selinux-refpolicy/policy/modules/system/systemd.if

1037 lines
23 KiB
Plaintext
Raw Normal View History

## <summary>Systemd components (not PID 1)</summary>
#########################################
## <summary>
## Template for systemd --user per-role domains.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for generated types
## </summary>
## </param>
## <param name="role">
## <summary>
## The user role.
## </summary>
## </param>
## <param name="userdomain">
## <summary>
## The user domain for the role.
## </summary>
## </param>
#
template(`systemd_role_template',`
gen_require(`
attribute systemd_user_session_type, systemd_log_parse_env_type;
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
')
#################################
#
# Declarations
#
type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
init_pgm_spec_user_daemon_domain($1_systemd_t)
domain_user_exemption_target($1_systemd_t)
ubac_constrained($1_systemd_t)
role $2 types $1_systemd_t;
#################################
#
# Local policy
#
allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
# This domain is per-role because of the below transitions.
# See the sytemd --user section of systemd.te for the
# remainder of the rules.
allow $1_systemd_t $3:process { setsched rlimitinh };
corecmd_shell_domtrans($1_systemd_t, $3)
corecmd_bin_domtrans($1_systemd_t, $3)
')
######################################
## <summary>
## Make the specified type usable as an
## log parse environment type.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a log parse environment type.
## </summary>
## </param>
#
interface(`systemd_log_parse_environment',`
gen_require(`
attribute systemd_log_parse_env_type;
')
typeattribute $1 systemd_log_parse_env_type;
')
######################################
## <summary>
## Allow domain to be used as a systemd service with a unit
## that uses PrivateDevices=yes in section [Service].
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`systemd_PrivateDevices',`
# For services using PrivateDevices, systemd mounts a dedicated
# tmpfs filesystem for the /dev, which gets label tmpfs_t.
# Allow to traverse /dev and to read symlinks in /dev (for example /dev/log)
fs_read_tmpfs_symlinks($1)
')
2018-06-08 00:17:15 +00:00
#######################################
## <summary>
## Allow domain to read udev hwdb file
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_read_hwdb',`
gen_require(`
type systemd_hwdb_t;
')
read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')
#######################################
## <summary>
## Allow domain to map udev hwdb file
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_map_hwdb',`
gen_require(`
type systemd_hwdb_t;
')
allow $1 systemd_hwdb_t:file map;
')
######################################
## <summary>
## Read systemd_login PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_logind_pids',`
gen_require(`
type systemd_logind_var_run_t;
')
files_search_pids($1)
2017-02-24 01:03:23 +00:00
allow $1 systemd_logind_var_run_t:dir list_dir_perms;
allow $1 systemd_logind_var_run_t:file read_file_perms;
')
######################################
## <summary>
## Manage systemd_login PID pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_logind_pid_pipes',`
gen_require(`
type systemd_logind_var_run_t;
')
files_search_pids($1)
manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
')
######################################
## <summary>
## Write systemd_login named pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_logind_pid_pipes',`
gen_require(`
type systemd_logind_var_run_t;
')
init_search_run($1)
files_search_pids($1)
allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
')
######################################
## <summary>
## Use inherited systemd
## logind file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_use_logind_fds',`
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:fd use;
')
######################################
## <summary>
## Read logind sessions files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_logind_sessions_files',`
gen_require(`
type systemd_sessions_var_run_t, systemd_logind_t;
')
allow $1 systemd_logind_t:fd use;
init_search_run($1)
allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
')
2017-02-24 01:03:23 +00:00
######################################
## <summary>
## Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
gen_require(`
type systemd_logind_t, systemd_sessions_var_run_t;
')
allow $1 systemd_logind_t:fd use;
allow $1 systemd_sessions_var_run_t:fifo_file write;
allow systemd_logind_t $1:process signal;
')
######################################
## <summary>
## Write inherited logind inhibit pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_inherited_logind_inhibit_pipes',`
gen_require(`
type systemd_logind_inhibit_var_run_t;
type systemd_logind_t;
')
allow $1 systemd_logind_t:fd use;
allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
')
########################################
## <summary>
## Send and receive messages from
## systemd logind over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_logind',`
gen_require(`
type systemd_logind_t;
class dbus send_msg;
')
allow $1 systemd_logind_t:dbus send_msg;
allow systemd_logind_t $1:dbus send_msg;
')
########################################
