accept unix stream socket Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 6/9] fstools: add zfs-auto-snapshot Jason Zaman
2019-12-26 17:06   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 7/9] chromium: allow dbus chat to inhibit power Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 9/9] virt: allow lvm_control access Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-26 17:03 ` [PATCH 1/9] systemd: Add elogind support Chris PeBenito
2019-12-28  4:35   ` Jason Zaman
2019-12-28 15:59     ` Dominick Grift

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191224101043.58122-1-jason@perfinion.com \
    --to=jason@perfinion.com \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git