Systemd-related changes from Russell Coker.
parent
b690079a93
commit
73d8b3026c
|
@ -1 +1 @@
|
|||
Subproject commit ecfc24a33fa1c1e53f73960954d74887d9a80f93
|
||||
Subproject commit 443f5abc9ca3e5f10ecbccde88dbf8d7906cab81
|
|
@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
|
|||
allow $1 etc_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## start etc_t service
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_start_etc_service',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
allow $1 etc_t:service start;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## stop etc_t service
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_stop_etc_service',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
allow $1 etc_t:service stop;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Relabel from and to generic files in /etc.
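Review bot: The summaries on the two new interfaces, `start etc_t service` and `stop etc_t service`, do not tell a caller how much is being granted. The rules are `allow $1 etc_t:service start;` and `allow $1 etc_t:service stop;`, which presumably cover every unit whose file carries the generic etc_t label rather than a more specific unit type. I would write them as full sentences, e.g. `## Start systemd units whose unit file is labeled etc_t.` and `## Stop systemd units whose unit file is labeled etc_t.`, so the breadth is visible where `unconfined_domain_noaudit` calls them.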
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(files, 1.23.10)
|
||||
policy_module(files, 1.23.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(sysadm, 2.11.3)
|
||||
policy_module(sysadm, 2.11.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
|
|||
ubac_fd_exempt(sysadm_t)
|
||||
|
||||
init_exec(sysadm_t)
|
||||
init_get_system_status(sysadm_t)
|
||||
init_disable(sysadm_t)
|
||||
init_enable(sysadm_t)
|
||||
init_reload(sysadm_t)
|
||||
init_reboot_system(sysadm_t)
|
||||
init_shutdown_system(sysadm_t)
|
||||
init_start_generic_units(sysadm_t)
|
||||
init_stop_generic_units(sysadm_t)
|
||||
init_reload_generic_units(sysadm_t)
|
||||
init_admin(sysadm_t)
|
||||
|
||||
# Add/remove user home directories
|
||||
userdom_manage_user_home_dirs(sysadm_t)
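Review bot: Replacing the individual calls with `init_admin(sysadm_t)` is not a one-for-one swap: `init_reload_generic_units` is in the old list, but it is not among the interfaces that `init_admin` calls in this commit. Reload of generic units then depends on `init_reload_all_units` or `init_manage_all_units` covering the generic unit type, which cannot be confirmed from this page. Either add `init_reload_generic_units($1)` to `init_admin` or confirm that the attribute-based rules cover it. The swap also widens sysadm_t to `all_service_perms` on every `systemdunit` type, plus `init_telinit` and `init_stop_system`. A comment such as `# full control of init and of all units` above the call would record that this is intended.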
|
||||
|
|
|
@ -271,6 +271,10 @@ template(`ssh_server_template', `
|
|||
files_read_var_lib_symlinks($1_t)
|
||||
nx_spec_domtrans_server($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_read_logind_sessions_files($1_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(ssh, 2.9.2)
|
||||
policy_module(ssh, 2.9.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -316,6 +316,11 @@ optional_policy(`
|
|||
rssh_read_ro_content(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_write_inherited_logind_sessions_pipes(sshd_t)
|
||||
systemd_dbus_chat_logind(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(xserver, 3.13.6)
|
||||
policy_module(xserver, 3.13.7)
|
||||
|
||||
gen_require(`
|
||||
class x_drawable all_x_drawable_perms;
|
||||
|
@ -275,6 +275,10 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
|
|||
allow xdm_t xauth_home_t:file manage_file_perms;
|
||||
userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
|
||||
|
||||
allow xauth_t xdm_t:fd use;
|
||||
allow xauth_t xdm_t:fifo_file { getattr read };
|
||||
allow xauth_t xdm_t:unix_stream_socket { read write };
|
||||
|
||||
kernel_request_load_module(xauth_t)
|
||||
|
||||
domain_use_interactive_fds(xauth_t)
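Review bot: The `allow xauth_t xdm_t:...` rules that appear to be added in this hunk have no comment saying which descriptors they are for. `allow xauth_t xdm_t:unix_stream_socket { read write };` in particular gives xauth_t read and write on xdm_t's stream sockets, and a reader cannot tell whether that is inherited stdio or a real communication channel. If it is inherited stdio, say so above the rules, e.g. `# xauth inherits its stdio (pipe/socket) from xdm`. If the access only shows up as AVC denials and xauth works without it, `dontaudit` would be the tighter choice.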
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(fstools, 1.20.1)
|
||||
policy_module(fstools, 1.20.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -146,6 +146,7 @@ term_use_console(fsadm_t)
|
|||
init_use_fds(fsadm_t)
|
||||
init_use_script_ptys(fsadm_t)
|
||||
init_dontaudit_getattr_initctl(fsadm_t)
|
||||
init_rw_script_stream_sockets(fsadm_t)
|
||||
|
||||
logging_send_syslog_msg(fsadm_t)
|
||||
|
||||
|
|
|
@ -1175,6 +1175,25 @@ interface(`init_search_pids',`
|
|||
allow $1 init_var_run_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Allow listing of the /run/systemd directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_list_pids',`
|
||||
gen_require(`
|
||||
type init_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 init_var_run_t:dir list_dir_perms;
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create files in an init PID directory.
|
||||
|
@ -1575,6 +1594,25 @@ interface(`init_all_labeled_script_domtrans',`
|
|||
init_labeled_script_domtrans($1, init_script_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow getting service status of initrc_exec_t scripts
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Target domain
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_get_script_status',`
|
||||
gen_require(`
|
||||
type initrc_exec_t;
|
||||
class service status;
|
||||
')
|
||||
|
||||
allow $1 initrc_exec_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the role to start and stop
|
||||
|
@ -2823,6 +2861,26 @@ interface(`init_get_all_units_status',`
|
|||
allow $1 { init_script_file_type systemdunit }:service status;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## All perms on all systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_manage_all_units',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
class service all_service_perms;
|
||||
')
|
||||
|
||||
allow $1 systemdunit:service all_service_perms;
|
||||
allow $1 systemdunit:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Start all systemd units.
|
||||
|
@ -2879,3 +2937,39 @@ interface(`init_reload_all_units',`
|
|||
|
||||
allow $1 { init_script_file_type systemdunit }:service reload;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow unconfined access to send instructions to init
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Target domain
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_admin',`
|
||||
gen_require(`
|
||||
type initrc_exec_t;
|
||||
class service status;
|
||||
')
|
||||
|
||||
dev_manage_null_service($1)
|
||||
init_disable($1)
|
||||
init_enable($1)
|
||||
init_get_all_units_status($1)
|
||||
init_get_generic_units_status($1)
|
||||
init_get_system_status($1)
|
||||
init_manage_all_units($1)
|
||||
init_manage_script_service($1)
|
||||
init_reboot_system($1)
|
||||
init_reload($1)
|
||||
init_reload_all_units($1)
|
||||
init_shutdown_system($1)
|
||||
init_start_all_units($1)
|
||||
init_start_generic_units($1)
|
||||
init_stop_all_units($1)
|
||||
init_stop_generic_units($1)
|
||||
init_stop_system($1)
|
||||
init_telinit($1)
|
||||
')
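Review bot: `init_admin` has a `gen_require` block declaring `type initrc_exec_t;` and `class service status;`, but its body holds only interface calls and never references either symbol. The block looks copied from `init_get_script_status` and can be dropped. The parameter text `Target domain` on both `init_admin` and `init_get_script_status` should read `Domain allowed access.` like the other interfaces added here, since `$1` is the source of every rule. Because `init_admin` bundles reboot, shutdown and all permissions on all units, I would also make the summary explicit, e.g. `## Full administrative control of init: manage all units, reboot, shutdown and telinit.`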
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(init, 2.2.15)
|
||||
policy_module(init, 2.2.16)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
|
|||
seutil_read_default_contexts(initrc_t)
|
||||
|
||||
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
|
||||
sysnet_create_config(initrc_t)
|
||||
sysnet_write_config(initrc_t)
|
||||
sysnet_setattr_config(initrc_t)
|
||||
sysnet_manage_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
abrt_manage_pid_files(initrc_t)
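Review bot: `sysnet_manage_config(initrc_t)` replaces the create/write/setattr calls with `manage_file_perms` on net_conf_t, a wider grant than the comment above it (`rewrites resolv.conf`) accounts for. If the extra permissions are needed, for instance to unlink or rename into place, say so in the comment, e.g. `# system.sh rewrites resolv.conf via rename, hence manage`. Otherwise keep the narrower calls. The same question applies to the systemd_tmpfiles_t hunk later in this commit, where `sysnet_create_config` becomes `sysnet_manage_config` plus `sysnet_relabel_config` with no comment on why tmpfiles needs to relabel network configuration.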
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(locallogin, 1.15.3)
|
||||
policy_module(locallogin, 1.15.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -192,6 +192,11 @@ optional_policy(`
|
|||
nscd_use(local_login_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_logind(local_login_t)
|
||||
systemd_write_inherited_logind_sessions_pipes(local_login_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_shell_domtrans(local_login_t)
|
||||
')
|
||||
|
|
|
@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
|
|||
|
||||
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
|
||||
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
|
||||
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
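Review bot: The `/usr/lib/systemd/systemd-cryptsetup` entry labels the helper lvm_exec_t with no comment, so it presumably runs in lvm_t alongside the LVM tools. The permissions this commit adds "for systemd-cryptsetup" (`kernel_read_crypto_sysctls(lvm_t)`, `init_stream_connect(lvm_t)`) therefore go to every program in that domain, not just the helper. It would help to record the design choice once in the policy, e.g. `# systemd-cryptsetup runs in lvm_t; it has no domain of its own`, so later additions to lvm_t can be weighed against splitting it out.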
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(lvm, 1.19.7)
|
||||
policy_module(lvm, 1.19.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
|
|||
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
|
||||
files_search_mnt(lvm_t)
|
||||
|
||||
kernel_request_load_module(lvm_t)
|
||||
kernel_get_sysvipc_info(lvm_t)
|
||||
kernel_read_system_state(lvm_t)
|
||||
# Read system variables in /proc/sys
|
||||
|
@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
|
|||
# it has no reason to need this
|
||||
kernel_dontaudit_getattr_core_if(lvm_t)
|
||||
kernel_use_fds(lvm_t)
|
||||
# for systemd-cryptsetup
|
||||
kernel_read_crypto_sysctls(lvm_t)
|
||||
kernel_search_debugfs(lvm_t)
|
||||
|
||||
corecmd_exec_bin(lvm_t)
|
||||
|
@ -301,6 +304,8 @@ init_use_fds(lvm_t)
|
|||
init_dontaudit_getattr_initctl(lvm_t)
|
||||
init_use_script_ptys(lvm_t)
|
||||
init_read_script_state(lvm_t)
|
||||
# for systemd-cryptsetup to talk to /run/systemd/journal/socket
|
||||
init_stream_connect(lvm_t)
|
||||
|
||||
logging_send_syslog_msg(lvm_t)
|
||||
|
||||
|
|
|
@ -416,6 +416,25 @@ interface(`sysnet_create_config',`
|
|||
allow $1 net_conf_t:file create_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Relabel network config files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_relabel_config',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 net_conf_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create files in /etc with the type used for
|
||||
|
@ -455,6 +474,7 @@ interface(`sysnet_manage_config',`
|
|||
type net_conf_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 net_conf_t:file manage_file_perms;
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(sysnetwork, 1.20.7)
|
||||
policy_module(sysnetwork, 1.20.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -58,6 +58,26 @@ interface(`systemd_manage_logind_pid_pipes',`
|
|||
manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Write systemd_login named pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_write_logind_pid_pipes',`
|
||||
gen_require(`
|
||||
type systemd_logind_var_run_t;
|
||||
')
|
||||
|
||||
init_search_run($1)
|
||||
files_search_pids($1)
|
||||
allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Use inherited systemd
|
||||
|
@ -77,6 +97,27 @@ interface(`systemd_use_logind_fds',`
|
|||
allow $1 systemd_logind_t:fd use;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Read logind sessions files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_read_logind_sessions_files',`
|
||||
gen_require(`
|
||||
type systemd_sessions_var_run_t, systemd_logind_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_logind_t:fd use;
|
||||
init_search_run($1)
|
||||
allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
|
||||
read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Write inherited logind sessions pipes.
|
||||
|
@ -170,6 +211,25 @@ interface(`systemd_signull_logind',`
|
|||
allow $1 systemd_logind_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow reading /run/systemd/machines
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain that can access the machines files
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_read_machines',`
|
||||
gen_require(`
|
||||
type systemd_machined_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_machined_var_run_t:dir list_dir_perms;
|
||||
allow $1 systemd_machined_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## allow systemd_passwd_agent to inherit fds
|
||||
|
@ -188,6 +248,30 @@ interface(`systemd_use_passwd_agent_fds',`
|
|||
allow systemd_passwd_agent_t $1:fd use;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow a systemd_passwd_agent_t process to interact with a daemon
|
||||
## that needs a password from the sysadmin.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_use_passwd_agent',`
|
||||
gen_require(`
|
||||
type systemd_passwd_agent_t;
|
||||
type systemd_passwd_var_run_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
|
||||
manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
|
||||
|
||||
allow systemd_passwd_agent_t $1:process signull;
|
||||
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to systemd_passwd_var_run_t when creating dirs
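Review bot: `systemd_read_machines` grants `list_dir_perms` and `read_file_perms` on systemd_machined_var_run_t but does not call `init_search_run($1)` or `files_search_pids($1)`, unlike `systemd_write_logind_pid_pipes` in the same commit. A caller therefore needs search access to the parent directories of /run/systemd/machines from somewhere else. Adding `init_search_run($1)` before the two allow rules would make the interface self-contained. Separately, `systemd_read_logind_sessions_files` also grants `allow $1 systemd_logind_t:fd use;`, which its summary `Read logind sessions files.` does not mention. `systemd_use_passwd_agent` gives `$1` manage access to all files and sockets of type systemd_passwd_var_run_t, which deserves a sentence in its summary.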
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(systemd, 1.3.15)
|
||||
policy_module(systemd, 1.3.16)
|
||||
|
||||
#########################################
|
||||
#
|
||||
|
@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpfiles_t)
|
|||
seutil_read_config(systemd_tmpfiles_t)
|
||||
seutil_read_file_contexts(systemd_tmpfiles_t)
|
||||
|
||||
sysnet_create_config(systemd_tmpfiles_t)
|
||||
sysnet_manage_config(systemd_tmpfiles_t)
|
||||
sysnet_relabel_config(systemd_tmpfiles_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_tmpfiles_t)
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(udev, 1.21.6)
|
||||
policy_module(udev, 1.21.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
|
|||
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
|
||||
dontaudit udev_t self:capability sys_tty_config;
|
||||
allow udev_t self:capability2 block_suspend;
|
||||
allow udev_t self:capability2 { wake_alarm block_suspend };
|
||||
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
|
@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
|||
files_read_usr_files(udev_t)
|
||||
files_read_etc_runtime_files(udev_t)
|
||||
files_read_etc_files(udev_t)
|
||||
files_read_kernel_modules(udev_t)
|
||||
files_exec_etc_files(udev_t)
|
||||
files_getattr_generic_locks(udev_t)
|
||||
files_search_mnt(udev_t)
|
||||
|
@ -148,8 +149,14 @@ auth_domtrans_pam_console(udev_t)
|
|||
auth_use_nsswitch(udev_t)
|
||||
|
||||
init_read_utmp(udev_t)
|
||||
# systemd-udevd searches /run/systemd
|
||||
init_search_run(udev_t)
|
||||
init_dontaudit_write_utmp(udev_t)
|
||||
init_getattr_initctl(udev_t)
|
||||
init_start_all_units(udev_t)
|
||||
init_stop_all_units(udev_t)
|
||||
# for hdparm init script run by udev
|
||||
init_get_script_status(udev_t)
|
||||
|
||||
logging_search_logs(udev_t)
|
||||
logging_send_syslog_msg(udev_t)
|
||||
|
@ -228,6 +235,7 @@ ifdef(`init_systemd',`
|
|||
|
||||
init_dgram_send(udev_t)
|
||||
|
||||
systemd_read_logind_sessions_files(udev_t)
|
||||
systemd_read_logind_pids(udev_t)
|
||||
',`
|
||||
fs_manage_tmpfs_dirs(udev_t)
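Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` are added with no comment, while the neighbouring `init_get_script_status(udev_t)` is explained (`for hdparm init script run by udev`). By analogy with the `init_reload_all_units` rule visible in this commit, these presumably let udev_t start and stop every init script and every systemd unit type. That is a broad grant for a domain that processes device events. If udev only needs to act on particular unit types, a narrower interface would be preferable. At minimum state the reason above the two lines, e.g. `# udev rules start and stop units; TODO narrow to the unit types actually used`.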
|
||||
|
|
|
@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
|
|||
class dbus all_dbus_perms;
|
||||
class nscd all_nscd_perms;
|
||||
class passwd all_passwd_perms;
|
||||
class service all_service_perms;
|
||||
')
|
||||
|
||||
# Use most Linux capabilities
|
||||
|
@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
|
|||
files_unconfined($1)
|
||||
fs_unconfined($1)
|
||||
selinux_unconfined($1)
|
||||
files_get_etc_unit_status($1)
|
||||
files_start_etc_service($1)
|
||||
files_stop_etc_service($1)
|
||||
|
||||
tunable_policy(`allow_execheap',`
|
||||
# Allow making the stack executable via mprotect.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(unconfined, 3.9.2)
|
||||
policy_module(unconfined, 3.9.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -95,6 +95,10 @@ optional_policy(`
|
|||
hadoop_role(unconfined_r, unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
init_admin(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
inn_domtrans(unconfined_t)
|
||||
')
|
||||
|
|