Merge pull request #46 from pebenito/systemd-user

config/appconfig-mcs/default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0		user_r:user_systemd_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0 unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0

config/appconfig-mcs/root_default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:init_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_systemd_t:s0 staff_r:staff_systemd_t:s0 user_r:user_systemd_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

config/appconfig-mcs/staff_u_default_contexts

@@ -1,3 +1,4 @@
+system_r:init_t:s0		staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0

config/appconfig-mcs/unconfined_u_default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0		unconfined_r:unconfined_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0

config/appconfig-mcs/user_u_default_contexts

@@ -1,3 +1,4 @@
+system_r:init_t:s0		user_r:user_systemd_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0

config/appconfig-mls/default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0		user_r:user_systemd_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0 unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0

config/appconfig-mls/root_default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:init_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_systemd_t:s0 staff_r:staff_systemd_t:s0 user_r:user_systemd_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

config/appconfig-mls/staff_u_default_contexts

@@ -1,3 +1,4 @@
+system_r:init_t:s0		staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0

config/appconfig-mls/unconfined_u_default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0		unconfined_r:unconfined_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0

config/appconfig-mls/user_u_default_contexts

@@ -1,3 +1,4 @@
+system_r:init_t:s0		user_r:user_systemd_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0

config/appconfig-standard/default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t	user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
+system_r:init_t		user_r:user_systemd_t staff_r:staff_systemd_t sysadm_r:sysadm_systemd_t unconfined_r:unconfined_t
 system_r:local_login_t	user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
 system_r:remote_login_t	user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
 system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t

config/appconfig-standard/root_default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t	unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
+system_r:init_t		unconfined_r:unconfined_t sysadm_r:sysadm_systemd_t staff_r:staff_systemd_t user_r:user_systemd_t
 system_r:local_login_t  unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
 
 staff_r:staff_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t

config/appconfig-standard/staff_u_default_contexts

@@ -1,3 +1,4 @@
+system_r:init_t			staff_r:staff_systemd_t sysadm_r:sysadm_systemd_t
 system_r:local_login_t		staff_r:staff_t sysadm_r:sysadm_t
 system_r:remote_login_t		staff_r:staff_t
 system_r:sshd_t			staff_r:staff_t sysadm_r:sysadm_t

config/appconfig-standard/unconfined_u_default_contexts

@@ -1,4 +1,5 @@
 system_r:crond_t		unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
+system_r:init_t			unconfined_r:unconfined_t
 system_r:initrc_t		unconfined_r:unconfined_t
 system_r:local_login_t		unconfined_r:unconfined_t
 system_r:remote_login_t		unconfined_r:unconfined_t

config/appconfig-standard/user_u_default_contexts

@@ -1,3 +1,4 @@
+system_r:init_t			user_r:user_systemd_t
 system_r:local_login_t		user_r:user_t
 system_r:remote_login_t		user_r:user_t
 system_r:sshd_t			user_r:user_t

policy/modules/system/init.if

@@ -650,6 +650,44 @@ interface(`init_domtrans',`
 	domtrans_pattern($1, init_exec_t, init_t)
 ')
 
+########################################
+## <summary>
+##	Execute init (/sbin/init) with a domain transition
+##	to the provided domain.
+## </summary>
+## <desc>
+##	Execute init (/sbin/init) with a domain transition
+##	to the provided domain.  This is used by systemd
+##	to execute the systemd user session.
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	New domain.
+##	</summary>
+## </param>
+#
+interface(`init_pgm_spec_user_daemon_domain',`
+	gen_require(`
+		type init_t, init_exec_t;
+	')
+
+	domain_type($1)
+	domain_entry_file($1, init_exec_t)
+
+	spec_domtrans_pattern(init_t, init_exec_t, $1)
+
+	allow init_t $1:process { setsched rlimitinh noatsecure };
+
+	ifdef(`init_systemd',`
+		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute the init program in the caller domain.
@@ -670,6 +708,26 @@ interface(`init_exec',`
 	can_exec($1, init_exec_t)
 ')
 
