Systemd-related changes from Russell Coker.

This commit is contained in:
Chris PeBenito 2017-04-06 17:37:50 -04:00
parent b690079a93
commit 73d8b3026c
20 changed files with 293 additions and 27 deletions

@ -1 +1 @@
Subproject commit ecfc24a33fa1c1e53f73960954d74887d9a80f93
Subproject commit 443f5abc9ca3e5f10ecbccde88dbf8d7906cab81

View File

@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
allow $1 etc_t:service status;
')
########################################
## <summary>
## start etc_t service
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_start_etc_service',`
gen_require(`
type etc_t;
')
allow $1 etc_t:service start;
')
########################################
## <summary>
## stop etc_t service
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_stop_etc_service',`
gen_require(`
type etc_t;
')
allow $1 etc_t:service stop;
')
#######################################
## <summary>
## Relabel from and to generic files in /etc.

View File

@ -1,4 +1,4 @@
policy_module(files, 1.23.10)
policy_module(files, 1.23.11)
########################################
#

View File

@ -1,4 +1,4 @@
policy_module(sysadm, 2.11.3)
policy_module(sysadm, 2.11.4)
########################################
#
@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
init_get_system_status(sysadm_t)
init_disable(sysadm_t)
init_enable(sysadm_t)
init_reload(sysadm_t)
init_reboot_system(sysadm_t)
init_shutdown_system(sysadm_t)
init_start_generic_units(sysadm_t)
init_stop_generic_units(sysadm_t)
init_reload_generic_units(sysadm_t)
init_admin(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)

View File

@ -271,6 +271,10 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
optional_policy(`
systemd_read_logind_sessions_files($1_t)
')
')
########################################

View File

@ -1,4 +1,4 @@
policy_module(ssh, 2.9.2)
policy_module(ssh, 2.9.3)
########################################
#
@ -316,6 +316,11 @@ optional_policy(`
rssh_read_ro_content(sshd_t)
')
optional_policy(`
systemd_write_inherited_logind_sessions_pipes(sshd_t)
systemd_dbus_chat_logind(sshd_t)
')
optional_policy(`
unconfined_shell_domtrans(sshd_t)
')

View File

@ -1,4 +1,4 @@
policy_module(xserver, 3.13.6)
policy_module(xserver, 3.13.7)
gen_require(`
class x_drawable all_x_drawable_perms;
@ -275,6 +275,10 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
allow xdm_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
allow xauth_t xdm_t:fd use;
allow xauth_t xdm_t:fifo_file { getattr read };
allow xauth_t xdm_t:unix_stream_socket { read write };
kernel_request_load_module(xauth_t)
domain_use_interactive_fds(xauth_t)

View File

@ -1,4 +1,4 @@
policy_module(fstools, 1.20.1)
policy_module(fstools, 1.20.2)
########################################
#
@ -146,6 +146,7 @@ term_use_console(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
init_rw_script_stream_sockets(fsadm_t)
logging_send_syslog_msg(fsadm_t)

View File

@ -1175,6 +1175,25 @@ interface(`init_search_pids',`
allow $1 init_var_run_t:dir search_dir_perms;
')
######################################
## <summary>
## Allow listing of the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_pids',`
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir list_dir_perms;
files_search_pids($1)
')
########################################
## <summary>
## Create files in an init PID directory.
@ -1575,6 +1594,25 @@ interface(`init_all_labeled_script_domtrans',`
init_labeled_script_domtrans($1, init_script_file_type)
')
########################################
## <summary>
## Allow getting service status of initrc_exec_t scripts
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_get_script_status',`
gen_require(`
type initrc_exec_t;
class service status;
')
allow $1 initrc_exec_t:service status;
')
########################################
## <summary>
## Allow the role to start and stop
@ -2823,6 +2861,26 @@ interface(`init_get_all_units_status',`
allow $1 { init_script_file_type systemdunit }:service status;
')
#######################################
## <summary>
## All perms on all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_all_units',`
gen_require(`
attribute systemdunit;
class service all_service_perms;
')
allow $1 systemdunit:service all_service_perms;
allow $1 systemdunit:file getattr;
')
########################################
## <summary>
## Start all systemd units.
@ -2879,3 +2937,39 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
########################################
## <summary>
## Allow unconfined access to send instructions to init
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_admin',`
gen_require(`
type initrc_exec_t;
class service status;
')
dev_manage_null_service($1)
init_disable($1)
init_enable($1)
init_get_all_units_status($1)
init_get_generic_units_status($1)
init_get_system_status($1)
init_manage_all_units($1)
init_manage_script_service($1)
init_reboot_system($1)
init_reload($1)
init_reload_all_units($1)
init_shutdown_system($1)
init_start_all_units($1)
init_start_generic_units($1)
init_stop_all_units($1)
init_stop_generic_units($1)
init_stop_system($1)
init_telinit($1)
')

View File

@ -1,4 +1,4 @@
policy_module(init, 2.2.15)
policy_module(init, 2.2.16)
gen_require(`
class passwd rootok;
@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
seutil_read_default_contexts(initrc_t)
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
sysnet_create_config(initrc_t)
sysnet_write_config(initrc_t)
sysnet_setattr_config(initrc_t)
sysnet_manage_config(initrc_t)
optional_policy(`
abrt_manage_pid_files(initrc_t)

