Allow systemd to relabel startup-important directories

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2020-02-24 08:24:18 +01:00 · 2020-02-24 08:24:18 +01:00 · b9470d408a
parent 5082648629
commit b9470d408a
2 changed files with 28 additions and 3 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -5076,6 +5076,25 @@ interface(`fs_relabel_tmpfs_blk_file',`
 	fs_relabel_tmpfs_blk_files($1)
 ')

+########################################
+## <summary>
+##	Relabel named pipes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_fifo_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir list_dir_perms;
+	relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write, create and delete generic
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -252,9 +252,10 @@ ifdef(`init_systemd',`

 	allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };

-	# for /run/systemd/inaccessible/{chr,blk}
-	allow init_t init_runtime_t:blk_file create_blk_file_perms;
-	allow init_t init_runtime_t:chr_file create_chr_file_perms;
+	# for /run/systemd/inaccessible/{chr,blk,fifo}
+	allow init_t init_runtime_t:blk_file { create_blk_file_perms relabelto };
+	allow init_t init_runtime_t:chr_file { create_chr_file_perms relabelto };
+	allow init_t init_runtime_t:fifo_file { create_fifo_file_perms relabelto };

 	allow init_t systemprocess:process { dyntransition siginh };
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
@ -411,6 +412,9 @@ ifdef(`init_systemd',`
 	fs_remount_all_fs(init_t)
 	fs_relabelfrom_tmpfs_symlinks(init_t)
 	fs_unmount_all_fs(init_t)
+	fs_relabel_tmpfs_blk_files(init_t)
+	fs_relabel_tmpfs_chr_files(init_t)
+	fs_relabel_tmpfs_fifo_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
@ -485,6 +489,8 @@ ifdef(`init_systemd',`
 	# for systemd to read udev status
 	udev_read_runtime_files(init_t)

+	userdom_relabel_user_runtime_root_dirs(init_t)
+
 	tunable_policy(`init_mounton_non_security',`
 		files_mounton_non_security(init_t)
 	')