diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 07224b85d..e5646b0a7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -227,12 +227,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f941e57ee..88dfee290 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2924,6 +2924,24 @@ interface(`init_create_runtime_dirs',`
 create_dirs_pattern($1, init_runtime_t, init_runtime_t)
 ')
+########################################
+##
+## Read init_runtime_t files
+##
+##
+##
+## domain
+##
+##
+#
+interface(`init_read_runtime_files',`
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ read_files_pattern($1, init_runtime_t, init_runtime_t)
+')
+
 ########################################
 ##
 ## Rename init_runtime_t files
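Review bot: `init_read_runtime_files`, and `init_setattr_runtime_files` in the next hunk, add a second naming family over `init_runtime_t` while the caller block in systemd.te keeps using `init_create_pid_files`, `init_write_pid_files` and `init_manage_pid_dirs` for what looks like the same type, so a reader now has to know that the `_pid_` and `_runtime_` interfaces coincide. If init.if already carries a `_pid_files` read or setattr interface for this type (I cannot see the rest of the file), reuse it or document the new one as the preferred name rather than adding a parallel definition. The parameter summary `domain` is also thinner than the module convention used by `lvm_map_config` in this same commit; I would write the summary as `Read init runtime files.` and the parameter summary as `Domain allowed access.` in both new interfaces.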
@@ -2957,6 +2975,24 @@ interface(`init_rename_runtime_files',`
 rename_files_pattern($1, init_runtime_t, init_runtime_t)
 ')
+########################################
+##
+## Setattr init_runtime_t files
+##
+##
+##
+## domain
+##
+##
+#
+interface(`init_setattr_runtime_files',`
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ setattr_files_pattern($1, init_runtime_t, init_runtime_t)
+')
+
 ########################################
 ##
 ## Delete init_runtime_t files
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index b20362ca5..5ea4d5f5f 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -102,6 +102,35 @@ interface(`lvm_read_config',`
 read_files_pattern($1, lvm_etc_t, lvm_etc_t)
 ')
+########################################
+##
+## Map lvm config files.
+##
+##
+##
+## Allow the specified domain to map lvm config files.
+##
+##
+## Related interfaces:
+##
+##
+## lvm_read_config()
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lvm_map_config',`
+ gen_require(`
+ type lvm_etc_t;
+ ')
+
+ allow $1 lvm_etc_t:file map;
+')
+
 ########################################
 ##
 ## Manage LVM configuration files.
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 43fdc9572..819c6ae13 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -18,8 +18,15 @@
 /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 # Systemd generators
-/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
-/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
+/usr/lib/systemd/system-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+/usr/lib/systemd/user-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+/usr/lib/systemd/user-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/lvm2-activation-generator -- gen_context(system_u:object_r:systemd_lvm2_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-efi-boot-generator -- gen_context(system_u:object_r:systemd_efi_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
 /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 917959d29..8f9c13654 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
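Review bot: The `user-generators/.*` and `user-environment-generators/.*` entries give per-user generators the same `systemd_generator_exec_t` that `systemd_unit_generator` wires up as an entry point from init through `init_system_domain`, but as far as I know user generators are run by the user's own `systemd --user` instance rather than by PID 1, and until now those domains could simply execute them as `bin_t`. Unless the user-session domains get execute access or a transition on `systemd_generator_exec_t` elsewhere (not in this diff), user generators will be denied after relabel. I would keep the two user directories on `bin_t` in corecommands.fc, or add an interface that lets `systemd_user_session_type` run them, and say which in a comment above these entries. Separately, the removed corecommands.fc patterns were `(/.*)?` and so also labelled the directories themselves, while the new entries are `--` file-only; the directories now take whatever the parent `/usr/lib` rule assigns, so confirm `init_t` can still search them.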
@@ -60,6 +60,32 @@ template(`systemd_role_template',`
 allow $3 $1_systemd_t:fd use;
 ')
+######################################
+##
+## Make the specified type usable as a
+## systemd generator
+##
+##
+##
+## Type to be used as a systemd generator type.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to the generator domain.
+##
+##
+#
+interface(`systemd_unit_generator',`
+ gen_require(`
+ attribute systemd_generator_type;
+ ')
+
+ typeattribute $1 systemd_generator_type;
+
+ init_system_domain($1, $2)
+')
+
 ######################################
 ##
 ## Make the specified type usable as an
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e3892800a..1434ec9a7 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -29,6 +29,7 @@ gen_tunable(systemd_nspawn_labeled_namespace, false)
 ##
 gen_tunable(systemd_logind_get_bootloader, false)
+attribute systemd_generator_type;
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
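Review bot: The summary of `systemd_unit_generator` only says the type becomes usable as a generator, but the body also attaches every caller to `systemd_generator_type`, which in systemd.te carries the shared generator policy (kmsg write, init runtime file management, sysctl and system-state reads), and a policy author reading the `.if` cannot see that from the documentation. I would extend the summary to `## Make the specified type usable as a systemd generator. The type receives the generic generator policy attached to systemd_generator_type and is entered from init via init_system_domain().` so the attribute's consequences are visible at the call site. On naming, the neighbouring template is named for what it produces (`systemd_role_template`) and the wrapped call is `init_system_domain`, whereas `systemd_unit_generator` reads like an action on a unit; a name such as `systemd_generator_domain` (constructed, pick what fits the module) would match both.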
@@ -61,13 +62,29 @@ init_unit_file(systemd_binfmt_unit_t)
 type systemd_conf_t;
 files_config_file(systemd_conf_t)
+type systemd_generator_t;
+type systemd_generator_exec_t;
+systemd_unit_generator(systemd_generator_t, systemd_generator_exec_t)
+
+type systemd_efi_generator_t;
+type systemd_efi_generator_exec_t;
+systemd_unit_generator(systemd_efi_generator_t, systemd_efi_generator_exec_t)
+
 type systemd_fstab_generator_t;
 type systemd_fstab_generator_exec_t;
-init_system_domain(systemd_fstab_generator_t, systemd_fstab_generator_exec_t)
+systemd_unit_generator(systemd_fstab_generator_t, systemd_fstab_generator_exec_t)
 type systemd_gpt_generator_t;
 type systemd_gpt_generator_exec_t;
-init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
+systemd_unit_generator(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
+
+type systemd_lvm2_generator_t;
+type systemd_lvm2_generator_exec_t;
+systemd_unit_generator(systemd_lvm2_generator_t, systemd_lvm2_generator_exec_t)
+
+type systemd_sysv_generator_t;
+type systemd_sysv_generator_exec_t;
+systemd_unit_generator(systemd_sysv_generator_t, systemd_sysv_generator_exec_t)
 type systemd_cgroups_t;
 type systemd_cgroups_exec_t;
@@ -275,26 +292,52 @@ files_read_etc_files(systemd_binfmt_t)
 fs_register_binary_executable_type(systemd_binfmt_t)
+#######################################
+#
+# generic generator local policy
+#
+
+corecmd_search_bin(systemd_generator_type)
+
+dev_read_sysfs(systemd_generator_type)
+dev_write_kmsg(systemd_generator_type)
+
+files_read_etc_files(systemd_generator_type)
+files_search_pids(systemd_generator_type)
+
+init_create_pid_files(systemd_generator_type)
+init_manage_pid_dirs(systemd_generator_type)
+init_manage_pid_symlinks(systemd_generator_type)
+init_read_runtime_files(systemd_generator_type)
+init_read_state(systemd_generator_type)
+init_rename_runtime_files(systemd_generator_type)
+init_search_pids(systemd_generator_type)
+init_setattr_runtime_files(systemd_generator_type)
+init_write_pid_files(systemd_generator_type)
+
+kernel_use_fds(systemd_generator_type)
+kernel_read_system_state(systemd_generator_type)
+kernel_read_kernel_sysctls(systemd_generator_type)
+
+#######################################
+#
+# efi generator local policy
+#
+
+files_list_boot(systemd_efi_generator_t)
+files_read_boot_files(systemd_efi_generator_t)
+
+fs_list_efivars(systemd_efi_generator_t)
+
 #######################################
 #
 # fstab generator local policy
 #
-corecmd_search_bin(systemd_fstab_generator_t)
-
-files_read_etc_files(systemd_fstab_generator_t)
-files_search_pids(systemd_fstab_generator_t)
+dev_write_sysfs_dirs(systemd_fstab_generator_t)
 fstools_exec(systemd_fstab_generator_t)
-init_create_pid_files(systemd_fstab_generator_t)
-init_manage_pid_dirs(systemd_fstab_generator_t)
-init_manage_pid_symlinks(systemd_fstab_generator_t)
-init_search_pids(systemd_fstab_generator_t)
-init_write_pid_files(systemd_fstab_generator_t)
-
-kernel_read_kernel_sysctls(systemd_fstab_generator_t)
-
 systemd_log_parse_environment(systemd_fstab_generator_t)
 #######################################
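Review bot: The generic block hands every type in `systemd_generator_type` manage access on `init_runtime_t` directories and symlinks plus create/write/rename/setattr on its files, and since systemd.fc now labels everything under the four generator directories as `systemd_generator_exec_t`, any third-party generator installed there inherits all of that together with `dev_write_kmsg`. I believe a generator only needs to write its own output directories in the init runtime tree, so a dedicated type for those directories reached through a file-name transition would confine a misbehaving or compromised generator to its own output instead of the whole of `init_runtime_t`; if that is out of scope here, a comment above `init_manage_pid_dirs` stating why full manage access is required would at least record the decision. In the fstab block, `dev_write_sysfs_dirs(systemd_fstab_generator_t)` is new and unusual for a generator and has no explanation; I would add `# needed for: <reason seen in the denial>` beside it so the next reviewer does not have to re-derive it from audit logs.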
@@ -302,16 +345,33 @@ systemd_log_parse_environment(systemd_fstab_generator_t)
 # GPT auto generator local policy
 #
-kernel_read_kernel_sysctls(systemd_gpt_generator_t)
-
-dev_read_sysfs(systemd_gpt_generator_t)
 files_list_usr(systemd_gpt_generator_t)
-files_read_etc_files(systemd_gpt_generator_t)
 fs_getattr_xattr_fs(systemd_gpt_generator_t)
 storage_raw_read_fixed_disk(systemd_gpt_generator_t)
 systemd_log_parse_environment(systemd_gpt_generator_t)
+#######################################
+#
+# lvm2 activation generator local policy
+#
+
+optional_policy(`
+ lvm_map_config(systemd_lvm2_generator_t)
+ lvm_read_config(systemd_lvm2_generator_t)
+')
+
+#######################################
+#
+# sysv generator local policy
+#
+
+corecmd_getattr_bin_files(systemd_sysv_generator_t)
+
+init_list_unit_dirs(systemd_sysv_generator_t)
+init_read_generic_units_symlinks(systemd_sysv_generator_t)
+init_read_script_files(systemd_sysv_generator_t)
+
 ######################################
 #
 # Cgroups local policy
+## Allow the specified domain to map lvm config files. +##
+## Related interfaces: +##