## <summary>
## Allow process to write to systemd_kmod_conf_t.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`systemd_write_kmod_files',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
2017-02-24 01:03:23 +00:00
## <summary>
## Get the system status information from systemd_login
2017-02-24 01:03:23 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2017-02-24 01:03:23 +00:00
## </param>
#
interface(`systemd_status_logind',`
2017-02-24 01:03:23 +00:00
gen_require(`
type systemd_logind_t;
class service status;
2017-02-24 01:03:23 +00:00
')
allow $1 systemd_logind_t:service status;
2017-02-24 01:03:23 +00:00
')
########################################
## <summary>
## Send systemd_login a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_signull_logind',`
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:process signull;
')
########################################
## <summary>
## Allow reading /run/systemd/machines
## </summary>
## <param name="domain">
## <summary>
## Domain that can access the machines files
## </summary>
## </param>
#
interface(`systemd_read_machines',`
gen_require(`
type systemd_machined_var_run_t;
')
allow $1 systemd_machined_var_run_t:dir list_dir_perms;
allow $1 systemd_machined_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Send and receive messages from
## systemd hostnamed over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_hostnamed',`
gen_require(`
type systemd_hostnamed_t;
class dbus send_msg;
')
allow $1 systemd_hostnamed_t:dbus send_msg;
allow systemd_hostnamed_t $1:dbus send_msg;
')
2017-02-24 01:03:23 +00:00
########################################
## <summary>
## allow systemd_passwd_agent to inherit fds
## </summary>
## <param name="domain">
## <summary>
## Domain that owns the fds
## </summary>
## </param>
#
interface(`systemd_use_passwd_agent_fds',`
gen_require(`
type systemd_passwd_agent_t;
')
allow systemd_passwd_agent_t $1:fd use;
')
#######################################
## <summary>
## Allow a systemd_passwd_agent_t process to interact with a daemon
## that needs a password from the sysadmin.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_use_passwd_agent',`
gen_require(`
type systemd_passwd_agent_t;
type systemd_passwd_var_run_t;
')
manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
allow systemd_passwd_agent_t $1:process signull;
ps_process_pattern(systemd_passwd_agent_t, $1)
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')
2017-02-24 01:03:23 +00:00
########################################
## <summary>
## Transition to systemd_passwd_var_run_t when creating dirs
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_filetrans_passwd_runtime_dirs',`
gen_require(`
type systemd_passwd_var_run_t;
')
init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
')
######################################
## <summary>
## Allow to domain to create systemd-passwd symlink
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_passwd_runtime_symlinks',`
gen_require(`
type systemd_passwd_var_run_t;
')
allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
')
2017-02-24 01:03:23 +00:00
########################################
## <summary>
## manage systemd unit dirs and the files in them
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_all_units',`
gen_require(`
attribute systemdunit;
')
manage_dirs_pattern($1, systemdunit, systemdunit)
manage_files_pattern($1, systemdunit, systemdunit)
manage_lnk_files_pattern($1, systemdunit, systemdunit)
')
########################################
## <summary>
## Allow domain to read systemd_journal_t files
2017-02-24 01:03:23 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_journal_files',`
2017-02-24 01:03:23 +00:00
gen_require(`
2017-02-24 01:16:40 +00:00
type systemd_journal_t;
2017-02-24 01:03:23 +00:00
')
list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
2017-02-24 01:03:23 +00:00
')
Add interface to read journal files When using 'systemctl status <service>' it will show recent log entries for the selected service. These recent log entries are coming from the journal. These rules allow the reading of the journal files. type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-19 16:19:16 +00:00
########################################
## <summary>
## Allow domain to create/manage systemd_journal_t files
Add interface to read journal files When using 'systemctl status <service>' it will show recent log entries for the selected service. These recent log entries are coming from the journal. These rules allow the reading of the journal files. type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-19 16:19:16 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_journal_files',`
Add interface to read journal files When using 'systemctl status <service>' it will show recent log entries for the selected service. These recent log entries are coming from the journal. These rules allow the reading of the journal files. type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-19 16:19:16 +00:00
gen_require(`
type systemd_journal_t;
')
manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
allow $1 systemd_journal_t:file map;
Add interface to read journal files When using 'systemctl status <service>' it will show recent log entries for the selected service. These recent log entries are coming from the journal. These rules allow the reading of the journal files. type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-19 16:19:16 +00:00
