selinux-refpolicy/policy/modules/system/systemd.te

1138 lines
35 KiB
Plaintext
Raw Normal View History

2019-02-09 14:06:37 +00:00
policy_module(systemd, 1.7.1)
#########################################
#
# Declarations
#
## <desc>
## <p>
## Enable support for systemd-tmpfiles to manage all non-security files.
## </p>
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)
2017-02-24 01:03:23 +00:00
## <desc>
## <p>
## Allow systemd-nspawn to create a labelled namespace with the same types
## as parent environment
## </p>
## </desc>
gen_tunable(systemd_nspawn_labeled_namespace, false)
attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
type systemd_activate_t;
type systemd_activate_exec_t;
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
type systemd_analyze_t;
type systemd_analyze_exec_t;
init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
type systemd_backlight_t;
type systemd_backlight_exec_t;
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
type systemd_backlight_unit_t;
init_unit_file(systemd_backlight_unit_t)
type systemd_backlight_var_lib_t;
files_type(systemd_backlight_var_lib_t)
type systemd_binfmt_t;
type systemd_binfmt_exec_t;
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
type systemd_binfmt_unit_t;
init_unit_file(systemd_binfmt_unit_t)
2017-05-18 19:31:08 +00:00
type systemd_gpt_generator_t;
type systemd_gpt_generator_exec_t;
init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
type systemd_cgroups_t;
type systemd_cgroups_exec_t;
domain_type(systemd_cgroups_t)
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
role system_r types systemd_cgroups_t;
type systemd_cgroups_var_run_t;
files_pid_file(systemd_cgroups_var_run_t)
init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
type systemd_cgtop_t;
type systemd_cgtop_exec_t;
init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
type systemd_coredump_t;
type systemd_coredump_exec_t;
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
2017-02-24 01:03:23 +00:00
type systemd_coredump_var_lib_t;
files_type(systemd_coredump_var_lib_t)
type systemd_detect_virt_t;
type systemd_detect_virt_exec_t;
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
type systemd_hostnamed_t;
type systemd_hostnamed_exec_t;
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
type systemd_hw_t;
type systemd_hw_exec_t;
init_system_domain(systemd_hw_t, systemd_hw_exec_t)
type systemd_hwdb_t;
files_type(systemd_hwdb_t);
2017-02-24 01:03:23 +00:00
type systemd_journal_t;
files_type(systemd_journal_t)
logging_log_file(systemd_journal_t)
type systemd_locale_t;
type systemd_locale_exec_t;
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
type systemd_logind_t;
type systemd_logind_exec_t;
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
type systemd_logind_var_lib_t;
files_type(systemd_logind_var_lib_t)
type systemd_logind_var_run_t;
files_pid_file(systemd_logind_var_run_t)
init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
type systemd_logind_inhibit_var_run_t;
files_pid_file(systemd_logind_inhibit_var_run_t)
type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
2017-02-24 01:03:23 +00:00
type systemd_machined_var_run_t;
files_pid_file(systemd_machined_var_run_t)
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
type systemd_modules_load_t;
type systemd_modules_load_exec_t;
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
type systemd_networkd_t;
type systemd_networkd_exec_t;
init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
type systemd_networkd_unit_t;
init_unit_file(systemd_networkd_unit_t)
type systemd_networkd_var_run_t;
files_pid_file(systemd_networkd_var_run_t)
2017-02-24 01:03:23 +00:00
type systemd_notify_t;
type systemd_notify_exec_t;
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
mcs_killall(systemd_nspawn_t)
2017-02-24 01:03:23 +00:00
type systemd_nspawn_var_run_t;
files_pid_file(systemd_nspawn_var_run_t)
type systemd_nspawn_tmp_t;
files_tmp_file(systemd_nspawn_tmp_t)
type systemd_resolved_t;
type systemd_resolved_exec_t;
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
type systemd_resolved_var_run_t;
files_pid_file(systemd_resolved_var_run_t)
type systemd_run_t;
type systemd_run_exec_t;
init_daemon_domain(systemd_run_t, systemd_run_exec_t)
type systemd_stdio_bridge_t;
type systemd_stdio_bridge_exec_t;
init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
type systemd_passwd_agent_t;
type systemd_passwd_agent_exec_t;
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
2017-02-24 01:03:23 +00:00
type systemd_passwd_var_run_t;
