init: split access for systemd runtime units
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
43d0b184b5
commit
d9e660c3a9
|
@ -34,7 +34,7 @@ ifdef(`distro_gentoo',`
|
|||
/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_transient_unit_t,s0)
|
||||
|
||||
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
|
|
|
@ -3473,6 +3473,83 @@ interface(`init_reload_generic_units',`
|
|||
allow $1 systemd_unit_t:service reload;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get status of transient systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_get_transient_units_status',`
|
||||
gen_require(`
|
||||
type systemd_transient_unit_t;
|
||||
class service status;
|
||||
')
|
||||
|
||||
allow $1 systemd_transient_unit_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Start transient systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_start_transient_units',`
|
||||
gen_require(`
|
||||
type systemd_transient_unit_t;
|
||||
class service start;
|
||||
')
|
||||
|
||||
allow $1 systemd_transient_unit_t:service start;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Stop transient systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_stop_transient_units',`
|
||||
gen_require(`
|
||||
type systemd_transient_unit_t;
|
||||
class service stop;
|
||||
')
|
||||
|
||||
allow $1 systemd_transient_unit_t:service stop;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Reload transient systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_reload_transient_units',`
|
||||
gen_require(`
|
||||
type systemd_transient_unit_t;
|
||||
class service reload;
|
||||
')
|
||||
|
||||
allow $1 systemd_transient_unit_t:service reload;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get status of all systemd units.
|
||||
|
|
|
@ -121,6 +121,9 @@ logging_log_file(initrc_var_log_t)
|
|||
type systemd_unit_t;
|
||||
init_unit_file(systemd_unit_t)
|
||||
|
||||
type systemd_transient_unit_t;
|
||||
init_unit_file(systemd_transient_unit_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
type rc_exec_t;
|
||||
domain_entry_file(initrc_t, rc_exec_t)
|
||||
|
@ -311,11 +314,11 @@ ifdef(`init_systemd',`
|
|||
allow init_t init_var_lib_t:file manage_file_perms;
|
||||
allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(init_t, systemd_unit_t, systemdunit)
|
||||
manage_files_pattern(init_t, systemd_transient_unit_t, systemdunit)
|
||||
|
||||
manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
|
||||
manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
|
||||
allow init_t systemd_unit_t:dir relabel_dir_perms;
|
||||
manage_dirs_pattern(init_t, systemd_transient_unit_t, systemd_transient_unit_t)
|
||||
manage_lnk_files_pattern(init_t, systemd_transient_unit_t, systemd_transient_unit_t)
|
||||
allow init_t systemd_transient_unit_t:dir relabel_dir_perms;
|
||||
|
||||
kernel_dyntrans_to(init_t)
|
||||
kernel_read_network_state(init_t)
|
||||
|
@ -1055,8 +1058,8 @@ ifdef(`init_systemd',`
|
|||
manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t)
|
||||
files_runtime_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set)
|
||||
|
||||
create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
|
||||
allow initrc_t systemd_unit_t:service reload;
|
||||
create_dirs_pattern(initrc_t, systemd_transient_unit_t, systemd_transient_unit_t)
|
||||
allow initrc_t systemd_transient_unit_t:service reload;
|
||||
|
||||
manage_files_pattern(initrc_t, systemdunit, systemdunit)
|
||||
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
|
||||
|
|
Loading…
Reference in New Issue