2021-03-19 19:17:54 +00:00
|
|
|
policy_module(systemd, 1.11.2)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Declarations
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Enable support for systemd-tmpfiles to manage all non-security files.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(systemd_tmpfiles_manage_all, false)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Allow systemd-nspawn to create a labelled namespace with the same types
|
|
|
|
|
## as parent environment
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(systemd_nspawn_labeled_namespace, false)
|
|
|
|
|
|
2020-01-12 19:51:45 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Allow systemd-logind to interact with the bootloader (read which one is
|
|
|
|
|
## installed on fixed disks, enumerate entries for dbus property
|
|
|
|
|
## BootLoaderEntries, etc.)
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(systemd_logind_get_bootloader, false)
|
|
|
|
|
|
2020-11-08 13:50:12 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Allow systemd-socket-proxyd to bind any port instead of one labelled
|
|
|
|
|
## with systemd_socket_proxyd_port_t.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(systemd_socket_proxyd_bind_any, false)
|
|
|
|
|
|
|
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Allow systemd-socket-proxyd to connect to any port instead of
|
|
|
|
|
## labelled ones.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(systemd_socket_proxyd_connect_any, false)
|
|
|
|
|
|
2021-02-03 09:00:35 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Allow systemd-tmpfilesd to populate missing configuration files from factory
|
|
|
|
|
## template directory.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(systemd_tmpfilesd_factory, false)
|
|
|
|
|
|
2016-03-31 07:40:42 +00:00
|
|
|
attribute systemd_log_parse_env_type;
|
2017-02-18 21:16:30 +00:00
|
|
|
attribute systemd_tmpfiles_conf_type;
|
2019-04-19 15:50:59 +00:00
|
|
|
attribute systemd_user_session_type;
|
2021-03-13 23:22:59 +00:00
|
|
|
attribute systemd_user_activated_sock_file_type;
|
|
|
|
|
attribute systemd_user_unix_stream_activated_socket_type;
|
2016-03-31 07:40:42 +00:00
|
|
|
|
2020-05-30 13:13:22 +00:00
|
|
|
attribute_role systemd_sysusers_roles;
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_activate_t;
|
|
|
|
|
type systemd_activate_exec_t;
|
|
|
|
|
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_analyze_t;
|
|
|
|
|
type systemd_analyze_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_backlight_t;
|
|
|
|
|
type systemd_backlight_exec_t;
|
|
|
|
|
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
|
|
|
|
|
|
2016-12-27 13:44:58 +00:00
|
|
|
type systemd_backlight_unit_t;
|
|
|
|
|
init_unit_file(systemd_backlight_unit_t)
|
|
|
|
|
|
|
|
|
|
type systemd_backlight_var_lib_t;
|
|
|
|
|
files_type(systemd_backlight_var_lib_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_binfmt_t;
|
|
|
|
|
type systemd_binfmt_exec_t;
|
|
|
|
|
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
|
|
|
|
|
|
2016-12-27 13:45:21 +00:00
|
|
|
type systemd_binfmt_unit_t;
|
|
|
|
|
init_unit_file(systemd_binfmt_unit_t)
|
|
|
|
|
|
2020-01-15 20:46:40 +00:00
|
|
|
type systemd_conf_t;
|
|
|
|
|
files_config_file(systemd_conf_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_cgroups_t;
|
|
|
|
|
type systemd_cgroups_exec_t;
|
|
|
|
|
domain_type(systemd_cgroups_t)
|
|
|
|
|
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
|
|
|
|
|
role system_r types systemd_cgroups_t;
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_cgroups_runtime_t alias systemd_cgroups_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_cgroups_runtime_t)
|
|
|
|
|
init_daemon_runtime_file(systemd_cgroups_runtime_t, dir, "systemd_cgroups")
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
type systemd_cgtop_t;
|
|
|
|
|
type systemd_cgtop_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_coredump_t;
|
|
|
|
|
type systemd_coredump_exec_t;
|
|
|
|
|
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
type systemd_coredump_var_lib_t;
|
|
|
|
|
files_type(systemd_coredump_var_lib_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_detect_virt_t;
|
|
|
|
|
type systemd_detect_virt_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
|
|
|
|
|
|
2021-02-03 09:00:35 +00:00
|
|
|
type systemd_factory_conf_t;
|
|
|
|
|
systemd_tmpfiles_conf_file(systemd_factory_conf_t)
|
|
|
|
|
|
2020-06-15 13:16:51 +00:00
|
|
|
type systemd_generator_t;
|
|
|
|
|
type systemd_generator_exec_t;
|
|
|
|
|
typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
|
|
|
|
|
typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t systemd_gpt_generator_exec_t };
|
|
|
|
|
init_system_domain(systemd_generator_t, systemd_generator_exec_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_hostnamed_t;
|
|
|
|
|
type systemd_hostnamed_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
|
|
|
|
|
|
2018-06-07 19:19:40 +00:00
|
|
|
type systemd_hw_t;
|
|
|
|
|
type systemd_hw_exec_t;
|
|
|
|
|
init_system_domain(systemd_hw_t, systemd_hw_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_hwdb_t;
|
2020-01-31 19:41:28 +00:00
|
|
|
files_type(systemd_hwdb_t)
|
2018-06-07 19:19:40 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
type systemd_journal_t;
|
|
|
|
|
files_type(systemd_journal_t)
|
|
|
|
|
logging_log_file(systemd_journal_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_locale_t;
|
|
|
|
|
type systemd_locale_exec_t;
|
|
|
|
|
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_logind_t;
|
|
|
|
|
type systemd_logind_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
|
2019-09-08 20:55:02 +00:00
|
|
|
init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_logind_inhibit_runtime_t)
|
2020-05-17 11:37:04 +00:00
|
|
|
init_mountpoint(systemd_logind_inhibit_runtime_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_logind_runtime_t alias systemd_logind_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_logind_runtime_t)
|
|
|
|
|
init_daemon_runtime_file(systemd_logind_runtime_t, dir, "systemd_logind")
|
2020-05-17 11:37:04 +00:00
|
|
|
init_mountpoint(systemd_logind_runtime_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type systemd_logind_var_lib_t;
|
|
|
|
|
files_type(systemd_logind_var_lib_t)
|
2020-05-17 11:37:04 +00:00
|
|
|
init_mountpoint(systemd_logind_var_lib_t)
|
2017-12-06 17:06:04 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_machined_t;
|
|
|
|
|
type systemd_machined_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
|
|
|
|
|
|
2021-02-02 18:50:45 +00:00
|
|
|
type systemd_machined_devpts_t;
|
|
|
|
|
term_login_pty(systemd_machined_devpts_t)
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_machined_runtime_t alias systemd_machined_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_machined_runtime_t)
|
|
|
|
|
init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2019-02-07 21:15:32 +00:00
|
|
|
type systemd_modules_load_t;
|
|
|
|
|
type systemd_modules_load_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
|
|
|
|
|
|
2017-10-11 14:59:08 +00:00
|
|
|
type systemd_networkd_t;
|
|
|
|
|
type systemd_networkd_exec_t;
|
|
|
|
|
init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_networkd_runtime_t)
|
2021-02-04 15:19:40 +00:00
|
|
|
init_mountpoint(systemd_networkd_runtime_t)
|
2017-10-11 14:59:08 +00:00
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type systemd_networkd_unit_t;
|
|
|
|
|
init_unit_file(systemd_networkd_unit_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
type systemd_notify_t;
|
|
|
|
|
type systemd_notify_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_nspawn_t;
|
|
|
|
|
type systemd_nspawn_exec_t;
|
|
|
|
|
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
|
2019-01-04 07:54:22 +00:00
|
|
|
mcs_killall(systemd_nspawn_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_nspawn_runtime_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2017-09-05 05:38:13 +00:00
|
|
|
type systemd_nspawn_tmp_t;
|
|
|
|
|
files_tmp_file(systemd_nspawn_tmp_t)
|
|
|
|
|
|
2020-10-05 18:18:28 +00:00
|
|
|
type systemd_pstore_t;
|
|
|
|
|
type systemd_pstore_exec_t;
|
|
|
|
|
init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_pstore_var_lib_t;
|
|
|
|
|
files_type(systemd_pstore_var_lib_t)
|
|
|
|
|
|
2016-05-26 12:43:10 +00:00
|
|
|
type systemd_resolved_t;
|
|
|
|
|
type systemd_resolved_exec_t;
|
|
|
|
|
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_resolved_runtime_t)
|
2016-05-26 12:43:10 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_run_t;
|
|
|
|
|
type systemd_run_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_run_t, systemd_run_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_stdio_bridge_t;
|
|
|
|
|
type systemd_stdio_bridge_exec_t;
|
|
|
|
|
init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_passwd_agent_t;
|
|
|
|
|
type systemd_passwd_agent_exec_t;