files_pid_file(systemd_passwd_var_run_t)
2017-08-14 20:32:29 +00:00
type systemd_rfkill_t;
type systemd_rfkill_exec_t;
init_daemon_domain(systemd_rfkill_t, systemd_rfkill_exec_t)
type systemd_rfkill_unit_t;
init_unit_file(systemd_rfkill_unit_t)
type systemd_rfkill_var_lib_t;
files_type(systemd_rfkill_var_lib_t)
type systemd_sessions_t;
type systemd_sessions_exec_t;
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
type systemd_sessions_var_run_t;
files_pid_file(systemd_sessions_var_run_t)
init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
type systemd_tmpfiles_t;
type systemd_tmpfiles_exec_t;
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
type systemd_tmpfiles_conf_t;
files_config_file(systemd_tmpfiles_conf_t)
type systemd_update_done_t;
type systemd_update_done_exec_t;
init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
type systemd_update_run_t;
files_type(systemd_update_run_t)
#
# Unit file types
#
type power_unit_t;
init_unit_file(power_unit_t)
######################################
#
# Backlight local policy
#
2017-02-24 01:03:23 +00:00
allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
systemd_log_parse_environment(systemd_backlight_t)
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
dev_rw_sysfs(systemd_backlight_t)
2017-02-24 01:03:23 +00:00
# for udev.conf
files_read_etc_files(systemd_backlight_t)
2017-02-24 01:03:23 +00:00
# for /run/udev/data/+backlight*
udev_read_pid_files(systemd_backlight_t)
files_search_var_lib(systemd_backlight_t)
#######################################
#
# Binfmt local policy
#
systemd_log_parse_environment(systemd_binfmt_t)
# Allow to read /etc/binfmt.d/ files
files_read_etc_files(systemd_binfmt_t)
fs_register_binary_executable_type(systemd_binfmt_t)
2017-05-18 19:31:08 +00:00
#######################################
#
# GPT auto generator local policy
#
dev_read_sysfs(systemd_gpt_generator_t)
files_list_usr(systemd_gpt_generator_t)
2017-05-18 19:31:08 +00:00
files_read_etc_files(systemd_gpt_generator_t)
fs_getattr_xattr_fs(systemd_gpt_generator_t)
storage_raw_read_fixed_disk(systemd_gpt_generator_t)
systemd_log_parse_environment(systemd_gpt_generator_t)
######################################
#
# Cgroups local policy
#
allow systemd_cgroups_t self:capability net_admin;
2019-01-10 00:30:15 +00:00
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
kernel_dgram_send(systemd_cgroups_t)
# for /proc/cmdline
kernel_read_system_state(systemd_cgroups_t)
2019-01-10 00:30:15 +00:00
mls_fd_use_all_levels(systemd_cgroups_t)
2017-01-05 10:40:32 +00:00
selinux_getattr_fs(systemd_cgroups_t)
# write to /run/systemd/cgroups-agent
init_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)
# for /proc/1/environ
init_read_state(systemd_cgroups_t)
seutil_libselinux_linked(systemd_cgroups_t)
systemd_log_parse_environment(systemd_cgroups_t)
2019-01-10 00:30:15 +00:00
ifdef(`enable_mls',`
kernel_ranged_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t, s0 - mls_systemhigh)
')
######################################
#
# coredump local policy
#
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
allow systemd_coredump_t self:capability { setgid setuid setpcap };
allow systemd_coredump_t self:process { getcap setcap setfscreate };
manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
kernel_read_kernel_sysctls(systemd_coredump_t)
kernel_read_system_state(systemd_coredump_t)
kernel_rw_pipes(systemd_coredump_t)
kernel_use_fds(systemd_coredump_t)
corecmd_exec_bin(systemd_coredump_t)
corecmd_read_all_executables(systemd_coredump_t)
dev_write_kmsg(systemd_coredump_t)
files_read_etc_files(systemd_coredump_t)
files_search_var_lib(systemd_coredump_t)
fs_getattr_xattr_fs(systemd_coredump_t)
selinux_getattr_fs(systemd_coredump_t)
init_list_var_lib_dirs(systemd_coredump_t)
init_read_state(systemd_coredump_t)
init_search_pids(systemd_coredump_t)
init_write_runtime_socket(systemd_coredump_t)
logging_send_syslog_msg(systemd_coredump_t)
seutil_search_default_contexts(systemd_coredump_t)
#######################################
#
# Hostnamed policy
#
allow systemd_hostnamed_t self:capability { sys_admin };
kernel_read_kernel_sysctls(systemd_hostnamed_t)
dev_read_sysfs(systemd_hostnamed_t)
files_read_etc_files(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
Modify type for /etc/hostname hostnamectl updates /etc/hostname This change is setting the type for the file /etc/hostname to net_conf_t and granting hostnamectl permission to edit this file. Note that hostnamectl is initially creating a new file .#hostname* which is why the create permissions are requied. type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-15 03:20:29 +00:00
