machined
This patch is for systemd-machined. Some of it will probably need discussion, but some is obviously good, so Chris, maybe you could take the bits you like for this release? Signed-off-by: Russell Coker <russell@coker.com.au>
This commit is contained in:
parent
eae12d8418
commit
ab0367b4b6
@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbusd_t)
|
|||
seutil_read_config(system_dbusd_t)
|
||||
seutil_read_default_contexts(system_dbusd_t)
|
||||
|
||||
# for machinectl shell
|
||||
term_use_ptmx(system_dbusd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
|
||||
# read a file in ~/.local/share
|
||||
|
@ -184,6 +187,9 @@ optional_policy(`
|
|||
systemd_read_logind_runtime_files(system_dbusd_t)
|
||||
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
|
||||
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
||||
|
||||
# for passing around terminal file handles for machinectl shell
|
||||
systemd_use_machined_devpts(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
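Review bot: `term_use_ptmx(system_dbusd_t)` in the first hunk (under `# for machinectl shell`) grants the bus broker the full `ptmx_t` read/write set, which as far as I recall includes `open`, whereas relaying a file descriptor received over the bus only needs the inherited read/write subset. If fd passing is the only purpose, an inherited-only rule (a terminal.if interface built on `rw_inherited_term_perms` or `rw_inherited_chr_file_perms`, whichever this tree defines) would keep system_dbusd_t from being able to open new pty masters itself; it is also worth confirming which denial prompted the rule, since with a broker that does not proxy fds this domain may not be on the path at all. The comment could say which direction the handle travels, e.g. `# relay the pty master fd that machined hands to machinectl shell`. The second hunk's `systemd_use_machined_devpts(system_dbusd_t)` is the matching rule for the pts side and is correctly kept inside optional_policy.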
|
|
|
@ -265,9 +265,10 @@ ifdef(`distro_debian',`
|
|||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
auth_use_pam_systemd(sshd_t)
|
||||
init_dbus_chat(sshd_t)
|
||||
systemd_dbus_chat_logind(sshd_t)
|
||||
init_rw_stream_sockets(sshd_t)
|
||||
systemd_write_inherited_logind_sessions_pipes(sshd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
|
@ -309,11 +310,6 @@ optional_policy(`
|
|||
rssh_read_ro_content(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_write_inherited_logind_sessions_pipes(sshd_t)
|
||||
systemd_dbus_chat_logind(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_domtrans_xauth(sshd_t)
|
||||
xserver_link_xdm_keys(sshd_t)
|
||||
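Review bot: `init_rw_stream_sockets(sshd_t)` in the `ifdef(`init_systemd'` block is the one addition in this file with no comment, while the rest of the patch annotates its machined-related rules; a line such as `# for <socket or service — fill in>` above it would tell the next reader which init_t stream socket sshd actually needs. The first and second hunks move `systemd_dbus_chat_logind(sshd_t)` and `systemd_write_inherited_logind_sessions_pipes(sshd_t)` out of an `optional_policy` block into the unguarded ifdef, which only links if the systemd module is always present when init_systemd is set — that appears to be the assumption already made for `auth_use_pam_systemd(sshd_t)` on the line above, so it is probably fine but deserves a sentence in the commit message. Note that `auth_use_pam_systemd(sshd_t)` now also brings in `systemd_connect_machined` through the authlogin.if change in this same commit, so sshd_t gains the machined socket connect without a rule of its own here.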
|
|
|
@ -91,6 +91,7 @@ interface(`auth_use_pam',`
|
|||
#
|
||||
interface(`auth_use_pam_systemd',`
|
||||
dbus_system_bus_client($1)
|
||||
systemd_connect_machined($1)
|
||||
systemd_dbus_chat_logind($1)
|
||||
')
|
||||
|
||||
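Review bot: Adding `systemd_connect_machined($1)` to `auth_use_pam_systemd` widens every PAM-using login domain to connect to machined's varlink socket, but the interface's own `## <summary>` block (just above this hunk, not shown) presumably still describes only the logind side; it should mention the userdb lookup so callers know what they are granting. Suggested wording: `## Use pam_systemd: talk to logind over D-Bus and query machined's userdb varlink socket.` As written the grant is `connectto` only, so it relies on callers already having write access to the socket file and search on /run/systemd/userdb; if some do not, the denial will surface on the sock_file rather than on the socket class.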
|
|
|
@ -141,6 +141,7 @@ ifdef(`init_systemd',`
|
|||
auth_manage_faillog(local_login_t)
|
||||
|
||||
init_dbus_chat(local_login_t)
|
||||
systemd_connect_machined(local_login_t)
|
||||
systemd_dbus_chat_logind(local_login_t)
|
||||
systemd_use_logind_fds(local_login_t)
|
||||
systemd_manage_logind_runtime_pipes(local_login_t)
|
||||
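Review bot: `systemd_connect_machined(local_login_t)` is added directly in the `ifdef(`init_systemd'` block; if locallogin.te also calls `auth_use_pam_systemd(local_login_t)` elsewhere in the file (not visible here), this line duplicates the grant that the same commit adds to that interface and one of the two should go. If local_login_t does not use that interface, a one-line comment such as `# pam_systemd userdb lookup via /run/systemd/userdb/io.systemd.Machine` would explain why a login program talks to machined, matching the comment style used for the logind rule in systemd.te.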
|
|
|
@ -19,12 +19,18 @@
|
|||
## The user domain for the role.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="pty_type">
|
||||
## <summary>
|
||||
## The type for the user pty
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`systemd_role_template',`
|
||||
gen_require(`
|
||||
attribute systemd_user_session_type, systemd_log_parse_env_type;
|
||||
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
|
||||
type systemd_run_exec_t, systemd_analyze_exec_t;
|
||||
type systemd_machined_t;
|
||||
')
|
||||
|
||||
#################################
|
||||
|
@ -56,9 +62,13 @@ template(`systemd_role_template',`
|
|||
allow $1_systemd_t $3:process { setsched rlimitinh };
|
||||
corecmd_shell_domtrans($1_systemd_t, $3)
|
||||
corecmd_bin_domtrans($1_systemd_t, $3)
|
||||
allow $1_systemd_t self:process signal;
|
||||
|
||||
files_search_home($1_systemd_t)
|
||||
|
||||
# Allow using file descriptors for user environment generators
|
||||
allow $3 $1_systemd_t:fd use;
|
||||
allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
|
||||
|
||||
# systemctl --user
|
||||
stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
|
||||
|
@ -66,6 +76,10 @@ template(`systemd_role_template',`
|
|||
can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
|
||||
|
||||
dbus_system_bus_client($1_systemd_t)
|
||||
|
||||
selinux_use_status_page($1_systemd_t)
|
||||
seutil_read_file_contexts($1_systemd_t)
|
||||
seutil_search_default_contexts($1_systemd_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
|
@ -487,6 +501,24 @@ interface(`systemd_read_machines',`
|
|||
allow $1 systemd_machined_runtime_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain that can access the socket
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_connect_machined',`
|
||||
gen_require(`
|
||||
type systemd_machined_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_machined_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
|
@ -1300,3 +1332,23 @@ interface(`systemd_run_sysusers', `
|
|||
systemd_domtrans_sysusers($1)
|
||||
roleattribute $2 systemd_sysusers_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## receive and use a systemd_machined_devpts_t file handle
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`systemd_use_machined_devpts', `
|
||||
gen_require(`
|
||||
type systemd_machined_t, systemd_machined_devpts_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_machined_t:fd use;
|
||||
allow $1 systemd_machined_devpts_t:chr_file { read write };
|
||||
')
|
||||
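Review bot: `systemd_connect_machined` grants only `systemd_machined_t:unix_stream_socket connectto`; connecting to a path-bound socket also needs `write` on the sock_file and `search` on its directory, so callers that do not already have those will still be denied on /run/systemd/userdb/io.systemd.Machine. If the socket file carries its own type, the usual refpolicy form is `stream_connect_pattern($1, <dir type — fill in>, <sockfile type — fill in>, systemd_machined_t)` in place of the bare allow rule; otherwise a comment naming the existing rule that covers the sock_file would help. In `systemd_use_machined_devpts`, `{ read write }` on the chr_file omits `getattr` and `ioctl`, which any terminal consumer issues (tcgetattr, window-size queries); `rw_inherited_term_perms` is the conventional set for an inherited tty/pty handle. Finally, the `systemd_role_template` header now documents a `pty_type` parameter, but no `$4` appears in the template lines shown in these hunks — please confirm the body uses it, otherwise the documentation and the template's arity disagree.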
|
|
|
@ -155,6 +155,9 @@ type systemd_machined_runtime_t alias systemd_machined_var_run_t;
|
|||
files_runtime_file(systemd_machined_runtime_t)
|
||||
init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
|
||||
|
||||
type systemd_machined_devpts_t;
|
||||
term_login_pty(systemd_machined_devpts_t)
|
||||
|
||||
type systemd_modules_load_t;
|
||||
type systemd_modules_load_exec_t;
|
||||
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
|
||||
|
@ -559,6 +562,9 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
|
|||
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
|
||||
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
|
||||
|
||||
# for /run/systemd/userdb/io.systemd.Machine
|
||||
allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
|
||||
|
||||
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
|
||||
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
|
||||
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
|
||||
|
@ -730,6 +736,8 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
|
|||
kernel_read_kernel_sysctls(systemd_machined_t)
|
||||
kernel_read_system_state(systemd_machined_t)
|
||||
|
||||
dev_getattr_fs(systemd_machined_t)
|
||||
|
||||
files_read_etc_files(systemd_machined_t)
|
||||
|
||||
fs_getattr_cgroup(systemd_machined_t)
|
||||
|
@ -753,6 +761,10 @@ logging_send_syslog_msg(systemd_machined_t)
|
|||
|
||||
seutil_search_default_contexts(systemd_machined_t)
|
||||
|
||||
term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
|
||||
allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
|
||||
term_getattr_pty_fs(systemd_machined_t)
|
||||
|
||||
optional_policy(`
|
||||
init_dbus_chat(systemd_machined_t)
|
||||
init_dbus_send_script(systemd_machined_t)
|
||||
|
|
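Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` next to `term_create_pty` grants create/unlink/link/rename on the pts node, which the daemon never exercises because devpts nodes are created and removed by the kernel; the narrower set used for other pty-creating daemons in refpolicy is `{ rw_chr_file_perms setattr }`, which is what `term_create_pty` leaves for the caller to add. The logind hunk's `allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;` is the same bare connectto as the new `systemd_connect_machined` interface and has the same dependency on write access to the sock_file; calling `systemd_connect_machined(systemd_logind_t)` here would keep both paths in one place. `term_login_pty(systemd_machined_devpts_t)` also makes the type part of the login-pty set, so every domain allowed all login ptys reaches machined's ptys too; that is likely intended for `machinectl shell`, but a comment stating it would save the next reader the check.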