RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

init: split access for systemd runtime units 

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2021-11-30 11:53:29 -05:00
parent 43d0b184b5
commit d9e660c3a9
3 changed files with 87 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
policy/modules/system/init.fc
View File

@ -34,7 +34,7 @@ ifdef(`distro_gentoo',`
/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_transient_unit_t,s0)
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)

77
policy/modules/system/init.if
View File

@ -3473,6 +3473,83 @@ interface(`init_reload_generic_units',`
allow $1 systemd_unit_t:service reload; allow $1 systemd_unit_t:service reload;
') ')
########################################
## <summary>
## Get status of transient systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_transient_units_status',`
gen_require(`
type systemd_transient_unit_t;
class service status;
')
allow $1 systemd_transient_unit_t:service status;
')
########################################
## <summary>
## Start transient systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_transient_units',`
gen_require(`
type systemd_transient_unit_t;
class service start;
')
allow $1 systemd_transient_unit_t:service start;
')
########################################
## <summary>
## Stop transient systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_stop_transient_units',`
gen_require(`
type systemd_transient_unit_t;
class service stop;
')
allow $1 systemd_transient_unit_t:service stop;
')
#######################################
## <summary>
## Reload transient systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload_transient_units',`
gen_require(`
type systemd_transient_unit_t;
class service reload;
')
allow $1 systemd_transient_unit_t:service reload;
')
######################################## ########################################
## <summary> ## <summary>
## Get status of all systemd units. ## Get status of all systemd units.

15
policy/modules/system/init.te
View File

@ -121,6 +121,9 @@ logging_log_file(initrc_var_log_t)
type systemd_unit_t; type systemd_unit_t;
init_unit_file(systemd_unit_t) init_unit_file(systemd_unit_t)
type systemd_transient_unit_t;
init_unit_file(systemd_transient_unit_t)
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
type rc_exec_t; type rc_exec_t;
domain_entry_file(initrc_t, rc_exec_t) domain_entry_file(initrc_t, rc_exec_t)
@ -311,11 +314,11 @@ ifdef(`init_systemd',`
allow init_t init_var_lib_t:file manage_file_perms; allow init_t init_var_lib_t:file manage_file_perms;
allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms; allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms;
manage_files_pattern(init_t, systemd_unit_t, systemdunit) manage_files_pattern(init_t, systemd_transient_unit_t, systemdunit)
manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t) manage_dirs_pattern(init_t, systemd_transient_unit_t, systemd_transient_unit_t)
manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t) manage_lnk_files_pattern(init_t, systemd_transient_unit_t, systemd_transient_unit_t)
allow init_t systemd_unit_t:dir relabel_dir_perms; allow init_t systemd_transient_unit_t:dir relabel_dir_perms;
kernel_dyntrans_to(init_t) kernel_dyntrans_to(init_t)
kernel_read_network_state(init_t) kernel_read_network_state(init_t)
@ -1055,8 +1058,8 @@ ifdef(`init_systemd',`
manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
files_runtime_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set) files_runtime_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set)
create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) create_dirs_pattern(initrc_t, systemd_transient_unit_t, systemd_transient_unit_t)
allow initrc_t systemd_unit_t:service reload; allow initrc_t systemd_transient_unit_t:service reload;
manage_files_pattern(initrc_t, systemdunit, systemdunit) manage_files_pattern(initrc_t, systemdunit, systemdunit)
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit) manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)