sysnet_etc_filetrans_config(systemd_hostnamed_t)
sysnet_manage_config(systemd_hostnamed_t)
systemd_log_parse_environment(systemd_hostnamed_t)
optional_policy(`
dbus_connect_system_bus(systemd_hostnamed_t)
dbus_system_bus_client(systemd_hostnamed_t)
2018-02-15 22:07:08 +00:00
init_dbus_chat(systemd_hostnamed_t)
')
optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
#########################################
#
# hw local policy
#
allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };
files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
2018-06-08 00:17:15 +00:00
files_search_pids(systemd_hw_t)
selinux_get_fs_mount(systemd_hw_t)
2018-06-08 00:17:15 +00:00
init_read_state(systemd_hw_t)
seutil_read_config(systemd_hw_t)
seutil_read_file_contexts(systemd_hw_t)
#######################################
#
# locale local policy
#
kernel_read_kernel_sysctls(systemd_locale_t)
files_read_etc_files(systemd_locale_t)
seutil_read_file_contexts(systemd_locale_t)
systemd_log_parse_environment(systemd_locale_t)
optional_policy(`
dbus_connect_system_bus(systemd_locale_t)
dbus_system_bus_client(systemd_locale_t)
')
######################################
#
# systemd log parse enviroment
#
# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
dontaudit systemd_log_parse_env_type self:capability net_admin;
kernel_read_system_state(systemd_log_parse_env_type)
dev_write_kmsg(systemd_log_parse_env_type)
term_use_console(systemd_log_parse_env_type)
init_read_state(systemd_log_parse_env_type)
logging_send_syslog_msg(systemd_log_parse_env_type)
#########################################
#
# Logind local policy
#
allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
kernel_read_kernel_sysctls(systemd_logind_t)
dev_getattr_dri_dev(systemd_logind_t)
dev_getattr_generic_usb_dev(systemd_logind_t)
dev_getattr_kvm_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
dev_getattr_video_dev(systemd_logind_t)
dev_manage_wireless(systemd_logind_t)
dev_read_urand(systemd_logind_t)
dev_rw_dri(systemd_logind_t)
dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
domain_obj_id_change_exemption(systemd_logind_t)
files_read_etc_files(systemd_logind_t)
files_search_pids(systemd_logind_t)
fs_getattr_cgroup(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
fs_getattr_tmpfs_dirs(systemd_logind_t)
fs_list_tmpfs(systemd_logind_t)
fs_mount_tmpfs(systemd_logind_t)
fs_read_cgroup_files(systemd_logind_t)
2016-02-03 13:14:38 +00:00
fs_read_efivarfs_files(systemd_logind_t)
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)
2016-02-03 13:14:38 +00:00
selinux_get_enforce_mode(systemd_logind_t)
storage_getattr_removable_dev(systemd_logind_t)
storage_getattr_scsi_generic_dev(systemd_logind_t)
storage_setattr_removable_dev(systemd_logind_t)
storage_setattr_scsi_generic_dev(systemd_logind_t)
term_setattr_unallocated_ttys(systemd_logind_t)
term_use_unallocated_ttys(systemd_logind_t)
auth_manage_faillog(systemd_logind_t)
init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
init_get_system_status(systemd_logind_t)
init_read_utmp(systemd_logind_t)
init_service_start(systemd_logind_t)
init_service_status(systemd_logind_t)
init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)
locallogin_read_state(systemd_logind_t)
seutil_libselinux_linked(systemd_logind_t)
seutil_read_default_contexts(systemd_logind_t)
seutil_read_file_contexts(systemd_logind_t)
systemd_log_parse_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)
udev_list_pids(systemd_logind_t)
udev_read_db(systemd_logind_t)
udev_read_pid_files(systemd_logind_t)
Allow systemd_logind to delete user_runtime_content_type files Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type use interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects. type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-12 02:15:28 +00:00
userdom_delete_all_user_runtime_dirs(systemd_logind_t)
userdom_delete_all_user_runtime_files(systemd_logind_t)
userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
2018-02-15 22:07:08 +00:00
# user_tmp_t is for the dbus-1 directory
userdom_list_user_tmp(systemd_logind_t)
userdom_manage_user_runtime_dirs(systemd_logind_t)
userdom_manage_user_runtime_root_dirs(systemd_logind_t)
userdom_mounton_user_runtime_dirs(systemd_logind_t)
userdom_read_all_users_state(systemd_logind_t)
userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
userdom_relabel_user_tmpfs_files(systemd_logind_t)
userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed.