|
|
|
|
|
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_passwd_runtime_t alias systemd_passwd_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_passwd_runtime_t)
|
2020-01-08 15:51:11 +00:00
|
|
|
init_path_unit_location_file(systemd_passwd_runtime_t)
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2017-08-14 20:32:29 +00:00
|
|
|
type systemd_rfkill_t;
|
|
|
|
|
type systemd_rfkill_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_rfkill_t, systemd_rfkill_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_rfkill_unit_t;
|
|
|
|
|
init_unit_file(systemd_rfkill_unit_t)
|
|
|
|
|
|
|
|
|
|
type systemd_rfkill_var_lib_t;
|
|
|
|
|
files_type(systemd_rfkill_var_lib_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_sessions_t;
|
|
|
|
|
type systemd_sessions_exec_t;
|
|
|
|
|
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
type systemd_sessions_runtime_t alias systemd_sessions_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(systemd_sessions_runtime_t)
|
|
|
|
|
init_daemon_runtime_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
|
2020-05-17 11:37:04 +00:00
|
|
|
init_mountpoint(systemd_sessions_runtime_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2020-11-08 13:50:12 +00:00
|
|
|
type systemd_socket_proxyd_t;
|
|
|
|
|
type systemd_socket_proxyd_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_socket_proxyd_port_t;
|
|
|
|
|
corenet_port(systemd_socket_proxyd_port_t)
|
|
|
|
|
|
|
|
|
|
type systemd_socket_proxyd_unit_file_t;
|
|
|
|
|
init_unit_file(systemd_socket_proxyd_unit_file_t)
|
|
|
|
|
|
2020-05-29 18:00:53 +00:00
|
|
|
type systemd_sysusers_t;
|
|
|
|
|
type systemd_sysusers_exec_t;
|
|
|
|
|
init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
|
2020-05-30 13:13:22 +00:00
|
|
|
role systemd_sysusers_roles types systemd_sysusers_t;
|
2020-05-29 18:00:53 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
type systemd_tmpfiles_t;
|
|
|
|
|
type systemd_tmpfiles_exec_t;
|
|
|
|
|
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
|
|
|
|
|
|
2017-02-18 21:16:30 +00:00
|
|
|
type systemd_tmpfiles_conf_t;
|
|
|
|
|
files_config_file(systemd_tmpfiles_conf_t)
|
|
|
|
|
|
2018-06-07 19:19:41 +00:00
|
|
|
type systemd_update_done_t;
|
|
|
|
|
type systemd_update_done_exec_t;
|
|
|
|
|
init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
|
|
|
|
|
|
|
|
|
|
type systemd_update_run_t;
|
|
|
|
|
files_type(systemd_update_run_t)
|
|
|
|
|
|
2021-03-13 23:22:59 +00:00
|
|
|
type systemd_conf_home_t;
|
|
|
|
|
init_unit_file(systemd_conf_home_t)
|
|
|
|
|
xdg_config_content(systemd_conf_home_t)
|
|
|
|
|
|
|
|
|
|
type systemd_data_home_t;
|
|
|
|
|
xdg_data_content(systemd_data_home_t)
|
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
type systemd_user_runtime_notify_t;
|
|
|
|
|
userdom_user_runtime_content(systemd_user_runtime_notify_t)
|
|
|
|
|
|
|
|
|
|
type systemd_user_runtime_t;
|
|
|
|
|
userdom_user_runtime_content(systemd_user_runtime_t)
|
|
|
|
|
|
2020-01-31 21:46:56 +00:00
|
|
|
type systemd_user_runtime_dir_t;
|
|
|
|
|
type systemd_user_runtime_dir_exec_t;
|
|
|
|
|
init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
|
|
|
|
|
|
2020-04-16 14:30:56 +00:00
|
|
|
type systemd_user_tmpfs_t;
|
|
|
|
|
userdom_user_tmpfs_file(systemd_user_tmpfs_t)
|
|
|
|
|
|
2020-06-04 08:30:19 +00:00
|
|
|
type systemd_userdb_runtime_t;
|
|
|
|
|
files_runtime_file(systemd_userdb_runtime_t)
|
|
|
|
|
|
2021-03-13 23:22:59 +00:00
|
|
|
type systemd_user_unit_t;
|
|
|
|
|
init_unit_file(systemd_user_unit_t)
|
|
|
|
|
|
|
|
|
|
type systemd_user_runtime_unit_t;
|
|
|
|
|
init_unit_file(systemd_user_runtime_unit_t)
|
|
|
|
|
userdom_user_runtime_content(systemd_user_runtime_unit_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
#
|
|
|
|
|
# Unit file types
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
type power_unit_t;
|
|
|
|
|
init_unit_file(power_unit_t)
|
|
|
|
|
|
2016-12-27 13:44:58 +00:00
|
|
|
######################################
|
|
|
|
|
#
|
|
|
|
|
# Backlight local policy
|
|
|
|
|
#
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
|
|
|
|
|
|
2016-12-27 13:44:58 +00:00
|
|
|
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
|
|
|
|
|
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
|
|
|
|
|
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
|
|
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_backlight_t)
|
|
|
|
|
|
|
|
|
|
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
|
|
|
|
|
dev_rw_sysfs(systemd_backlight_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
# for udev.conf
|
2016-12-27 13:44:58 +00:00
|
|
|
files_read_etc_files(systemd_backlight_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
# for /run/udev/data/+backlight*
|
2020-06-27 21:11:48 +00:00
|
|
|
udev_read_runtime_files(systemd_backlight_t)
|
2016-12-27 13:44:58 +00:00
|
|
|
|
2017-09-05 05:38:13 +00:00
|
|
|
files_search_var_lib(systemd_backlight_t)
|
|
|
|
|
|
2016-12-27 13:45:21 +00:00
|
|
|
#######################################
|
|
|
|
|
#
|
|
|
|
|
# Binfmt local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-09-14 12:36:13 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_binfmt_t)
|
|
|
|
|
|
2016-12-27 13:45:21 +00:00
|
|
|
systemd_log_parse_environment(systemd_binfmt_t)
|
|
|
|
|
|
|
|
|
|
# Allow to read /etc/binfmt.d/ files
|
|
|
|
|
files_read_etc_files(systemd_binfmt_t)
|
|
|
|
|
|
|
|
|
|
fs_register_binary_executable_type(systemd_binfmt_t)
|
|
|
|
|
|
2020-03-17 12:39:30 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
######################################
|
|
|
|
|
#
|
|
|
|
|
# Cgroups local policy
|
|
|
|
|
#
|
|
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
allow systemd_cgroups_t self:capability net_admin;
|
|
|
|
|
|
2019-01-10 00:30:15 +00:00
|
|
|
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
# for /proc/cmdline
|
|
|
|
|
kernel_read_system_state(systemd_cgroups_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-01-10 00:30:15 +00:00
|
|
|
mls_fd_use_all_levels(systemd_cgroups_t)
|
|
|
|
|
|
2017-01-05 10:40:32 +00:00
|
|
|
selinux_getattr_fs(systemd_cgroups_t)
|
|
|
|
|
|
|
|
|
|
# write to /run/systemd/cgroups-agent
|
|
|
|
|
init_dgram_send(systemd_cgroups_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
init_stream_connect(systemd_cgroups_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
# for /proc/1/environ
|
|
|
|
|
init_read_state(systemd_cgroups_t)
|
|
|
|
|
|
|
|
|
|
seutil_libselinux_linked(systemd_cgroups_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2016-03-31 07:40:42 +00:00
|
|
|
systemd_log_parse_environment(systemd_cgroups_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-01-10 00:30:15 +00:00
|
|
|
ifdef(`enable_mls',`
|
|
|
|
|
kernel_ranged_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t, s0 - mls_systemhigh)
|
|
|
|
|
')
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
######################################
|
2015-10-23 14:16:59 +00:00
|
|
|
#
|
2017-02-25 14:35:10 +00:00
|
|
|
# coredump local policy
|
2015-10-23 14:16:59 +00:00
|
|
|
#
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
|
|
|
|
|
allow systemd_coredump_t self:capability { setgid setuid setpcap };
|
|
|
|
|
allow systemd_coredump_t self:process { getcap setcap setfscreate };
|
2015-12-14 21:19:24 +00:00
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-10-01 19:30:29 +00:00
|
|
|
kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
|
2017-02-25 14:35:10 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_coredump_t)
|
|
|
|
|
kernel_read_system_state(systemd_coredump_t)
|
|
|
|
|
kernel_rw_pipes(systemd_coredump_t)
|
|
|
|
|
kernel_use_fds(systemd_coredump_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
corecmd_exec_bin(systemd_coredump_t)
|
|
|
|
|
corecmd_read_all_executables(systemd_coredump_t)
|
|
|
|
|
|
|
|
|
|
dev_write_kmsg(systemd_coredump_t)
|
|
|
|
|
|
2020-03-27 14:20:26 +00:00
|
|
|
files_getattr_all_mountpoints(systemd_coredump_t)
|
2017-02-25 14:35:10 +00:00
|
|
|
files_read_etc_files(systemd_coredump_t)
|
|
|
|
|
files_search_var_lib(systemd_coredump_t)
|
|
|
|
|
|
|
|
|
|
fs_getattr_xattr_fs(systemd_coredump_t)
|
|
|
|
|
|
|
|
|
|
selinux_getattr_fs(systemd_coredump_t)
|
|
|
|
|
|
|
|
|
|
init_list_var_lib_dirs(systemd_coredump_t)
|
|
|
|
|
init_read_state(systemd_coredump_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
init_search_runtime(systemd_coredump_t)
|
2019-01-11 20:07:57 +00:00
|
|
|
init_write_runtime_socket(systemd_coredump_t)
|
2017-02-25 14:35:10 +00:00
|
|
|
|
|
|
|
|
logging_send_syslog_msg(systemd_coredump_t)
|
|
|
|
|
|
|
|
|
|
seutil_search_default_contexts(systemd_coredump_t)
|
2016-03-31 07:40:42 +00:00
|
|
|
|
2020-06-15 13:16:51 +00:00
|
|
|
#######################################
|
|
|
|
|
#
|
|
|
|
|
# Systemd generator local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
|
2020-08-13 09:52:20 +00:00
|
|
|
