Allow systemd to relabel startup-important directories

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2020-02-24 08:24:18 +01:00 · 2020-02-24 08:24:18 +01:00 · b9470d408a
parent 5082648629
commit b9470d408a
2 changed files with 28 additions and 3 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -5076,6 +5076,25 @@ interface(`fs_relabel_tmpfs_blk_file',`
 	fs_relabel_tmpfs_blk_files($1)
 ')
 ########################################
 ## <summary>
 ##	Relabel named pipes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_relabel_tmpfs_fifo_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 	allow $1 tmpfs_t:dir list_dir_perms;
 	relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write, create and delete generic
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -252,9 +252,10 @@ ifdef(`init_systemd',`
 	allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };
-	# for /run/systemd/inaccessible/{chr,blk}
+	# for /run/systemd/inaccessible/{chr,blk,fifo}
-	allow init_t init_runtime_t:blk_file create_blk_file_perms;
+	allow init_t init_runtime_t:blk_file { create_blk_file_perms relabelto };
-	allow init_t init_runtime_t:chr_file create_chr_file_perms;
+	allow init_t init_runtime_t:chr_file { create_chr_file_perms relabelto };
 	allow init_t init_runtime_t:fifo_file { create_fifo_file_perms relabelto };
 	allow init_t systemprocess:process { dyntransition siginh };
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
@ -411,6 +412,9 @@ ifdef(`init_systemd',`
 	fs_remount_all_fs(init_t)
 	fs_relabelfrom_tmpfs_symlinks(init_t)
 	fs_unmount_all_fs(init_t)
 	fs_relabel_tmpfs_blk_files(init_t)
 	fs_relabel_tmpfs_chr_files(init_t)
 	fs_relabel_tmpfs_fifo_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
@ -485,6 +489,8 @@ ifdef(`init_systemd',`
 	# for systemd to read udev status
 	udev_read_runtime_files(init_t)
 	userdom_relabel_user_runtime_root_dirs(init_t)
 	tunable_policy(`init_mounton_non_security',`
 		files_mounton_non_security(init_t)
 	')