ifdef(`distro_redhat',`
userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
')
optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
dbus_system_bus_client(systemd_logind_t)
')
optional_policy(`
devicekit_dbus_chat_disk(systemd_logind_t)
devicekit_dbus_chat_power(systemd_logind_t)
')
2018-02-15 22:07:08 +00:00
optional_policy(`
modemmanager_dbus_chat(systemd_logind_t)
')
optional_policy(`
networkmanager_dbus_chat(systemd_logind_t)
')
optional_policy(`
policykit_dbus_chat(systemd_logind_t)
')
optional_policy(`
xserver_read_state(systemd_logind_t)
xserver_dbus_chat(systemd_logind_t)
xserver_dbus_chat_xdm(systemd_logind_t)
xserver_read_xdm_state(systemd_logind_t)
')
optional_policy(`
unconfined_dbus_send(systemd_logind_t)
')
#########################################
#
# machined local policy
#
allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
allow systemd_machined_t self:process setfscreate;
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)
files_read_etc_files(systemd_machined_t)
fs_getattr_cgroup(systemd_machined_t)
fs_getattr_tmpfs(systemd_machined_t)
fs_read_nsfs_files(systemd_machined_t)
selinux_getattr_fs(systemd_machined_t)
init_read_script_state(systemd_machined_t)
init_get_system_status(systemd_machined_t)
init_read_state(systemd_machined_t)
init_service_start(systemd_machined_t)
init_service_status(systemd_machined_t)
init_start_system(systemd_machined_t)
init_stop_system(systemd_machined_t)
init_get_generic_units_status(systemd_machined_t)
init_start_generic_units(systemd_machined_t)
init_stop_generic_units(systemd_machined_t)
logging_send_syslog_msg(systemd_machined_t)
seutil_search_default_contexts(systemd_machined_t)
optional_policy(`
init_dbus_chat(systemd_machined_t)
init_dbus_send_script(systemd_machined_t)
dbus_connect_system_bus(systemd_machined_t)
dbus_system_bus_client(systemd_machined_t)
')
########################################
#
# modules-load local policy
#
files_load_kernel_modules(systemd_modules_load_t)
files_read_etc_files(systemd_modules_load_t)
init_read_state(systemd_modules_load_t)
init_search_run(systemd_modules_load_t)
########################################
#
# networkd local policy
#
allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow systemd_networkd_t self:packet_socket create_socket_perms;
allow systemd_networkd_t self:process { getcap setcap setfscreate };
allow systemd_networkd_t self:rawip_socket create_socket_perms;
allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow systemd_networkd_t self:udp_socket create_socket_perms;
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
kernel_dgram_send(systemd_networkd_t)
kernel_read_system_state(systemd_networkd_t)
kernel_read_kernel_sysctls(systemd_networkd_t)
kernel_read_network_state(systemd_networkd_t)
kernel_request_load_module(systemd_networkd_t)
kernel_rw_net_sysctls(systemd_networkd_t)
corecmd_bin_entry_type(systemd_networkd_t)
corecmd_exec_bin(systemd_networkd_t)
corenet_rw_tun_tap_dev(systemd_networkd_t)
corenet_udp_bind_dhcpc_port(systemd_networkd_t)
corenet_udp_bind_generic_node(systemd_networkd_t)
dev_read_urand(systemd_networkd_t)
dev_read_sysfs(systemd_networkd_t)
dev_write_kmsg(systemd_networkd_t)
files_read_etc_files(systemd_networkd_t)
auth_use_nsswitch(systemd_networkd_t)
init_dgram_send(systemd_networkd_t)
init_read_state(systemd_networkd_t)
logging_send_syslog_msg(systemd_networkd_t)
miscfiles_read_localization(systemd_networkd_t)
sysnet_read_config(systemd_networkd_t)
systemd_log_parse_environment(systemd_networkd_t)
optional_policy(`
dbus_system_bus_client(systemd_networkd_t)
dbus_connect_system_bus(systemd_networkd_t)
')
optional_policy(`
udev_read_db(systemd_networkd_t)
udev_read_pid_files(systemd_networkd_t)
')
########################################
#
# systemd_notify local policy
#
allow systemd_notify_t self:capability chown;
allow systemd_notify_t self:process { setfscreate setsockcreate };
allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(systemd_notify_t)
