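## <summary>Systemd components (not PID 1)</summary>

######################################
## <summary>
##	Make the specified type usable as a
##	log parse environment type.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a log parse environment type.
##	</summary>
## </param>
#
interface(`systemd_log_parse_environment',`
	gen_require(`
		attribute systemd_log_parse_env_type;
	')

	typeattribute $1 systemd_log_parse_env_type;
')

#######################################
## <summary>
##	Allow domain to read the udev hwdb file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')

######################################
## <summary>
##	Read systemd_login PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_pids',`
	gen_require(`
		type systemd_logind_var_run_t;
	')

	files_search_pids($1)
	allow $1 systemd_logind_var_run_t:dir list_dir_perms;
	allow $1 systemd_logind_var_run_t:file read_file_perms;
')

######################################
## <summary>
##	Manage systemd_login PID pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_logind_pid_pipes',`
	gen_require(`
		type systemd_logind_var_run_t;
	')

	files_search_pids($1)
	manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
')

######################################
## <summary>
##	Write systemd_login named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_logind_pid_pipes',`
	gen_require(`
		type systemd_logind_var_run_t;
	')

	init_search_run($1)
	files_search_pids($1)
	# write-only (plus getattr): the caller cannot read back from the pipe
	allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
')

######################################
## <summary>
##	Use inherited systemd
##	logind file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_use_logind_fds',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
')

######################################
## <summary>
##	Read logind sessions files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_sessions_files',`
	gen_require(`
		type systemd_sessions_var_run_t, systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	init_search_run($1)
	allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
	read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
')

######################################
## <summary>
##	Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
	gen_require(`
		type systemd_logind_t, systemd_sessions_var_run_t;
	')

	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_sessions_var_run_t:fifo_file write;
	# reverse direction: logind is also allowed to signal the caller
	allow systemd_logind_t $1:process signal;
')

######################################
## <summary>
##	Write inherited logind inhibit pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_inherited_logind_inhibit_pipes',`
	gen_require(`
		type systemd_logind_inhibit_var_run_t;
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
')

########################################
## <summary>
##	Send and receive messages from
##	systemd logind over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dbus_chat_logind',`
	gen_require(`
		type systemd_logind_t;
		class dbus send_msg;
	')

	allow $1 systemd_logind_t:dbus send_msg;
	allow systemd_logind_t $1:dbus send_msg;
')

########################################
## <summary>
##	Allow process to write to systemd_kmod_conf_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_kmod_files',`
	# deprecated: this interface grants nothing and only emits a build-time warning
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Get the system status information from systemd_login.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_logind',`
	gen_require(`
		type systemd_logind_t;
		class service status;
	')

	allow $1 systemd_logind_t:service status;
')

########################################
## <summary>
##	Send systemd_login a null signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_signull_logind',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:process signull;
')

########################################
## <summary>
##	Allow reading /run/systemd/machines.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that can access the machines files.
##	</summary>
## </param>
#
interface(`systemd_read_machines',`
	gen_require(`
		type systemd_machined_var_run_t;
	')

	allow $1 systemd_machined_var_run_t:dir list_dir_perms;
	allow $1 systemd_machined_var_run_t:file read_file_perms;
')

########################################
## <summary>
##	Allow systemd_passwd_agent to inherit fds.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that owns the fds.
##	</summary>
## </param>
#
interface(`systemd_use_passwd_agent_fds',`
	gen_require(`
		type systemd_passwd_agent_t;
	')

	# note the direction: the agent is the subject, the caller's fds are the object
	allow systemd_passwd_agent_t $1:fd use;
')

#######################################
## <summary>
##	Allow a systemd_passwd_agent_t process to interact with a daemon
##	that needs a password from the sysadmin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_use_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t;
		type systemd_passwd_var_run_t;
	')

	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
	allow systemd_passwd_agent_t $1:process signull;
	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')

########################################
## <summary>
##	Transition to systemd_passwd_var_run_t when creating dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_filetrans_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_var_run_t;
	')

	# named transitions: only these two directory names get the private type
	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
')

######################################
## <summary>
##	Allow domain to create systemd-passwd symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_passwd_runtime_symlinks',`
	gen_require(`
		type systemd_passwd_var_run_t;
	')

	allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
')

########################################
## <summary>
##	Manage systemd unit dirs and the files in them.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_all_units',`
	gen_require(`
		attribute systemdunit;
	')

	# covers every type carrying the systemdunit attribute, i.e. write
	# access to what PID 1 will execute; grant to trusted domains only
	manage_dirs_pattern($1, systemdunit, systemdunit)
	manage_files_pattern($1, systemdunit, systemdunit)
	manage_lnk_files_pattern($1, systemdunit, systemdunit)
')

########################################
## <summary>
##	Allow domain to create/manage systemd_journal_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
	# journal files are mmap()ed by journald and readers
	allow $1 systemd_journal_t:file map;
')

########################################
## <summary>
##	Relabel to systemd-journald directory type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	allow $1 systemd_journal_t:dir relabelto_dir_perms;
')

########################################
## <summary>
##	Relabel to systemd-journald file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	allow $1 systemd_journal_t:file relabelto_file_perms;
')

########################################
## <summary>
##	Allow domain to read systemd_networkd_t unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_networkd_units',`
	gen_require(`
		# the body uses systemd_networkd_unit_t, so that is the type to
		# require; requiring systemd_networkd_t instead left the unit type
		# undeclared for callers that do not require it themselves
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## <summary>
##	Allow domain to create/manage systemd_networkd_t unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## <summary>
##	Allow specified domain to start and stop systemd-networkd units.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_startstop_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { start stop };
	')

	allow $1 systemd_networkd_unit_t:service { start stop };
')

########################################
## <summary>
##	Allow specified domain to get status of systemd-networkd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service status;
	')

	allow $1 systemd_networkd_unit_t:service status;
')

#######################################
## <summary>
##	Relabel systemd_networkd tun sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelfrom_networkd_tun_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:tun_socket relabelfrom;
')

#######################################
## <summary>
##	Read/Write from systemd_networkd netlink route socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_rw_networkd_netlink_route_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
')

#######################################
## <summary>
##	Allow domain to read files generated by systemd_networkd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_networkd_runtime',`
	gen_require(`
		type systemd_networkd_var_run_t;
	')

	list_dirs_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
	read_files_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
')

########################################
## <summary>
##	Allow systemd_logind_t to read process state for cgroup file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain systemd_logind_t may access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_state',`
	gen_require(`
		type systemd_logind_t;
	')

	# logind is the subject here; $1 is the domain being read
	allow systemd_logind_t $1:dir list_dir_perms;
	allow systemd_logind_t $1:file read_file_perms;
')

########################################
## <summary>
##	Allow specified domain to start power units.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_start_power_units',`
	gen_require(`
		type power_unit_t;
		class service start;
	')

	allow $1 power_unit_t:service start;
')

########################################
## <summary>
##	Make the specified type usable for
##	systemd tmpfiles config files.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used for systemd tmpfiles config files.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_conf_file',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	files_config_file($1)
	typeattribute $1 systemd_tmpfiles_conf_type;
')

########################################
## <summary>
##	Allow the specified domain to create
##	the tmpfiles config directory with
##	the correct context.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_creator',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
	allow $1 systemd_tmpfiles_conf_t:dir create;
')

########################################
## <summary>
##	Create an object in the systemd tmpfiles config
##	directory, with a private type
##	using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_conf_filetrans',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	files_search_pids($1)
	filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')

########################################
## <summary>
##	Allow domain to list the systemd tmpfiles config directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_list_tmpfiles_conf',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
')

########################################
## <summary>
##	Allow domain to relabel to the systemd tmpfiles config directory type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
')

########################################
## <summary>
##	Allow domain to relabel to systemd tmpfiles config file types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_files',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
')

#######################################
## <summary>
##	Allow systemd_tmpfiles_t to manage filesystem objects.
## </summary>
## <param name="type">
##	<summary>
##	Type of object to manage.
##	</summary>
## </param>
## <param name="class">
##	<summary>
##	Object class to manage.
##	</summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
	gen_require(`
		type systemd_tmpfiles_t;
	')

	# grants relabel in both directions plus setattr/create on the given
	# type and class; keep $1 to types tmpfiles.d genuinely has to create
	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')

#######################################
## <summary>
##	Allow domain to read the resolv.conf file generated by systemd_resolved.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_resolved_runtime',`
	gen_require(`
		type systemd_resolved_var_run_t;
	')

	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
')

#######################################
## <summary>
##	Allow domain to getattr on the .updated file (generated by systemd-update-done).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_getattr_updated_runtime',`
	gen_require(`
		type systemd_update_run_t;
	')

	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')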