RepoMirrors/selinux-refpolicy
1
0
Fork 0
mirror of https://github.com/SELinuxProject/refpolicy synced 2025-03-21 02:27:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #371 from pebenito/systemd-StandardInputText

Browse Source
This commit is contained in:
Chris PeBenito 2021-05-11 08:38:48 -04:00
commit 61bc896a67
3 changed files with 24 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.gitignore vendored
View File

@ -21,9 +21,5 @@
/policy/modules/kernel/corenetwork.te /policy/modules/kernel/corenetwork.te
/tmp/ /tmp/
.vagrant/ /.vagrant/
/.vscode/
# monolithic generated files
/file_contexts
/homedir_template
/policy.conf

16
policy/modules/system/init.if
View File

@ -183,9 +183,17 @@ interface(`init_domain',`
allow init_t $1:process rlimitinh; allow init_t $1:process rlimitinh;
ifdef(`init_systemd',` ifdef(`init_systemd',`
gen_require(`
type init_tmpfs_t;
')
allow $1 init_t:unix_stream_socket { getattr read write ioctl }; allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition }; allow init_t $1:process2 { nnp_transition nosuid_transition };
# StandardInputText uses a memfd rw shm segment.
# Cannot deny writes or it breaks.
allow $1 init_tmpfs_t:file rw_inherited_file_perms;
') ')
') ')
@ -270,9 +278,17 @@ interface(`init_spec_daemon_domain',`
allow init_t $1:process rlimitinh; allow init_t $1:process rlimitinh;
ifdef(`init_systemd',` ifdef(`init_systemd',`
gen_require(`
type init_tmpfs_t;
')
allow $1 init_t:unix_stream_socket { getattr read write ioctl }; allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition }; allow init_t $1:process2 { nnp_transition nosuid_transition };
# StandardInputText uses a memfd rw shm segment.
# Cannot deny writes or it breaks.
allow $1 init_tmpfs_t:file rw_inherited_file_perms;
') ')
# daemons started from init will # daemons started from init will

8
policy/modules/system/init.te
View File

@ -112,6 +112,9 @@ files_type(initrc_state_t)
type initrc_tmp_t; type initrc_tmp_t;
files_tmp_file(initrc_tmp_t) files_tmp_file(initrc_tmp_t)
type init_tmpfs_t;
files_tmpfs_file(init_tmpfs_t)
type initrc_var_log_t; type initrc_var_log_t;
logging_log_file(initrc_var_log_t) logging_log_file(initrc_var_log_t)
@ -170,6 +173,9 @@ files_runtime_filetrans(init_t, initctl_t, fifo_file)
# Modify utmp. # Modify utmp.
allow init_t initrc_runtime_t:file { rw_file_perms setattr }; allow init_t initrc_runtime_t:file { rw_file_perms setattr };
allow init_t init_tmpfs_t:file manage_file_perms;
fs_tmpfs_filetrans(init_t, init_tmpfs_t, file)
kernel_read_system_state(init_t) kernel_read_system_state(init_t)
kernel_share_state(init_t) kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t) kernel_dontaudit_search_unlabeled(init_t)
@ -292,8 +298,6 @@ ifdef(`init_systemd',`
manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t) manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t) manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t)
manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t) manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t)
# /memfd:systemd-state
fs_tmpfs_filetrans(init_t, init_runtime_t, file)
# mounton is required for systemd-timesyncd # mounton is required for systemd-timesyncd
allow init_t init_var_lib_t:dir { manage_dir_perms mounton }; allow init_t init_var_lib_t:dir { manage_dir_perms mounton };