files_read_etc_files(systemd_notify_t)
files_read_usr_files(systemd_notify_t)
fs_getattr_cgroup_files(systemd_notify_t)
auth_use_nsswitch(systemd_notify_t)
init_rw_stream_sockets(systemd_notify_t)
miscfiles_read_localization(systemd_notify_t)
2017-02-24 01:03:23 +00:00
########################################
#
# Nspawn local policy
#
allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_nspawn_t systemd_journal_t:dir search;
allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
2017-02-24 01:03:23 +00:00
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
# for /tmp/.#inaccessible*
allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
# for /run/systemd/nspawn/incoming in chroot
allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
kernel_mount_proc(systemd_nspawn_t)
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
kernel_mounton_message_if(systemd_nspawn_t)
kernel_mounton_proc(systemd_nspawn_t)
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
kernel_read_kernel_sysctls(systemd_nspawn_t)
kernel_read_system_state(systemd_nspawn_t)
kernel_remount_proc(systemd_nspawn_t)
kernel_unconfined(systemd_nspawn_t)
corecmd_exec_shell(systemd_nspawn_t)
corecmd_search_bin(systemd_nspawn_t)
corenet_rw_tun_tap_dev(systemd_nspawn_t)
dev_getattr_fs(systemd_nspawn_t)
dev_manage_sysfs_dirs(systemd_nspawn_t)
dev_mounton_sysfs_dirs(systemd_nspawn_t)
dev_mount_sysfs(systemd_nspawn_t)
dev_read_rand(systemd_nspawn_t)
dev_read_urand(systemd_nspawn_t)
files_getattr_tmp_dirs(systemd_nspawn_t)
files_manage_etc_files(systemd_nspawn_t)
files_manage_mnt_dirs(systemd_nspawn_t)
files_mounton_mnt(systemd_nspawn_t)
files_mounton_root(systemd_nspawn_t)
files_mounton_tmp(systemd_nspawn_t)
files_read_kernel_symbol_table(systemd_nspawn_t)
files_setattr_pid_dirs(systemd_nspawn_t)
fs_getattr_tmpfs(systemd_nspawn_t)
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
fs_mount_tmpfs(systemd_nspawn_t)
fs_remount_tmpfs(systemd_nspawn_t)
fs_remount_xattr_fs(systemd_nspawn_t)
fs_read_cgroup_files(systemd_nspawn_t)
term_getattr_generic_ptys(systemd_nspawn_t)
term_getattr_pty_fs(systemd_nspawn_t)
term_mount_devpts(systemd_nspawn_t)
term_search_ptys(systemd_nspawn_t)
term_setattr_generic_ptys(systemd_nspawn_t)
term_use_ptmx(systemd_nspawn_t)
init_domtrans_script(systemd_nspawn_t)
init_getrlimit(systemd_nspawn_t)
init_kill_scripts(systemd_nspawn_t)
init_read_state(systemd_nspawn_t)
init_search_run(systemd_nspawn_t)
init_write_runtime_socket(systemd_nspawn_t)
init_spec_domtrans_script(systemd_nspawn_t)
miscfiles_manage_localization(systemd_nspawn_t)
# for writing inside chroot
sysnet_manage_config(systemd_nspawn_t)
userdom_manage_user_home_dirs(systemd_nspawn_t)
tunable_policy(`systemd_nspawn_labeled_namespace',`
corecmd_exec_bin(systemd_nspawn_t)
corecmd_exec_shell(systemd_nspawn_t)
dev_mounton(systemd_nspawn_t)
dev_setattr_generic_dirs(systemd_nspawn_t)
# manage etc symlinks for /etc/localtime
files_manage_etc_symlinks(systemd_nspawn_t)
files_mounton_pid_dirs(systemd_nspawn_t)
files_search_home(systemd_nspawn_t)
fs_getattr_cgroup(systemd_nspawn_t)
fs_manage_cgroup_dirs(systemd_nspawn_t)
fs_manage_tmpfs_dirs(systemd_nspawn_t)
fs_manage_tmpfs_files(systemd_nspawn_t)
fs_manage_tmpfs_symlinks(systemd_nspawn_t)
fs_mount_cgroup(systemd_nspawn_t)
fs_mounton_cgroup(systemd_nspawn_t)
fs_mounton_tmpfs(systemd_nspawn_t)
fs_mounton_tmpfs_files(systemd_nspawn_t)
fs_remount_cgroup(systemd_nspawn_t)
fs_search_tmpfs(systemd_nspawn_t)
fs_unmount_cgroup(systemd_nspawn_t)
fs_write_cgroup_files(systemd_nspawn_t)
selinux_getattr_fs(systemd_nspawn_t)
selinux_remount_fs(systemd_nspawn_t)
selinux_search_fs(systemd_nspawn_t)
init_domtrans(systemd_nspawn_t)
logging_search_logs(systemd_nspawn_t)
seutil_search_default_contexts(systemd_nspawn_t)
')
optional_policy(`
allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
dbus_system_bus_client(systemd_nspawn_t)
2018-02-15 22:07:08 +00:00
optional_policy(`
unconfined_dbus_send(systemd_machined_t)
')
')
optional_policy(`