allow systemd_generator_t self:capability dac_override;
|
|
|
|
|
allow systemd_generator_t self:process setfscreate;
|
2020-06-15 13:16:51 +00:00
|
|
|
|
|
|
|
|
corecmd_getattr_bin_files(systemd_generator_t)
|
|
|
|
|
|
|
|
|
|
dev_read_sysfs(systemd_generator_t)
|
|
|
|
|
dev_write_kmsg(systemd_generator_t)
|
|
|
|
|
dev_write_sysfs_dirs(systemd_generator_t)
|
|
|
|
|
|
|
|
|
|
files_read_etc_files(systemd_generator_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_search_runtime(systemd_generator_t)
|
2020-06-15 13:16:51 +00:00
|
|
|
files_list_boot(systemd_generator_t)
|
|
|
|
|
files_read_boot_files(systemd_generator_t)
|
|
|
|
|
files_search_all_mountpoints(systemd_generator_t)
|
|
|
|
|
files_list_usr(systemd_generator_t)
|
|
|
|
|
|
|
|
|
|
fs_list_efivars(systemd_generator_t)
|
|
|
|
|
fs_getattr_xattr_fs(systemd_generator_t)
|
|
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
init_create_runtime_files(systemd_generator_t)
|
|
|
|
|
init_manage_runtime_dirs(systemd_generator_t)
|
|
|
|
|
init_manage_runtime_symlinks(systemd_generator_t)
|
2020-06-15 13:16:51 +00:00
|
|
|
init_read_runtime_files(systemd_generator_t)
|
|
|
|
|
init_read_state(systemd_generator_t)
|
|
|
|
|
init_rename_runtime_files(systemd_generator_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
init_search_runtime(systemd_generator_t)
|
2020-06-15 13:16:51 +00:00
|
|
|
init_setattr_runtime_files(systemd_generator_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
init_write_runtime_files(systemd_generator_t)
|
2020-06-15 13:16:51 +00:00
|
|
|
init_list_unit_dirs(systemd_generator_t)
|
|
|
|
|
init_read_generic_units_symlinks(systemd_generator_t)
|
|
|
|
|
init_read_script_files(systemd_generator_t)
|
|
|
|
|
|
|
|
|
|
kernel_use_fds(systemd_generator_t)
|
|
|
|
|
kernel_read_system_state(systemd_generator_t)
|
|
|
|
|
kernel_read_kernel_sysctls(systemd_generator_t)
|
|
|
|
|
|
|
|
|
|
storage_raw_read_fixed_disk(systemd_generator_t)
|
|
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_generator_t)
|
|
|
|
|
|
2020-09-25 07:30:38 +00:00
|
|
|
term_use_unallocated_ttys(systemd_generator_t)
|
|
|
|
|
|
2020-08-11 12:53:18 +00:00
|
|
|
ifdef(`distro_gentoo',`
|
|
|
|
|
corecmd_shell_entry_type(systemd_generator_t)
|
|
|
|
|
')
|
|
|
|
|
|
2020-06-15 13:16:51 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
fstools_exec(systemd_generator_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
lvm_exec(systemd_generator_t)
|
|
|
|
|
lvm_map_config(systemd_generator_t)
|
|
|
|
|
lvm_read_config(systemd_generator_t)
|
|
|
|
|
miscfiles_read_localization(systemd_generator_t)
|
|
|
|
|
')
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
#
|
|
|
|
|
# Hostnamed policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-02-20 03:20:57 +00:00
|
|
|
allow systemd_hostnamed_t self:capability sys_admin;
|
2019-02-18 15:15:03 +00:00
|
|
|
|
2015-12-14 21:19:24 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_hostnamed_t)
|
|
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
dev_read_sysfs(systemd_hostnamed_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
files_read_etc_files(systemd_hostnamed_t)
|
|
|
|
|
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_hostnamed_t)
|
2020-09-05 16:09:37 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
seutil_read_file_contexts(systemd_hostnamed_t)
|
|
|
|
|
|
2019-01-15 03:20:29 +00:00
|
|
|
sysnet_etc_filetrans_config(systemd_hostnamed_t)
|
|
|
|
|
sysnet_manage_config(systemd_hostnamed_t)
|
|
|
|
|
|
2016-03-31 07:40:42 +00:00
|
|
|
systemd_log_parse_environment(systemd_hostnamed_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
dbus_connect_system_bus(systemd_hostnamed_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
dbus_system_bus_client(systemd_hostnamed_t)
|
2018-02-15 22:07:08 +00:00
|
|
|
init_dbus_chat(systemd_hostnamed_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
networkmanager_dbus_chat(systemd_hostnamed_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
')
|
|
|
|
|
|
2018-06-07 19:19:40 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# hw local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-09-14 12:36:13 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_hw_t)
|
|
|
|
|
|
2020-08-14 14:33:08 +00:00
|
|
|
allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabel_file_perms };
|
2018-06-07 19:19:40 +00:00
|
|
|
files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
|
|
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
files_search_runtime(systemd_hw_t)
|
2018-06-07 19:19:40 +00:00
|
|
|
|
|
|
|
|
selinux_get_fs_mount(systemd_hw_t)
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_hw_t)
|
2018-06-07 19:19:40 +00:00
|
|
|
|
2018-06-08 00:17:15 +00:00
|
|
|
init_read_state(systemd_hw_t)
|
2020-08-13 10:08:03 +00:00
|
|
|
init_search_runtime(systemd_hw_t)
|
2018-06-08 00:17:15 +00:00
|
|
|
|
2018-06-07 19:19:40 +00:00
|
|
|
seutil_read_config(systemd_hw_t)
|
|
|
|
|
seutil_read_file_contexts(systemd_hw_t)
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
#######################################
|
|
|
|
|
#
|
|
|
|
|
# locale local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
kernel_read_kernel_sysctls(systemd_locale_t)
|
|
|
|
|
|
|
|
|
|
files_read_etc_files(systemd_locale_t)
|
|
|
|
|
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_locale_t)
|
2020-09-05 16:09:37 +00:00
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
seutil_read_file_contexts(systemd_locale_t)
|
|
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_locale_t)
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
dbus_connect_system_bus(systemd_locale_t)
|
|
|
|
|
dbus_system_bus_client(systemd_locale_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
######################################
|
|
|
|
|
#
|
2020-08-11 13:01:34 +00:00
|
|
|
# systemd log parse environment
|
2017-02-25 14:35:10 +00:00
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
|
|
|
|
|
dontaudit systemd_log_parse_env_type self:capability net_admin;
|
|
|
|
|
|
|
|
|
|
kernel_read_system_state(systemd_log_parse_env_type)
|
|
|
|
|
|
|
|
|
|
dev_write_kmsg(systemd_log_parse_env_type)
|
|
|
|
|
|
2019-12-30 17:01:43 +00:00
|
|
|
# For /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67
|
|
|
|
|
fs_read_efivarfs_files(systemd_log_parse_env_type)
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
term_use_console(systemd_log_parse_env_type)
|
|
|
|
|
|
|
|
|
|
init_read_state(systemd_log_parse_env_type)
|
|
|
|
|
|
|
|
|
|
logging_send_syslog_msg(systemd_log_parse_env_type)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Logind local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-01-04 07:54:22 +00:00
|
|
|
allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
|
2017-03-25 17:45:37 +00:00
|
|
|
allow systemd_logind_t self:process { getcap setfscreate };
|
2015-10-23 14:16:59 +00:00
|
|
|
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
|
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
|
|
|
|
|
|
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
|
|
|
|
|
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
|
|
|
|
|
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
|
|
|
|
|
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
|
2017-12-06 17:06:04 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
|
|
|
|
|
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
|
|
|
|
|
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2021-02-02 18:50:45 +00:00
|
|
|
# for /run/systemd/userdb/io.systemd.Machine
|
|
|
|
|
allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
|
|
|
|
|
allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
|
|
|
|
|
allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
|
2015-12-14 21:19:24 +00:00
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
dev_getattr_dri_dev(systemd_logind_t)
|
2017-04-16 23:48:04 +00:00
|
|
|
dev_getattr_generic_usb_dev(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
dev_getattr_kvm_dev(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
dev_getattr_sound_dev(systemd_logind_t)
|
2017-04-16 23:48:04 +00:00
|
|
|
dev_getattr_video_dev(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
dev_manage_wireless(systemd_logind_t)
|
|
|
|
|
dev_read_urand(systemd_logind_t)
|
|
|
|
|
dev_rw_dri(systemd_logind_t)
|
|
|
|
|
dev_rw_input_dev(systemd_logind_t)
|
|
|
|
|
dev_rw_sysfs(systemd_logind_t)
|
|
|
|
|
dev_setattr_dri_dev(systemd_logind_t)
|
2017-04-16 23:48:04 +00:00
|
|
|
dev_setattr_generic_usb_dev(systemd_logind_t)
|
2019-01-11 10:30:43 +00:00
|
|
|
dev_setattr_input_dev(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
dev_setattr_kvm_dev(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
dev_setattr_sound_dev(systemd_logind_t)
|
2017-04-16 23:48:04 +00:00
|
|
|
dev_setattr_video_dev(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
domain_obj_id_change_exemption(systemd_logind_t)
