## <summary>Systemd components (not PID 1)</summary>
#########################################
## <summary>
## Template for systemd --user per-role domains.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for generated types
## </summary>
## </param>
## <param name="role">
## <summary>
## The user role.
## </summary>
## </param>
## <param name="userdomain">
## <summary>
## The user domain for the role.
## </summary>
## </param>
#
template(`systemd_role_template',`
	gen_require(`
		attribute systemd_user_session_type, systemd_log_parse_env_type;
		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
		type systemd_run_exec_t, systemd_analyze_exec_t;
	')

	#################################
	#
	# Declarations
	#

	# $1_systemd_t is the per-role domain of the "systemd --user" instance
	# that runs for users of role $2; $3 is the role's user domain.
	type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
	init_pgm_spec_user_daemon_domain($1_systemd_t)
	domain_user_exemption_target($1_systemd_t)
	ubac_constrained($1_systemd_t)
	role $2 types $1_systemd_t;

	#################################
	#
	# Local policy
	#

	# The user domain fully manages (including relabeling) the runtime
	# objects of its own systemd --user instance and the notify socket.
	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	# This domain is per-role because of the below transitions.
	# See the systemd --user section of systemd.te for the
	# remainder of the rules.
	# The instance may change the scheduling of processes in the user
	# domain, and the user domain inherits its rlimits on transition.
	allow $1_systemd_t $3:process { setsched rlimitinh };
	corecmd_shell_domtrans($1_systemd_t, $3)
	corecmd_bin_domtrans($1_systemd_t, $3)

	# Allow using file descriptors for user environment generators:
	# programs in /usr/lib/systemd/user-environment-generators/ are
	# labeled bin_t, so they run as $3 via the transition above, but they
	# write their output to a descriptor created by the parent
	# systemd --user process running as $1_systemd_t.
	allow $3 $1_systemd_t:fd use;

	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
')
######################################
## <summary>
## Make the specified type usable as a
## systemd generator
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a systemd generator type.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to the generator domain.
## </summary>
## </param>
#
interface(`systemd_unit_generator',`
	gen_require(`
		attribute systemd_generator_type;
	')

	# Permissions common to all generators are granted on the attribute
	# rather than here; this interface only enrolls $1 in it and makes $1
	# a system domain entered through the $2 executable type.
	typeattribute $1 systemd_generator_type;
	init_system_domain($1, $2)
')
######################################
## <summary>
## Make the specified type usable as a
## log parse environment type.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a log parse environment type.
## </summary>
## </param>
#
interface(`systemd_log_parse_environment',`
	gen_require(`
		attribute systemd_log_parse_env_type;
	')

	# Membership only: no rules are granted here. Whatever access the
	# attribute carries is defined where systemd_log_parse_env_type is used.
	typeattribute $1 systemd_log_parse_env_type;
')
######################################
## <summary>
## Allow domain to use systemd's Name Service Switch (NSS) module.
## This module provides UNIX user and group name resolution for dynamic users
## and groups allocated through the DynamicUser= option in systemd unit files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`systemd_use_nss',`
	gen_require(`
		type systemd_conf_t;
	')

	# Get attributes of /etc/systemd/dont-synthesize-nobody
	# (getattr only; the file contents are not readable through this rule).
	files_search_etc($1)
	allow $1 systemd_conf_t:file getattr;

	# Dynamic user/group lookups go over the system bus to PID 1, so the
	# caller becomes a bus client and may exchange messages with init.
	optional_policy(`
		dbus_system_bus_client($1)
		# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
		init_dbus_chat($1)
	')
')
######################################
## <summary>
## Allow domain to be used as a systemd service with a unit
## that uses PrivateDevices=yes in section [Service].
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`systemd_PrivateDevices',`
	# For services using PrivateDevices, systemd mounts a dedicated
	# tmpfs filesystem for the /dev, which gets label tmpfs_t.
	# Allow to traverse /dev and to read symlinks in /dev (for example /dev/log)
	# Only symlink reading on tmpfs_t is granted; access to the device
	# nodes themselves still comes from the service's own policy.
	fs_read_tmpfs_symlinks($1)
')
2018-06-08 00:17:15 +00:00
#######################################
## <summary>
## Allow domain to read udev hwdb file
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_read_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	# Read access to the hwdb file and search on directories of the same
	# type. NOTE(review): no search is granted on the parent directory
	# holding the hwdb; callers presumably already have it -- confirm.
	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')
#######################################
## <summary>
## Allow domain to map udev hwdb file
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_map_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	# map only: open/read of the file is granted by systemd_read_hwdb(),
	# so a caller that mmaps the hwdb needs both interfaces.
	allow $1 systemd_hwdb_t:file map;
')
######################################
## <summary>
## Read systemd_login PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
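interface(`systemd_read_logind_pids',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	# logind keeps its runtime state below /run/systemd, which is
	# init_runtime_t, so the caller needs search there as well as on
	# /run; systemd_write_logind_pid_pipes() already grants both.
	init_search_run($1)
	files_search_pids($1)
	# Read-only: list the directories and read the files.
	allow $1 systemd_logind_runtime_t:dir list_dir_perms;
	allow $1 systemd_logind_runtime_t:file read_file_perms;
')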
######################################
## <summary>
## Manage systemd_login PID pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
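interface(`systemd_manage_logind_pid_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	# logind's runtime directories are below /run/systemd (init_runtime_t);
	# grant search on the path as systemd_write_logind_pid_pipes() does.
	init_search_run($1)
	files_search_pids($1)
	# Create, delete, rename and read/write named pipes in the logind
	# runtime directories (fifo_file only; no regular files).
	manage_fifo_files_pattern($1, systemd_logind_runtime_t, systemd_logind_runtime_t)
')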
######################################
## <summary>
## Write systemd_login named pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_logind_pid_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	# Search /run and /run/systemd to reach the logind runtime directory.
	init_search_run($1)
	files_search_pids($1)
	# NOTE(review): only getattr and write are granted, not open, so a
	# path-based open of the pipe would still be denied; as written this
	# covers descriptors the caller already holds. Confirm whether open
	# was intended before widening it.
	allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
')
######################################
## <summary>
## Use inherited systemd
## logind file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_use_logind_fds',`
	gen_require(`
		type systemd_logind_t;
	')

	# Use descriptors created by logind (inherited or passed); the
	# underlying object still needs its own permissions.
	allow $1 systemd_logind_t:fd use;
')
######################################
## <summary>
## Read logind sessions files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_logind_sessions_files',`
	gen_require(`
		type systemd_sessions_runtime_t, systemd_logind_t;
	')

	# Besides reading the session files, the caller may use descriptors
	# it received from logind.
	allow $1 systemd_logind_t:fd use;
	# Search /run and /run/systemd to reach the sessions directory.
	init_search_run($1)
	allow $1 systemd_sessions_runtime_t:dir list_dir_perms;
	read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
')
######################################
## <summary>
## Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
	gen_require(`
		type systemd_logind_t, systemd_sessions_runtime_t;
	')

	# Inherited pipes only: fd use on logind-created descriptors plus
	# write on the pipe. No search or open is granted, so the caller
	# cannot open the pipe by path through this interface.
	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_sessions_runtime_t:fifo_file write;

	# Reverse direction: this lets logind send a signal to the caller's
	# domain, i.e. the caller is exposing itself to logind, not gaining
	# access to it.
	allow systemd_logind_t $1:process signal;
')
######################################
## <summary>
## Write inherited logind inhibit pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_inherited_logind_inhibit_pipes',`
	gen_require(`
		type systemd_logind_inhibit_runtime_t;
		type systemd_logind_t;
	')

	# Inherited inhibitor pipes only: fd use on logind descriptors plus
	# write. No search/open is granted, so the pipe cannot be opened by
	# path through this interface.
	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_logind_inhibit_runtime_t:fifo_file write;
')
########################################
## <summary>
## Send and receive messages from
## systemd logind over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_logind',`
	gen_require(`
		type systemd_logind_t;
		class dbus send_msg;
	')

	# Bidirectional: both the caller and logind may send messages to
	# each other. Bus policy (XML) still governs which methods are allowed.
	allow $1 systemd_logind_t:dbus send_msg;
	allow systemd_logind_t $1:dbus send_msg;
')
########################################
## <summary>
## Allow process to write to systemd_kmod_conf_t.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`systemd_write_kmod_files',`
	# Deprecated and intentionally empty: no rules are produced, only a
	# build-time warning naming the caller ($0 expands to this interface).
	refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Get the system status information from systemd_login
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_status_logind',`
	gen_require(`
		type systemd_logind_t;
		class service status;
	')

	# Note the target is the logind process type, not a unit file type
	# (compare systemd_status_networkd(), which targets the unit type).
	allow $1 systemd_logind_t:service status;
')
########################################
## <summary>
## Send systemd_login a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_signull_logind',`
	gen_require(`
		type systemd_logind_t;
	')

	# signull only: existence/liveness checks (kill -0), no real signals.
	allow $1 systemd_logind_t:process signull;
')
########################################
## <summary>
## Allow reading /run/systemd/machines
## </summary>
## <param name="domain">
## <summary>
## Domain that can access the machines files
## </summary>
## </param>
#
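interface(`systemd_read_machines',`
	gen_require(`
		type systemd_machined_runtime_t;
	')

	# /run/systemd/machines sits below /run/systemd (init_runtime_t);
	# grant search on that path so the rules below are reachable, as the
	# other /run/systemd readers in this file do.
	init_search_run($1)
	# Read-only access to the machine registry.
	allow $1 systemd_machined_runtime_t:dir list_dir_perms;
	allow $1 systemd_machined_runtime_t:file read_file_perms;
')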
########################################
## <summary>
## Send and receive messages from
## systemd hostnamed over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_hostnamed',`
	gen_require(`
		type systemd_hostnamed_t;
		class dbus send_msg;
	')

	# Bidirectional message passing between the caller and hostnamed.
	allow $1 systemd_hostnamed_t:dbus send_msg;
	allow systemd_hostnamed_t $1:dbus send_msg;
')
########################################
## <summary>
## Allow systemd_passwd_agent to inherit fds
## </summary>
## <param name="domain">
## <summary>
## Domain that owns the fds
## </summary>
## </param>
#
interface(`systemd_use_passwd_agent_fds',`
	gen_require(`
		type systemd_passwd_agent_t;
	')

	# Direction: the agent gets to use descriptors owned by $1; the
	# caller itself is granted nothing.
	allow systemd_passwd_agent_t $1:fd use;
')
#######################################
## <summary>
## Allow a systemd_passwd_agent_t process to interact with a daemon
## that needs a password from the sysadmin.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_use_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t;
		type systemd_passwd_runtime_t;
	')

	# The daemon creates/removes its ask-password request files and the
	# socket the agent answers on. NOTE(review): no search on /run/systemd
	# is granted here; confirm callers already reach the directory.
	manage_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
	manage_sock_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)

	# Reverse direction: the agent may check that the daemon is alive,
	# read its /proc entry, and deliver the answer via its datagram socket.
	allow systemd_passwd_agent_t $1:process signull;
	ps_process_pattern(systemd_passwd_agent_t, $1)
	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')
########################################
## <summary>
## Transition to systemd_passwd_runtime_t when creating dirs
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_filetrans_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	# Name-based transitions: directories created under the init runtime
	# directory with exactly these names get systemd_passwd_runtime_t
	# instead of inheriting the parent label. Create permission itself
	# is not granted here.
	init_pid_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password-block")
	init_pid_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
')
######################################
## <summary>
## Allow domain to manage systemd-passwd symlinks
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_passwd_runtime_symlinks',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	# Full symlink management (create/delete/rename/read) in the
	# ask-password runtime area; no search on the path is granted here.
	allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
')
########################################
## <summary>
## manage systemd unit dirs and the files in them (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_all_units',`
	# Deprecated compatibility wrapper: warns at build time and forwards
	# to the init interface, so existing callers keep the same access.
	refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.')
	init_manage_all_unit_files($1)
')
########################################
## <summary>
## Allow domain to read systemd_journal_t files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	# Journal readers walk the per-machine directories and mmap the
	# *.journal files, hence the mmap variant of the read pattern.
	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
')
########################################
## <summary>
## Allow domain to create/manage systemd_journal_t files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	# Full create/delete/rename/write access to journal directories and
	# files, plus map since journal files are accessed via mmap. Intended
	# for the journal writer; readers should use systemd_read_journal_files().
	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
	allow $1 systemd_journal_t:file map;
')
########################################
## <summary>
## Relabel to systemd-journald directory type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelto_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	# relabelto only: the caller may assign the journal label to a
	# directory but cannot strip it from one (no relabelfrom).
	allow $1 systemd_journal_t:dir relabelto_dir_perms;
')
########################################
## <summary>
## Relabel to systemd-journald file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
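interface(`systemd_relabelto_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	# Listing the journal directories is needed to reach the files;
	# argument spacing matches the other pattern calls in this file.
	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	# relabelto only: the caller may assign the journal label to files
	# but cannot strip it from existing ones (no relabelfrom).
	allow $1 systemd_journal_t:file relabelto_file_perms;
')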
########################################
## <summary>
## Allow domain to read systemd_networkd_t unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	# Search the unit directories, then list/read the networkd unit files.
	init_search_units($1)
	list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')
########################################
## <summary>
## Allow domain to create/manage systemd_networkd_t unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	# Write access to unit files lets the caller change what networkd
	# runs as; restrict to administrative domains.
	init_search_units($1)
	manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')
########################################
## <summary>
## Allow specified domain to enable or disable systemd-networkd units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_enabledisable_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { enable disable };
	')

	# Both enable and disable are granted; there is no enable-only variant.
	allow $1 systemd_networkd_unit_t:service { enable disable };
')
########################################
## <summary>
## Allow specified domain to start or stop systemd-networkd units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_startstop_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { start stop };
	')

	# Both start and stop are granted; there is no start-only variant.
	allow $1 systemd_networkd_unit_t:service { start stop };
')
########################################
## <summary>
## Allow specified domain to get status of systemd-networkd
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_status_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service status;
	')

	# Status is checked against the unit file type, unlike
	# systemd_status_logind() which targets the process type.
	allow $1 systemd_networkd_unit_t:service status;
')
#######################################
## <summary>
## Relabel systemd_networkd tun socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelfrom_networkd_tun_sockets',`
gen_require(`
type systemd_networkd_t;
')
# relabelfrom only: the domain may move a tun_socket currently labelled
# systemd_networkd_t to another label; relabelto on the destination
# type must be granted separately.
allow $1 systemd_networkd_t:tun_socket relabelfrom;
')
#######################################
## <summary>
## Read/Write from systemd_networkd netlink route socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_rw_networkd_netlink_route_sockets',`
gen_require(`
type systemd_networkd_t;
')
# client-side stream socket permissions on a netlink route socket that
# is labelled with networkd's domain type; presumably for a socket
# inherited from or passed by systemd-networkd -- confirm against caller
allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
')
#######################################
## <summary>
## List the systemd-networkd runtime directories
## under /run/systemd/netif.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_list_networkd_runtime',`
gen_require(`
type systemd_networkd_runtime_t;
')
# search and list the networkd runtime directories only;
# no access to the files inside them is granted here
list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
# reach the parent /run/systemd directory
init_list_pids($1)
')
#######################################
## <summary>
## Watch directories under /run/systemd/netif
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_watch_networkd_runtime_dirs',`
gen_require(`
type systemd_networkd_runtime_t;
')
# inotify-style watch on the runtime directories only; pair with
# systemd_list_networkd_runtime / systemd_read_networkd_runtime
# when the watcher also needs to read what changed
allow $1 systemd_networkd_runtime_t:dir watch;
')
#######################################
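## <summary>
## Allow domain to read the runtime state files
## systemd-networkd publishes under /run/systemd/netif.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_networkd_runtime',`
gen_require(`
type systemd_networkd_runtime_t;
')
# read-only: list the runtime directories and read the per-link
# state files; callers that only need the directory listing should
# use systemd_list_networkd_runtime instead
list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
')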
########################################
## <summary>
## Allow systemd_logind_t to read the process state (e.g. the cgroup file) of the specified domain
## </summary>
## <param name="domain">
## <summary>
## Domain systemd_logind_t may access.
## </summary>
## </param>
#
interface(`systemd_read_logind_state',`
gen_require(`
type systemd_logind_t;
')
# note the direction: systemd_logind_t is the subject here and $1 is
# the domain whose (process) directories and files logind may read
allow systemd_logind_t $1:dir list_dir_perms;
allow systemd_logind_t $1:file read_file_perms;
')
########################################
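## <summary>
## Allow specified domain to start power units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_start_power_units',`
gen_require(`
type power_unit_t;
class service start;
')
# service is a userspace class checked by systemd. Starting a power
# unit can halt or reboot the machine, so grant this only to domains
# that legitimately need to shut the system down.
allow $1 power_unit_t:service start;
')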
########################################
## <summary>
## Get the system status information about power units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_status_power_units',`
gen_require(`
type power_unit_t;
class service status;
')
# status only; starting power units is a separate interface
# (systemd_start_power_units)
allow $1 power_unit_t:service status;
')
########################################
## <summary>
## Make the specified type usable for
## systemd tmpfiles config files.
## </summary>
## <param name="type">
## <summary>
## Type to be used for systemd tmpfiles config files.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_conf_file',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
# mark the type as a tmpfiles config type so interfaces that operate
# on the attribute (e.g. systemd_relabelto_tmpfiles_conf_files) cover it
typeattribute $1 systemd_tmpfiles_conf_type;
# also give it the generic config-file characteristics
files_config_file($1)
')
########################################
## <summary>
## Allow the specified domain to create the
## tmpfiles config directory with the correct
## context.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_creator',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
# the filetrans below only labels the new directory; the create
# permission itself has to be granted explicitly
allow $1 systemd_tmpfiles_conf_t:dir create;
# a "tmpfiles.d" directory created in the pid directory gets the
# tmpfiles config type automatically
files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
')
########################################
## <summary>
## Create an object in the systemd tmpfiles config
## directory, with a private type
## using a type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private type">
## <summary>
## The type of the object to be created.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_conf_filetrans',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
# reach the pid directory that holds the tmpfiles config directory
files_search_pids($1)
# $4 is the optional file name; when empty the transition applies to
# any object of class $3 created in the config directory
filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')
########################################
## <summary>
## Allow domain to list the systemd tmpfiles
## config directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_list_tmpfiles_conf',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
# search and list the directory; the config files themselves are
# not readable through this interface
list_dirs_pattern($1, systemd_tmpfiles_conf_t, systemd_tmpfiles_conf_t)
')
########################################
## <summary>
## Allow domain to relabel to systemd tmpfiles config directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
# relabelto only: the domain may give a directory this label but the
# relabelfrom on the directory's current type is granted elsewhere
allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
')
########################################
## <summary>
## Allow domain to relabel to systemd tmpfiles config files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_files',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
# uses the attribute, so this covers every type registered through
# systemd_tmpfiles_conf_file, not just systemd_tmpfiles_conf_t
allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
')
#######################################
## <summary>
## Allow systemd_tmpfiles_t to manage filesystem objects
## </summary>
## <param name="type">
## <summary>
## type of object to manage
## </summary>
## </param>
## <param name="class">
## <summary>
## object class to manage
## </summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
gen_require(`
type systemd_tmpfiles_t;
')
# systemd_tmpfiles_t is the subject; $1 is the managed type and $2 the
# class. Only creation, attribute changes and relabeling in both
# directions are granted -- no read/write of contents. Because
# relabelfrom/relabelto is included, each type passed in becomes one
# that tmpfiles can freely re-label, so callers should pass narrow types.
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
########################################
## <summary>
## Send and receive messages from
## systemd resolved over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_resolved',`
gen_require(`
type systemd_resolved_t;
class dbus send_msg;
')
# bidirectional: the domain may send to resolved and resolved may
# reply/send to the domain (dbus is a userspace class enforced by
# the bus daemon)
allow $1 systemd_resolved_t:dbus send_msg;
allow systemd_resolved_t $1:dbus send_msg;
')
#######################################
## <summary>
## Allow domain to read resolv.conf file generated by systemd_resolved
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_resolved_runtime',`
gen_require(`
type systemd_resolved_runtime_t;
')
# read the runtime files only; presumably the caller already has
# search on /run (e.g. via files_search_pids) -- confirm against callers
read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
')
#######################################
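## <summary>
## Allow domain to getattr on the .updated file
## (generated by systemd-update-done).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_getattr_updated_runtime',`
gen_require(`
type systemd_update_run_t;
')
# getattr only (existence/metadata check); contents are not readable
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')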
########################################
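## <summary>
## Search keys of all systemd --user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_search_all_user_keys',`
gen_require(`
attribute systemd_user_session_type;
')
# the attribute covers every per-role $1_systemd_t domain created by
# systemd_role_template, so this is not scoped to a single user
allow $1 systemd_user_session_type:key search;
')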
########################################
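## <summary>
## Create keys of all systemd --user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_create_all_user_keys',`
gen_require(`
attribute systemd_user_session_type;
')
# applies to every per-role systemd --user domain via the attribute
allow $1 systemd_user_session_type:key create;
')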
########################################
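## <summary>
## Write keys of all systemd --user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_all_user_keys',`
gen_require(`
attribute systemd_user_session_type;
')
# write access to the keyrings of every per-role systemd --user domain;
# this crosses user boundaries, so restrict it to system domains that
# genuinely need to populate user keyrings
allow $1 systemd_user_session_type:key write;
')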