* [refpolicy] [PATCH 1/1] policy for systemd-hwdb
@ 2018-06-07 19:19 Dave Sugar
From: Dave Sugar @ 2018-06-07 19:19 UTC (permalink / raw)
  To: refpolicy

systemd-hwdb rebuilds /etc/udev/hwdb.bin from the files in /var/lib/udev/hwdb.d/*,
writing a temporary file in /etc/udev/ first and then renaming it
over hwdb.bin when complete.  It also relabels the result based on file_contexts.
This patch provides a private type for /etc/udev/hwdb.bin.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.fc |  3 +++
 policy/modules/system/systemd.if | 19 +++++++++++++++++++
 policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
 policy/modules/system/udev.te    |  1 +
 4 files changed, 47 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 64f1683c..47a88e8b 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -4,6 +4,7 @@
 /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
 /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 /usr/bin/systemd-detect-virt		--	gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
+/usr/bin/systemd-hwdb			--	gen_context(system_u:object_r:systemd_hw_exec_t,s0)
 /usr/bin/systemd-nspawn			--	gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
 /usr/bin/systemd-run			--	gen_context(system_u:object_r:systemd_run_exec_t,s0)
 /usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
@@ -40,6 +41,8 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 
+/etc/udev/hwdb.bin				--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
+
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
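Review bot: The new `/etc/udev/hwdb.bin` entry leaves the dot unescaped, but file_contexts paths are regular expressions, so `.` matches any character and the entry is looser than intended; the surrounding file escapes literal dots (`systemd-binfmt.*` above is a deliberate regex) and the conventional form is `/etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0)`. If the distribution also ships a vendor copy of the database under /usr/lib/udev (I believe libudev falls back to it when the /etc copy is absent, but confirm for the target systemd version), that path probably wants the same label so readers of the private type see consistent behaviour.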
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index bc988150..8356b143 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -772,5 +772,24 @@ interface(`systemd_getattr_updated_runtime',`
 ')
 
 
+#######################################
+## <summary>
+##  Allow domain to read udev hwdb file
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_read_hwdb',`
+	gen_require(`
+		type systemd_hwdb_t;
+	')
+
+	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
+')
+
+
 
 
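Review bot: `systemd_read_hwdb` grants read on the file only; callers that do not already have search on etc_t directories will still be denied on the /etc lookup, and refpolicy read interfaces for /etc-resident files typically pair the pattern with `files_search_etc($1)` — consider adding it after the `gen_require`. Because hwdb.bin is now a private type, every libudev consumer that opens the database (not only udev_t, which is covered in the udev.te hunk) will need this interface; it is worth saying so in the summary, e.g. `Allow the specified domain to read the compiled udev hardware database (/etc/udev/hwdb.bin); needed by any libudev user.` The two trailing blank lines added after the interface are surplus and will collide with the next interface appended to this file.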
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 15fe6e1b..c324d3bf 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -81,6 +81,13 @@ type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 
+type systemd_hw_t;
+type systemd_hw_exec_t;
+init_system_domain(systemd_hw_t, systemd_hw_exec_t)
+
+type systemd_hwdb_t;
+files_type(systemd_hwdb_t);
+
 type systemd_journal_t;
 files_type(systemd_journal_t)
 logging_log_file(systemd_journal_t)
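Review bot: `files_type(systemd_hwdb_t);` carries a trailing semicolon that no other macro call in this block has (compare `files_type(systemd_journal_t)` two lines below); it should be `files_type(systemd_hwdb_t)` so the m4 expansion stays consistent, regardless of whether checkpolicy tolerates the stray `;`. The naming is also easy to misread: the binary is systemd-hwdb, its domain is `systemd_hw_t`/`systemd_hw_exec_t`, and `systemd_hwdb_t` is the data file rather than the domain, which inverts the `<program>_t` / `<program>_<kind>_t` convention used elsewhere in this file. Consider `systemd_hwdb_t`/`systemd_hwdb_exec_t` for the domain and something like `systemd_hwdb_etc_t` for the file, or at least a comment on the type declaration noting which one is the domain.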
@@ -322,6 +329,23 @@ optional_policy(`
 	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
+#########################################
+#
+# hw local policy
+#
+
+allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };
+
+files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
+files_search_pids(systemd_hw_t)
+
+init_read_state(systemd_hw_t)
+
+selinux_get_fs_mount(systemd_hw_t)
+
+seutil_read_config(systemd_hw_t)
+seutil_read_file_contexts(systemd_hw_t)
+
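Review bot: `files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)` has no name component, so every file this domain creates in any etc_t directory is labelled systemd_hwdb_t, not just the hwdb temp file; if that is deliberate because the temporary file has an unpredictable name (the description says a temp file is written first and then renamed), a comment should say so, e.g. `# temp file name is randomised, so the transition cannot be name-based`. Nothing in this hunk grants read access to the hwdb.d source directories the description names (/var/lib/udev/hwdb.d, and presumably the vendor copy under /usr/lib/udev), so either a domain-wide rule already covers them or the rebuild was not exercised under this policy — worth confirming with an audit log from an actual `systemd-hwdb update`. `files_search_pids(systemd_hw_t)` also has no stated reason; a one-line comment naming the path under /run it is needed for would help the next reader.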
 #######################################
 #
 # locale local policy
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d71d0a7f..949853e4 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -248,6 +248,7 @@ ifdef(`init_systemd',`
 	init_get_generic_units_status(udev_t)
 	init_stream_connect(udev_t)
 
+	systemd_read_hwdb(udev_t)
 	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_pids(udev_t)
 
-- 
2.14.3


* [refpolicy] [PATCH 1/1] policy for systemd-update-done
@ 2018-06-07 19:19 ` Dave Sugar
From: Dave Sugar @ 2018-06-07 19:19 UTC (permalink / raw)
  To: refpolicy

systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/init.te    |  1 +
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te | 22 ++++++++++++++++++++++
 4 files changed, 45 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9bdb7e82..f77580d0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -406,6 +406,7 @@ ifdef(`init_systemd',`
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(init_t)
 
+	systemd_getattr_updated_runtime(init_t)
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f8812453..64f1683c 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -25,6 +25,7 @@
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
+/usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
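Review bot: This hunk labels the systemd-update-done executable but adds no file_contexts entries for the files it creates, so after any relabel (restorecon, a full relabel on boot) /etc/.updated and /var/.updated revert to etc_t and var_t; the named transitions in systemd.te only apply at creation time, and the domain's `manage_file_perms` on systemd_update_run_t will then not cover rewriting the existing timestamp on the next boot. Add `/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` and `/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` alongside the other data-file entries in this file.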
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c605602a..bc988150 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',`
 	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 ')
 
+#######################################
+## <summary>
+##  Allow domain to getattr on .updated file (generated by systemd-update-done
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_getattr_updated_runtime',`
+	gen_require(`
+		type systemd_update_run_t;
+	')
+
+	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+')
+
+
+
+
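Review bot: The interface summary is missing its closing parenthesis and is terse to the point of ambiguity; something like `Allow the specified domain to get the attributes of the .updated timestamp files created by systemd-update-done.` would read cleanly in the generated documentation. The three empty lines added at the end of the file are surplus; the next interface appended here will end up separated by a block of blank lines, unlike the single blank line used between the existing interfaces.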
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf2c3296..15fe6e1b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 type systemd_tmpfiles_conf_t;
 files_config_file(systemd_tmpfiles_conf_t)
 
+type systemd_update_done_t;
+type systemd_update_done_exec_t;
+init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
+
+type systemd_update_run_t;
+files_type(systemd_update_run_t)
+
 #
 # Unit file types
 #
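Review bot: `systemd_update_run_t` follows the `_run_t` naming this file uses for content under /run (e.g. systemd_resolved_var_run_t), but the description says the files live in /etc and /var, which is persistent state rather than runtime state; a name that does not imply /run, for example `systemd_update_done_stamp_t`, would keep the convention intact, and the interface name `systemd_getattr_updated_runtime` would then want the same correction. If the name is kept, a comment on the declaration such as `# timestamp files /etc/.updated and /var/.updated` would at least stop readers from looking for them under /run.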
@@ -1006,3 +1013,18 @@ optional_policy(`
 	xserver_relabel_console_pipes(systemd_tmpfiles_t)
 	xserver_setattr_console_pipes(systemd_tmpfiles_t)
 ')
+
+#########################################
+#
+# Update Done local policy
+#
+
+allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+
+dev_write_kmsg(systemd_update_done_t)
+
+files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+
+kernel_read_system_state(systemd_update_done_t)
+
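Review bot: The named transitions and `dev_write_kmsg` cover exactly the two "Failed to create timestamp file" denials in the description, which is good, but the hunk ends by adding an empty line after `kernel_read_system_state`, leaving a trailing blank line at end of file that the rest of systemd.te does not have. Separately, systemd-update-done exists to compare the timestamps against /usr (its documented purpose, not something visible in these rules); nothing here grants getattr on usr_t, so either a base rule already provides it or that path was not exercised — a one-line comment stating which would spare the next person a trip through the audit log.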
-- 
2.14.3


* [refpolicy] [PATCH 1/1] policy for systemd-update-done
@ 2018-06-08  0:02   ` Chris PeBenito
From: Chris PeBenito @ 2018-06-08  0:02 UTC (permalink / raw)
  To: refpolicy

On 06/07/2018 03:19 PM, Dave Sugar via refpolicy wrote:
> systemd-update-done needs to be able to create /etc/.updated and /var/.updated
> 
> Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
> Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
> Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
> Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
> Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
> Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/init.te    |  1 +
>   policy/modules/system/systemd.fc |  1 +
>   policy/modules/system/systemd.if | 21 +++++++++++++++++++++
>   policy/modules/system/systemd.te | 22 ++++++++++++++++++++++
>   4 files changed, 45 insertions(+)
> 
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 9bdb7e82..f77580d0 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -406,6 +406,7 @@ ifdef(`init_systemd',`
>   	# lvm2-activation-generator checks file labels
>   	seutil_read_file_contexts(init_t)
>   
> +	systemd_getattr_updated_runtime(init_t)
>   	systemd_manage_passwd_runtime_symlinks(init_t)
>   	systemd_use_passwd_agent(init_t)
>   	systemd_list_tmpfiles_conf(init_t)
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index f8812453..64f1683c 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -25,6 +25,7 @@
>   /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
>   /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
>   /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> +/usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
>   /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
>   
>   # Systemd unit files
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index c605602a..bc988150 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',`
>   	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
>   ')
>   
> +#######################################
> +## <summary>
> +##  Allow domain to getattr on .updated file (generated by systemd-update-done
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##  domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_getattr_updated_runtime',`
> +	gen_require(`
> +		type systemd_update_run_t;
> +	')
> +
> +	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
> +')
> +
> +
> +
> +
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index cf2c3296..15fe6e1b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
>   type systemd_tmpfiles_conf_t;
>   files_config_file(systemd_tmpfiles_conf_t)
>   
> +type systemd_update_done_t;
> +type systemd_update_done_exec_t;
> +init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
> +
> +type systemd_update_run_t;
> +files_type(systemd_update_run_t)
> +
>   #
>   # Unit file types
>   #
> @@ -1006,3 +1013,18 @@ optional_policy(`
>   	xserver_relabel_console_pipes(systemd_tmpfiles_t)
>   	xserver_setattr_console_pipes(systemd_tmpfiles_t)
>   ')
> +
> +#########################################
> +#
> +# Update Done local policy
> +#
> +
> +allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
> +
> +dev_write_kmsg(systemd_update_done_t)
> +
> +files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
> +files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
> +
> +kernel_read_system_state(systemd_update_done_t)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 1/1] policy for systemd-hwdb
@ 2018-06-08  0:08 ` Chris PeBenito
From: Chris PeBenito @ 2018-06-08  0:08 UTC (permalink / raw)
  To: refpolicy

On 06/07/2018 03:19 PM, Dave Sugar via refpolicy wrote:
> systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
> making a temp file first in /etc/udev/ then moving the tmp file
> over hwdb.bin when complete.  It also relabels based in file_contexts
> This provides private type for /etc/udev/hwdb.bin
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/systemd.fc |  3 +++
>   policy/modules/system/systemd.if | 19 +++++++++++++++++++
>   policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
>   policy/modules/system/udev.te    |  1 +
>   4 files changed, 47 insertions(+)
> 
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 64f1683c..47a88e8b 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -4,6 +4,7 @@
>   /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
>   /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
>   /usr/bin/systemd-detect-virt		--	gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
> +/usr/bin/systemd-hwdb			--	gen_context(system_u:object_r:systemd_hw_exec_t,s0)
>   /usr/bin/systemd-nspawn			--	gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
>   /usr/bin/systemd-run			--	gen_context(system_u:object_r:systemd_run_exec_t,s0)
>   /usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
> @@ -40,6 +41,8 @@
>   /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
>   /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
>   
> +/etc/udev/hwdb.bin				--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
> +
>   /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
>   /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
>   /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index bc988150..8356b143 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -772,5 +772,24 @@ interface(`systemd_getattr_updated_runtime',`
>   ')
>   
>   
> +#######################################
> +## <summary>
> +##  Allow domain to read udev hwdb file
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##  domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_hwdb',`
> +	gen_require(`
> +		type systemd_hwdb_t;
> +	')
> +
> +	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
> +')
> +
> +
>   
>   
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 15fe6e1b..c324d3bf 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -81,6 +81,13 @@ type systemd_hostnamed_t;
>   type systemd_hostnamed_exec_t;
>   init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
>   
> +type systemd_hw_t;
> +type systemd_hw_exec_t;
> +init_system_domain(systemd_hw_t, systemd_hw_exec_t)
> +
> +type systemd_hwdb_t;
> +files_type(systemd_hwdb_t);
> +
>   type systemd_journal_t;
>   files_type(systemd_journal_t)
>   logging_log_file(systemd_journal_t)
> @@ -322,6 +329,23 @@ optional_policy(`
>   	networkmanager_dbus_chat(systemd_hostnamed_t)
>   ')
>   
> +#########################################
> +#
> +# hw local policy
> +#
> +
> +allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };
> +
> +files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
> +files_search_pids(systemd_hw_t)
> +
> +init_read_state(systemd_hw_t)
> +
> +selinux_get_fs_mount(systemd_hw_t)
> +
> +seutil_read_config(systemd_hw_t)
> +seutil_read_file_contexts(systemd_hw_t)
> +
>   #######################################
>   #
>   # locale local policy
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index d71d0a7f..949853e4 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -248,6 +248,7 @@ ifdef(`init_systemd',`
>   	init_get_generic_units_status(udev_t)
>   	init_stream_connect(udev_t)
>   
> +	systemd_read_hwdb(udev_t)
>   	systemd_read_logind_sessions_files(udev_t)
>   	systemd_read_logind_pids(udev_t)

Merged.


-- 
Chris PeBenito