|
|
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
files_search_runtime(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
fs_getattr_cgroup(systemd_logind_t)
|
|
|
|
|
fs_getattr_tmpfs(systemd_logind_t)
|
|
|
|
|
fs_getattr_tmpfs_dirs(systemd_logind_t)
|
|
|
|
|
fs_list_tmpfs(systemd_logind_t)
|
|
|
|
|
fs_mount_tmpfs(systemd_logind_t)
|
|
|
|
|
fs_read_cgroup_files(systemd_logind_t)
|
2016-02-03 13:14:38 +00:00
|
|
|
fs_read_efivarfs_files(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
|
|
|
|
|
fs_unmount_tmpfs(systemd_logind_t)
|
2016-02-03 13:14:38 +00:00
|
|
|
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
storage_getattr_removable_dev(systemd_logind_t)
|
|
|
|
|
storage_getattr_scsi_generic_dev(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
storage_setattr_removable_dev(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
storage_setattr_scsi_generic_dev(systemd_logind_t)
|
|
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
term_setattr_unallocated_ttys(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
term_use_unallocated_ttys(systemd_logind_t)
|
|
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
auth_manage_faillog(systemd_logind_t)
|
2020-06-04 16:41:21 +00:00
|
|
|
auth_use_nsswitch(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
|
|
|
|
|
init_dbus_send_script(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
init_get_all_units_status(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
init_get_system_status(systemd_logind_t)
|
2019-01-05 23:00:02 +00:00
|
|
|
init_read_utmp(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
init_service_start(systemd_logind_t)
|
|
|
|
|
init_service_status(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
init_start_all_units(systemd_logind_t)
|
|
|
|
|
init_stop_all_units(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
init_start_system(systemd_logind_t)
|
|
|
|
|
init_stop_system(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
|
|
|
|
locallogin_read_state(systemd_logind_t)
|
|
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
seutil_libselinux_linked(systemd_logind_t)
|
|
|
|
|
seutil_read_default_contexts(systemd_logind_t)
|
|
|
|
|
seutil_read_file_contexts(systemd_logind_t)
|
|
|
|
|
|
2016-03-31 07:40:42 +00:00
|
|
|
systemd_log_parse_environment(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
systemd_start_power_units(systemd_logind_t)
|
|
|
|
|
|
2020-06-27 21:11:48 +00:00
|
|
|
udev_list_runtime(systemd_logind_t)
|
|
|
|
|
udev_read_runtime_files(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-12-12 02:15:28 +00:00
|
|
|
userdom_delete_all_user_runtime_dirs(systemd_logind_t)
|
|
|
|
|
userdom_delete_all_user_runtime_files(systemd_logind_t)
|
|
|
|
|
userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
|
|
|
|
|
userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
|
|
|
|
|
userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
|
2019-12-12 18:41:11 +00:00
|
|
|
userdom_delete_user_tmp_dirs(systemd_logind_t)
|
|
|
|
|
userdom_delete_user_tmp_files(systemd_logind_t)
|
|
|
|
|
userdom_delete_user_tmp_symlinks(systemd_logind_t)
|
|
|
|
|
userdom_delete_user_tmp_named_pipes(systemd_logind_t)
|
|
|
|
|
userdom_delete_user_tmp_named_sockets(systemd_logind_t)
|
2018-02-15 22:07:08 +00:00
|
|
|
# user_tmp_t is for the dbus-1 directory
|
|
|
|
|
userdom_list_user_tmp(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
userdom_manage_user_runtime_dirs(systemd_logind_t)
|
|
|
|
|
userdom_manage_user_runtime_root_dirs(systemd_logind_t)
|
|
|
|
|
userdom_mounton_user_runtime_dirs(systemd_logind_t)
|
|
|
|
|
userdom_read_all_users_state(systemd_logind_t)
|
|
|
|
|
userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
|
|
|
|
|
userdom_relabel_user_tmpfs_files(systemd_logind_t)
|
|
|
|
|
userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
|
|
|
|
|
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
|
|
|
|
|
userdom_setattr_user_ttys(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
userdom_use_user_ttys(systemd_logind_t)
|
|
|
|
|
|
2017-11-30 22:41:46 +00:00
|
|
|
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
|
|
|
|
|
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
|
|
|
|
|
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
|
|
|
|
|
# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed.
|
|
|
|
|
ifdef(`distro_redhat',`
|
|
|
|
|
userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
|
|
|
|
|
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
|
|
|
|
|
')
|
|
|
|
|
|
2020-01-12 19:51:45 +00:00
|
|
|
tunable_policy(`systemd_logind_get_bootloader',`
|
|
|
|
|
fs_getattr_dos_fs(systemd_logind_t)
|
|
|
|
|
fs_list_dos(systemd_logind_t)
|
|
|
|
|
fs_read_dos_files(systemd_logind_t)
|
|
|
|
|
')
|
2020-01-12 20:57:17 +00:00
|
|
|
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
|
|
|
|
|
# This reads the first sectors of fixed disk devices.
|
|
|
|
|
storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
|
2020-01-12 19:51:45 +00:00
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
dbus_connect_system_bus(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
dbus_system_bus_client(systemd_logind_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
2018-02-18 16:24:04 +00:00
|
|
|
devicekit_dbus_chat_disk(systemd_logind_t)
|
2017-03-25 17:45:37 +00:00
|
|
|
devicekit_dbus_chat_power(systemd_logind_t)
|
|
|
|
|
')
|
|
|
|
|
|
2018-02-15 22:07:08 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
modemmanager_dbus_chat(systemd_logind_t)
|
|
|
|
|
')
|
|
|
|
|
|
2017-03-25 17:45:37 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
networkmanager_dbus_chat(systemd_logind_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
policykit_dbus_chat(systemd_logind_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
xserver_read_state(systemd_logind_t)
|
|
|
|
|
xserver_dbus_chat(systemd_logind_t)
|
|
|
|
|
xserver_dbus_chat_xdm(systemd_logind_t)
|
|
|
|
|
xserver_read_xdm_state(systemd_logind_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
unconfined_dbus_send(systemd_logind_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
')
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# machined local policy
|
|
|
|
|
#
|
|
|
|
|
|
2017-04-16 23:48:04 +00:00
|
|
|
allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
|
2017-02-25 14:35:10 +00:00
|
|
|
allow systemd_machined_t self:process setfscreate;
|
|
|
|
|
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
|
|
|
|
|
|
2021-02-02 18:50:45 +00:00
|
|
|
term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
|
2021-02-02 18:58:24 +00:00
|
|
|
allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perms;
|
2021-02-02 18:50:45 +00:00
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
|
|
|
|
|
allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
|
2017-02-25 14:35:10 +00:00
|
|
|
|
|
|
|
|
kernel_read_kernel_sysctls(systemd_machined_t)
|
|
|
|
|
kernel_read_system_state(systemd_machined_t)
|
|
|
|
|
|
2021-02-02 15:07:12 +00:00
|
|
|
dev_getattr_fs(systemd_machined_t)
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
files_read_etc_files(systemd_machined_t)
|
|
|
|
|
|
|
|
|
|
fs_getattr_cgroup(systemd_machined_t)
|
|
|
|
|
fs_getattr_tmpfs(systemd_machined_t)
|
2017-04-16 23:48:04 +00:00
|
|
|
fs_read_nsfs_files(systemd_machined_t)
|
2017-02-25 14:35:10 +00:00
|
|
|
|
|
|
|
|
selinux_getattr_fs(systemd_machined_t)
|
|
|
|
|
|
|
|
|
|
init_read_script_state(systemd_machined_t)
|
|
|
|
|
init_get_system_status(systemd_machined_t)
|
|
|
|
|
init_read_state(systemd_machined_t)
|
|
|
|
|
init_service_start(systemd_machined_t)
|
|
|
|
|
init_service_status(systemd_machined_t)
|
|
|
|
|
init_start_system(systemd_machined_t)
|
|
|
|
|
init_stop_system(systemd_machined_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
init_get_generic_units_status(systemd_machined_t)
|
|
|
|
|
init_start_generic_units(systemd_machined_t)
|
|
|
|
|
init_stop_generic_units(systemd_machined_t)
|
2017-02-25 14:35:10 +00:00
|
|
|
|
|
|
|
|
logging_send_syslog_msg(systemd_machined_t)
|
|
|
|
|
|
|
|
|
|
seutil_search_default_contexts(systemd_machined_t)
|
|
|
|
|
|
2021-02-02 15:07:12 +00:00
|
|
|
term_getattr_pty_fs(systemd_machined_t)
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
init_dbus_chat(systemd_machined_t)
|
|
|
|
|
init_dbus_send_script(systemd_machined_t)
|
|
|
|
|
|
|
|
|
|
dbus_connect_system_bus(systemd_machined_t)
|
|
|
|
|
dbus_system_bus_client(systemd_machined_t)
|
|
|
|
|
')
|
|
|
|
|
|
2019-02-07 21:15:32 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# modules-load local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-05-24 18:38:51 +00:00
|
|
|
kernel_load_module(systemd_modules_load_t)
|
2019-09-14 12:36:13 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_modules_load_t)
|
2019-07-21 12:44:08 +00:00
|
|
|
kernel_request_load_module(systemd_modules_load_t)
|
