policy_module(systemd, 1.3.5) ######################################### # # Declarations # ## ##

## Enable support for systemd-tmpfiles to manage all non-security files. ##

##
gen_tunable(systemd_tmpfiles_manage_all, false) attribute systemd_log_parse_env_type; type systemd_activate_t; type systemd_activate_exec_t; init_system_domain(systemd_activate_t, systemd_activate_exec_t) type systemd_analyze_t; type systemd_analyze_exec_t; init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) type systemd_backlight_t; type systemd_backlight_exec_t; init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) type systemd_backlight_unit_t; init_unit_file(systemd_backlight_unit_t) type systemd_backlight_var_lib_t; files_type(systemd_backlight_var_lib_t) type systemd_binfmt_t; type systemd_binfmt_exec_t; init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t) type systemd_binfmt_unit_t; init_unit_file(systemd_binfmt_unit_t) type systemd_cgroups_t; type systemd_cgroups_exec_t; domain_type(systemd_cgroups_t) domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t) role system_r types systemd_cgroups_t; type systemd_cgroups_var_run_t; files_pid_file(systemd_cgroups_var_run_t) init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups") type systemd_cgtop_t; type systemd_cgtop_exec_t; init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t) type systemd_coredump_t; type systemd_coredump_exec_t; init_system_domain(systemd_coredump_t, systemd_coredump_exec_t) type systemd_detect_virt_t; type systemd_detect_virt_exec_t; init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t) type systemd_hostnamed_t; type systemd_hostnamed_exec_t; init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t) type systemd_locale_t; type systemd_locale_exec_t; init_system_domain(systemd_locale_t, systemd_locale_exec_t) type systemd_logind_t; type systemd_logind_exec_t; init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t) type systemd_logind_var_lib_t; files_type(systemd_logind_var_lib_t) type systemd_logind_var_run_t; files_pid_file(systemd_logind_var_run_t) init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind") type systemd_machined_t; type systemd_machined_exec_t; init_daemon_domain(systemd_machined_t, systemd_machined_exec_t) type systemd_nspawn_t; type systemd_nspawn_exec_t; init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) type systemd_resolved_t; type systemd_resolved_exec_t; init_system_domain(systemd_resolved_t, systemd_resolved_exec_t) type systemd_resolved_var_run_t; files_pid_file(systemd_resolved_var_run_t) type systemd_run_t; type systemd_run_exec_t; init_daemon_domain(systemd_run_t, systemd_run_exec_t) type systemd_stdio_bridge_t; type systemd_stdio_bridge_exec_t; init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t) type systemd_passwd_agent_t; type systemd_passwd_agent_exec_t; init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) type systemd_sessions_t; type systemd_sessions_exec_t; init_system_domain(systemd_sessions_t, systemd_sessions_exec_t) type systemd_sessions_var_run_t; files_pid_file(systemd_sessions_var_run_t) init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions") type systemd_tmpfiles_t; type systemd_tmpfiles_exec_t; type systemd_kmod_conf_t; files_config_file(systemd_kmod_conf_t) init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) # # Unit file types # type power_unit_t; init_unit_file(power_unit_t) ###################################### # # systemd log parse enviroment # # Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function) dontaudit systemd_log_parse_env_type self:capability net_admin; kernel_read_system_state(systemd_log_parse_env_type) dev_write_kmsg(systemd_log_parse_env_type) term_use_console(systemd_log_parse_env_type) init_read_state(systemd_log_parse_env_type) logging_send_syslog_msg(systemd_log_parse_env_type) ###################################### # # Backlight local policy # allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms; init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) systemd_log_parse_environment(systemd_backlight_t) # Allow systemd-backlight to write to /sys/class/backlight/*/brightness dev_rw_sysfs(systemd_backlight_t) files_read_etc_files(systemd_backlight_t) udev_read_pid_files(systemd_backlight_t) ####################################### # # Binfmt local policy # systemd_log_parse_environment(systemd_binfmt_t) # Allow to read /etc/binfmt.d/ files files_read_etc_files(systemd_binfmt_t) fs_register_binary_executable_type(systemd_binfmt_t) ###################################### # # Cgroups local policy # kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) kernel_dgram_send(systemd_cgroups_t) selinux_getattr_fs(systemd_cgroups_t) # write to /run/systemd/cgroups-agent