virt_manage_virt_content(systemd_nspawn_t)
')
#######################################
#
# systemd_passwd_agent_t local policy
#
allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
kernel_read_system_state(systemd_passwd_agent_t)
kernel_stream_connect(systemd_passwd_agent_t)
dev_create_generic_dirs(systemd_passwd_agent_t)
dev_read_generic_files(systemd_passwd_agent_t)
dev_write_generic_sock_files(systemd_passwd_agent_t)
dev_write_kmsg(systemd_passwd_agent_t)
files_read_etc_files(systemd_passwd_agent_t)
fs_getattr_xattr_fs(systemd_passwd_agent_t)
selinux_get_enforce_mode(systemd_passwd_agent_t)
selinux_getattr_fs(systemd_passwd_agent_t)
term_read_console(systemd_passwd_agent_t)
auth_use_nsswitch(systemd_passwd_agent_t)
init_create_runtime_dirs(systemd_passwd_agent_t)
init_read_runtime_pipes(systemd_passwd_agent_t)
init_read_state(systemd_passwd_agent_t)
init_read_utmp(systemd_passwd_agent_t)
init_stream_connect(systemd_passwd_agent_t)
logging_send_syslog_msg(systemd_passwd_agent_t)
miscfiles_read_localization(systemd_passwd_agent_t)
seutil_search_default_contexts(systemd_passwd_agent_t)
userdom_use_user_ttys(systemd_passwd_agent_t)
userdom_use_user_ptys(systemd_passwd_agent_t)
optional_policy(`
getty_use_fds(systemd_passwd_agent_t)
')
optional_policy(`
lvm_signull(systemd_passwd_agent_t)
')
optional_policy(`
plymouthd_stream_connect(systemd_passwd_agent_t)
')
2017-02-24 01:03:23 +00:00
2017-08-14 20:32:29 +00:00
#######################################
#
# Rfkill local policy
#
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
dev_read_sysfs(systemd_rfkill_t)
dev_rw_wireless(systemd_rfkill_t)
# Allow reading /etc/udev/udev.conf
files_read_etc_files(systemd_rfkill_t)
# Allow reading /run/udev/data/+rfkill:rfkill0
udev_read_pid_files(systemd_rfkill_t)
systemd_log_parse_environment(systemd_rfkill_t)
#########################################
#
# Resolved local policy
#
allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
allow systemd_resolved_t self:tcp_socket { accept listen };
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
Allow systemd-resolved to read sysctl type=AVC msg=audit(1527698300.007:150): avc: denied { search } for pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir type=AVC msg=audit(1527698300.007:150): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:150): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:151): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.007:149): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-06 14:25:06 +00:00
dev_read_sysfs(systemd_resolved_t)
kernel_dgram_send(systemd_resolved_t)
kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
Allow systemd-resolved to read sysctl type=AVC msg=audit(1527698300.007:150): avc: denied { search } for pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir type=AVC msg=audit(1527698300.007:150): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:150): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:151): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.007:149): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-06 14:25:06 +00:00
kernel_read_net_sysctls(systemd_resolved_t)
corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_dns_port(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
auth_use_nsswitch(systemd_resolved_t)
init_dgram_send(systemd_resolved_t)
seutil_read_file_contexts(systemd_resolved_t)
systemd_log_parse_environment(systemd_resolved_t)
Allow systemd_resolved to read systemd_networkd runtime files type=AVC msg=audit(1527698299.999:144): avc: denied { read } for pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir type=AVC msg=audit(1527698299.999:145): avc: denied { read } for pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527698299.999:145): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527698300.000:146): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527702014.276:183): avc: denied { search } for pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir type=AVC msg=audit(1527704163.181:152): avc: denied { open } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527704163.181:153): avc: denied { getattr } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527704163.604:173): avc: denied { read } for pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-06 14:25:07 +00:00
