systemd-sysusers: add policy

On systems without the unconfined module, this service needs a domain of its own with additional privileges.

Signed-off-by: bauen1 <j2468h@gmail.com>
bauen1 2020-05-29 20:00:53 +02:00
parent e01cd6c98b
commit 8f782ae820
GPG Key ID: FF0AAF5E0812BA9C
2 changed files with 28 additions and 0 deletions


@ -13,6 +13,7 @@
/usr/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
/usr/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0)
/usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
/usr/bin/systemd-sysusers -- gen_context(system_u:object_r:systemd_sysusers_exec_t,s0)
/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)


@ -223,6 +223,10 @@ type systemd_sessions_runtime_t alias systemd_sessions_var_run_t;
files_pid_file(systemd_sessions_runtime_t)
init_daemon_pid_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
type systemd_sysusers_t;
type systemd_sysusers_exec_t;
init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
type systemd_tmpfiles_t;
type systemd_tmpfiles_exec_t;
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
@ -1158,6 +1162,29 @@ seutil_read_file_contexts(systemd_sessions_t)
systemd_log_parse_environment(systemd_sessions_t)
#########################################
#
# Sysusers local policy
#
allow systemd_sysusers_t self:capability { chown fsetid };
allow systemd_sysusers_t self:process setfscreate;
allow systemd_sysusers_t self:unix_dgram_socket sendto;
files_manage_etc_files(systemd_sysusers_t)
kernel_read_kernel_sysctls(systemd_sysusers_t)
auth_manage_shadow(systemd_sysusers_t)
auth_etc_filetrans_shadow(systemd_sysusers_t)
auth_use_nsswitch(systemd_sysusers_t)
seutil_libselinux_linked(systemd_sysusers_t)
seutil_read_file_contexts(systemd_sysusers_t)
systemd_log_parse_environment(systemd_sysusers_t)
#########################################
#
# Tmpfiles local policy
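Review bot: The sysusers stanza pairs `auth_manage_shadow` with `files_manage_etc_files`, so the domain may rewrite every etc_t file rather than only the account database it edits; if this tree carries refpolicy's `passwd_file_t` (with `auth_manage_passwd` and `auth_etc_filetrans_passwd`), those are the intended interfaces for /etc/passwd and /etc/group and would let the broad etc_t rule be narrowed, and if it does not, a comment saying so would keep a later reader from tightening it blindly. The `chown fsetid` capabilities and `self:process setfscreate` carry no explanation; a comment per rule such as `# setfscreate: sysusers labels the files it rewrites via libselinux (see the seutil_* rules)` and `# chown/fsetid: presumably for re-owning the replacement passwd/group/shadow files -- confirm against a denial log` would record the reason they were added. Since `auth_manage_shadow` makes this domain effectively root-equivalent for the account database, it is worth stating in the stanza header that it is only meant to be entered from init via the `init_system_domain` declared earlier in this file, and that no role or user transition into it should be added later. There is also no explicit read rule for the sysusers.d fragment directories under /usr/lib, /etc and /run; if the domain base rules do not already cover them, expect denials on first boot, which should be confirmed before merging.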