2019-05-24 18:38:51 +00:00
|
|
|
|
2019-09-06 21:28:40 +00:00
|
|
|
dev_read_sysfs(systemd_modules_load_t)
|
|
|
|
|
|
2020-08-12 16:17:19 +00:00
|
|
|
files_mmap_read_kernel_modules(systemd_modules_load_t)
|
2019-02-07 21:15:32 +00:00
|
|
|
files_read_etc_files(systemd_modules_load_t)
|
|
|
|
|
|
2019-05-24 18:38:51 +00:00
|
|
|
modutils_read_module_config(systemd_modules_load_t)
|
|
|
|
|
modutils_read_module_deps(systemd_modules_load_t)
|
|
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_modules_load_t)
|
2019-02-07 21:15:32 +00:00
|
|
|
|
2017-10-11 14:59:08 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# networkd local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
|
2019-09-14 11:53:17 +00:00
|
|
|
allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
|
2017-10-11 14:59:08 +00:00
|
|
|
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
|
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
|
|
|
|
|
allow systemd_networkd_t self:packet_socket create_socket_perms;
|
|
|
|
|
allow systemd_networkd_t self:process { getcap setcap setfscreate };
|
|
|
|
|
allow systemd_networkd_t self:rawip_socket create_socket_perms;
|
|
|
|
|
allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
|
|
|
|
|
allow systemd_networkd_t self:udp_socket create_socket_perms;
|
|
|
|
|
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
|
|
|
|
manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
|
|
|
|
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
2017-10-11 14:59:08 +00:00
|
|
|
|
|
|
|
|
kernel_read_system_state(systemd_networkd_t)
|
|
|
|
|
kernel_read_kernel_sysctls(systemd_networkd_t)
|
|
|
|
|
kernel_read_network_state(systemd_networkd_t)
|
|
|
|
|
kernel_request_load_module(systemd_networkd_t)
|
|
|
|
|
kernel_rw_net_sysctls(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
corecmd_bin_entry_type(systemd_networkd_t)
|
|
|
|
|
corecmd_exec_bin(systemd_networkd_t)
|
|
|
|
|
|
2020-04-19 12:22:26 +00:00
|
|
|
corenet_sendrecv_icmp_packets(systemd_networkd_t)
|
|
|
|
|
corenet_sendrecv_dhcpd_client_packets(systemd_networkd_t)
|
2017-10-11 14:59:08 +00:00
|
|
|
corenet_rw_tun_tap_dev(systemd_networkd_t)
|
2019-02-07 21:15:32 +00:00
|
|
|
corenet_udp_bind_dhcpc_port(systemd_networkd_t)
|
|
|
|
|
corenet_udp_bind_generic_node(systemd_networkd_t)
|
2017-10-11 14:59:08 +00:00
|
|
|
|
|
|
|
|
dev_read_urand(systemd_networkd_t)
|
|
|
|
|
dev_read_sysfs(systemd_networkd_t)
|
|
|
|
|
dev_write_kmsg(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
files_read_etc_files(systemd_networkd_t)
|
2020-01-08 15:51:11 +00:00
|
|
|
files_watch_runtime_dirs(systemd_networkd_t)
|
|
|
|
|
files_watch_root_dirs(systemd_networkd_t)
|
2020-10-05 15:51:05 +00:00
|
|
|
files_list_runtime(systemd_networkd_t)
|
2020-09-18 14:29:41 +00:00
|
|
|
fs_getattr_xattr_fs(systemd_networkd_t)
|
2017-10-11 14:59:08 +00:00
|
|
|
|
|
|
|
|
auth_use_nsswitch(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
init_dgram_send(systemd_networkd_t)
|
|
|
|
|
init_read_state(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
logging_send_syslog_msg(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_read_localization(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
sysnet_read_config(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_networkd_t)
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
dbus_system_bus_client(systemd_networkd_t)
|
|
|
|
|
dbus_connect_system_bus(systemd_networkd_t)
|
2020-01-08 15:51:11 +00:00
|
|
|
dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
|
|
|
|
|
dbus_watch_system_bus_runtime_named_sockets(systemd_networkd_t)
|
2019-09-14 11:55:57 +00:00
|
|
|
|
|
|
|
|
systemd_dbus_chat_hostnamed(systemd_networkd_t)
|
2017-10-11 14:59:08 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
2020-06-27 21:11:48 +00:00
|
|
|
udev_read_runtime_files(systemd_networkd_t)
|
2017-10-11 14:59:08 +00:00
|
|
|
')
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# systemd_notify local policy
|
|
|
|
|
#
|
|
|
|
|
allow systemd_notify_t self:capability chown;
|
|
|
|
|
allow systemd_notify_t self:process { setfscreate setsockcreate };
|
|
|
|
|
|
|
|
|
|
allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
|
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
|
|
|
|
|
|
domain_use_interactive_fds(systemd_notify_t)
|
|
|
|
|
|
|
|
|
|
files_read_etc_files(systemd_notify_t)
|
|
|
|
|
files_read_usr_files(systemd_notify_t)
|
|
|
|
|
|
|
|
|
|
fs_getattr_cgroup_files(systemd_notify_t)
|
|
|
|
|
|
|
|
|
|
auth_use_nsswitch(systemd_notify_t)
|
|
|
|
|
|
|
|
|
|
init_rw_stream_sockets(systemd_notify_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_read_localization(systemd_notify_t)
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Nspawn local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-01-11 10:30:43 +00:00
|
|
|
allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
|
2019-01-04 07:54:22 +00:00
|
|
|
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
|
2017-04-01 16:08:42 +00:00
|
|
|
allow systemd_nspawn_t self:capability2 wake_alarm;
|
|
|
|
|
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
|
2019-01-11 10:30:43 +00:00
|
|
|
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
|
2017-04-01 16:08:42 +00:00
|
|
|
|
|
|
|
|
allow systemd_nspawn_t systemd_journal_t:dir search;
|
|
|
|
|
|
|
|
|
|
allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
|
|
|
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:file manage_file_perms;
|
2020-06-27 21:11:48 +00:00
|
|
|
init_runtime_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, dir)
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2019-01-04 07:54:22 +00:00
|
|
|
files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
|
2017-09-05 05:38:13 +00:00
|
|
|
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
|
|
|
|
|
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
|
2019-01-04 07:54:22 +00:00
|
|
|
# for /tmp/.#inaccessible*
|
|
|
|
|
allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
|
2017-09-05 05:38:13 +00:00
|
|
|
|
2017-04-01 16:08:42 +00:00
|
|
|
# for /run/systemd/nspawn/incoming in chroot
|
2019-09-08 20:55:02 +00:00
|
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
|
2017-04-01 16:08:42 +00:00
|
|
|
|
|
|
|
|
kernel_mount_proc(systemd_nspawn_t)
|
|
|
|
|
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
|
|
|
|
|
kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
|
|
|
|
|
kernel_mounton_message_if(systemd_nspawn_t)
|
|
|
|
|
kernel_mounton_proc(systemd_nspawn_t)
|
|
|
|
|
kernel_read_kernel_sysctls(systemd_nspawn_t)
|
|
|
|
|
kernel_read_system_state(systemd_nspawn_t)
|
|
|
|
|
kernel_remount_proc(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
corecmd_exec_shell(systemd_nspawn_t)
|
|
|
|
|
corecmd_search_bin(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
corenet_rw_tun_tap_dev(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
dev_getattr_fs(systemd_nspawn_t)
|
|
|
|
|
dev_manage_sysfs_dirs(systemd_nspawn_t)
|
|
|
|
|
dev_mounton_sysfs_dirs(systemd_nspawn_t)
|
|
|
|
|
dev_mount_sysfs(systemd_nspawn_t)
|
|
|
|
|
dev_read_rand(systemd_nspawn_t)
|
|
|
|
|
dev_read_urand(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
files_getattr_tmp_dirs(systemd_nspawn_t)
|
|
|
|
|
files_manage_etc_files(systemd_nspawn_t)
|
|
|
|
|
files_manage_mnt_dirs(systemd_nspawn_t)
|
|
|
|
|
files_mounton_mnt(systemd_nspawn_t)
|
|
|
|
|
files_mounton_root(systemd_nspawn_t)
|
|
|
|
|
files_mounton_tmp(systemd_nspawn_t)
|
2019-01-04 07:54:22 +00:00
|
|
|
files_read_kernel_symbol_table(systemd_nspawn_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_setattr_runtime_dirs(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
|
|
|
|
|
fs_getattr_tmpfs(systemd_nspawn_t)
|
|
|
|
|
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
|
|
|
|
|
fs_mount_tmpfs(systemd_nspawn_t)
|
|
|
|
|
fs_remount_tmpfs(systemd_nspawn_t)
|
2019-01-22 09:00:28 +00:00
|
|
|
fs_remount_xattr_fs(systemd_nspawn_t)
|
|
|
|
|
fs_read_cgroup_files(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
|
|
|
|
|
term_getattr_generic_ptys(systemd_nspawn_t)
|
|
|
|
|
term_getattr_pty_fs(systemd_nspawn_t)
|
|
|
|
|
term_mount_devpts(systemd_nspawn_t)
|
|
|
|
|
term_search_ptys(systemd_nspawn_t)
|
|
|
|
|
term_setattr_generic_ptys(systemd_nspawn_t)
|
|
|
|
|
term_use_ptmx(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
init_domtrans_script(systemd_nspawn_t)
|
2019-01-04 07:51:18 +00:00
|
|
|
init_getrlimit(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
init_kill_scripts(systemd_nspawn_t)
|
|
|
|
|
init_read_state(systemd_nspawn_t)
|
|
|
|
|
init_search_run(systemd_nspawn_t)
|
2019-01-11 20:07:57 +00:00
|
|
|
init_write_runtime_socket(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
init_spec_domtrans_script(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_manage_localization(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
