diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 467d8a26d..0f11f80b9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3117,6 +3117,26 @@ interface(`files_manage_etc_files',`
 read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+##
+## Do not audit attempts to create, read, write,
+## and delete generic files in /etc.
+##
+##
+##
+## Domain to not audit.
+##
+##
+##
+#
+interface(`files_dontaudit_manage_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:file manage_file_perms;
+')
+
 ########################################
 ##
 ## Delete system configuration files in /etc.
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 09c3f0fd6..e605e7830 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -57,6 +57,8 @@
 /usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service -- gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_factory_conf_t,s0)
+
 /var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5d34e6d2e..ed2bce80b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -45,6 +45,14 @@ gen_tunable(systemd_socket_proxyd_bind_any, false)
 ##
 gen_tunable(systemd_socket_proxyd_connect_any, false)
+##
+##
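Review bot: `files_dontaudit_manage_etc_files` only silences `etc_t:file manage_file_perms`, but the interface it mirrors, `files_manage_etc_files` (only its `read_lnk_files_pattern` tail is visible in the context), also covers the directory side of the operation: creating or unlinking a file in /etc is denied first on `etc_t:dir` (write/add_name/remove_name), so with the tunable off those denials would still be logged. If the intent is to silence the whole set the off-branch would otherwise produce, add `dontaudit $1 etc_t:dir rw_dir_perms;` beside the file rule; if file-level access is deliberately the only thing covered, say so in the summary so callers do not expect more. The `gen_require` should then stay as it is, since only `etc_t` is referenced either way.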

+## Allow systemd-tmpfilesd to populate missing configuration files from factory
+## template directory.
+##
+##
+gen_tunable(systemd_tmpfilesd_factory, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
@@ -104,6 +112,9 @@ type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
 
+type systemd_factory_conf_t;
+systemd_tmpfiles_conf_file(systemd_factory_conf_t)
+
 type systemd_generator_t;
 type systemd_generator_exec_t;
 typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
@@ -1283,6 +1294,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms;
 allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 kernel_getattr_proc(systemd_tmpfiles_t)
@@ -1377,6 +1389,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
 files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
 
+tunable_policy(`systemd_tmpfilesd_factory', `
+ allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+ files_manage_etc_files(systemd_tmpfiles_t)
+',`
+ dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+ dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+ files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+')
+
 optional_policy(`
 dbus_read_lib_files(systemd_tmpfiles_t)
 dbus_relabel_lib_dirs(systemd_tmpfiles_t)
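Review bot: The new tunable is named `systemd_tmpfilesd_factory`, while the existing tunable for the same domain in this file is `systemd_tmpfiles_manage_all` (hunk at 1389) and the domain itself is `systemd_tmpfiles_t`; the `tmpfilesd` spelling in both the name and the description also does not match the systemd-tmpfiles binary. Renaming it `systemd_tmpfiles_factory` and writing `systemd-tmpfiles` in the description keeps the tunables for this domain greppable as one family. The description should also state what the off position does, since the else-branch at 1389 deliberately suppresses the resulting denials and an administrator reading only the tunable text would not know that.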
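Review bot: The `allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms` inside the tunable branch and the matching `dontaudit` in the else branch look redundant with the unconditional `allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms` (context at 1294) and the new `:dir search_dir_perms` rule, because the hunk at 112 passes `systemd_factory_conf_t` through `systemd_tmpfiles_conf_file()`, which presumably puts it in the `systemd_tmpfiles_conf_type` attribute. If that is the case, reading factory templates is allowed regardless of the tunable, the else-branch file `dontaudit` can never take effect, and the tunable only really gates `list_dir_perms` on the template directory and `files_manage_etc_files`. Either keep the factory type out of the attribute so the tunable genuinely gates access to the templates, or drop the two file rules from the branches and document that the tunable controls only directory listing and /etc writes.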