')
Fix problem labeling /run/log/journal/* Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/* [ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir [ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied [ 4.758736] type=1400 audit(1507601754.187:4): avc: denied { relabelto } for pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir [ 4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied [ 4.758928] type=1400 audit(1507601754.187:5): avc: denied { relabelto } for pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir [ 4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied [ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file [ 4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-09 21:15:13 +00:00
########################################
## <summary>
## Relabel to systemd-journald directory type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelto_journal_dirs',`
gen_require(`
type systemd_journal_t;
')
files_search_var($1)
allow $1 systemd_journal_t:dir relabelto_dir_perms;
')
########################################
## <summary>
## Relabel to systemd-journald file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelto_journal_files',`
gen_require(`
type systemd_journal_t;
')
files_search_var($1)
list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
allow $1 systemd_journal_t:file relabelto_file_perms;
')
########################################
## <summary>
## Allow domain to read systemd_networkd_t unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_networkd_units',`
gen_require(`
type systemd_networkd_t;
')
init_search_units($1)
list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')
########################################
## <summary>
## Allow domain to create/manage systemd_networkd_t unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_networkd_units',`
gen_require(`
type systemd_networkd_unit_t;
')
init_search_units($1)
manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')
########################################
## <summary>
## Allow specified domain to enable systemd-networkd units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_enabledisable_networkd',`
gen_require(`
type systemd_networkd_unit_t;
class service { enable disable };
')
allow $1 systemd_networkd_unit_t:service { enable disable };
')
########################################
## <summary>
## Allow specified domain to start systemd-networkd units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_startstop_networkd',`
gen_require(`
type systemd_networkd_unit_t;
class service { start stop };
')
allow $1 systemd_networkd_unit_t:service { start stop };
')
########################################
## <summary>
## Allow specified domain to get status of systemd-networkd
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_status_networkd',`
gen_require(`
type systemd_networkd_unit_t;
class service status;
')
allow $1 systemd_networkd_unit_t:service status;
')
#######################################
## <summary>
## Relabel systemd_networkd tun socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelfrom_networkd_tun_sockets',`
gen_require(`
type systemd_networkd_t;
')
allow $1 systemd_networkd_t:tun_socket relabelfrom;
')
#######################################
## <summary>
## Read/Write from systemd_networkd netlink route socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_rw_networkd_netlink_route_sockets',`
gen_require(`
type systemd_networkd_t;
')
allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
')
#######################################
## <summary>
## Allow domain to list dirs under /run/systemd/netif
## </summary>
## <param name="domain">
## <summary>
## domain permitted the access
## </summary>
## </param>
#
interface(`systemd_list_networkd_runtime',`
gen_require(`
type systemd_networkd_var_run_t;
')
init_list_pids($1)
allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
')
Allow systemd_resolved to read systemd_networkd runtime files type=AVC msg=audit(1527698299.999:144): avc: denied { read } for pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir type=AVC msg=audit(1527698299.999:145): avc: denied { read } for pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527698299.999:145): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527698300.000:146): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527702014.276:183): avc: denied { search } for pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir type=AVC msg=audit(1527704163.181:152): avc: denied { open } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527704163.181:153): avc: denied { getattr } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527704163.604:173): avc: denied { read } for pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-06 14:25:07 +00:00
#######################################
## <summary>
## Allow domain to read files generated by systemd_networkd
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_read_networkd_runtime',`
gen_require(`
type systemd_networkd_var_run_t;
')
list_dirs_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
read_files_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
')
