* [PATCH] another systemd misc patch
@ 2021-02-03  3:31 Russell Coker
From: Russell Coker @ 2021-02-03  3:31 UTC (permalink / raw)
  To: selinux-refpolicy

Lots of little changes related to systemd.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210203/policy/modules/system/systemd.if
@@ -84,6 +84,8 @@ template(`systemd_role_template',`
 	seutil_read_file_contexts($1_systemd_t)
 	seutil_search_default_contexts($1_systemd_t)
 
+	userdom_search_user_home_dirs($1_systemd_t)
+
 	# for machinectl shell
 	term_user_pty($1_systemd_t, user_devpts_t)
 	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
@@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
 
 ######################################
 ## <summary>
+##     Watch systemd-logind runtime dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dir',`
+	gen_require(`
+		type systemd_logind_runtime_t;
+	')
+
+	allow $1 systemd_logind_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
 ##   Use inherited systemd
 ##   logind file descriptors.
 ## </summary>
@@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
 
 ######################################
 ## <summary>
+##      Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dir',`
+	gen_require(`
+		type systemd_sessions_runtime_t;
+	')
+
+	allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
 ##      Write inherited logind inhibit pipes.
 ## </summary>
 ## <param name="domain">
@@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
 
 ########################################
 ## <summary>
+##	Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can watch the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_machines_dir',`
+	gen_require(`
+		type systemd_machined_runtime_t;
+	')
+
+	allow $1 systemd_machined_runtime_t:dir watch;
+')
+
+########################################
+## <summary>
 ##   Send and receive messages from
 ##   systemd hostnamed over dbus.
 ## </summary>
@@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
 		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
 	')
 
-	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
 	allow systemd_passwd_agent_t $1:fd use;
 	role $2 types systemd_passwd_agent_t;
 ')
@@ -673,6 +729,24 @@ interface(`systemd_manage_passwd_runtime
 ')
 
 ########################################
+## <summary>
+##      watch systemd_passwd_runtime_t dirs
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_watch_passwd_runtime_dirs',`
+	gen_require(`
+		type systemd_passwd_runtime_t;
+	')
+
+	allow $1 systemd_passwd_runtime_t:dir watch;
+')
+
+########################################
 ## <summary>
 ##      manage systemd unit dirs and the files in them  (Deprecated)
 ## </summary>
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -129,6 +129,7 @@ type systemd_logind_t;
 type systemd_logind_exec_t;
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
+init_stream_connect(systemd_logind_t)
 
 type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
 files_runtime_file(systemd_logind_inhibit_runtime_t)
@@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
 
+kernel_read_kernel_sysctls(systemd_backlight_t)
+
 systemd_log_parse_environment(systemd_backlight_t)
 
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
@@ -358,13 +361,15 @@ ifdef(`enable_mls',`
 #
 
 allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
-allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
+allow systemd_coredump_t self:unix_stream_socket connectto;
+allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
 
 manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
 
 kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
+kernel_read_crypto_sysctls(systemd_coredump_t)
 kernel_read_kernel_sysctls(systemd_coredump_t)
 kernel_read_system_state(systemd_coredump_t)
 kernel_rw_pipes(systemd_coredump_t)
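Review bot: The new `allow systemd_coredump_t self:unix_stream_socket connectto;` and `kernel_read_crypto_sysctls(systemd_coredump_t)` lines carry no comment explaining what triggers them. The self connectto is presumably the kernel-invoked coredump handler connecting to the /run/systemd/coredump socket that is served by the socket-activated coredump service running in the same domain; if so, `# handler connects to the socket-activated coredump service (same domain)` would save the next reader the investigation. The crypto sysctl read is likely a library probing /proc/sys/crypto/fips_enabled, which is often better expressed as a dontaudit than an allow; both guesses should be confirmed against the AVC denials before the comment is written.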
@@ -375,11 +380,16 @@ corecmd_read_all_executables(systemd_cor
 
 dev_write_kmsg(systemd_coredump_t)
 
+domain_read_all_domains_state(systemd_coredump_t)
+
 files_getattr_all_mountpoints(systemd_coredump_t)
 files_read_etc_files(systemd_coredump_t)
 files_search_var_lib(systemd_coredump_t)
 
+fs_getattr_cgroup(systemd_coredump_t)
+fs_getattr_tmpfs(systemd_coredump_t)
 fs_getattr_xattr_fs(systemd_coredump_t)
+fs_search_cgroup_dirs(systemd_coredump_t)
 fs_search_tmpfs(systemd_coredump_t)
 
 selinux_getattr_fs(systemd_coredump_t)
@@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
 
 seutil_search_default_contexts(systemd_coredump_t)
 
+allow systemd_generator_t self:fifo_file rw_file_perms;
+allow systemd_generator_t self:process setfscreate;
+
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:tcp_socket create;
+allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
+
+corecmd_exec_bin(systemd_generator_t)
+corecmd_exec_shell(systemd_generator_t)
+files_exec_etc_files(systemd_generator_t)
+fs_getattr_cgroup(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
+fs_rw_tmpfs_files(systemd_generator_t)
+miscfiles_read_localization(systemd_generator_t)
+
+optional_policy(`
+	# for /lib/systemd/system-generators/openvpn-generator
+	openvpn_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+	# it runs postconf
+	# maybe /lib/systemd/system-generators/postfix-instance-generator
+	postfix_read_config(systemd_generator_t)
+')
+
 #######################################
 #
 # Systemd generator local policy
@@ -404,12 +440,17 @@ allow systemd_generator_t self:process s
 
 allow systemd_generator_t systemd_unit_t:file getattr;
 
+allow systemd_generator_t self:udp_socket create;
+
 corecmd_getattr_bin_files(systemd_generator_t)
 
 dev_read_sysfs(systemd_generator_t)
+dev_read_urand(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 
+application_exec(systemd_generator_t)
+domain_read_all_entry_files(systemd_generator_t)
 files_read_etc_files(systemd_generator_t)
 files_search_runtime(systemd_generator_t)
 files_list_boot(systemd_generator_t)
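Review bot: `domain_read_all_entry_files(systemd_generator_t)` and `application_exec(systemd_generator_t)` are very broad for a generator domain: together they let any generator read every domain entry-point binary and execute any application executable without a domain transition. If a single generator shells out to one particular binary, naming it in a comment and using the narrower interface for that binary's type would be preferable. The hunk gives no indication which generator produced these denials, so the intent is inferred here.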
@@ -417,9 +458,11 @@ files_read_boot_files(systemd_generator_
 files_read_config_files(systemd_generator_t)
 files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
+files_getattr_usr_files(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
 fs_getattr_xattr_fs(systemd_generator_t)
+fs_search_nfs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_read_all_script_files(systemd_generator_t)
@@ -439,6 +482,11 @@ init_read_script_files(systemd_generator
 kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
+kernel_read_network_state(systemd_generator_t)
+kernel_search_network_sysctl(systemd_generator_t)
+
+selinux_getattr_fs(systemd_generator_t)
+seutil_search_default_contexts(systemd_generator_t)
 
 storage_raw_read_fixed_disk(systemd_generator_t)
 
@@ -446,6 +494,8 @@ systemd_log_parse_environment(systemd_ge
 
 term_use_unallocated_ttys(systemd_generator_t)
 
+udev_search_runtime(systemd_generator_t)
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
@@ -457,6 +507,10 @@ optional_policy(`
 	miscfiles_read_localization(systemd_generator_t)
 ')
 
+optional_policy(`
+	tmpreaper_exec(systemd_generator_t)
+')
+
 #######################################
 #
 # Hostnamed policy
@@ -489,6 +543,10 @@ optional_policy(`
 	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(systemd_hostnamed_t)
+')
+
 #########################################
 #
 # hw local policy
@@ -557,6 +615,7 @@ logging_send_syslog_msg(systemd_log_pars
 #
 
 allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:lockdown integrity;
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
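Review bot: `allow systemd_logind_t self:lockdown integrity;` is a rare permission and deserves a comment stating what logind does that trips the kernel lockdown check. It is presumably the hibernation-availability probe, since the lockdown LSM hook classes hibernation as an integrity-level operation, but that is inferred rather than visible in the hunk. Once confirmed, something like `# lockdown integrity: probing whether hibernation is permitted` would do; and if systems with lockdown=integrity are not expected to hibernate, a dontaudit would be the safer choice than an allow.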
@@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
 
 kernel_read_kernel_sysctls(systemd_logind_t)
 
+auth_read_shadow(systemd_logind_t)
+
 dev_getattr_dri_dev(systemd_logind_t)
 dev_getattr_generic_usb_dev(systemd_logind_t)
 dev_getattr_kvm_dev(systemd_logind_t)
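Review bot: `auth_read_shadow(systemd_logind_t)` hands the login manager read access to every password hash on the system, and nothing in the hunk records which logind code path reads it. If the trigger is an opportunistic user-database lookup that logind can live without, `auth_dontaudit_read_shadow(systemd_logind_t)` removes the log noise without granting the access; if it is genuinely required, a comment naming the code path should accompany the rule so the privilege is not silently carried forward when the policy is next audited.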
@@ -602,11 +663,13 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
+files_search_boot(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
 fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
 fs_mount_tmpfs(systemd_logind_t)
 fs_read_cgroup_files(systemd_logind_t)
@@ -637,6 +700,7 @@ init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
+init_stream_connect(systemd_logind_t)
 init_watch_utmp(systemd_logind_t)
 
 # for /run/systemd/transient/*
@@ -701,6 +765,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_dbus_chat(systemd_logind_t)
+	dpkg_read_state(systemd_logind_t)
+')
+
+optional_policy(`
 	devicekit_dbus_chat_disk(systemd_logind_t)
 	devicekit_dbus_chat_power(systemd_logind_t)
 ')
@@ -743,6 +812,9 @@ allow systemd_machined_t systemd_machine
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
 
+allow systemd_machined_t systemd_userdb_runtime_t:dir manage_dir_perms;
+allow systemd_machined_t systemd_userdb_runtime_t:sock_file { create unlink };
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
@@ -859,6 +931,10 @@ sysnet_read_config(systemd_networkd_t)
 systemd_log_parse_environment(systemd_networkd_t)
 
 optional_policy(`
+	bluetooth_dbus_chat(systemd_hostnamed_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(systemd_networkd_t)
 	dbus_connect_system_bus(systemd_networkd_t)
 	dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
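Review bot: `bluetooth_dbus_chat(systemd_hostnamed_t)` is inserted into the networkd local policy section (every surrounding rule is for `systemd_networkd_t`) yet it grants access to `systemd_hostnamed_t`. Either the domain is a typo for systemd_networkd_t, or the optional_policy block belongs in the hostnamed section beside the `networkmanager_dbus_chat(systemd_hostnamed_t)` block this same patch touches earlier. As placed it will be overlooked the next time the hostnamed rules are reviewed.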
@@ -899,7 +975,7 @@ miscfiles_read_localization(systemd_noti
 # Nspawn local policy
 #
 
-allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:process { signal getsched setsched getcap setcap setfscreate setrlimit sigkill };
 allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
@@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
 
+kernel_getattr_core_if(systemd_nspawn_t)
+kernel_getattr_proc(systemd_nspawn_t)
+kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
+
 kernel_mount_proc(systemd_nspawn_t)
 kernel_mounton_sysctl_dirs(systemd_nspawn_t)
 kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
 kernel_mounton_message_if(systemd_nspawn_t)
 kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_files(systemd_nspawn_t)
+kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
+
+kernel_read_irq_sysctls(systemd_nspawn_t)
+kernel_read_network_state(systemd_nspawn_t)
 kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_sysctl(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
+kernel_request_load_module(systemd_nspawn_t)
+kernel_search_network_sysctl(systemd_nspawn_t)
 
 corecmd_exec_shell(systemd_nspawn_t)
 corecmd_search_bin(systemd_nspawn_t)
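Review bot: `kernel_request_load_module(systemd_nspawn_t)` lets the container manager trigger kernel module autoloading, which widens kernel attack surface beyond what was loaded at boot, and the hunk does not say which operation needs it (network namespace or veth setup is a plausible guess, but inferred). A comment naming the trigger should accompany it, and if the denial only shows up for an optional feature, a dontaudit may be the better default for a domain that already holds sys_admin and net_admin.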
@@ -949,6 +1037,7 @@ dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
 
+files_getattr_default_dirs(systemd_nspawn_t)
 files_getattr_tmp_dirs(systemd_nspawn_t)
 files_manage_etc_files(systemd_nspawn_t)
 files_manage_mnt_dirs(systemd_nspawn_t)
@@ -960,11 +1049,17 @@ files_setattr_runtime_dirs(systemd_nspaw
 
 fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
+fs_getattr_xattr_fs(systemd_nspawn_t)
+fs_manage_cgroup_dirs(systemd_nspawn_t)
+fs_manage_cgroup_files(systemd_nspawn_t)
+fs_manage_tmpfs_blk_files(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_cgroup(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
+fs_mounton_cgroup(systemd_nspawn_t)
+fs_read_nsfs_files(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
 fs_remount_xattr_fs(systemd_nspawn_t)
-fs_read_cgroup_files(systemd_nspawn_t)
 
 term_getattr_generic_ptys(systemd_nspawn_t)
 term_getattr_pty_fs(systemd_nspawn_t)
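Review bot: `fs_manage_cgroup_dirs(systemd_nspawn_t)` and `fs_getattr_cgroup(systemd_nspawn_t)` become unconditional here, but the same calls still sit inside the `systemd_nspawn_labeled_namespace` tunable_policy block later in this file (visible in the hunk at @@ -1006,6 +1106,7 @@), so that copy is now dead and should be removed to keep the tunable meaningful. Separately, `fs_manage_tmpfs_blk_files()` combined with the existing `mknod` capability lets nspawn create arbitrary block device nodes on any tmpfs; if this is only for populating the container's /dev, a comment saying so would help and a dedicated type would be tighter still.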
@@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
 term_search_ptys(systemd_nspawn_t)
 term_setattr_generic_ptys(systemd_nspawn_t)
 term_use_ptmx(systemd_nspawn_t)
+term_use_generic_ptys(systemd_nspawn_t)
 
 init_domtrans_script(systemd_nspawn_t)
 init_getrlimit(systemd_nspawn_t)
@@ -982,8 +1078,12 @@ init_write_runtime_socket(systemd_nspawn
 init_spec_domtrans_script(systemd_nspawn_t)
 
 miscfiles_manage_localization(systemd_nspawn_t)
+mount_exec(systemd_nspawn_t)
+
 udev_read_runtime_files(systemd_nspawn_t)
 
+sysnet_exec_ifconfig(systemd_nspawn_t)
+
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
 
@@ -1006,6 +1106,7 @@ tunable_policy(`systemd_nspawn_labeled_n
 	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
 	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
 	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
 
 	fs_getattr_cgroup(systemd_nspawn_t)
 	fs_manage_cgroup_dirs(systemd_nspawn_t)
@@ -1030,6 +1131,7 @@ tunable_policy(`systemd_nspawn_labeled_n
 
 	logging_search_logs(systemd_nspawn_t)
 
+	seutil_exec_setfiles(systemd_nspawn_t)
 	seutil_search_default_contexts(systemd_nspawn_t)
 ')
 
@@ -1056,7 +1158,7 @@ allow systemd_passwd_agent_t self:capabi
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
-allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
+allow systemd_passwd_agent_t systemd_passwd_runtime_t:{ dir file } watch;
 manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
@@ -1066,6 +1168,7 @@ init_runtime_filetrans(systemd_passwd_ag
 can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
 kernel_read_system_state(systemd_passwd_agent_t)
+kernel_search_fs_sysctls(systemd_passwd_agent_t)
 kernel_stream_connect(systemd_passwd_agent_t)
 
 dev_create_generic_dirs(systemd_passwd_agent_t)
@@ -1092,6 +1195,7 @@ init_create_runtime_dirs(systemd_passwd_
 init_read_runtime_pipes(systemd_passwd_agent_t)
 init_read_state(systemd_passwd_agent_t)
 init_read_utmp(systemd_passwd_agent_t)
+init_use_script_ptys(systemd_passwd_agent_t)
 init_stream_connect(systemd_passwd_agent_t)
 
 logging_send_syslog_msg(systemd_passwd_agent_t)
@@ -1404,6 +1508,10 @@ tunable_policy(`systemd_tmpfiles_manage_
 ')
 
 optional_policy(`
+	colord_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
 	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
@@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
 # systemd-user-runtime-dir local policy
 #
 
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
+allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };
 allow systemd_user_runtime_dir_t self:process setfscreate;
 
 domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
 
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
+allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
+
 files_read_etc_files(systemd_user_runtime_dir_t)
 
 fs_mount_tmpfs(systemd_user_runtime_dir_t)
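Review bot: The rewritten capability line lists `dac_override` twice: `{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`. The duplicate should be dropped, and keeping the set sorted makes such slips easier to spot, e.g. `allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner mknod sys_admin };`.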
@@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
 seutil_libselinux_linked(systemd_user_runtime_dir_t)
 
 userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
 userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
+userdom_list_user_tmp(systemd_user_runtime_dir_t)
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
@@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
 
 	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
 ')
+
+########################################
+## <summary>
+##	send dbus messages to dpkg_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_dbus_chat',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	read dpkg_t process state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_state',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:dir search;
+	allow $1 dpkg_t:file read_file_perms;
+')
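Review bot: `dpkg_read_state()` grants only `dir search` and `file read_file_perms` on the dpkg_t process, which, as far as I recall, is narrower than the shape other `*_read_state` interfaces in refpolicy use (search_dir_perms on the dir plus read_lnk_file_perms on lnk_file, so that /proc/<pid>/exe and cwd symlinks can be resolved). Consider `allow $1 dpkg_t:dir search_dir_perms;` and adding `allow $1 dpkg_t:lnk_file read_lnk_file_perms;` for consistency, and write the summaries as capitalized sentences ("Read dpkg process state.", "Send dbus messages to dpkg.") to match the surrounding interface docs.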
Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
@@ -95,6 +95,9 @@ ifdef(`init_systemd',`
 	# Allow sysadm to resolve the username of dynamic users by calling
 	# LookupDynamicUserByUID on org.freedesktop.systemd1.
 	init_dbus_chat(sysadm_t)
+
+	systemd_run_passwd_agent(sysadm_t, sysadm_r)
+	systemd_watch_passwd_runtime_dirs(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`
Index: refpolicy-2.20210203/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20210203/policy/modules/services/networkmanager.te
@@ -340,6 +340,9 @@ optional_policy(`
 optional_policy(`
 	systemd_read_logind_runtime_files(NetworkManager_t)
 	systemd_read_logind_sessions_files(NetworkManager_t)
+	systemd_watch_logind_runtime_dir(NetworkManager_t)
+	systemd_watch_logind_sessions_dir(NetworkManager_t)
+	systemd_watch_machines_dir(NetworkManager_t)
 	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
 ')
 
Index: refpolicy-2.20210203/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20210203/policy/modules/services/policykit.te
@@ -134,12 +134,15 @@ optional_policy(`
 optional_policy(`
 	# for /run/systemd/machines
 	systemd_read_machines(policykit_t)
+	systemd_watch_machines_dir(policykit_t)
 
 	# for /run/systemd/seats/seat*
 	systemd_read_logind_sessions_files(policykit_t)
+	systemd_watch_logind_sessions_dir(policykit_t)
 
 	# for /run/systemd/users/*
 	systemd_read_logind_runtime_files(policykit_t)
+	systemd_watch_logind_runtime_dir(policykit_t)
 ')
 
 ########################################


* Re: [PATCH] another systemd misc patch
  2021-02-03  3:31 [PATCH] another systemd misc patch Russell Coker
@ 2021-02-05 19:44 ` Chris PeBenito
From: Chris PeBenito @ 2021-02-05 19:44 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 2/2/21 10:31 PM, Russell Coker wrote:
> Lots of littls changes related to systemd.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 

> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
>   
>   ######################################
>   ## <summary>
> +##     Watch systemd-logind runtime dirs
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`systemd_watch_logind_runtime_dir',`

systemd_watch_logind_runtime_dirs (plural)

> +	gen_require(`
> +		type systemd_logind_runtime_t;
> +	')
> +
> +	allow $1 systemd_logind_runtime_t:dir watch;
> +')
> +
> +######################################
> +## <summary>
>   ##   Use inherited systemd
>   ##   logind file descriptors.
>   ## </summary>
> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
>   
>   ######################################
>   ## <summary>
> +##      Watch logind sessions dirs.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`systemd_watch_logind_sessions_dir',`

systemd_watch_logind_sessions_dirs (plural)

> +	gen_require(`
> +		type systemd_sessions_runtime_t;
> +	')
> +
> +	allow $1 systemd_sessions_runtime_t:dir watch;
> +')
> +
> +######################################
> +## <summary>
>   ##      Write inherited logind inhibit pipes.
>   ## </summary>
>   ## <param name="domain">
> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
>   
>   ########################################
>   ## <summary>
> +##	Allow watching /run/systemd/machines
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain that can watch the machines files
> +##	</summary>
> +## </param>
> +#
> +interface(`systemd_watch_machines_dir',`

systemd_watch_machines_dirs (plural)

> +	gen_require(`
> +		type systemd_machined_runtime_t;
> +	')
> +
> +	allow $1 systemd_machined_runtime_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
>   ##   Send and receive messages from
>   ##   systemd hostnamed over dbus.
>   ## </summary>
> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
>   		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
>   	')
>   
> -	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
> +	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)

domtrans_pattern() is the standard pattern.  This change has no effect.



> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
> @@ -129,6 +129,7 @@ type systemd_logind_t;
>   type systemd_logind_exec_t;
>   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
>   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> +init_stream_connect(systemd_logind_t)
>   
>   type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
>   files_runtime_file(systemd_logind_inhibit_runtime_t)
> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
>   init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
>   manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
>   
> +kernel_read_kernel_sysctls(systemd_backlight_t)
> +
>   systemd_log_parse_environment(systemd_backlight_t)
>   
>   # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
> @@ -358,13 +361,15 @@ ifdef(`enable_mls',`
>   #
>   
>   allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
> +allow systemd_coredump_t self:unix_stream_socket connectto;
> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };

net_admin? That doesn't seem necessary for core dumping.


[...]
> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
>   
>   seutil_search_default_contexts(systemd_coredump_t)
>   
> +allow systemd_generator_t self:fifo_file rw_file_perms;
> +allow systemd_generator_t self:process setfscreate;
> +
> +allow systemd_generator_t self:capability dac_override;
> +allow systemd_generator_t self:tcp_socket create;
> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
> +
> +corecmd_exec_bin(systemd_generator_t)
> +corecmd_exec_shell(systemd_generator_t)
> +files_exec_etc_files(systemd_generator_t)
> +fs_getattr_cgroup(systemd_generator_t)
> +fs_getattr_tmpfs(systemd_generator_t)
> +fs_rw_tmpfs_files(systemd_generator_t)
> +miscfiles_read_localization(systemd_generator_t)
> +
> +optional_policy(`
> +	# for /lib/systemd/system-generators/openvpn-generator
> +	openvpn_read_config(systemd_generator_t)
> +')
> +
> +optional_policy(`
> +	# it runs postconf
> +	# maybe /lib/systemd/system-generators/postfix-instance-generator
> +	postfix_read_config(systemd_generator_t)
> +')

The systemd_generator_t rules need to move to proper places.



> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
>   
>   kernel_read_kernel_sysctls(systemd_logind_t)
>   
> +auth_read_shadow(systemd_logind_t)

If this is necessary, it seems Debian specific.

[...]
> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>   # for /run/systemd/nspawn/incoming in chroot
>   allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>   
> +kernel_getattr_core_if(systemd_nspawn_t)
> +kernel_getattr_proc(systemd_nspawn_t)
> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
> +
>   kernel_mount_proc(systemd_nspawn_t)
>   kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>   kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>   kernel_mounton_message_if(systemd_nspawn_t)
>   kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_files(systemd_nspawn_t)
> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)

With all of the mounting, perhaps we should consider coalescing on allowing it
to mount on all init_mountpoint_types.

[..]
> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
>   term_search_ptys(systemd_nspawn_t)
>   term_setattr_generic_ptys(systemd_nspawn_t)
>   term_use_ptmx(systemd_nspawn_t)
> +term_use_generic_ptys(systemd_nspawn_t)

Perhaps this should have a pty type?


> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
>   # systemd-user-runtime-dir local policy
>   #
>   
> -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
> +allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };

sys_admin and mknod?  What is sys_admin used for; also,  I don't see any rules 
for creating devices.

>   allow systemd_user_runtime_dir_t self:process setfscreate;
>   
>   domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
>   
> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
> +
>   files_read_etc_files(systemd_user_runtime_dir_t)
>   
>   fs_mount_tmpfs(systemd_user_runtime_dir_t)
> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
>   seutil_libselinux_linked(systemd_user_runtime_dir_t)
>   
>   userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
>   userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
> +userdom_list_user_tmp(systemd_user_runtime_dir_t)
>   userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
>   userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
>   userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
>   
>   	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>   ')
> +
> +########################################
> +## <summary>
> +##	send dbus messages to dpkg_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_dbus_chat',`
> +	gen_require(`
> +		type dpkg_t;
> +	')
> +
> +	allow $1 dpkg_t:dbus send_msg;
> +')

I'd prefer that the dbus chat interfaces are provided by the server process' domain.


-- 
Chris PeBenito


* Re: [PATCH] another systemd misc patch
  2021-02-05 19:44 ` Chris PeBenito
@ 2021-02-05 20:18   ` Dominick Grift
  2021-02-05 20:31     ` Chris PeBenito
From: Dominick Grift @ 2021-02-05 20:18 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Russell Coker, selinux-refpolicy

Chris PeBenito <pebenito@ieee.org> writes:

> On 2/2/21 10:31 PM, Russell Coker wrote:
>> Lots of little changes related to systemd.
>> Signed-off-by: Russell Coker <russell@coker.com.au>
>> 
>
>> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
>>     ######################################
>>   ## <summary>
>> +##     Watch systemd-logind runtime dirs
>> +## </summary>
>> +## <param name="domain">
>> +##     <summary>
>> +##     Domain allowed access.
>> +##     </summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)
>
>> +	gen_require(`
>> +		type systemd_logind_runtime_t;
>> +	')
>> +
>> +	allow $1 systemd_logind_runtime_t:dir watch;
>> +')
>> +
>> +######################################
>> +## <summary>
>>   ##   Use inherited systemd
>>   ##   logind file descriptors.
>>   ## </summary>
>> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
>>     ######################################
>>   ## <summary>
>> +##      Watch logind sessions dirs.
>> +## </summary>
>> +## <param name="domain">
>> +##      <summary>
>> +##      Domain allowed access.
>> +##      </summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)
>
>> +	gen_require(`
>> +		type systemd_sessions_runtime_t;
>> +	')
>> +
>> +	allow $1 systemd_sessions_runtime_t:dir watch;
>> +')
>> +
>> +######################################
>> +## <summary>
>>   ##      Write inherited logind inhibit pipes.
>>   ## </summary>
>>   ## <param name="domain">
>> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
>>     ########################################
>>   ## <summary>
>> +##	Allow watching /run/systemd/machines
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain that can watch the machines files
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)
>
>> +	gen_require(`
>> +		type systemd_machined_runtime_t;
>> +	')
>> +
>> +	allow $1 systemd_machined_runtime_t:dir watch;
>> +')
>> +
>> +########################################
>> +## <summary>
>>   ##   Send and receive messages from
>>   ##   systemd hostnamed over dbus.
>>   ## </summary>
>> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
>>   		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
>>   	')
>>   -	domtrans_pattern($1, systemd_passwd_agent_exec_t,
>> systemd_passwd_agent_t)
>> +	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
>
> domtrans_pattern() is the standard pattern.  This change has no effect.
>
>
>
>> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
>> ===================================================================
>> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
>> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
>> @@ -129,6 +129,7 @@ type systemd_logind_t;
>>   type systemd_logind_exec_t;
>>   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
>>   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
>> +init_stream_connect(systemd_logind_t)
>>     type systemd_logind_inhibit_runtime_t alias
>> systemd_logind_inhibit_var_run_t;
>>   files_runtime_file(systemd_logind_inhibit_runtime_t)
>> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
>>   init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
>>   manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
>>   +kernel_read_kernel_sysctls(systemd_backlight_t)
>> +
>>   systemd_log_parse_environment(systemd_backlight_t)
>>     # Allow systemd-backlight to write to
>> /sys/class/backlight/*/brightness
>> @@ -358,13 +361,15 @@ ifdef(`enable_mls',`
>>   #
>>     allow systemd_coredump_t self:unix_dgram_socket { create write
>> connect getopt setopt };
>> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
>> +allow systemd_coredump_t self:unix_stream_socket connectto;
>> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
>
> net_admin? That doesn't seem necessary for core dumping.
>
>
> [...]
>> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
>>     seutil_search_default_contexts(systemd_coredump_t)
>>   +allow systemd_generator_t self:fifo_file rw_file_perms;
>> +allow systemd_generator_t self:process setfscreate;
>> +
>> +allow systemd_generator_t self:capability dac_override;
>> +allow systemd_generator_t self:tcp_socket create;
>> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
>> +
>> +corecmd_exec_bin(systemd_generator_t)
>> +corecmd_exec_shell(systemd_generator_t)
>> +files_exec_etc_files(systemd_generator_t)
>> +fs_getattr_cgroup(systemd_generator_t)
>> +fs_getattr_tmpfs(systemd_generator_t)
>> +fs_rw_tmpfs_files(systemd_generator_t)
>> +miscfiles_read_localization(systemd_generator_t)
>> +
>> +optional_policy(`
>> +	# for /lib/systemd/system-generators/openvpn-generator
>> +	openvpn_read_config(systemd_generator_t)
>> +')
>> +
>> +optional_policy(`
>> +	# it runs postconf
>> +	# maybe /lib/systemd/system-generators/postfix-instance-generator
>> +	postfix_read_config(systemd_generator_t)
>> +')
>
> The systemd_generator_t rules need to move to proper places.
>
>
>
>> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
>>     kernel_read_kernel_sysctls(systemd_logind_t)
>>   +auth_read_shadow(systemd_logind_t)
>
> If this is necessary, it seems Debian specific.

This also happens on fedora (not sure why)
 
>
> [...]
>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>>   # for /run/systemd/nspawn/incoming in chroot
>>   allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>>   +kernel_getattr_core_if(systemd_nspawn_t)
>> +kernel_getattr_proc(systemd_nspawn_t)
>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>> +
>>   kernel_mount_proc(systemd_nspawn_t)
>>   kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>>   kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>>   kernel_mounton_message_if(systemd_nspawn_t)
>>   kernel_mounton_proc(systemd_nspawn_t)
>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
>
> With all of the mounting, perhaps we should consider coalescing on
> allowing it to mount an all init_mountpoint_types.

mounton unlabeled dirs indicates that something is unlabeled/mislabeled
though. Wouldn't allow that.

>
> [..]
>> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
>>   term_search_ptys(systemd_nspawn_t)
>>   term_setattr_generic_ptys(systemd_nspawn_t)
>>   term_use_ptmx(systemd_nspawn_t)
>> +term_use_generic_ptys(systemd_nspawn_t)
>
> Perhaps this should have a pty type?

Agree
>
>
>> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
>>   # systemd-user-runtime-dir local policy
>>   #
>>   -allow systemd_user_runtime_dir_t self:capability { fowner chown
>> sys_admin dac_read_search dac_override };
>> +allow systemd_user_runtime_dir_t self:capability { chown
>> dac_override dac_read_search dac_override fowner sys_admin mknod };
>
> sys_admin and mknod?  What is sys_admin used for; also,  I don't see
> any rules for creating devices.

its probably old systemd stuff (fixed in more recent version): ie /run/user/UID/inaccessible/blk

should be able to ignore this

>
>>   allow systemd_user_runtime_dir_t self:process setfscreate;
>>     domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
>>   +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir
>> manage_dir_perms;
>> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
>> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
>> +
>>   files_read_etc_files(systemd_user_runtime_dir_t)
>>     fs_mount_tmpfs(systemd_user_runtime_dir_t)
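Review bot: `dac_override` is listed twice in the rewritten capability set `{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`; the duplicate is harmless to the compiler but reads as a copy-paste slip and should be dropped. Keeping the set in one order, `{ chown dac_override dac_read_search fowner mknod sys_admin }`, also makes later diffs of this line easier to read.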
>> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
>>   seutil_libselinux_linked(systemd_user_runtime_dir_t)
>>     userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
>> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
>>   userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
>> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
>> +userdom_list_user_tmp(systemd_user_runtime_dir_t)
>>   userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
>>   userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
>>   userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
>> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
>> ===================================================================
>> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
>> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
>> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
>>     	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>>   ')
>> +
>> +########################################
>> +## <summary>
>> +##	send dbus messages to dpkg_t
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`dpkg_dbus_chat',`
>> +	gen_require(`
>> +		type dpkg_t;
>> +	')
>> +
>> +	allow $1 dpkg_t:dbus send_msg;
>> +')
>
> I'd prefer that the dbus chat interfaces are provided by the server process' domain.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


* Re: [PATCH] another systemd misc patch
  2021-02-05 20:18   ` Dominick Grift
@ 2021-02-05 20:31     ` Chris PeBenito
  2021-02-05 20:45       ` Dominick Grift
From: Chris PeBenito @ 2021-02-05 20:31 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Russell Coker, selinux-refpolicy

On 2/5/21 3:18 PM, Dominick Grift wrote:
> Chris PeBenito <pebenito@ieee.org> writes:
>> On 2/2/21 10:31 PM, Russell Coker wrote:
>>> Lots of littls changes related to systemd.
>>> Signed-off-by: Russell Coker <russell@coker.com.au>

>>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>>>    # for /run/systemd/nspawn/incoming in chroot
>>>    allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>>>    +kernel_getattr_core_if(systemd_nspawn_t)
>>> +kernel_getattr_proc(systemd_nspawn_t)
>>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>>> +
>>>    kernel_mount_proc(systemd_nspawn_t)
>>>    kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>>>    kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>>>    kernel_mounton_message_if(systemd_nspawn_t)
>>>    kernel_mounton_proc(systemd_nspawn_t)
>>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
>>
>> With all of the mounting, perhaps we should consider coalescing on
>> allowing it to mount an all init_mountpoint_types.
> 
> mounton unlabeled dirs indicates that something is unlabeled/mislabeled
> though. Wouldnt allow that.

Yes I agree.  I noticed all the mountons but didn't notice this specific one.


-- 
Chris PeBenito


* Re: [PATCH] another systemd misc patch
  2021-02-05 20:31     ` Chris PeBenito
@ 2021-02-05 20:45       ` Dominick Grift
From: Dominick Grift @ 2021-02-05 20:45 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Russell Coker, selinux-refpolicy



On 2/5/21 9:31 PM, Chris PeBenito wrote:
> On 2/5/21 3:18 PM, Dominick Grift wrote:
>> Chris PeBenito <pebenito@ieee.org> writes:
>>> On 2/2/21 10:31 PM, Russell Coker wrote:
>>>> Lots of littls changes related to systemd.
>>>> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
>>>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>>>>    # for /run/systemd/nspawn/incoming in chroot
>>>>    allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>>>>    +kernel_getattr_core_if(systemd_nspawn_t)
>>>> +kernel_getattr_proc(systemd_nspawn_t)
>>>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>>>> +
>>>>    kernel_mount_proc(systemd_nspawn_t)
>>>>    kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>>>>    kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>>>>    kernel_mounton_message_if(systemd_nspawn_t)
>>>>    kernel_mounton_proc(systemd_nspawn_t)
>>>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>>>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
>>>
>>> With all of the mounting, perhaps we should consider coalescing on
>>> allowing it to mount an all init_mountpoint_types.
>>
>> mounton unlabeled dirs indicates that something is unlabeled/mislabeled
>> though. Wouldnt allow that.
> 
> Yes I agree.  I noticed all the mountons but didn't notice this specific
> one.
> 

I know how that goes, I probably "reviewed" this patch and overlooked
this whole stuff ...
> 


* Re: [PATCH] another systemd misc patch
  2021-10-09 10:05 Russell Coker
@ 2021-10-27 13:09 ` Chris PeBenito
From: Chris PeBenito @ 2021-10-27 13:09 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 10/9/21 06:05, Russell Coker wrote:
> Here's the latest version of this patch with the previous issues addressed.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210908/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20210908/policy/modules/system/systemd.if
> @@ -1911,3 +1971,45 @@ interface(`systemd_use_inherited_machine
>   	allow $1 systemd_machined_t:fd use;
>   	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
>   ')
> +
> +########################################
> +## <summary>
> +##  run systemd-nspawn in systemd_nspawn_t domain
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##      <summary>
> +##      The role  of the object to create.
> +##      </summary>
> +## </param>
> +#
> +interface(`systemd_run_nspawn', `
> +	gen_require(`
> +		type systemd_nspawn_t, systemd_nspawn_exec_t;
> +	')
> +
> +	role $2 types systemd_nspawn_t;
> +	domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t)
> +')

What is the use case?  I see it later in the patch run by sysadm_t, but I don't 
understand why sysadm would run it directly, instead of using the systemctl.


> Index: refpolicy-2.20210908/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210908/policy/modules/system/systemd.te
> @@ -427,6 +445,7 @@ logging_send_syslog_msg(systemd_coredump
>   
>   seutil_search_default_contexts(systemd_coredump_t)
>   
> +
>   #######################################
>   #
>   # Systemd generator local policy

Please remove the extra endline.


> @@ -436,26 +455,44 @@ allow systemd_generator_t self:fifo_file
>   allow systemd_generator_t self:capability dac_override;
>   allow systemd_generator_t self:process setfscreate;
>   
> +allow systemd_generator_t self:tcp_socket create;
> +allow systemd_generator_t self:udp_socket create;

Create sockets but do nothing with them? i.e. read/write/ioctl


> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
> +
>   allow systemd_generator_t systemd_unit_t:file getattr;
>   
> +kernel_dontaudit_getattr_proc(systemd_generator_t)
> +kernel_read_kernel_sysctls(systemd_generator_t)
> +kernel_read_network_state(systemd_generator_t)
> +kernel_read_system_state(systemd_generator_t)
> +kernel_search_network_sysctl(systemd_generator_t)
> +kernel_use_fds(systemd_generator_t)
> +
> +corecmd_exec_bin(systemd_generator_t)
>   corecmd_exec_shell(systemd_generator_t)
> -corecmd_getattr_bin_files(systemd_generator_t)
>   
>   dev_read_sysfs(systemd_generator_t)
> +dev_read_urand(systemd_generator_t)
>   dev_write_kmsg(systemd_generator_t)
>   dev_write_sysfs_dirs(systemd_generator_t)
>   
> -files_read_etc_files(systemd_generator_t)
> +application_exec(systemd_generator_t)
> +domain_read_all_entry_files(systemd_generator_t)

These last two could use blank lines for separation.


[...]
> @@ -974,14 +1047,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
>   # for /run/systemd/nspawn/incoming in chroot
>   allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>   
> +term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t)
> +allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms;

Please move these up after the self block of rules.


> +kernel_getattr_core_if(systemd_nspawn_t)
> +kernel_getattr_proc(systemd_nspawn_t)
> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
> +
>   kernel_mount_proc(systemd_nspawn_t)
>   kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>   kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>   kernel_mounton_message_if(systemd_nspawn_t)
>   kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_files(systemd_nspawn_t)
> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
> +
> +kernel_read_irq_sysctls(systemd_nspawn_t)
> +kernel_read_network_state(systemd_nspawn_t)
>   kernel_read_kernel_sysctls(systemd_nspawn_t)
> +kernel_read_sysctl(systemd_nspawn_t)
>   kernel_read_system_state(systemd_nspawn_t)
>   kernel_remount_proc(systemd_nspawn_t)
> +kernel_request_load_module(systemd_nspawn_t)
> +kernel_search_network_sysctl(systemd_nspawn_t)

Please remove the extra newlines.

>   corecmd_exec_shell(systemd_nspawn_t)
>   corecmd_search_bin(systemd_nspawn_t)
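Review bot: `kernel_request_load_module(systemd_nspawn_t)` lets the container manager trigger kernel module autoloading on the host, a privilege a sandboxing tool should not normally hold, and the line carries no comment saying which operation (an unloaded filesystem or netlink family, presumably) provokes the request. Please add a why-comment naming that trigger, or use `kernel_dontaudit_request_load_module(systemd_nspawn_t)` if the request is incidental and the container boots without it. The nspawn block this hunk belongs to continues past the hunk on both sides.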
> @@ -998,6 +1086,7 @@ dev_read_sysfs(systemd_nspawn_t)
>   dev_read_rand(systemd_nspawn_t)
>   dev_read_urand(systemd_nspawn_t)
>   
> +files_getattr_default_dirs(systemd_nspawn_t)
>   files_getattr_tmp_dirs(systemd_nspawn_t)
>   files_manage_etc_files(systemd_nspawn_t)
>   files_manage_mnt_dirs(systemd_nspawn_t)
> @@ -1009,11 +1098,17 @@ files_setattr_runtime_dirs(systemd_nspaw
>   
>   fs_getattr_cgroup(systemd_nspawn_t)
>   fs_getattr_tmpfs(systemd_nspawn_t)
> +fs_getattr_xattr_fs(systemd_nspawn_t)
> +fs_manage_cgroup_dirs(systemd_nspawn_t)
> +fs_manage_cgroup_files(systemd_nspawn_t)
> +fs_manage_tmpfs_blk_files(systemd_nspawn_t)
>   fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> +fs_mount_cgroup(systemd_nspawn_t)
>   fs_mount_tmpfs(systemd_nspawn_t)
> +fs_mounton_cgroup(systemd_nspawn_t)
> +fs_read_nsfs_files(systemd_nspawn_t)
>   fs_remount_tmpfs(systemd_nspawn_t)
>   fs_remount_xattr_fs(systemd_nspawn_t)
> -fs_read_cgroup_files(systemd_nspawn_t)
>   
>   term_getattr_generic_ptys(systemd_nspawn_t)
>   term_getattr_pty_fs(systemd_nspawn_t)
> @@ -1021,6 +1116,7 @@ term_mount_devpts(systemd_nspawn_t)
>   term_search_ptys(systemd_nspawn_t)
>   term_setattr_generic_ptys(systemd_nspawn_t)
>   term_use_ptmx(systemd_nspawn_t)
> +term_use_generic_ptys(systemd_nspawn_t)
>   
>   init_domtrans_script(systemd_nspawn_t)
>   init_getrlimit(systemd_nspawn_t)
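Review bot: `term_use_generic_ptys(systemd_nspawn_t)` is carried over from v1 even though this version introduces a dedicated `systemd_nspawn_devpts_t` with `term_create_pty` earlier in the patch; with the private pty type in place the generic-pty rule is likely redundant, and if it is still exercised that would point to ptys not being labelled with the new type. Suggest dropping the line and re-testing, or, if it is still needed, adding a comment naming the path that reaches a generic pty.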
> @@ -1031,8 +1127,12 @@ init_write_runtime_socket(systemd_nspawn
>   init_spec_domtrans_script(systemd_nspawn_t)
>   
>   miscfiles_manage_localization(systemd_nspawn_t)
> +mount_exec(systemd_nspawn_t)
> +
>   udev_read_runtime_files(systemd_nspawn_t)
>   
> +sysnet_exec_ifconfig(systemd_nspawn_t)
> +
>   # for writing inside chroot
>   sysnet_manage_config(systemd_nspawn_t)

With all the mountons, it seems to make sense to switch it to mount on 
init_mountpoint_type.  See init.te:262, which is what we have for systemd.


[...]
> @@ -1491,6 +1599,11 @@ tunable_policy(`systemd_tmpfilesd_factor
>   ')
>   
>   optional_policy(`
> +	colord_read_lib_files(systemd_tmpfiles_t)
> +	colord_relabel_lib(systemd_tmpfiles_t)
> +')

Instead of new interfaces and calling here, you should add 
systemd_tmpfilesd_managed(colord_var_lib_t) in colord.te.


> Index: refpolicy-2.20210908/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210908/policy/modules/services/ssh.te
> @@ -270,6 +270,7 @@ ifdef(`init_systemd',`
>   	auth_use_pam_systemd(sshd_t)
>   	init_dbus_chat(sshd_t)
>   	init_rw_stream_sockets(sshd_t)
> +	systemd_dgram_nspawn(sshd_t)
>   	systemd_write_inherited_logind_sessions_pipes(sshd_t)
>   ')

Is this sshd running inside a namespace started by nspawn?

-- 
Chris PeBenito


* Re: [PATCH] another systemd misc patch
@ 2021-10-09 10:17 Russell Coker
From: Russell Coker @ 2021-10-09 10:17 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

On Saturday, 6 February 2021 06:44:21 AEDT Chris PeBenito wrote:
> > +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)

Done.

> > +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)

Done.

> > +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)

Done.

> > -       domtrans_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
> > +       domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
> domtrans_pattern() is the standard pattern.  This change has no effect.

OK, I'll remove that.

> > -allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap sys_ptrace }; +allow systemd_coredump_t
> > self:unix_stream_socket connectto;
> > +allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap net_admin sys_ptrace };
> net_admin? That doesn't seem necessary for core dumping.

That's one of the systemd programs that wanted netadmin to set socket buffers.  
I'll dontaudit it.

> > @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
> >
> > seutil_search_default_contexts(systemd_coredump_t)
> >
> > +allow systemd_generator_t self:fifo_file rw_file_perms;
> > +allow systemd_generator_t self:process setfscreate;
> The systemd_generator_t rules need to move to proper places.

Done.

> > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
> >
> > kernel_read_kernel_sysctls(systemd_logind_t)
> >
> > +auth_read_shadow(systemd_logind_t)
>
> If this is necessary, it seems Debian specific.

I'll try removing it.

> > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
> >
> > term_search_ptys(systemd_nspawn_t)
> > term_setattr_generic_ptys(systemd_nspawn_t)
> > term_use_ptmx(systemd_nspawn_t)
> >
> > +term_use_generic_ptys(systemd_nspawn_t)
>
> Perhaps this should have a pty type?

OK.
 
> > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
> >
> > # systemd-user-runtime-dir local policy
> > #
> >
> > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin
> > dac_read_search dac_override }; +allow systemd_user_runtime_dir_t
> > self:capability { chown dac_override dac_read_search dac_override fowner
> > sys_admin mknod };
> sys_admin and mknod?  What is sys_admin used for; also,  I don't see any
> rules for creating devices.

That's because of something that I hadn't included in that patch.  It has to 
unlink device nodes labelled user_tmp_t.

I just sent another patch for this.




* [PATCH] another systemd misc patch
@ 2021-10-09 10:05 Russell Coker
  2021-10-27 13:09 ` Chris PeBenito
From: Russell Coker @ 2021-10-09 10:05 UTC (permalink / raw)
  To: selinux-refpolicy

Here's the latest version of this patch with the previous issues addressed.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210908/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210908/policy/modules/system/systemd.if
@@ -102,6 +102,8 @@ template(`systemd_role_template',`
 	seutil_search_default_contexts($1_systemd_t)
 	seutil_read_file_contexts($1_systemd_t)
 
+	userdom_search_user_home_dirs($1_systemd_t)
+
 	# for machinectl shell
 	term_user_pty($1_systemd_t, user_devpts_t)
 	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
@@ -169,6 +171,10 @@ template(`systemd_role_template',`
 	systemd_watch_passwd_runtime_dirs($3)
 
 	optional_policy(`
+		dirmngr_tmp_dir_search($1_systemd_t)
+	')
+
+	optional_policy(`
 		xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
 		xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
 		xdg_read_config_files($1_systemd_t)
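Review bot: `dirmngr_tmp_dir_search` does not follow the module_verb_object naming used by every other interface in this patch (compare `systemd_watch_passwd_runtime_dirs($3)` two lines above); if this is a new interface it should be `dirmngr_search_tmp_dirs`, and if an existing one already has that name the call here should use it. A short comment on why a user's systemd instance needs to search dirmngr's tmp dir (socket handling for gpg-agent/dirmngr user units, presumably) would also help the next reader.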
@@ -791,6 +797,24 @@ interface(`systemd_write_logind_runtime_
 
 ######################################
 ## <summary>
+##     Watch systemd-logind runtime dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dirs',`
+	gen_require(`
+		type systemd_logind_runtime_t;
+	')
+
+	allow $1 systemd_logind_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
 ##   Use inherited systemd
 ##   logind file descriptors.
 ## </summary>
@@ -851,6 +875,24 @@ interface(`systemd_write_inherited_login
 
 ######################################
 ## <summary>
+##      Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dirs',`
+	gen_require(`
+		type systemd_sessions_runtime_t;
+	')
+
+	allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
 ##      Write inherited logind inhibit pipes.
 ## </summary>
 ## <param name="domain">
@@ -1023,6 +1065,24 @@ interface(`systemd_connect_machined',`
 
 ########################################
 ## <summary>
+##	Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can watch the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_machines_dirs',`
+	gen_require(`
+		type systemd_machined_runtime_t;
+	')
+
+	allow $1 systemd_machined_runtime_t:dir watch;
+')
+
+########################################
+## <summary>
 ##   Send and receive messages from
 ##   systemd hostnamed over dbus.
 ## </summary>
@@ -1911,3 +1971,45 @@ interface(`systemd_use_inherited_machine
 	allow $1 systemd_machined_t:fd use;
 	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
 ')
+
+########################################
+## <summary>
+##  run systemd-nspawn in systemd_nspawn_t domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role  of the object to create.
+##      </summary>
+## </param>
+#
+interface(`systemd_run_nspawn', `
+	gen_require(`
+		type systemd_nspawn_t, systemd_nspawn_exec_t;
+	')
+
+	role $2 types systemd_nspawn_t;
+	domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t)
+')
+
+########################################
+## <summary>
+##  send datagrams to systemd_nspawn_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dgram_nspawn', `
+	gen_require(`
+		type systemd_nspawn_t, systemd_nspawn_var_run_t;
+	')
+
+	dgram_send_pattern($1, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t, systemd_nspawn_t)
+')
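Review bot: `systemd_dgram_nspawn` requires and uses the alias `systemd_nspawn_var_run_t` instead of the primary type, which this same patch shows as `type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;`; new interfaces should name the primary type so the alias can eventually be retired, i.e. `type systemd_nspawn_t, systemd_nspawn_runtime_t;` and `dgram_send_pattern($1, systemd_nspawn_runtime_t, systemd_nspawn_runtime_t, systemd_nspawn_t)`. In `systemd_run_nspawn` the role parameter is documented as `The role of the object to create`, which looks copied from a filetrans template; the usual wording for a `role $2 types` interface is `Role allowed access.`, and both summaries should be capitalised like the surrounding interfaces.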
Index: refpolicy-2.20210908/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210908/policy/modules/system/systemd.te
@@ -142,6 +142,7 @@ type systemd_logind_t;
 type systemd_logind_exec_t;
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
+init_stream_connect(systemd_logind_t)
 
 type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
 files_runtime_file(systemd_logind_inhibit_runtime_t)
@@ -191,6 +192,9 @@ type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 mcs_killall(systemd_nspawn_t)
 
+type systemd_nspawn_devpts_t;
+term_login_pty(systemd_nspawn_devpts_t)
+
 type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
 files_runtime_file(systemd_nspawn_runtime_t)
 
@@ -281,10 +285,13 @@ files_type(systemd_update_run_t)
 
 type systemd_conf_home_t;
 init_unit_file(systemd_conf_home_t)
-xdg_config_content(systemd_conf_home_t)
 
 type systemd_data_home_t;
-xdg_data_content(systemd_data_home_t)
+
+optional_policy(`
+	xdg_config_content(systemd_conf_home_t)
+	xdg_data_content(systemd_data_home_t)
+')
 
 type systemd_user_runtime_notify_t;
 userdom_user_runtime_content(systemd_user_runtime_notify_t)
@@ -327,6 +334,8 @@ allow systemd_backlight_t systemd_backli
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
 
+kernel_read_kernel_sysctls(systemd_backlight_t)
+
 systemd_log_parse_environment(systemd_backlight_t)
 
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
@@ -392,28 +401,37 @@ ifdef(`enable_mls',`
 #
 
 allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:unix_stream_socket connectto;
 allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
+dontaudit systemd_coredump_t self:capability net_admin;
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
+allow systemd_coredump_t self:cap_userns sys_ptrace;
 
 manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
 
 kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
+kernel_read_crypto_sysctls(systemd_coredump_t)
 kernel_read_kernel_sysctls(systemd_coredump_t)
 kernel_read_system_state(systemd_coredump_t)
 kernel_rw_pipes(systemd_coredump_t)
 kernel_use_fds(systemd_coredump_t)
 
 corecmd_exec_bin(systemd_coredump_t)
-corecmd_read_all_executables(systemd_coredump_t)
+corecmd_mmap_all_executables(systemd_coredump_t)
 
 dev_write_kmsg(systemd_coredump_t)
 
+domain_read_all_domains_state(systemd_coredump_t)
+
 files_getattr_all_mountpoints(systemd_coredump_t)
 files_read_etc_files(systemd_coredump_t)
 files_search_var_lib(systemd_coredump_t)
 
+fs_getattr_cgroup(systemd_coredump_t)
+fs_getattr_tmpfs(systemd_coredump_t)
 fs_getattr_xattr_fs(systemd_coredump_t)
+fs_search_cgroup_dirs(systemd_coredump_t)
 fs_search_tmpfs(systemd_coredump_t)
 
 selinux_getattr_fs(systemd_coredump_t)
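Review bot: `allow systemd_coredump_t self:cap_userns sys_ptrace;` and `domain_read_all_domains_state(systemd_coredump_t)` widen what the coredump helper may inspect, ptrace over processes inside user namespaces and /proc state of every domain, without a comment saying which case needs them (crashes of namespaced or containerised processes, presumably). Please add a why-comment such as `# read /proc/PID of the crashing process, which may be in any domain or user namespace`, and move the `cap_userns` line next to the `self:capability` line so the privileged grants sit together. The `dontaudit systemd_coredump_t self:capability net_admin;` line would likewise benefit from `# socket buffer sizing attempt, not required`, since the earlier reply explains that is the only trigger, so it is not later turned into an allow.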
@@ -427,6 +445,7 @@ logging_send_syslog_msg(systemd_coredump
 
 seutil_search_default_contexts(systemd_coredump_t)
 
+
 #######################################
 #
 # Systemd generator local policy
@@ -436,26 +455,44 @@ allow systemd_generator_t self:fifo_file
 allow systemd_generator_t self:capability dac_override;
 allow systemd_generator_t self:process setfscreate;
 
+allow systemd_generator_t self:tcp_socket create;
+allow systemd_generator_t self:udp_socket create;
+allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
+
 allow systemd_generator_t systemd_unit_t:file getattr;
 
+kernel_dontaudit_getattr_proc(systemd_generator_t)
+kernel_read_kernel_sysctls(systemd_generator_t)
+kernel_read_network_state(systemd_generator_t)
+kernel_read_system_state(systemd_generator_t)
+kernel_search_network_sysctl(systemd_generator_t)
+kernel_use_fds(systemd_generator_t)
+
+corecmd_exec_bin(systemd_generator_t)
 corecmd_exec_shell(systemd_generator_t)
-corecmd_getattr_bin_files(systemd_generator_t)
 
 dev_read_sysfs(systemd_generator_t)
+dev_read_urand(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 
-files_read_etc_files(systemd_generator_t)
+application_exec(systemd_generator_t)
+domain_read_all_entry_files(systemd_generator_t)
+files_exec_etc_files(systemd_generator_t)
 files_search_runtime(systemd_generator_t)
 files_list_boot(systemd_generator_t)
 files_read_boot_files(systemd_generator_t)
 files_read_config_files(systemd_generator_t)
 files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
+files_getattr_usr_files(systemd_generator_t)
 
-fs_list_efivars(systemd_generator_t)
 fs_getattr_cgroup(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
 fs_getattr_xattr_fs(systemd_generator_t)
+fs_list_efivars(systemd_generator_t)
+fs_rw_tmpfs_files(systemd_generator_t)
+fs_search_nfs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_read_all_script_files(systemd_generator_t)
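Review bot: `application_exec`, `corecmd_exec_bin` and `files_exec_etc_files` in this hunk let systemd_generator_t run any application binary, any bin_t file and any etc_t file in its own domain with no transition, turning a domain that already holds dac_override and raw fixed-disk read into a general root execution context for whatever a third-party generator happens to call. The hunk does not say which generator needed each grant; the openvpn and postfix blocks added further down in this file show the narrower pattern (per-package interfaces under `optional_policy` with a comment naming the generator) and the same scoping is preferable here, especially for `files_exec_etc_files`, which silently replaces `files_read_etc_files` and should name the executable under /etc that a generator runs. The `tcp_socket`/`udp_socket create`, the `netlink_route_socket` rule and `fs_rw_tmpfs_files` likewise deserve a one-line comment each, since a boot-time generator normally has no network and no writable tmpfs state.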
@@ -472,10 +509,10 @@ init_list_unit_dirs(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
 
-kernel_use_fds(systemd_generator_t)
-kernel_read_system_state(systemd_generator_t)
-kernel_read_kernel_sysctls(systemd_generator_t)
-kernel_dontaudit_getattr_proc(systemd_generator_t)
+miscfiles_read_localization(systemd_generator_t)
+
+selinux_getattr_fs(systemd_generator_t)
+seutil_search_default_contexts(systemd_generator_t)
 
 storage_raw_read_fixed_disk(systemd_generator_t)
 
@@ -487,6 +524,8 @@ ifdef(`distro_gentoo',`
 	corecmd_shell_entry_type(systemd_generator_t)
 ')
 
+udev_search_runtime(systemd_generator_t)
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
@@ -495,7 +534,21 @@ optional_policy(`
 	lvm_exec(systemd_generator_t)
 	lvm_map_config(systemd_generator_t)
 	lvm_read_config(systemd_generator_t)
-	miscfiles_read_localization(systemd_generator_t)
+')
+
+optional_policy(`
+	# for /lib/systemd/system-generators/openvpn-generator
+	openvpn_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+	# it runs postconf
+	# maybe /lib/systemd/system-generators/postfix-instance-generator
+	postfix_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+	tmpreaper_exec(systemd_generator_t)
 ')
 
 #######################################
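Review bot: The `tmpreaper_exec` block at the end of this hunk carries no comment, unlike the openvpn and postfix blocks above it, and the postfix comment says `maybe`, so a reader cannot tell which generator actually executes tmpreaper or postconf. Replace the guess with the observed path, e.g. `# /lib/systemd/system-generators/postfix-instance-generator runs postconf`, and add `# for <generator path>` above `tmpreaper_exec`. Moving `miscfiles_read_localization` out of the lvm block is a genuine fix, since it was never lvm-specific.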
@@ -531,6 +584,10 @@ optional_policy(`
 	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(systemd_hostnamed_t)
+')
+
 #########################################
 #
 # hw local policy
@@ -599,6 +656,7 @@ logging_send_syslog_msg(systemd_log_pars
 #
 
 allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:lockdown integrity;
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
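Review bot: `allow systemd_logind_t self:lockdown integrity;` is a broad grant: the integrity lockdown permission gates every kernel operation the lockdown LSM classes as integrity-affecting (hibernation, kexec, raw memory access and more), not just the one logind tripped over, and the hunk gives no hint which operation that was. Presumably it is logind's hibernate/suspend handling; if so record it above the rule, e.g. `# hibernation is an integrity lockdown operation`, and check whether logind only probes and a `dontaudit` would do.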
@@ -646,11 +704,13 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
+files_search_boot(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
 fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
 fs_mount_tmpfs(systemd_logind_t)
 fs_read_cgroup_files(systemd_logind_t)
@@ -682,6 +742,7 @@ init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
+init_stream_connect(systemd_logind_t)
 
 # for /run/systemd/transient/*
 init_restart_units(systemd_logind_t)
@@ -748,6 +809,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_dbus_chat(systemd_logind_t)
+	dpkg_read_state(systemd_logind_t)
+')
+
+optional_policy(`
 	devicekit_dbus_chat_disk(systemd_logind_t)
 	devicekit_dbus_chat_power(systemd_logind_t)
 ')
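Review bot: The new dpkg block gives logind read access to dpkg_t /proc state and a dbus send to dpkg_t without saying why; presumably package maintainer scripts running in dpkg_t call `systemctl`/`loginctl`, and logind replies and inspects the caller, but that is inference from the rule pair. Add a comment such as `# reply to loginctl/systemctl invoked from package maintainer scripts` so the grant can be revisited if maintainer scripts get their own domain. Note that `dpkg_read_state` covers every file under /proc/<pid> of dpkg_t, including environ and cmdline.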
@@ -790,6 +856,9 @@ allow systemd_machined_t systemd_machine
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
 
+allow systemd_machined_t systemd_userdb_runtime_t:dir manage_dir_perms;
+allow systemd_machined_t systemd_userdb_runtime_t:sock_file { create unlink };
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
@@ -908,6 +977,10 @@ sysnet_read_config(systemd_networkd_t)
 systemd_log_parse_environment(systemd_networkd_t)
 
 optional_policy(`
+	bluetooth_dbus_chat(systemd_hostnamed_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(systemd_networkd_t)
 	dbus_connect_system_bus(systemd_networkd_t)
 	dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
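Review bot: `bluetooth_dbus_chat(systemd_hostnamed_t)` is inserted into the systemd-networkd section (every context line in this hunk is about `systemd_networkd_t`), so the rule sits in the wrong place and will be overlooked or dropped in a later cleanup. Move it beside the other hostnamed optional blocks, where `unconfined_dbus_send(systemd_hostnamed_t)` is added in this same patch, and give it a comment such as `# bluetoothd queries the pretty hostname` if that is the observed reason (mark it presumed otherwise).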
@@ -948,8 +1021,8 @@ miscfiles_read_localization(systemd_noti
 # Nspawn local policy
 #
 
-allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
-allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:process { signal getsched setsched getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot audit_control };
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
 allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
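Review bot: `audit_control` is appended to the nspawn capability set with no explanation; that capability allows changing audit rules and audit state, far more than a container launcher needs for itself. If the denial came from the container payload writing /proc/self/loginuid (which nspawn cannot reset inside a container anyway), a `dontaudit systemd_nspawn_t self:capability audit_control;` is likely the right response; if nspawn itself needs it, add a comment naming the operation so the grant is not cargo-culted into other container domains.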
@@ -974,14 +1047,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
 
+term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t)
+allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms;
+
+kernel_getattr_core_if(systemd_nspawn_t)
+kernel_getattr_proc(systemd_nspawn_t)
+kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
+
 kernel_mount_proc(systemd_nspawn_t)
 kernel_mounton_sysctl_dirs(systemd_nspawn_t)
 kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
 kernel_mounton_message_if(systemd_nspawn_t)
 kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_files(systemd_nspawn_t)
+kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
+
+kernel_read_irq_sysctls(systemd_nspawn_t)
+kernel_read_network_state(systemd_nspawn_t)
 kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_sysctl(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
+kernel_request_load_module(systemd_nspawn_t)
+kernel_search_network_sysctl(systemd_nspawn_t)
 
 corecmd_exec_shell(systemd_nspawn_t)
 corecmd_search_bin(systemd_nspawn_t)
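Review bot: `kernel_request_load_module` lets systemd_nspawn_t trigger kernel module autoloading and `kernel_mounton_unlabeled_dirs` lets it mount over directories that carry no label; both are classic container-escape footholds and neither carries a comment. A container manager requesting modules on behalf of guest configuration is a known attack surface, so justify it (`# for <feature> used inside the container`) or use `kernel_dontaudit_request_load_module` if it is only a probe. The `systemd_nspawn_devpts_t` type used by `term_create_pty` must be declared with `term_pty` elsewhere in the patch; that declaration is not visible in this chunk.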
@@ -998,6 +1086,7 @@ dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
 
+files_getattr_default_dirs(systemd_nspawn_t)
 files_getattr_tmp_dirs(systemd_nspawn_t)
 files_manage_etc_files(systemd_nspawn_t)
 files_manage_mnt_dirs(systemd_nspawn_t)
@@ -1009,11 +1098,17 @@ files_setattr_runtime_dirs(systemd_nspaw
 
 fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
+fs_getattr_xattr_fs(systemd_nspawn_t)
+fs_manage_cgroup_dirs(systemd_nspawn_t)
+fs_manage_cgroup_files(systemd_nspawn_t)
+fs_manage_tmpfs_blk_files(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_cgroup(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
+fs_mounton_cgroup(systemd_nspawn_t)
+fs_read_nsfs_files(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
 fs_remount_xattr_fs(systemd_nspawn_t)
-fs_read_cgroup_files(systemd_nspawn_t)
 
 term_getattr_generic_ptys(systemd_nspawn_t)
 term_getattr_pty_fs(systemd_nspawn_t)
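Review bot: `fs_manage_cgroup_dirs`, `fs_mount_cgroup` and `fs_mounton_cgroup` become unconditional here, but the same three calls still sit inside the `systemd_nspawn_labeled_namespace` tunable block further down in this file, which makes that gating dead. Decide one way: if unlabeled-namespace containers also need cgroup management, delete the duplicates from the tunable block; otherwise keep these three gated and drop them here. `fs_manage_cgroup_files` is wider than the removed `fs_read_cgroup_files` and deserves a comment on which cgroup files nspawn writes.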
@@ -1021,6 +1116,7 @@ term_mount_devpts(systemd_nspawn_t)
 term_search_ptys(systemd_nspawn_t)
 term_setattr_generic_ptys(systemd_nspawn_t)
 term_use_ptmx(systemd_nspawn_t)
+term_use_generic_ptys(systemd_nspawn_t)
 
 init_domtrans_script(systemd_nspawn_t)
 init_getrlimit(systemd_nspawn_t)
@@ -1031,8 +1127,12 @@ init_write_runtime_socket(systemd_nspawn
 init_spec_domtrans_script(systemd_nspawn_t)
 
 miscfiles_manage_localization(systemd_nspawn_t)
+mount_exec(systemd_nspawn_t)
+
 udev_read_runtime_files(systemd_nspawn_t)
 
+sysnet_exec_ifconfig(systemd_nspawn_t)
+
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
 
@@ -1055,11 +1155,13 @@ tunable_policy(`systemd_nspawn_labeled_n
 	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
 	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
 	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
 
 	fs_getattr_cgroup(systemd_nspawn_t)
 	fs_manage_cgroup_dirs(systemd_nspawn_t)
 	fs_manage_tmpfs_dirs(systemd_nspawn_t)
 	fs_manage_tmpfs_files(systemd_nspawn_t)
+	fs_manage_tmpfs_sockets(systemd_nspawn_t)
 	fs_manage_tmpfs_symlinks(systemd_nspawn_t)
 	fs_mount_cgroup(systemd_nspawn_t)
 	fs_mounton_cgroup(systemd_nspawn_t)
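Review bot: The added `fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)` is placed after the sock_file pair instead of next to the fifo_file manage rule at the top of this hunk, breaking the manage-then-filetrans pairing the block already uses; move it directly under `allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;`. `fs_manage_tmpfs_sockets` staying inside the tunable is consistent with the other tmpfs manage calls here.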
@@ -1077,8 +1179,11 @@ tunable_policy(`systemd_nspawn_labeled_n
 
 	init_domtrans(systemd_nspawn_t)
 
+	logging_manage_runtime_sockets(systemd_nspawn_t)
+	logging_relabelto_devlog_sock_files(systemd_nspawn_t)
 	logging_search_logs(systemd_nspawn_t)
 
+	seutil_exec_setfiles(systemd_nspawn_t)
 	seutil_search_default_contexts(systemd_nspawn_t)
 ')
 
@@ -1105,7 +1210,7 @@ allow systemd_passwd_agent_t self:capabi
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
-allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
+allow systemd_passwd_agent_t systemd_passwd_runtime_t:{ dir file } watch;
 manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
@@ -1115,6 +1220,7 @@ init_runtime_filetrans(systemd_passwd_ag
 can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
 kernel_read_system_state(systemd_passwd_agent_t)
+kernel_search_fs_sysctls(systemd_passwd_agent_t)
 kernel_stream_connect(systemd_passwd_agent_t)
 
 dev_create_generic_dirs(systemd_passwd_agent_t)
@@ -1141,6 +1247,7 @@ init_create_runtime_dirs(systemd_passwd_
 init_read_runtime_pipes(systemd_passwd_agent_t)
 init_read_state(systemd_passwd_agent_t)
 init_read_utmp(systemd_passwd_agent_t)
+init_use_script_ptys(systemd_passwd_agent_t)
 init_stream_connect(systemd_passwd_agent_t)
 
 logging_send_syslog_msg(systemd_passwd_agent_t)
@@ -1420,6 +1527,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_search_auto_mountpoints(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -1491,6 +1599,11 @@ tunable_policy(`systemd_tmpfilesd_factor
 ')
 
 optional_policy(`
+	colord_read_lib_files(systemd_tmpfiles_t)
+	colord_relabel_lib(systemd_tmpfiles_t)
+')
+
+optional_policy(`
 	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
@@ -1611,13 +1724,15 @@ seutil_libselinux_linked(systemd_user_se
 # systemd-user-runtime-dir local policy
 #
 
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
+allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override mknod };
 allow systemd_user_runtime_dir_t self:process setfscreate;
 
 domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
 
 allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
 allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
+allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
 
 files_read_etc_files(systemd_user_runtime_dir_t)
 
@@ -1650,8 +1765,13 @@ userdom_delete_all_user_runtime_chr_file
 userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
 userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
 
+userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t)
+
 userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
 userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
+userdom_list_user_tmp(systemd_user_runtime_dir_t)
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
@@ -1661,3 +1781,15 @@ userdom_relabelto_user_runtime_dirs(syst
 optional_policy(`
 	dbus_system_bus_client(systemd_user_runtime_dir_t)
 ')
+
+optional_policy(`
+	dirmngr_unlink_tmp_sock(systemd_user_runtime_dir_t)
+')
+
+optional_policy(`
+	gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t)
+')
+
+optional_policy(`
+	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
+')
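Review bot: The last block wraps `userdom_delete_all_user_runtime_named_sockets` in `optional_policy`, but userdomain is a base module and every other `userdom_` call in this section is made unconditionally, so the wrapper is inconsistent and hides the call; move it up beside the other `userdom_delete_*` lines. The dirmngr and gpg blocks are correctly optional, since those modules may be absent.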
Index: refpolicy-2.20210908/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20210908/policy/modules/admin/dpkg.if
@@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
 
 	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
 ')
+
+########################################
+## <summary>
+##	send dbus messages to dpkg_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_dbus_chat',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	read dpkg_t process state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_state',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:dir search;
+	allow $1 dpkg_t:file read_file_perms;
+')
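Review bot: `dpkg_dbus_chat` grants only `$1 dpkg_t:dbus send_msg`, while in refpolicy the `_dbus_chat` suffix conventionally means both directions and one-way interfaces are named `_dbus_send`. Either rename it `dpkg_dbus_send` (and its caller in systemd.te) or add `allow dpkg_t $1:dbus send_msg;`. For `dpkg_read_state` the usual idiom is `read_files_pattern($1, dpkg_t, dpkg_t)`, and the summary should say this is /proc/<pid> state of dpkg processes so callers know it exposes environ and cmdline.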
Index: refpolicy-2.20210908/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210908/policy/modules/roles/sysadm.te
@@ -99,6 +99,10 @@ ifdef(`init_systemd',`
 	# LookupDynamicUserByUID on org.freedesktop.systemd1.
 	init_dbus_chat(sysadm_t)
 
+	systemd_run_nspawn(sysadm_t, sysadm_r)
+	systemd_run_passwd_agent(sysadm_t, sysadm_r)
+
+
 	# Allow sysadm to get the status of and set properties of other users,
 	# sessions, and seats on the system.
 	systemd_dbus_chat_logind(sysadm_t)
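Review bot: There is a double blank line after `systemd_run_passwd_agent(sysadm_t, sysadm_r)`; collapse it to one to match the file's layout. `systemd_run_nspawn` presumably provides the role and domain transition into systemd_nspawn_t, which in this same patch also gains audit_control and module-load rights; that is reasonable for sysadm_r but worth a comment such as `# launch containers and answer password agent queries`.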
Index: refpolicy-2.20210908/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20210908/policy/modules/services/networkmanager.te
@@ -332,6 +332,9 @@ optional_policy(`
 optional_policy(`
 	systemd_read_logind_runtime_files(NetworkManager_t)
 	systemd_read_logind_sessions_files(NetworkManager_t)
+	systemd_watch_logind_runtime_dirs(NetworkManager_t)
+	systemd_watch_logind_sessions_dirs(NetworkManager_t)
+	systemd_watch_machines_dirs(NetworkManager_t)
 	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
 ')
 
Index: refpolicy-2.20210908/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20210908/policy/modules/services/policykit.te
@@ -134,12 +134,15 @@ optional_policy(`
 optional_policy(`
 	# for /run/systemd/machines
 	systemd_read_machines(policykit_t)
+	systemd_watch_machines_dirs(policykit_t)
 
 	# for /run/systemd/seats/seat*
 	systemd_read_logind_sessions_files(policykit_t)
+	systemd_watch_logind_sessions_dirs(policykit_t)
 
 	# for /run/systemd/users/*
 	systemd_read_logind_runtime_files(policykit_t)
+	systemd_watch_logind_runtime_dirs(policykit_t)
 ')
 
 ########################################
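Review bot: The three `systemd_watch_*_dirs` interfaces called here are not defined in this chunk, and both these callers and the systemd.if definitions are touched by the same patch, so make sure the plural `_dirs` spelling matches the interface names exactly; a mismatch only surfaces as a build error when the module is compiled. `systemd_watch_machines_dirs` in particular must already exist or be added in this patch.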
Index: refpolicy-2.20210908/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210908/policy/modules/services/devicekit.te
@@ -195,6 +195,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_read_logind_sessions_files(devicekit_disk_t)
+	systemd_use_logind_fds(devicekit_disk_t)
+	systemd_write_inherited_logind_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
 	udev_domtrans_udevadm(devicekit_disk_t)
 	udev_read_runtime_files(devicekit_disk_t)
 ')
Index: refpolicy-2.20210908/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210908/policy/modules/services/ssh.te
@@ -270,6 +270,7 @@ ifdef(`init_systemd',`
 	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
 	init_rw_stream_sockets(sshd_t)
+	systemd_dgram_nspawn(sshd_t)
 	systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 
Index: refpolicy-2.20210908/policy/modules/apps/gpg.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/apps/gpg.if
+++ refpolicy-2.20210908/policy/modules/apps/gpg.if
@@ -274,6 +274,24 @@ interface(`gpg_agent_tmp_filetrans',`
 
 ########################################
 ## <summary>
+##	unlink gpg_agent_tmp_t sock_file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_agent_tmp_unlink_sock',`
+	gen_require(`
+		type gpg_agent_tmp_t;
+	')
+
+	allow $1 gpg_agent_tmp_t:sock_file unlink;
+')
+
+########################################
+## <summary>
 ##	filetrans in gpg_runtime_t dirs
 ## </summary>
 ## <param name="domain">
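Review bot: `gpg_agent_tmp_unlink_sock` grants `sock_file unlink` only; unlinking also needs `remove_name` (and `search`) on the parent directory, so if the socket sits inside a gpg_agent_tmp_t directory the caller will hit a second denial. The refpolicy idiom is `delete_sock_files_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t)`, which covers both; if the socket lives directly in a directory the caller already manages, say so in the summary.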
Index: refpolicy-2.20210908/policy/modules/services/dirmngr.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/dirmngr.if
+++ refpolicy-2.20210908/policy/modules/services/dirmngr.if
@@ -34,6 +34,24 @@ interface(`dirmngr_role',`
 	allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 ')
 
+############################################################
+## <summary>
+##	unlink dirmngr_tmp_t sock_file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	domain allowed access
+##	</summary>
+## </param>
+#
+interface(`dirmngr_unlink_tmp_sock',`
+	gen_require(`
+		type dirmngr_tmp_t;
+	')
+
+	allow $1 dirmngr_tmp_t:sock_file unlink;
+')
+
 ########################################
 ## <summary>
 ##	Execute dirmngr in the dirmngr domain.
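Review bot: `dirmngr_unlink_tmp_sock` grants only `sock_file unlink` and nothing on the containing directory, so prefer `delete_sock_files_pattern($1, dirmngr_tmp_t, dirmngr_tmp_t)` unless the socket is directly in a directory the caller already has rw_dir_perms on. Style: the comment header above it uses a much longer run of `#` than the other interfaces in this file, and `domain allowed access` should be capitalised and punctuated like the neighbouring `Domain allowed access.`.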
@@ -95,6 +113,24 @@ interface(`dirmngr_stream_connect',`
 ')
 
 ########################################
+## <summary>
+##	Search dirmngr_tmp_t dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirmngr_tmp_dir_search',`
+	gen_require(`
+		type dirmngr_tmp_t;
+	')
+
+	allow $1 dirmngr_tmp_t:dir search_dir_perms;
+')
+
+########################################
 ## <summary>
 ##	All of the rules required to
 ##	administrate an dirmngr environment.
Index: refpolicy-2.20210908/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210908/policy/modules/system/logging.te
@@ -555,6 +555,7 @@ ifdef(`init_systemd',`
 	logging_send_syslog_msg(syslogd_t)
 
 	systemd_manage_journal_files(syslogd_t)
+	systemd_search_user_runtime(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)
 
Index: refpolicy-2.20210908/policy/modules/services/colord.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/colord.if
+++ refpolicy-2.20210908/policy/modules/services/colord.if
@@ -58,3 +58,22 @@ interface(`colord_read_lib_files',`
 	files_search_var_lib($1)
 	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
 ')
+
+######################################
+## <summary>
+##	relabel colord lib files and dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`colord_relabel_lib',`
+	gen_require(`
+		type colord_var_lib_t;
+	')
+
+	allow $1 colord_var_lib_t:dir { list_dir_perms relabelfrom relabelto };
+	allow $1 colord_var_lib_t:file { relabelfrom relabelto };
+')
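Review bot: `colord_relabel_lib` hand-writes the dir and file relabel rules; the refpolicy idiom is `relabel_dirs_pattern($1, colord_var_lib_t, colord_var_lib_t)` plus `relabel_files_pattern($1, colord_var_lib_t, colord_var_lib_t)`, which also grant the list and search needed to reach the objects. Add `files_search_var_lib($1)` as `colord_read_lib_files` above does, otherwise a caller that has no other path to /var/lib cannot reach the files it is allowed to relabel.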
Index: refpolicy-2.20210908/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210908/policy/modules/system/userdomain.if
@@ -4539,6 +4539,25 @@ interface(`userdom_dontaudit_write_user_
 
 ########################################
 ## <summary>
+##      Delete user_tmp_t device nodes (probably should not have been
+##     created in the first place)
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow deleting
+##      </summary>
+## </param>
+#
+interface(`userdom_unlink_user_tmp_devices',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:{ chr_file blk_file } unlink;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
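Review bot: The XML doc block of `userdom_unlink_user_tmp_devices` is indented with spaces, and unevenly (`##      Delete` versus `##     created`), while the rest of the file uses a single tab after `##`; and the parenthetical `(probably should not have been created in the first place)` is speculation that belongs in a `#` comment at the caller, not in the interface summary. Suggested summary `##	Delete user tmp character and block device nodes.` and parameter text `##	Domain allowed access.`, matching the neighbouring interfaces.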
