RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

systemd: add an interface to use nss-systemd 

systemd's Name Service Switch (NSS) module provides UNIX user and group
name resolution for dynamic users and groups allocated through options
such as DynamicUser= in systemd unit files, according to its man page,
https://github.com/systemd/systemd/blob/v244/man/nss-systemd.xml.

If systemd compiled without NOLEGACY, commit
24eccc3414
("nss-systemd,user-util: add a way how synthesizing "nobody" can be
turned off") implemented a way to tweak nss-systemd's behavior by
checking whether /etc/systemd/dont-synthesize-nobody exists. Allow this
access.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2020-01-15 21:46:40 +01:00
parent 1037d2ac8e
commit 8426d24740
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
3 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/system/systemd.fc
View File

@ -1,5 +1,6 @@
/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
/etc/systemd/dont-synthesize-nobody -- gen_context(system_u:object_r:systemd_conf_t,s0)
/etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0)
/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)

28
policy/modules/system/systemd.if
View File

@ -79,6 +79,34 @@ interface(`systemd_log_parse_environment',`
typeattribute $1 systemd_log_parse_env_type;
')
######################################
## <summary>
## Allow domain to use systemd's Name Service Switch (NSS) module.
## This module provides UNIX user and group name resolution for dynamic users
## and groups allocated through the DynamicUser= option in systemd unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`systemd_use_nss',`
gen_require(`
type systemd_conf_t;
')
# Get attributes of /etc/systemd/dont-synthesize-nobody
files_search_etc($1)
allow $1 systemd_conf_t:file getattr;
optional_policy(`
dbus_system_bus_client($1)
# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
init_dbus_chat($1)
')
')
######################################
## <summary>
## Allow domain to be used as a systemd service with a unit

3
policy/modules/system/systemd.te
View File

@ -49,6 +49,9 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
type systemd_binfmt_unit_t;
init_unit_file(systemd_binfmt_unit_t)
type systemd_conf_t;
files_config_file(systemd_conf_t)
type systemd_gpt_generator_t;
type systemd_gpt_generator_exec_t;
init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)