# for writing inside chroot
|
|
|
|
|
sysnet_manage_config(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
userdom_manage_user_home_dirs(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
tunable_policy(`systemd_nspawn_labeled_namespace',`
|
2019-01-04 07:54:22 +00:00
|
|
|
corecmd_exec_bin(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
corecmd_exec_shell(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
dev_mounton(systemd_nspawn_t)
|
|
|
|
|
dev_setattr_generic_dirs(systemd_nspawn_t)
|
|
|
|
|
|
2017-09-17 15:07:41 +00:00
|
|
|
# manage etc symlinks for /etc/localtime
|
|
|
|
|
files_manage_etc_symlinks(systemd_nspawn_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_mounton_runtime_dirs(systemd_nspawn_t)
|
2017-09-17 15:07:41 +00:00
|
|
|
files_search_home(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
|
|
|
|
|
fs_getattr_cgroup(systemd_nspawn_t)
|
|
|
|
|
fs_manage_cgroup_dirs(systemd_nspawn_t)
|
|
|
|
|
fs_manage_tmpfs_dirs(systemd_nspawn_t)
|
|
|
|
|
fs_manage_tmpfs_files(systemd_nspawn_t)
|
|
|
|
|
fs_manage_tmpfs_symlinks(systemd_nspawn_t)
|
|
|
|
|
fs_mount_cgroup(systemd_nspawn_t)
|
|
|
|
|
fs_mounton_cgroup(systemd_nspawn_t)
|
|
|
|
|
fs_mounton_tmpfs(systemd_nspawn_t)
|
|
|
|
|
fs_mounton_tmpfs_files(systemd_nspawn_t)
|
|
|
|
|
fs_remount_cgroup(systemd_nspawn_t)
|
|
|
|
|
fs_search_tmpfs(systemd_nspawn_t)
|
2017-09-05 05:38:13 +00:00
|
|
|
fs_unmount_cgroup(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
fs_write_cgroup_files(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
selinux_getattr_fs(systemd_nspawn_t)
|
2019-01-04 07:54:22 +00:00
|
|
|
selinux_remount_fs(systemd_nspawn_t)
|
2017-04-01 16:08:42 +00:00
|
|
|
selinux_search_fs(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
init_domtrans(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
logging_search_logs(systemd_nspawn_t)
|
|
|
|
|
|
|
|
|
|
seutil_search_default_contexts(systemd_nspawn_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
|
|
|
|
|
|
|
|
|
|
dbus_system_bus_client(systemd_nspawn_t)
|
2018-02-15 22:07:08 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
unconfined_dbus_send(systemd_machined_t)
|
|
|
|
|
')
|
2017-04-01 16:08:42 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
virt_manage_virt_content(systemd_nspawn_t)
|
|
|
|
|
')
|
|
|
|
|
|
2017-02-25 14:35:10 +00:00
|
|
|
#######################################
|
|
|
|
|
#
|
|
|
|
|
# systemd_passwd_agent_t local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
|
|
|
|
|
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
|
|
|
|
|
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
|
2020-12-11 18:22:42 +00:00
|
|
|
allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
|
|
|
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
|
|
|
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
|
|
|
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
|
2017-02-25 14:35:10 +00:00
|
|
|
|
|
|
|
|
kernel_read_system_state(systemd_passwd_agent_t)
|
|
|
|
|
kernel_stream_connect(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
dev_create_generic_dirs(systemd_passwd_agent_t)
|
|
|
|
|
dev_read_generic_files(systemd_passwd_agent_t)
|
|
|
|
|
dev_write_generic_sock_files(systemd_passwd_agent_t)
|
|
|
|
|
dev_write_kmsg(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
files_read_etc_files(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
fs_getattr_xattr_fs(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
selinux_get_enforce_mode(systemd_passwd_agent_t)
|
|
|
|
|
selinux_getattr_fs(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
term_read_console(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
auth_use_nsswitch(systemd_passwd_agent_t)
|
|
|
|
|
|
2019-01-11 20:07:57 +00:00
|
|
|
init_create_runtime_dirs(systemd_passwd_agent_t)
|
|
|
|
|
init_read_runtime_pipes(systemd_passwd_agent_t)
|
2017-02-25 14:35:10 +00:00
|
|
|
init_read_state(systemd_passwd_agent_t)
|
|
|
|
|
init_read_utmp(systemd_passwd_agent_t)
|
|
|
|
|
init_stream_connect(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
logging_send_syslog_msg(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_read_localization(systemd_passwd_agent_t)
|
|
|
|
|
|
|
|
|
|
seutil_search_default_contexts(systemd_passwd_agent_t)
|
|
|
|
|
|
2020-04-30 18:53:31 +00:00
|
|
|
userdom_use_user_terminals(systemd_passwd_agent_t)
|
2017-02-25 14:35:10 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
getty_use_fds(systemd_passwd_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
lvm_signull(systemd_passwd_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
plymouthd_stream_connect(systemd_passwd_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2020-10-09 13:42:31 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# systemd-pstore local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
dontaudit systemd_pstore_t self:capability net_admin;
|
|
|
|
|
|
|
|
|
|
manage_files_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t)
|
|
|
|
|
|
|
|
|
|
files_read_etc_files(systemd_pstore_t)
|
|
|
|
|
files_search_var_lib(systemd_pstore_t)
|
|
|
|
|
|
|
|
|
|
fs_list_pstore_dirs(systemd_pstore_t)
|
|
|
|
|
fs_read_pstore_files(systemd_pstore_t)
|
|
|
|
|
fs_delete_pstore_files(systemd_pstore_t)
|
|
|
|
|
|
|
|
|
|
init_search_run(systemd_pstore_t)
|
|
|
|
|
init_list_var_lib_dirs(systemd_pstore_t)
|
|
|
|
|
|
|
|
|
|
kernel_read_system_state(systemd_pstore_t)
|
|
|
|
|
|
|
|
|
|
logging_send_syslog_msg(systemd_pstore_t)
|
|
|
|
|
|
2017-08-14 20:32:29 +00:00
|
|
|
#######################################
|
|
|
|
|
#
|
|
|
|
|
# Rfkill local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-10-12 13:51:53 +00:00
|
|
|
allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
|
|
|
|
|
|
2017-08-14 20:32:29 +00:00
|
|
|
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
|
|
|
|
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
|
|
|
|
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
|
|
|
|
|
|
2019-09-14 12:36:13 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_rfkill_t)
|
|
|
|
|
|
2017-08-14 20:32:29 +00:00
|
|
|
dev_read_sysfs(systemd_rfkill_t)
|
|
|
|
|
dev_rw_wireless(systemd_rfkill_t)
|
|
|
|
|
|
|
|
|
|
# Allow reading /etc/udev/udev.conf
|
|
|
|
|
files_read_etc_files(systemd_rfkill_t)
|
|
|
|
|
|
|
|
|
|
# Allow reading /run/udev/data/+rfkill:rfkill0
|
2020-06-27 21:11:48 +00:00
|
|
|
udev_read_runtime_files(systemd_rfkill_t)
|
2017-08-14 20:32:29 +00:00
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_rfkill_t)
|
|
|
|
|
|
2016-05-26 12:43:10 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Resolved local policy
|
|
|
|
|
#
|
|
|
|
|
|
2018-11-11 12:37:00 +00:00
|
|
|
allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
|
2016-05-26 12:43:10 +00:00
|
|
|
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
|
|
|
|
|
|
|
|
|
|
allow systemd_resolved_t self:tcp_socket { accept listen };
|
|
|
|
|
|
2020-01-08 15:51:11 +00:00
|
|
|
allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
|
|
|
|
manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
|
2016-05-26 12:43:10 +00:00
|
|
|
|
2018-06-06 14:25:06 +00:00
|
|
|
dev_read_sysfs(systemd_resolved_t)
|
|
|
|
|
|
2016-05-26 12:43:10 +00:00
|
|
|
kernel_read_crypto_sysctls(systemd_resolved_t)
|
|
|
|
|
kernel_read_kernel_sysctls(systemd_resolved_t)
|
2018-06-06 14:25:06 +00:00
|
|
|
kernel_read_net_sysctls(systemd_resolved_t)
|
2016-05-26 12:43:10 +00:00
|
|
|
|
|
|
|
|
corenet_tcp_bind_generic_node(systemd_resolved_t)
|
2018-11-11 12:37:00 +00:00
|
|
|
corenet_tcp_bind_dns_port(systemd_resolved_t)
|
2016-05-26 12:43:10 +00:00
|
|
|
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
|
|
|
|
corenet_udp_bind_generic_node(systemd_resolved_t)
|
2018-11-11 12:37:00 +00:00
|
|
|
corenet_udp_bind_dns_port(systemd_resolved_t)
|
2016-05-26 12:43:10 +00:00
|
|
|
corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
|
|
|
|
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_resolved_t)
|
2020-09-05 16:09:37 +00:00
|
|
|
|
2016-05-26 12:43:10 +00:00
|
|
|
auth_use_nsswitch(systemd_resolved_t)
|
|
|
|
|
|
2020-01-08 15:51:11 +00:00
|
|
|
files_watch_root_dirs(systemd_resolved_t)
|
|
|
|
|
files_watch_runtime_dirs(systemd_resolved_t)
|
2020-08-13 12:08:37 +00:00
|
|
|
files_list_runtime(systemd_resolved_t)
|
2020-02-01 21:18:25 +00:00
|
|
|
|
2018-06-06 14:25:09 +00:00
|
|
|
init_dgram_send(systemd_resolved_t)
|
|
|
|
|
|
2016-05-26 12:43:10 +00:00
|
|
|
seutil_read_file_contexts(systemd_resolved_t)
|
|
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_resolved_t)
|
2018-06-06 14:25:07 +00:00
|
|
|
systemd_read_networkd_runtime(systemd_resolved_t)
|
2016-05-26 12:43:10 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
2018-06-06 14:25:08 +00:00
|
|
|
dbus_connect_system_bus(systemd_resolved_t)
|
2016-05-26 12:43:10 +00:00
|
|
|
dbus_system_bus_client(systemd_resolved_t)
|
2020-01-08 15:51:11 +00:00