View File

@ -1,4 +1,4 @@
policy_module(locallogin, 1.15.3)
policy_module(locallogin, 1.15.4)
########################################
#
@ -192,6 +192,11 @@ optional_policy(`
nscd_use(local_login_t)
')
optional_policy(`
systemd_dbus_chat_logind(local_login_t)
systemd_write_inherited_logind_sessions_pipes(local_login_t)
')
optional_policy(`
unconfined_shell_domtrans(local_login_t)
')

View File

@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)

View File

@ -1,4 +1,4 @@
policy_module(lvm, 1.19.7)
policy_module(lvm, 1.19.8)
########################################
#
@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)
kernel_request_load_module(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
# Read system variables in /proc/sys
@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
# for systemd-cryptsetup
kernel_read_crypto_sysctls(lvm_t)
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
@ -301,6 +304,8 @@ init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
# for systemd-cryptsetup to talk to /run/systemd/journal/socket
init_stream_connect(lvm_t)
logging_send_syslog_msg(lvm_t)

View File

@ -416,6 +416,25 @@ interface(`sysnet_create_config',`
allow $1 net_conf_t:file create_file_perms;
')
#######################################
## <summary>
## Relabel network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_relabel_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file { relabelfrom relabelto };
')
#######################################
## <summary>
## Create files in /etc with the type used for
@ -455,6 +474,7 @@ interface(`sysnet_manage_config',`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_debian',`

View File

@ -1,4 +1,4 @@
policy_module(sysnetwork, 1.20.7)
policy_module(sysnetwork, 1.20.8)
########################################
#

View File

@ -58,6 +58,26 @@ interface(`systemd_manage_logind_pid_pipes',`
manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
')
######################################
## <summary>
## Write systemd_login named pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_write_logind_pid_pipes',`
gen_require(`
type systemd_logind_var_run_t;
')
init_search_run($1)
files_search_pids($1)
allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
')
######################################
## <summary>
## Use inherited systemd
@ -77,6 +97,27 @@ interface(`systemd_use_logind_fds',`
allow $1 systemd_logind_t:fd use;
')
######################################
## <summary>
## Read logind sessions files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_logind_sessions_files',`
gen_require(`
type systemd_sessions_var_run_t, systemd_logind_t;
')
allow $1 systemd_logind_t:fd use;
init_search_run($1)
allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
')
######################################
## <summary>
## Write inherited logind sessions pipes.
@ -170,6 +211,25 @@ interface(`systemd_signull_logind',`
allow $1 systemd_logind_t:process signull;
')
########################################
## <summary>
## Allow reading /run/systemd/machines
## </summary>
## <param name="domain">
## <summary>
## Domain that can access the machines files
## </summary>
## </param>
#
interface(`systemd_read_machines',`
gen_require(`
type systemd_machined_var_run_t;
')
allow $1 systemd_machined_var_run_t:dir list_dir_perms;
allow $1 systemd_machined_var_run_t:file read_file_perms;
')
########################################
## <summary>
## allow systemd_passwd_agent to inherit fds
@ -188,6 +248,30 @@ interface(`systemd_use_passwd_agent_fds',`
allow systemd_passwd_agent_t $1:fd use;
')
#######################################
## <summary>
## Allow a systemd_passwd_agent_t process to interact with a daemon
## that needs a password from the sysadmin.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_use_passwd_agent',`
gen_require(`
type systemd_passwd_agent_t;
type systemd_passwd_var_run_t;
')
manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
allow systemd_passwd_agent_t $1:process signull;
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')
########################################
## <summary>
## Transition to systemd_passwd_var_run_t when creating dirs

View File

@ -1,4 +1,4 @@
policy_module(systemd, 1.3.15)
policy_module(systemd, 1.3.16)
#########################################
#
@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpfiles_t)
seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
sysnet_create_config(systemd_tmpfiles_t)
sysnet_manage_config(systemd_tmpfiles_t)
sysnet_relabel_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)

View File

@ -1,4 +1,4 @@
policy_module(udev, 1.21.6)
policy_module(udev, 1.21.7)
########################################
#
@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
dontaudit udev_t self:capability sys_tty_config;
allow udev_t self:capability2 block_suspend;
allow udev_t self:capability2 { wake_alarm block_suspend };
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_read_kernel_modules(udev_t)
files_exec_etc_files(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
@ -148,8 +149,14 @@ auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
# systemd-udevd searches /run/systemd
init_search_run(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
init_start_all_units(udev_t)
init_stop_all_units(udev_t)
# for hdparm init script run by udev
init_get_script_status(udev_t)
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
@ -228,6 +235,7 @@ ifdef(`init_systemd',`
init_dgram_send(udev_t)
systemd_read_logind_sessions_files(udev_t)
systemd_read_logind_pids(udev_t)
',`
fs_manage_tmpfs_dirs(udev_t)

View File

@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
class service all_service_perms;
')
# Use most Linux capabilities
@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
files_get_etc_unit_status($1)
files_start_etc_service($1)
files_stop_etc_service($1)
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.

View File

@ -1,4 +1,4 @@
policy_module(unconfined, 3.9.2)
policy_module(unconfined, 3.9.3)
########################################
#
@ -95,6 +95,10 @@ optional_policy(`
hadoop_role(unconfined_r, unconfined_t)
')
optional_policy(`
init_admin(unconfined_t)
')
optional_policy(`
inn_domtrans(unconfined_t)
')