init_dgram_send(systemd_cgroups_t) init_stream_connect(systemd_cgroups_t) systemd_log_parse_environment(systemd_cgroups_t) ####################################### # # locale local policy # kernel_read_kernel_sysctls(systemd_locale_t) files_read_etc_files(systemd_locale_t) seutil_read_file_contexts(systemd_locale_t) systemd_log_parse_environment(systemd_locale_t) optional_policy(` dbus_connect_system_bus(systemd_locale_t) dbus_system_bus_client(systemd_locale_t) ') ####################################### # # Hostnamed policy # kernel_read_kernel_sysctls(systemd_hostnamed_t) files_read_etc_files(systemd_hostnamed_t) seutil_read_file_contexts(systemd_hostnamed_t) systemd_log_parse_environment(systemd_hostnamed_t) optional_policy(` dbus_system_bus_client(systemd_hostnamed_t) dbus_connect_system_bus(systemd_hostnamed_t) ') ######################################### # # Logind local policy # allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config }; allow systemd_logind_t self:process getcap; allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; allow systemd_logind_t self:unix_dgram_socket create_socket_perms; allow systemd_logind_t self:fifo_file rw_fifo_file_perms; allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms; init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) files_search_pids(systemd_logind_t) kernel_read_kernel_sysctls(systemd_logind_t) auth_manage_faillog(systemd_logind_t) dev_rw_sysfs(systemd_logind_t) dev_rw_input_dev(systemd_logind_t) dev_getattr_dri_dev(systemd_logind_t) dev_setattr_dri_dev(systemd_logind_t) dev_getattr_sound_dev(systemd_logind_t) dev_setattr_sound_dev(systemd_logind_t) files_read_etc_files(systemd_logind_t) fs_read_efivarfs_files(systemd_logind_t) fs_getattr_tmpfs(systemd_logind_t) storage_getattr_removable_dev(systemd_logind_t) storage_setattr_removable_dev(systemd_logind_t) storage_getattr_scsi_generic_dev(systemd_logind_t) storage_setattr_scsi_generic_dev(systemd_logind_t) term_use_unallocated_ttys(systemd_logind_t) init_get_all_units_status(systemd_logind_t) init_start_all_units(systemd_logind_t) init_stop_all_units(systemd_logind_t) init_service_status(systemd_logind_t) init_service_start(systemd_logind_t) locallogin_read_state(systemd_logind_t) systemd_log_parse_environment(systemd_logind_t) systemd_start_power_units(systemd_logind_t) udev_read_db(systemd_logind_t) udev_read_pid_files(systemd_logind_t) userdom_use_user_ttys(systemd_logind_t) optional_policy(` dbus_system_bus_client(systemd_logind_t) dbus_connect_system_bus(systemd_logind_t) ') ######################################### # # Resolved local policy # allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; allow systemd_resolved_t self:process { getcap setcap setfscreate signal }; allow systemd_resolved_t self:tcp_socket { accept listen }; manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir) kernel_read_crypto_sysctls(systemd_resolved_t) kernel_read_kernel_sysctls(systemd_resolved_t) kernel_read_system_state(systemd_resolved_t) corenet_tcp_bind_generic_node(systemd_resolved_t) corenet_tcp_bind_llmnr_port(systemd_resolved_t) corenet_udp_bind_generic_node(systemd_resolved_t) corenet_udp_bind_llmnr_port(systemd_resolved_t) auth_use_nsswitch(systemd_resolved_t) seutil_read_file_contexts(systemd_resolved_t) systemd_log_parse_environment(systemd_resolved_t) optional_policy(` dbus_system_bus_client(systemd_resolved_t) ') ######################################### # # Sessions local policy # allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms; files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file) systemd_log_parse_environment(systemd_sessions_t) ######################################### # # Tmpfiles local policy # allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod }; allow systemd_tmpfiles_t self:process { setfscreate getcap }; kernel_read_kernel_sysctls(systemd_tmpfiles_t) dev_relabel_all_sysfs(systemd_tmpfiles_t) dev_read_urand(systemd_tmpfiles_t) dev_manage_all_dev_nodes(systemd_tmpfiles_t) files_read_etc_files(systemd_tmpfiles_t) files_relabel_all_lock_dirs(systemd_tmpfiles_t) files_relabel_all_pid_dirs(systemd_tmpfiles_t) files_relabel_all_tmp_dirs(systemd_tmpfiles_t) auth_manage_var_auth(systemd_tmpfiles_t) auth_manage_login_records(systemd_tmpfiles_t) auth_relabel_login_records(systemd_tmpfiles_t) auth_setattr_login_records(systemd_tmpfiles_t) # for /run/tmpfiles.d/kmod.conf modutils_read_var_run_files(systemd_tmpfiles_t) seutil_read_file_contexts(systemd_tmpfiles_t) systemd_log_parse_environment(systemd_tmpfiles_t) tunable_policy(`systemd_tmpfiles_manage_all',` # systemd-tmpfiles can be configured to manage anything. # have a last-resort option for users to do this. files_manage_non_security_dirs(systemd_tmpfiles_t) files_manage_non_security_files(systemd_tmpfiles_t) files_relabel_non_security_dirs(systemd_tmpfiles_t) files_relabel_non_security_files(systemd_tmpfiles_t) ')