+########################################
+## <summary>
+##	Allow the init program to be an entrypoint
+##	for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_pgm_entrypoint',`
+	gen_require(`
+		type init_exec_t;
+	')
+
+	allow $1 init_exec_t:file entrypoint;
+')
+
 ########################################
 ## <summary>
 ##	Execute the rc application in the caller domain.

policy/modules/system/init.te

@@ -240,7 +240,8 @@ ifdef(`init_systemd',`
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
 
-	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
+	# setexec and setkeycreate for systemd --user
+	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
 	allow init_t self:capability2 { audit_read block_suspend };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
@@ -315,6 +316,9 @@ ifdef(`init_systemd',`
 	dev_write_watchdog(init_t)
 
 	domain_read_all_domains_state(init_t)
+	# for starting systemd --user in the right domain:
+	domain_subj_id_change_exemption(init_t)
+	domain_role_change_exemption(init_t)
 
 	files_read_all_pids(init_t)
 	files_list_usr(init_t)
@@ -391,6 +395,8 @@ ifdef(`init_systemd',`
 	selinux_validate_context(init_t)
 	selinux_compute_create_context(init_t)
 	selinux_compute_access_vector(init_t)
+	# for starting systemd --user in the right domain:
+	selinux_compute_user_contexts(init_t)
 
 	storage_getattr_removable_dev(init_t)
 
@@ -437,6 +443,9 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		systemd_dbus_chat_logind(init_t)
+		systemd_search_all_user_keys(init_t)
+		systemd_create_all_user_keys(init_t)
+		systemd_write_all_user_keys(init_t)
 	')
 
 	optional_policy(`
@@ -446,6 +455,13 @@ ifdef(`init_systemd',`
 	optional_policy(`
 		modutils_domtrans(init_t)
 	')
+
+	optional_policy(`
+		# for systemd --user:
+		unconfined_search_keys(init_t)
+		unconfined_create_keys(init_t)
+		unconfined_write_keys(init_t)
+	')
 ',`
 	tunable_policy(`init_upstart',`
 		corecmd_shell_domtrans(init_t, initrc_t)

policy/modules/system/mount.if

@@ -184,6 +184,24 @@ interface(`mount_rw_loopback_files',`
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	List mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_list_runtime',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Getattr on mount_var_run_t files

policy/modules/system/systemd.if

@@ -1,5 +1,62 @@
 ## <summary>Systemd components (not PID 1)</summary>
 
+#########################################
+## <summary>
+##	Template for systemd --user per-role domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for generated types
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The user role.
+##	</summary>
+## </param>
+## <param name="userdomain">
+##	<summary>
+##	The user domain for the role.
+##	</summary>
+## </param>
+#
+template(`systemd_role_template',`
+	gen_require(`
+		attribute systemd_user_session_type, systemd_log_parse_env_type;
+		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
+	')
+
+	#################################
+	#
+	# Declarations
+	#
+	type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
+	init_pgm_spec_user_daemon_domain($1_systemd_t)
+	domain_user_exemption_target($1_systemd_t)
+	ubac_constrained($1_systemd_t)
+	role $2 types $1_systemd_t;
+
+	#################################
+	#
+	# Local policy
+	#
+
+	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
+	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+	# This domain is per-role because of the below transitions.
+	# See the sytemd --user section of systemd.te for the
+	# remainder of the rules.
+	allow $1_systemd_t $3:process { setsched rlimitinh };
+	corecmd_shell_domtrans($1_systemd_t, $3)
+	corecmd_bin_domtrans($1_systemd_t, $3)
+')
+
 ######################################
 ## <summary>
 ##   Make the specified type usable as an
@@ -905,3 +962,57 @@ interface(`systemd_getattr_updated_runtime',`
 