|
|
|
dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
|
|
|
|
|
dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
|
2016-05-26 12:43:10 +00:00
|
|
|
')
|
|
|
|
|
|
2020-11-08 13:50:12 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Socket-proxyd local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write };
|
|
|
|
|
allow systemd_socket_proxyd_t self:tcp_socket accept;
|
|
|
|
|
|
|
|
|
|
kernel_read_system_state(systemd_socket_proxyd_t)
|
|
|
|
|
|
|
|
|
|
auth_use_nsswitch(systemd_socket_proxyd_t)
|
2020-12-03 14:37:02 +00:00
|
|
|
|
2020-11-08 13:50:12 +00:00
|
|
|
sysnet_dns_name_resolve(systemd_socket_proxyd_t)
|
|
|
|
|
|
|
|
|
|
tunable_policy(`systemd_socket_proxyd_bind_any',`
|
2020-12-03 14:37:02 +00:00
|
|
|
corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
|
2020-11-08 13:50:12 +00:00
|
|
|
',`
|
2020-12-03 14:37:02 +00:00
|
|
|
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
|
2020-11-08 13:50:12 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
tunable_policy(`systemd_socket_proxyd_connect_any',`
|
2020-12-03 14:37:02 +00:00
|
|
|
corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
|
2020-11-08 13:50:12 +00:00
|
|
|
',`
|
2020-12-03 14:37:02 +00:00
|
|
|
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
|
2020-11-08 13:50:12 +00:00
|
|
|
')
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Sessions local policy
|
|
|
|
|
#
|
|
|
|
|
|
2017-03-28 22:51:35 +00:00
|
|
|
allow systemd_sessions_t self:process setfscreate;
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-09-14 12:36:13 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_sessions_t)
|
|
|
|
|
|
2017-03-28 22:51:35 +00:00
|
|
|
selinux_get_fs_mount(systemd_sessions_t)
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_sessions_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
|
|
|
|
|
seutil_read_config(systemd_sessions_t)
|
|
|
|
|
seutil_read_default_contexts(systemd_sessions_t)
|
|
|
|
|
seutil_read_file_contexts(systemd_sessions_t)
|
|
|
|
|
|
2016-03-31 07:40:42 +00:00
|
|
|
systemd_log_parse_environment(systemd_sessions_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2020-05-29 18:00:53 +00:00
|
|
|
|
|
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Sysusers local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow systemd_sysusers_t self:capability { chown fsetid };
|
|
|
|
|
allow systemd_sysusers_t self:process setfscreate;
|
|
|
|
|
allow systemd_sysusers_t self:unix_dgram_socket sendto;
|
|
|
|
|
|
|
|
|
|
files_manage_etc_files(systemd_sysusers_t)
|
|
|
|
|
|
|
|
|
|
kernel_read_kernel_sysctls(systemd_sysusers_t)
|
|
|
|
|
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_sysusers_t)
|
2020-09-05 16:09:37 +00:00
|
|
|
|
2020-05-29 18:00:53 +00:00
|
|
|
auth_manage_shadow(systemd_sysusers_t)
|
|
|
|
|
auth_etc_filetrans_shadow(systemd_sysusers_t)
|
|
|
|
|
auth_use_nsswitch(systemd_sysusers_t)
|
|
|
|
|
|
|
|
|
|
seutil_libselinux_linked(systemd_sysusers_t)
|
|
|
|
|
seutil_read_file_contexts(systemd_sysusers_t)
|
|
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_sysusers_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Tmpfiles local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-01-04 07:54:22 +00:00
|
|
|
allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
|
2015-10-23 14:16:59 +00:00
|
|
|
allow systemd_tmpfiles_t self:process { setfscreate getcap };
|
|
|
|
|
|
2020-08-14 14:33:08 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
|
2017-03-28 22:51:35 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
|
|
|
|
|
|
2020-10-05 18:18:28 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_pstore_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
|
|
|
|
|
allow systemd_tmpfiles_t systemd_pstore_var_lib_t:file manage_file_perms;
|
|
|
|
|
|
2020-08-14 14:33:08 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { manage_file_perms relabel_file_perms };
|
2017-03-28 22:51:35 +00:00
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
|
|
|
|
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
2020-08-14 14:33:08 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms;
|
|
|
|
|
allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
|
2017-02-24 01:03:23 +00:00
|
|
|
|
2017-02-18 21:16:30 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
|
2021-02-03 09:00:35 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
|
2017-02-18 21:16:30 +00:00
|
|
|
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
|
|
|
|
|
|
2019-01-04 07:54:22 +00:00
|
|
|
kernel_getattr_proc(systemd_tmpfiles_t)
|
2015-12-14 21:19:24 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
kernel_read_network_state(systemd_tmpfiles_t)
|
2015-12-14 21:19:24 +00:00
|
|
|
|
2019-01-04 07:54:22 +00:00
|
|
|
dev_getattr_fs(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
|
|
|
|
|
dev_read_urand(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
2020-02-05 15:47:47 +00:00
|
|
|
dev_setattr_all_sysfs(systemd_tmpfiles_t)
|
2020-10-05 18:18:28 +00:00
|
|
|
# Allow systemd-tmpfiles to enable pstore kernel parameters over sysfs
|
|
|
|
|
# /sys/module/printk/parameters/always_kmsg_dump
|
|
|
|
|
# /sys/module/kernel/parameters/crash_kexec_post_notifiers
|
|
|
|
|
dev_write_sysfs(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2017-03-28 22:51:35 +00:00
|
|
|
files_create_lock_dirs(systemd_tmpfiles_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_manage_all_runtime_dirs(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
files_delete_usr_files(systemd_tmpfiles_t)
|
|
|
|
|
files_list_home(systemd_tmpfiles_t)
|
2019-01-31 02:58:52 +00:00
|
|
|
files_list_locks(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_manage_var_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_manage_var_lib_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_purge_tmp(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
files_read_etc_files(systemd_tmpfiles_t)
|
2019-01-04 07:54:22 +00:00
|
|
|
files_read_etc_runtime_files(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
files_relabel_var_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_relabel_var_lib_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_relabelfrom_home(systemd_tmpfiles_t)
|
|
|
|
|
files_relabelto_home(systemd_tmpfiles_t)
|
|
|
|
|
files_relabelto_etc_dirs(systemd_tmpfiles_t)
|
2021-02-03 15:02:11 +00:00
|
|
|
files_setattr_lock_dirs(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
# for /etc/mtab
|
|
|
|
|
files_manage_etc_symlinks(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
|
2019-01-04 07:33:12 +00:00
|
|
|
fs_getattr_tmpfs(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
fs_getattr_xattr_fs(systemd_tmpfiles_t)
|
2019-01-31 02:58:52 +00:00
|
|
|
fs_list_tmpfs(systemd_tmpfiles_t)
|
2020-06-08 19:28:45 +00:00
|
|
|
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
|
|
|
|
|
selinux_get_fs_mount(systemd_tmpfiles_t)
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
|
2019-01-04 07:33:12 +00:00
|
|
|
auth_append_lastlog(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
auth_manage_faillog(systemd_tmpfiles_t)
|
2019-01-04 07:33:12 +00:00
|
|
|
auth_manage_lastlog(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
auth_manage_login_records(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
auth_manage_var_auth(systemd_tmpfiles_t)
|
2019-01-04 07:33:12 +00:00
|
|
|
auth_relabel_lastlog(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
auth_relabel_login_records(systemd_tmpfiles_t)
|
|
|
|
|
auth_setattr_login_records(systemd_tmpfiles_t)
|
|
|
|
|
|
2021-02-04 15:55:09 +00:00
|
|
|
auth_use_nsswitch(systemd_tmpfiles_t)
|
|
|
|
|
|
2017-03-28 22:51:35 +00:00
|
|
|
init_manage_utmp(systemd_tmpfiles_t)
|
|
|
|
|
init_manage_var_lib_files(systemd_tmpfiles_t)
|
|
|
|
|
# for /proc/1/environ
|
|
|
|
|
init_read_state(systemd_tmpfiles_t)
|
|
|
|
|
|
|
|
|
|
init_relabel_utmp(systemd_tmpfiles_t)
|
|
|
|
|
init_relabel_var_lib_dirs(systemd_tmpfiles_t)
|
|
|
|
|
|
|
|
|
|
logging_manage_generic_logs(systemd_tmpfiles_t)
|
|
|
|
|
logging_manage_generic_log_dirs(systemd_tmpfiles_t)
|
|
|
|
|
logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
|
|
|
|
|
logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
|
|
|
|
|
logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
|
|
|
|
|
logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
|
|
|
|
|
logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_manage_man_pages(systemd_tmpfiles_t)
|
|
|
|
|
miscfiles_relabel_man_cache(systemd_tmpfiles_t)
|
|
|
|
|
|
|
|
|
|
seutil_read_config(systemd_tmpfiles_t)
|
2015-10-23 14:16:59 +00:00
|
|
|
seutil_read_file_contexts(systemd_tmpfiles_t)
|
|
|
|
|
|
2017-04-06 21:37:50 +00:00
|
|
|
sysnet_manage_config(systemd_tmpfiles_t)
|
|
|
|
|
sysnet_relabel_config(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
|
2016-03-31 07:40:42 +00:00
|
|
|
systemd_log_parse_environment(systemd_tmpfiles_t)
