systemd init from Russell Coker
This patch lets mandb_t search init_var_run_t dirs, which it needs when running with systemd. It also allows it fs_getattr_xattr_fs() because it seemed pointless to put that in a separate patch. Allow init_t to do several things that it requires when init is systemd. Allow various operations on var_log_t to access var_log_t symlinks too. Let auditd setattr its directory.
This commit is contained in:
parent
35bcd82964
commit
477d984415
|
@ -1 +1 @@
|
|||
Subproject commit df745e009604455cbff2facbf1296962fe3743a8
|
||||
Subproject commit cc8217920149792e4a1ef7cc60af22e3b2bc6117
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(init, 2.2.16)
|
||||
policy_module(init, 2.2.17)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -204,6 +204,7 @@ libs_rw_ld_so_cache(init_t)
|
|||
|
||||
logging_send_syslog_msg(init_t)
|
||||
logging_rw_generic_logs(init_t)
|
||||
logging_create_devlog(init_t)
|
||||
|
||||
seutil_read_config(init_t)
|
||||
|
||||
|
@ -316,6 +317,8 @@ ifdef(`init_systemd',`
|
|||
|
||||
seutil_read_file_contexts(init_t)
|
||||
|
||||
systemd_manage_lnk_file_passwd_run(init_t)
|
||||
|
||||
# udevd is a "systemd kobject uevent socket activated daemon"
|
||||
udev_create_kobject_uevent_sockets(init_t)
|
||||
|
||||
|
@ -402,7 +405,7 @@ optional_policy(`
|
|||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
allow initrc_t self:capability ~{ sys_admin sys_module };
|
||||
allow initrc_t self:capability2 block_suspend;
|
||||
allow initrc_t self:capability2 { wake_alarm block_suspend };
|
||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
@ -830,6 +833,7 @@ ifdef(`init_systemd',`
|
|||
allow init_t self:process { getcap setcap };
|
||||
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
|
||||
# Until systemd is fixed
|
||||
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
|
||||
allow init_t self:udp_socket create_socket_perms;
|
||||
|
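Review bot: The capability2 change in the -402 hunk widens initrc_t with wake_alarm, but nothing on the page says which script or service needs it, and the rule sits outside the init_systemd ifdef as far as this hunk shows (the enclosing block starts outside the hunk), so the grant applies to every init system. If it is only needed under systemd it should be gated; otherwise a one-line justification would help later audits, e.g. `# wake_alarm: needed by <service — TODO confirm>`. The same applies to `allow init_t self:udp_socket create_socket_perms;` in the -830 hunk, whose neighbours each carry a why-comment (`# Until systemd is fixed`) while this new self:udp_socket grant has none.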
|
|
@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
|
|||
|
||||
files_search_var($1)
|
||||
filetrans_pattern($1, var_log_t, $2, $3, $4)
|
||||
allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -645,6 +646,26 @@ interface(`logging_relabelto_devlog_sock_files',`
|
|||
allow $1 devlog_t:sock_file relabelto_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to the syslog control unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_create_devlog',`
|
||||
gen_require(`
|
||||
type devlog_t;
|
||||
')
|
||||
|
||||
allow $1 devlog_t:sock_file manage_sock_file_perms;
|
||||
dev_filetrans($1, devlog_t, sock_file)
|
||||
init_pid_filetrans($1, devlog_t, sock_file, "syslog")
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the auditd configuration files.
|
||||
|
@ -742,6 +763,7 @@ interface(`logging_search_logs',`
|
|||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir search_dir_perms;
|
||||
allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -779,6 +801,7 @@ interface(`logging_list_logs',`
|
|||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',`
|
|||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir rw_dir_perms;
|
||||
allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
|
|||
|
||||
files_search_var($1)
|
||||
append_files_pattern($1, var_log_t, logfile)
|
||||
allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
|
|||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
write_files_pattern($1, var_log_t, var_log_t)
|
||||
allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
|
|||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
rw_files_pattern($1, var_log_t, var_log_t)
|
||||
allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
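Review bot: The summary of the new `logging_create_devlog` interface (-645 hunk) reads "Connect to the syslog control unix stream socket.", which describes the preceding interface rather than this one; the body grants manage_sock_file_perms on devlog_t and adds file transitions via dev_filetrans and init_pid_filetrans (named "syslog"). Callers pick interfaces by their summary, so a misleading one invites over-granting; I would change it to `## Create and manage the devlog_t socket file, with file transitions in the device directory and the init pid directory.` The rest of the hunks in this file only add `allow $1 var_log_t:lnk_file read_lnk_file_perms;` to existing interfaces, which matches the commit description.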
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(logging, 1.25.9)
|
||||
policy_module(logging, 1.25.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|