systemd: private type for /run/systemd/userdb
Signed-off-by: bauen1 <j2468h@gmail.com>
parent
ab47695bdb
commit
ada848b352
|
@ -469,6 +469,9 @@ ifdef(`init_systemd',`
|
|||
systemd_relabelto_journal_dirs(init_t)
|
||||
systemd_relabelto_journal_files(init_t)
|
||||
systemd_rw_networkd_netlink_route_sockets(init_t)
|
||||
systemd_manage_userdb_runtime_sock_files(init_t)
|
||||
systemd_manage_userdb_runtime_dirs(init_t)
|
||||
systemd_filetrans_userdb_runtime_dirs(init_t)
|
||||
|
||||
term_create_devpts_dirs(init_t)
|
||||
term_create_ptmx(init_t)
|
||||
|
|
|
@ -70,6 +70,7 @@
|
|||
/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
|
||||
/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
|
||||
/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
|
||||
/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
|
||||
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
|
||||
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
|
||||
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
|
||||
|
|
|
@ -426,6 +426,42 @@ interface(`systemd_signull_logind',`
|
|||
allow $1 systemd_logind_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage systemd userdb runtime directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_manage_userdb_runtime_dirs', `
|
||||
gen_require(`
|
||||
type systemd_userdb_runtime_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage socket files under /run/systemd/userdb .
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_manage_userdb_runtime_sock_files', `
|
||||
gen_require(`
|
||||
type systemd_userdb_runtime_t;
|
||||
')
|
||||
|
||||
manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow reading /run/systemd/machines
|
||||
|
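Review bot: The two interfaces added here only cover the creator side of systemd_userdb_runtime_t (manage dirs, manage sock files); nothing in this hunk lets another domain write the sock_file to connect, so once /run/systemd/userdb leaves its previous label any confined client of those sockets would presumably need a separate stream-connect style client interface for this type — worth confirming against the domains that perform user lookups through it. Separately, the new definitions are written `interface(`systemd_manage_userdb_runtime_dirs', `` with a space after the comma, whereas the surrounding file writes `interface(`systemd_signull_logind',``; the same applies to `systemd_filetrans_userdb_runtime_dirs` in the next hunk. The summary `## Manage socket files under /run/systemd/userdb .` has a stray space before the period and could mirror the dirs interface as `## Manage systemd userdb runtime socket files.`.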
@ -528,6 +564,26 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
|
|||
init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to systemd_userdb_runtime_t when
|
||||
## creating the userdb directory inside an init runtime
|
||||
## directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_filetrans_userdb_runtime_dirs', `
|
||||
gen_require(`
|
||||
type systemd_userdb_runtime_t;
|
||||
')
|
||||
|
||||
init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Allow to domain to create systemd-passwd symlink
|
||||
|
|
|
@ -242,6 +242,9 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
|
|||
type systemd_user_tmpfs_t;
|
||||
userdom_user_tmpfs_file(systemd_user_tmpfs_t)
|
||||
|
||||
type systemd_userdb_runtime_t;
|
||||
files_runtime_file(systemd_userdb_runtime_t)
|
||||
|
||||
#
|
||||
# Unit file types
|
||||
#
|
||||
|
|