init/systemd: allow systemd to map the SELinux status page

systemd v247 maps the SELinux status page (/sys/fs/selinux/status).
This affects every domain that currently opens the label database,
i.e. those granted seutil_read_file_contexts.

see https://github.com/systemd/systemd/pull/16821

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Christian Göttsche 2020-09-05 18:09:37 +02:00
parent dcf7ae9f48
commit 1103350ee3
2 changed files with 24 additions and 1 deletions


@ -439,6 +439,8 @@ ifdef(`init_systemd',`
selinux_compute_access_vector(init_t)
# for starting systemd --user in the right domain:
selinux_compute_user_contexts(init_t)
# mmap status page
selinux_map_security_files(init_t)
storage_getattr_removable_dev(init_t)
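Review bot: The `# mmap status page` comment on the added selinux_map_security_files(init_t) call undersells what is granted: as far as I know that interface allows map on every file of type security_t, i.e. all of selinuxfs, because refpolicy has no separate type for /sys/fs/selinux/status. That breadth is unavoidable with the current labeling, but it is worth recording so nobody later reads this as a status-page-only grant; a read-only mapping is all libselinux's selinux_status_open() needs, so no write-side permission should ever be added next to it. I would expand the comment to `# mmap the SELinux status page (/sys/fs/selinux/status); security_t covers all of selinuxfs`. The enclosing ifdef(`init_systemd') block starts before and ends after this hunk, and the rendered hunk appears to be missing its trailing context lines.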


@ -424,6 +424,9 @@ dev_read_sysfs(systemd_hostnamed_t)
files_read_etc_files(systemd_hostnamed_t)
selinux_get_enforce_mode(systemd_hostnamed_t)
selinux_map_security_files(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
sysnet_etc_filetrans_config(systemd_hostnamed_t)
@ -454,6 +457,8 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
files_search_runtime(systemd_hw_t)
selinux_get_fs_mount(systemd_hw_t)
selinux_get_enforce_mode(systemd_hw_t)
selinux_map_security_files(systemd_hw_t)
init_read_state(systemd_hw_t)
@ -469,6 +474,9 @@ kernel_read_kernel_sysctls(systemd_locale_t)
files_read_etc_files(systemd_locale_t)
selinux_get_enforce_mode(systemd_locale_t)
selinux_map_security_files(systemd_locale_t)
seutil_read_file_contexts(systemd_locale_t)
systemd_log_parse_environment(systemd_locale_t)
@ -561,6 +569,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)
selinux_get_enforce_mode(systemd_logind_t)
selinux_map_security_files(systemd_logind_t)
storage_getattr_removable_dev(systemd_logind_t)
storage_getattr_scsi_generic_dev(systemd_logind_t)
@ -1080,6 +1089,9 @@ corenet_udp_bind_generic_node(systemd_resolved_t)
corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
selinux_get_enforce_mode(systemd_resolved_t)
selinux_map_security_files(systemd_resolved_t)
auth_use_nsswitch(systemd_resolved_t)
files_watch_root_dirs(systemd_resolved_t)
@ -1113,6 +1125,7 @@ kernel_read_kernel_sysctls(systemd_sessions_t)
selinux_get_enforce_mode(systemd_sessions_t)
selinux_get_fs_mount(systemd_sessions_t)
selinux_map_security_files(systemd_sessions_t)
seutil_read_config(systemd_sessions_t)
seutil_read_default_contexts(systemd_sessions_t)
@ -1134,6 +1147,9 @@ files_manage_etc_files(systemd_sysusers_t)
kernel_read_kernel_sysctls(systemd_sysusers_t)
selinux_get_enforce_mode(systemd_sysusers_t)
selinux_map_security_files(systemd_sysusers_t)
auth_manage_shadow(systemd_sysusers_t)
auth_etc_filetrans_shadow(systemd_sysusers_t)
auth_use_nsswitch(systemd_sysusers_t)
@ -1202,7 +1218,8 @@ fs_list_tmpfs(systemd_tmpfiles_t)
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)
selinux_get_enforce_mode(systemd_tmpfiles_t)
selinux_map_security_files(systemd_tmpfiles_t)
auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
@ -1287,6 +1304,9 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
kernel_read_kernel_sysctls(systemd_update_done_t)
selinux_get_enforce_mode(systemd_update_done_t)
selinux_map_security_files(systemd_update_done_t)
seutil_read_file_contexts(systemd_update_done_t)
systemd_log_parse_environment(systemd_update_done_t)
@ -1381,6 +1401,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
selinux_get_enforce_mode(systemd_user_runtime_dir_t)
selinux_map_security_files(systemd_user_runtime_dir_t)
systemd_log_parse_environment(systemd_user_runtime_dir_t)
systemd_dbus_chat_logind(systemd_user_runtime_dir_t)
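Review bot: Unlike the init.te hunk, none of the selinux_map_security_files() calls added in this file carry a comment, so a reader of the systemd_hostnamed_t block cannot tell why a hostname daemon needs to map selinuxfs. The commit message ties the change to domains that call seutil_read_file_contexts, but that call is only visible beside some of the touched domains (hostnamed, locale, update_done); for systemd_hw_t, logind, resolved, sessions, sysusers, tmpfiles and user_runtime_dir it is presumably elsewhere in their blocks, and the justification should not have to be reconstructed from the log. I would add `# mmap /sys/fs/selinux/status (libselinux status page; all selinuxfs files are security_t)` above each added call, or at least once in the first block with the others referring to it. The -1202,7 +1218,8 hunk records one deletion that the rendered page does not show, so that part of the change cannot be reviewed here; several hunks also appear to be missing their trailing context lines.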