|
|
|
|
|
|
2017-03-28 22:51:35 +00:00
|
|
|
userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
|
|
|
|
|
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
|
|
|
|
|
|
2015-10-23 14:16:59 +00:00
|
|
|
tunable_policy(`systemd_tmpfiles_manage_all',`
|
|
|
|
|
# systemd-tmpfiles can be configured to manage anything.
|
|
|
|
|
# have a last-resort option for users to do this.
|
|
|
|
|
files_manage_non_security_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_manage_non_security_files(systemd_tmpfiles_t)
|
|
|
|
|
files_relabel_non_security_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_relabel_non_security_files(systemd_tmpfiles_t)
|
|
|
|
|
')
|
2017-03-28 22:51:35 +00:00
|
|
|
|
2021-02-03 09:00:35 +00:00
|
|
|
tunable_policy(`systemd_tmpfilesd_factory', `
|
|
|
|
|
allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
|
|
|
|
|
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
|
|
|
|
|
|
|
|
|
files_manage_etc_files(systemd_tmpfiles_t)
|
2021-02-03 14:59:22 +00:00
|
|
|
files_relabel_config_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_relabel_config_files(systemd_tmpfiles_t)
|
2021-02-03 09:00:35 +00:00
|
|
|
',`
|
|
|
|
|
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
|
|
|
|
|
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
|
|
|
|
|
|
|
|
|
files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
|
2021-02-03 14:59:22 +00:00
|
|
|
files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
|
|
|
|
|
files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
|
2021-02-03 09:00:35 +00:00
|
|
|
')
|
|
|
|
|
|
2017-03-28 22:51:35 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
dbus_read_lib_files(systemd_tmpfiles_t)
|
2019-01-04 07:51:18 +00:00
|
|
|
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
|
2017-03-28 22:51:35 +00:00
|
|
|
')
|
|
|
|
|
|
2017-04-29 15:14:15 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
apt_use_fds(systemd_tmpfiles_t)
|
|
|
|
|
dpkg_script_rw_inherited_pipes(systemd_tmpfiles_t)
|
|
|
|
|
')
|
|
|
|
|
|
2017-03-28 22:51:35 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
xfs_create_tmp_dirs(systemd_tmpfiles_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
xserver_create_console_pipes(systemd_tmpfiles_t)
|
|
|
|
|
xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
|
|
|
|
|
xserver_relabel_console_pipes(systemd_tmpfiles_t)
|
|
|
|
|
xserver_setattr_console_pipes(systemd_tmpfiles_t)
|
|
|
|
|
')
|
2018-06-07 19:19:41 +00:00
|
|
|
|
|
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# Update Done local policy
|
|
|
|
|
#
|
|
|
|
|
|
2019-02-24 10:08:20 +00:00
|
|
|
allow systemd_update_done_t self:process setfscreate;
|
2018-06-07 19:19:41 +00:00
|
|
|
|
2019-02-24 10:08:20 +00:00
|
|
|
allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
|
2018-06-07 19:19:41 +00:00
|
|
|
|
2019-04-10 14:17:20 +00:00
|
|
|
files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
|
|
|
|
|
files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
|
2018-06-07 19:19:41 +00:00
|
|
|
|
2019-09-14 12:36:13 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_update_done_t)
|
|
|
|
|
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_update_done_t)
|
2020-09-05 16:09:37 +00:00
|
|
|
|
2019-02-24 10:08:20 +00:00
|
|
|
seutil_read_file_contexts(systemd_update_done_t)
|
2018-06-07 19:19:41 +00:00
|
|
|
|
2019-02-24 10:08:20 +00:00
|
|
|
systemd_log_parse_environment(systemd_update_done_t)
|
2019-04-19 15:50:59 +00:00
|
|
|
|
|
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# User session (systemd --user) local policy
|
|
|
|
|
#
|
|
|
|
|
|
2020-05-27 09:37:39 +00:00
|
|
|
allow systemd_user_session_type self:bpf { prog_load prog_run };
|
2019-04-19 15:50:59 +00:00
|
|
|
allow systemd_user_session_type self:capability { dac_read_search sys_resource };
|
|
|
|
|
dontaudit systemd_user_session_type self:capability dac_override;
|
2020-05-27 09:37:39 +00:00
|
|
|
allow systemd_user_session_type self:fifo_file rw_fifo_file_perms;
|
|
|
|
|
allow systemd_user_session_type self:process { setfscreate setsockcreate setcap getcap };
|
2019-04-19 15:50:59 +00:00
|
|
|
allow systemd_user_session_type self:udp_socket create_socket_perms;
|
|
|
|
|
allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
|
2019-09-06 19:49:22 +00:00
|
|
|
allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
|
2019-04-19 15:50:59 +00:00
|
|
|
|
|
|
|
|
allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
|
2020-05-27 09:37:39 +00:00
|
|
|
allow systemd_user_session_type systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
|
2019-04-19 15:50:59 +00:00
|
|
|
allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
|
|
|
|
|
userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
|
|
|
|
|
|
|
|
|
|
allow systemd_user_session_type systemd_user_runtime_notify_t:sock_file create;
|
|
|
|
|
type_transition systemd_user_session_type systemd_user_runtime_t:sock_file systemd_user_runtime_notify_t "notify";
|
|
|
|
|
|
2020-04-16 14:30:56 +00:00
|
|
|
allow systemd_user_session_type systemd_user_tmpfs_t:file manage_file_perms;
|
|
|
|
|
fs_tmpfs_filetrans(systemd_user_session_type, systemd_user_tmpfs_t, file)
|
|
|
|
|
|
2020-04-18 18:00:57 +00:00
|
|
|
# Run generators in /usr/lib/systemd/user-environment-generators with no domain transition
|
|
|
|
|
can_exec(systemd_user_session_type, systemd_generator_exec_t)
|
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
dev_write_sysfs_dirs(systemd_user_session_type)
|
|
|
|
|
dev_read_sysfs(systemd_user_session_type)
|
|
|
|
|
|
2020-05-27 09:37:39 +00:00
|
|
|
domain_getattr_all_entry_files(systemd_user_session_type)
|
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
files_read_etc_files(systemd_user_session_type)
|
|
|
|
|
files_list_usr(systemd_user_session_type)
|
2020-05-27 09:37:39 +00:00
|
|
|
# /etc/localtime
|
|
|
|
|
files_watch_etc_symlinks(systemd_user_session_type)
|
2019-04-19 15:50:59 +00:00
|
|
|
|
|
|
|
|
fs_getattr_cgroup(systemd_user_session_type)
|
2019-09-19 19:20:57 +00:00
|
|
|
fs_getattr_tmpfs(systemd_user_session_type)
|
2019-04-19 15:50:59 +00:00
|
|
|
fs_rw_cgroup_files(systemd_user_session_type)
|
|
|
|
|
fs_manage_cgroup_dirs(systemd_user_session_type)
|
|
|
|
|
|
2019-09-19 19:20:57 +00:00
|
|
|
# for /proc/sys/fs/nr_open
|
|
|
|
|
kernel_read_fs_sysctls(systemd_user_session_type)
|
2019-04-19 15:50:59 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_user_session_type)
|
|
|
|
|
|
2020-05-27 09:37:39 +00:00
|
|
|
selinux_compute_access_vector(systemd_user_session_type)
|
2019-09-19 19:20:57 +00:00
|
|
|
selinux_compute_create_context(systemd_user_session_type)
|
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
storage_getattr_fixed_disk_dev(systemd_user_session_type)
|
|
|
|
|
|
2020-05-27 09:37:39 +00:00
|
|
|
# for /run/systemd/notify
|
|
|
|
|
init_dgram_send(systemd_user_session_type)
|
|
|
|
|
init_signal(systemd_user_session_type)
|
|
|
|
|
|
|
|
|
|
logging_send_audit_msgs(systemd_user_session_type)
|
|
|
|
|
|
|
|
|
|
miscfiles_read_localization(systemd_user_session_type)
|
|
|
|
|
|
|
|
|
|
mount_list_runtime(systemd_user_session_type)
|
|
|
|
|
mount_watch_runtime_dirs(systemd_user_session_type)
|
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
# for systemd to read udev status
|
2020-06-27 21:11:48 +00:00
|
|
|
udev_read_runtime_files(systemd_user_session_type)
|
|
|
|
|
udev_list_runtime(systemd_user_session_type)
|
2020-01-31 21:46:56 +00:00
|
|
|
|
2020-05-27 09:37:39 +00:00
|
|
|
seutil_libselinux_linked(systemd_user_session_type)
|
|
|
|
|
|
2020-01-31 21:46:56 +00:00
|
|
|
#########################################
|
|
|
|
|
#
|
|
|
|
|
# systemd-user-runtime-dir local policy
|
|
|
|
|
#
|
|
|
|
|
|
2020-05-18 19:23:39 +00:00
|
|
|
allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
|
2020-01-31 21:46:56 +00:00
|
|
|
allow systemd_user_runtime_dir_t self:process setfscreate;
|
|
|
|
|
|
|
|
|
|
domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
|
|
|
|
|
|
2021-03-13 23:22:59 +00:00
|
|
|
allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
|
|
|
|
|
allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
|
|
|
|
|
|
2020-01-31 21:46:56 +00:00
|
|
|
files_read_etc_files(systemd_user_runtime_dir_t)
|
|
|
|
|
|
|
|
|
|
fs_mount_tmpfs(systemd_user_runtime_dir_t)
|
|
|
|
|
fs_getattr_tmpfs(systemd_user_runtime_dir_t)
|
|
|
|
|
fs_list_tmpfs(systemd_user_runtime_dir_t)
|
|
|
|
|
fs_unmount_tmpfs(systemd_user_runtime_dir_t)
|
|
|
|
|
fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
|
|
|
|
|
|
2020-04-04 08:34:00 +00:00
|
|
|
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
|
|
|
|
|
|
2020-09-09 18:56:12 +00:00
|
|
|
selinux_use_status_page(systemd_user_runtime_dir_t)
|
2020-01-31 21:46:56 +00:00
|
|
|
|
|
|
|
|
systemd_log_parse_environment(systemd_user_runtime_dir_t)
|
|
|
|
|
systemd_dbus_chat_logind(systemd_user_runtime_dir_t)
|
|
|
|
|
|
|
|
|
|
seutil_read_file_contexts(systemd_user_runtime_dir_t)
|
2020-04-04 08:34:00 +00:00
|
|
|
seutil_libselinux_linked(systemd_user_runtime_dir_t)
|
2020-01-31 21:46:56 +00:00
|
|
|
|
2021-03-13 23:22:59 +00:00
|
|
|
userdom_list_all_user_runtime(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_delete_all_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_delete_all_user_runtime_files(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_delete_all_user_runtime_symlinks(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_delete_all_user_runtime_named_pipes(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_delete_all_user_runtime_blk_files(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_delete_all_user_runtime_chr_files(systemd_user_runtime_dir_t)
|
|
|
|
|
|
|
|
|
|
userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
|
|
|
|
|
|
2020-01-31 21:46:56 +00:00
|
|
|
userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
|
|
|
|
|
userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
|
|
|
userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
|
|
|
|
2020-11-17 03:46:28 +00:00
|
|
|
optional_policy(`
|
2021-03-13 23:22:59 +00:00
|
|
|
dbus_system_bus_client(systemd_user_runtime_dir_t)
|
2020-11-17 03:46:28 +00:00
|
|
|
')
|