########################################
## <summary>
2017-02-19 21:13:14 +00:00
## Allow systemd_logind_t to read process state for cgroup file
## </summary>
## <param name="domain">
## <summary>
## Domain systemd_logind_t may access.
## </summary>
## </param>
#
interface(`systemd_read_logind_state',`
gen_require(`
type systemd_logind_t;
')
allow systemd_logind_t $1:dir list_dir_perms;
allow systemd_logind_t $1:file read_file_perms;
')
########################################
## <summary>
## Allow specified domain to start power units
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`systemd_start_power_units',`
gen_require(`
type power_unit_t;
class service start;
')
allow $1 power_unit_t:service start;
')
########################################
## <summary>
## Make the specified type usable for
## systemd tmpfiles config files.
## </summary>
## <param name="type">
## <summary>
## Type to be used for systemd tmpfiles config files.
## </summary>
## </param>
#
2017-09-08 15:41:56 +00:00
interface(`systemd_tmpfiles_conf_file',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
files_config_file($1)
typeattribute $1 systemd_tmpfiles_conf_type;
')
########################################
## <summary>
## Allow the specified domain to create
## the tmpfiles config directory with
## the correct context.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_creator',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
allow $1 systemd_tmpfiles_conf_t:dir create;
')
########################################
## <summary>
## Create an object in the systemd tmpfiles config
## directory, with a private type
## using a type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private type">
## <summary>
## The type of the object to be created.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_conf_filetrans',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
files_search_pids($1)
filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')
########################################
## <summary>
## Allow domain to list systemd tmpfiles config directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_list_tmpfiles_conf',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
')
########################################
## <summary>
## Allow domain to relabel to systemd tmpfiles config directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
')
########################################
## <summary>
## Allow domain to relabel to systemd tmpfiles config files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_files',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
')
#######################################
## <summary>
## Allow systemd_tmpfiles_t to manage filesystem objects
## </summary>
## <param name="type">
## <summary>
## type of object to manage
## </summary>
## </param>
## <param name="class">
## <summary>
## object class to manage
## </summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
gen_require(`
type systemd_tmpfiles_t;
')
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
########################################
## <summary>
## Send and receive messages from
## systemd resolved over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_resolved',`
gen_require(`
type systemd_resolved_t;
class dbus send_msg;
')
allow $1 systemd_resolved_t:dbus send_msg;
allow systemd_resolved_t $1:dbus send_msg;
')
#######################################
## <summary>
## Allow domain to read resolv.conf file generated by systemd_resolved
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_read_resolved_runtime',`
gen_require(`
type systemd_resolved_var_run_t;
')
read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
')
#######################################
## <summary>
## Allow domain to getattr on .updated file (generated by systemd-update-done
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_getattr_updated_runtime',`
gen_require(`
type systemd_update_run_t;
')
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
########################################
## <summary>
## Search keys for the all systemd --user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_search_all_user_keys',`
gen_require(`
attribute systemd_user_session_type;
')
allow $1 systemd_user_session_type:key search;
')
########################################
## <summary>
## Create keys for the all systemd --user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_create_all_user_keys',`
gen_require(`
attribute systemd_user_session_type;
')
allow $1 systemd_user_session_type:key create;
')
########################################
## <summary>
## Write keys for the all systemd --user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_all_user_keys',`
gen_require(`
attribute systemd_user_session_type;
')
allow $1 systemd_user_session_type:key write;
')