 	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
 ')
+
+########################################
+## <summary>
+##	Search keys for the all systemd --user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_search_all_user_keys',`
+	gen_require(`
+		attribute systemd_user_session_type;
+	')
+
+	allow $1 systemd_user_session_type:key search;
+')
+
+########################################
+## <summary>
+##	Create keys for the all systemd --user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_create_all_user_keys',`
+	gen_require(`
+		attribute systemd_user_session_type;
+	')
+
+	allow $1 systemd_user_session_type:key create;
+')
+
+########################################
+## <summary>
+##	Write keys for the all systemd --user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_write_all_user_keys',`
+	gen_require(`
+		attribute systemd_user_session_type;
+	')
+
+	allow $1 systemd_user_session_type:key write;
+')

policy/modules/system/systemd.te

@@ -22,6 +22,7 @@ gen_tunable(systemd_nspawn_labeled_namespace, false)
 
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
+attribute systemd_user_session_type;
 
 type systemd_activate_t;
 type systemd_activate_exec_t;
@@ -202,6 +203,12 @@ init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
 type systemd_update_run_t;
 files_type(systemd_update_run_t)
 
+type systemd_user_runtime_notify_t;
+userdom_user_runtime_content(systemd_user_runtime_notify_t)
+
+type systemd_user_runtime_t;
+userdom_user_runtime_content(systemd_user_runtime_t)
+
 #
 # Unit file types
 #
@@ -1132,3 +1139,44 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 seutil_read_file_contexts(systemd_update_done_t)
 
 systemd_log_parse_environment(systemd_update_done_t)
+
+#########################################
+#
+# User session (systemd --user) local policy
+#
+
+allow systemd_user_session_type self:capability { dac_read_search sys_resource };
+dontaudit systemd_user_session_type self:capability dac_override;
+allow systemd_user_session_type self:process setfscreate;
+allow systemd_user_session_type self:udp_socket create_socket_perms;
+allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
+allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr setopt };
+
+allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
+userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
+
+allow systemd_user_session_type systemd_user_runtime_notify_t:sock_file create;
+type_transition systemd_user_session_type systemd_user_runtime_t:sock_file systemd_user_runtime_notify_t "notify";
+
+dev_write_sysfs_dirs(systemd_user_session_type)
+dev_read_sysfs(systemd_user_session_type)
+
+files_read_etc_files(systemd_user_session_type)
+files_list_usr(systemd_user_session_type)
+
+fs_getattr_cgroup(systemd_user_session_type)
+fs_rw_cgroup_files(systemd_user_session_type)
+fs_manage_cgroup_dirs(systemd_user_session_type)
+
+init_signal(systemd_user_session_type)
+
+kernel_read_kernel_sysctls(systemd_user_session_type)
+
+mount_list_runtime(systemd_user_session_type)
+
+storage_getattr_fixed_disk_dev(systemd_user_session_type)
+
+# for systemd to read udev status
+udev_read_pid_files(systemd_user_session_type)
+udev_list_pids(systemd_user_session_type)

policy/modules/system/unconfined.if

@@ -488,6 +488,24 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
 	dontaudit $1 unconfined_t:tcp_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Search keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_search_keys',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:key search;
+')
+
 ########################################
 ## <summary>
 ##	Create keys for the unconfined domain.
@@ -506,6 +524,24 @@ interface(`unconfined_create_keys',`
 	allow $1 unconfined_t:key create;
 ')
 
+########################################
+## <summary>
+##	Write keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_write_keys',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:key write;
+')
+
 ########################################
 ## <summary>
 ##	Send messages to the unconfined domain over dbus.

policy/modules/system/unconfined.te

@@ -61,6 +61,8 @@ ifdef(`direct_sysadm_daemon',`
 ifdef(`init_systemd',`
 	# for systemd-analyze
 	init_service_status(unconfined_t)
+	# for systemd --user:
+	init_pgm_entrypoint(unconfined_t)
 
 	optional_policy(`
 		systemd_dbus_chat_resolved(unconfined_t)

policy/modules/system/userdomain.if

@@ -857,6 +857,10 @@ template(`userdom_common_user_template',`
 		slrnpull_search_spool($1_t)
 	')
 
+	optional_policy(`
+		systemd_role_template($1, $1_r, $1_t)
+	')
+
 	optional_policy(`
 		usernetctl_run($1_t, $1_r)
 	')