selinux-refpolicy/policy/modules/system/systemd.if


## <summary>Systemd components (not PID 1)</summary>
######################################
## <summary>
##	Associate the specified type with the
##	systemd log parse environment attribute.
## </summary>
## <desc>
##	<p>
##	Only the attribute assignment happens here. The rules
##	attached to systemd_log_parse_env_type are defined
##	elsewhere in the module and apply to every type that
##	carries the attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as a log parse environment type.
##	</summary>
## </param>
#
interface(`systemd_log_parse_environment',`
	gen_require(`
		attribute systemd_log_parse_env_type;
	')

	typeattribute $1 systemd_log_parse_env_type;
')
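######################################
## <summary>
##	List the systemd logind runtime directory
##	and read the files in it.
## </summary>
## <desc>
##	<p>
##	Read-only access to objects labeled
##	systemd_logind_var_run_t, plus the access granted
##	by files_search_pids.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_pids',`
	gen_require(`
		type systemd_logind_var_run_t;
	')

	files_search_pids($1)
	# Directory listing and file reads only; no write access is granted.
	allow $1 systemd_logind_var_run_t:dir list_dir_perms;
	allow $1 systemd_logind_var_run_t:file read_file_perms;
')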
######################################
## <summary>
##	Create, read, write and delete named pipes
##	in the systemd logind runtime directory.
## </summary>
## <desc>
##	<p>
##	Both the containing directory and the pipes are
##	labeled systemd_logind_var_run_t. This is full
##	management access, not just use of existing pipes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_logind_pid_pipes',`
	gen_require(`
		type systemd_logind_var_run_t;
	')

	manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
	files_search_pids($1)
')
######################################
## <summary>
##	Use file descriptors inherited
##	from systemd logind.
## </summary>
## <desc>
##	<p>
##	Grants only the fd use permission on systemd_logind_t.
##	Access to the object behind a descriptor still needs
##	its own rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_use_logind_fds',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
')
######################################
## <summary>
##	Write to inherited logind session pipes.
## </summary>
## <desc>
##	<p>
##	Besides fd use on systemd_logind_t and write on
##	systemd_sessions_var_run_t fifo files, this interface
##	also lets systemd_logind_t send the signal permission
##	to the calling domain. Callers should expect that
##	reverse grant.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
	gen_require(`
		type systemd_logind_t, systemd_sessions_var_run_t;
	')

	# Access granted to the caller.
	allow $1 systemd_sessions_var_run_t:fifo_file write;
	allow $1 systemd_logind_t:fd use;

	# Reverse direction: logind may signal the caller.
	allow systemd_logind_t $1:process signal;
')
########################################
## <summary>
##	Exchange messages with systemd
##	logind over dbus.
## </summary>
## <desc>
##	<p>
##	The send_msg permission is granted in both directions:
##	from the caller to systemd_logind_t and from
##	systemd_logind_t to the caller.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dbus_chat_logind',`
	gen_require(`
		type systemd_logind_t;
		class dbus send_msg;
	')

	allow systemd_logind_t $1:dbus send_msg;
	allow $1 systemd_logind_t:dbus send_msg;
')
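########################################
## <summary>
##	Write to files labeled systemd_kmod_conf_t.
## </summary>
## <desc>
##	<p>
##	Access is granted through write_files_pattern with
##	var_run_t as the containing directory type and
##	systemd_kmod_conf_t as the file type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`systemd_write_kmod_files',`
	# var_run_t is named directly in the pattern below and must be
	# required too, otherwise a module calling this interface
	# references an undeclared type.
	gen_require(`
		type systemd_kmod_conf_t, var_run_t;
	')

	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
')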
#######################################
## <summary>
##	Allow systemd_tmpfiles_t to create, set attributes on
##	and relabel objects of the given type and class.
## </summary>
## <desc>
##	<p>
##	The permissions granted are setattr, relabelfrom,
##	relabelto and create. The relabel permissions let
##	systemd_tmpfiles_t change labels to and from the given
##	type, so pass the narrowest type and class that the
##	tmpfiles configuration actually needs.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type of object to manage.
##	</summary>
## </param>
## <param name="class">
##	<summary>
##	Object class to manage.
##	</summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
	gen_require(`
		type systemd_tmpfiles_t;
	')

	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
########################################
## <summary>
##	Relabel files to systemd_kmod_conf_t.
## </summary>
## <desc>
##	<p>
##	Only the relabelto direction on the file class is
##	granted. Relabeling from the original type needs a
##	separate rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`systemd_relabelto_kmod_files',`
	gen_require(`
		type systemd_kmod_conf_t;
	')

	allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
')
########################################
## <summary>
##	Allow systemd_passwd_agent_t to use file
##	descriptors owned by the specified domain.
## </summary>
## <desc>
##	<p>
##	The grant goes to systemd_passwd_agent_t, not to the
##	caller: the argument is the source of the descriptors.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain that owns the fds.
##	</summary>
## </param>
#
interface(`systemd_use_passwd_agent_fds',`
	gen_require(`
		type systemd_passwd_agent_t;
	')

	allow systemd_passwd_agent_t $1:fd use;
')
########################################
## <summary>
##	Label the ask-password runtime directories
##	systemd_passwd_var_run_t when the domain creates them.
## </summary>
## <desc>
##	<p>
##	Two named transitions are set up through
##	init_pid_filetrans, for directories called
##	ask-password and ask-password-block. Directories with
##	any other name are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_filetrans_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_var_run_t;
	')

	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
')
########################################
## <summary>
##	Manage all systemd unit directories,
##	files and symbolic links.
## </summary>
## <desc>
##	<p>
##	Access is granted on the systemdunit attribute, so it
##	covers every type carrying that attribute rather than
##	one unit type. This is a broad grant: reserve it for
##	domains trusted to administer units.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_all_units',`
	gen_require(`
		attribute systemdunit;
	')

	manage_files_pattern($1, systemdunit, systemdunit)
	manage_lnk_files_pattern($1, systemdunit, systemdunit)
	manage_dirs_pattern($1, systemdunit, systemdunit)
')
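########################################
## <summary>
##	Create and manage directories and files
##	labeled systemd_journal_t.
## </summary>
## <desc>
##	<p>
##	Manage access includes modifying and deleting existing
##	objects of this type. Where these are log files, prefer
##	a read-only interface for domains that only consume them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_journal_files',`
	# Require the type the rules below actually use.
	gen_require(`
		type systemd_journal_t;
	')

	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
')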
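########################################
## <summary>
##	Allow systemd_logind_t to read process state for cgroup file
## </summary>
## <desc>
##	<p>
##	The grant goes to systemd_logind_t: it may list
##	directories and read files labeled with the type of
##	the specified domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain systemd_logind_t may access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_state',`
	gen_require(`
		type systemd_logind_t;
	')

	# Read-only: directory listing and file reads on the domain type.
	allow systemd_logind_t $1:dir list_dir_perms;
	allow systemd_logind_t $1:file read_file_perms;
')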
########################################
## <summary>
##	Get the service status of systemd logind.
## </summary>
## <desc>
##	<p>
##	Grants only the status permission of the service
##	class on systemd_logind_t. No other service
##	permission is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_logind',`
	gen_require(`
		class service status;
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:service status;
')
########################################
## <summary>
##	Send a null signal to systemd logind.
## </summary>
## <desc>
##	<p>
##	Only the signull permission on systemd_logind_t
##	processes is granted. No other signal is allowed
##	by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_signull_logind',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:process signull;
')
########################################
## <summary>
##	Allow the specified domain to start power units.
## </summary>
## <desc>
##	<p>
##	Grants the start permission of the service class on
##	power_unit_t. This is an allow rule, not a dontaudit
##	rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_start_power_units',`
	gen_require(`
		class service start;
		type power_unit_t;
	')

	allow $1 power_unit_t:service start;
')