systemd_read_networkd_runtime(systemd_resolved_t)
optional_policy(`
dbus_connect_system_bus(systemd_resolved_t)
dbus_system_bus_client(systemd_resolved_t)
')
#########################################
#
# Sessions local policy
#
allow systemd_sessions_t self:process setfscreate;
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
selinux_get_enforce_mode(systemd_sessions_t)
selinux_get_fs_mount(systemd_sessions_t)
seutil_read_config(systemd_sessions_t)
seutil_read_default_contexts(systemd_sessions_t)
seutil_read_file_contexts(systemd_sessions_t)
systemd_log_parse_environment(systemd_sessions_t)
#########################################
#
# Tmpfiles local policy
#
allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
2017-02-24 01:03:23 +00:00
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
kernel_getattr_proc(systemd_tmpfiles_t)
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)
dev_getattr_fs(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
files_create_lock_dirs(systemd_tmpfiles_t)
files_manage_all_pid_dirs(systemd_tmpfiles_t)
files_delete_usr_files(systemd_tmpfiles_t)
files_list_home(systemd_tmpfiles_t)
files_list_locks(systemd_tmpfiles_t)
files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
files_manage_var_dirs(systemd_tmpfiles_t)
files_manage_var_lib_dirs(systemd_tmpfiles_t)
files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
files_read_etc_runtime_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
files_relabel_var_dirs(systemd_tmpfiles_t)
files_relabel_var_lib_dirs(systemd_tmpfiles_t)
files_relabelfrom_home(systemd_tmpfiles_t)
files_relabelto_home(systemd_tmpfiles_t)
files_relabelto_etc_dirs(systemd_tmpfiles_t)
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)
fs_getattr_tmpfs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
fs_list_tmpfs(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)
auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
auth_manage_lastlog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
auth_relabel_lastlog(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
init_manage_utmp(systemd_tmpfiles_t)
init_manage_var_lib_files(systemd_tmpfiles_t)
# for /proc/1/environ
init_read_state(systemd_tmpfiles_t)
init_relabel_utmp(systemd_tmpfiles_t)
init_relabel_var_lib_dirs(systemd_tmpfiles_t)
logging_manage_generic_logs(systemd_tmpfiles_t)
logging_manage_generic_log_dirs(systemd_tmpfiles_t)
logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
miscfiles_manage_man_pages(systemd_tmpfiles_t)
miscfiles_relabel_man_cache(systemd_tmpfiles_t)
seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
sysnet_manage_config(systemd_tmpfiles_t)
sysnet_relabel_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
files_manage_non_security_dirs(systemd_tmpfiles_t)
files_manage_non_security_files(systemd_tmpfiles_t)
files_relabel_non_security_dirs(systemd_tmpfiles_t)
files_relabel_non_security_files(systemd_tmpfiles_t)
')
optional_policy(`
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
')
optional_policy(`
apt_use_fds(systemd_tmpfiles_t)
dpkg_script_rw_inherited_pipes(systemd_tmpfiles_t)
')
optional_policy(`
xfs_create_tmp_dirs(systemd_tmpfiles_t)
')
optional_policy(`
xserver_create_console_pipes(systemd_tmpfiles_t)
xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
xserver_relabel_console_pipes(systemd_tmpfiles_t)
xserver_setattr_console_pipes(systemd_tmpfiles_t)
')
#########################################
#
# Update Done local policy
#
allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
dev_write_kmsg(systemd_update_done_t)
files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
kernel_read_system_state(systemd_update_done_t)