From ada848b35254fb00c4264114c011df2047ba2fcb Mon Sep 17 00:00:00 2001
From: bauen1
Date: Thu, 4 Jun 2020 10:30:19 +0200
Subject: [PATCH] systemd: private type for /run/systemd/userdb
Signed-off-by: bauen1
---
 policy/modules/system/init.te | 3 ++
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.if | 56 ++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te | 3 ++
 4 files changed, 63 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ffd29be79..af237cd3b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -469,6 +469,9 @@ ifdef(`init_systemd',`
 systemd_relabelto_journal_dirs(init_t)
 systemd_relabelto_journal_files(init_t)
 systemd_rw_networkd_netlink_route_sockets(init_t)
+systemd_manage_userdb_runtime_sock_files(init_t)
+systemd_manage_userdb_runtime_dirs(init_t)
+systemd_filetrans_userdb_runtime_dirs(init_t)
 term_create_devpts_dirs(init_t)
 term_create_ptmx(init_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index b48612f19..29986a92f 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -70,6 +70,7 @@
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
+/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 262c26d18..895437e78 100644
--- a/policy/modules/system/systemd.if
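Review bot: The three calls give init_t management and the name transition for the new type, but nothing in this patch grants any other domain access to what lands under /run/systemd/userdb: the systemd.if hunks add only manage and filetrans interfaces, so a domain that resolves users through sockets labeled systemd_userdb_runtime_t (NSS-based lookups are the usual consumer, which is inferred rather than visible here) would be denied search on the directory and write/connectto on the socket. If such lookups are expected from outside init_t, the type is incomplete without a client interface along the lines of a proposed `systemd_stream_connect_userdb($1)` granting search on the dir, write on the sock_file, and connectto to the listening domain, presumably init_t given the manage grants here. The ifdef(`init_systemd' block these lines sit in starts and ends outside the hunk.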
+++ b/policy/modules/system/systemd.if
@@ -426,6 +426,42 @@ interface(`systemd_signull_logind',`
 allow $1 systemd_logind_t:process signull;
 ')
+########################################
+##
+## Manage systemd userdb runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_userdb_runtime_dirs', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+')
+
+########################################
+##
+## Manage socket files under /run/systemd/userdb .
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_userdb_runtime_sock_files', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+')
+
 ########################################
 ##
 ## Allow reading /run/systemd/machines
@@ -528,6 +564,26 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
 ')
+########################################
+##
+## Transition to systemd_userdb_runtime_t when
+## creating the userdb directory inside an init runtime
+## directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_filetrans_userdb_runtime_dirs', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+')
+
 ######################################
 ##
 ## Allow to domain to create systemd-passwd symlink
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9843dd96e..2c169b554 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
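Review bot: All three new interface headers are written `interface(`systemd_manage_userdb_runtime_dirs', `` with a space before the opening quote of the body, whereas the existing interfaces shown in the hunk context (`interface(`systemd_signull_logind',`` and `interface(`systemd_filetrans_passwd_runtime_dirs',``) use none; dropping the space in `systemd_manage_userdb_runtime_dirs`, `systemd_manage_userdb_runtime_sock_files` and, in the second hunk, `systemd_filetrans_userdb_runtime_dirs` keeps the file consistent. The summary of the sock_files interface has a stray space before the period and should read `## Manage socket files under /run/systemd/userdb.`. Both manage interfaces use the new type as its own directory type, so they grant nothing on the parent /run/systemd; whether callers are expected to obtain that search access themselves or whether these interfaces should include it, as the neighbouring runtime interfaces may do, is not visible within the hunks.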
@@ -242,6 +242,9 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
 type systemd_user_tmpfs_t;
 userdom_user_tmpfs_file(systemd_user_tmpfs_t)
+type systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdb_runtime_t)
+
 #
 # Unit file types
 #
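Review bot: The new type declaration carries no comment saying which path it labels; the only place in this commit that ties systemd_userdb_runtime_t to /run/systemd/userdb is the systemd.fc entry. A one-line comment above the declaration, `# /run/systemd/userdb: userdb runtime directory and its socket files`, would let a reader of systemd.te see the purpose without consulting the .fc file. The surrounding declarations in the hunk context are uncommented too, so this is optional if the file deliberately keeps type declarations bare.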