## Systemd components (not PID 1)

#########################################
## Template for systemd --user per-role domains.
##
## Declares the per-role type <prefix>_systemd_t, authorizes it for the
## given role, and sets up the access between that domain and the user
## domain (in both directions).
##
## Parameters:
##   $1 - Prefix for generated types
##   $2 - The user role.
##   $3 - The user domain for the role.
##   $4 - The type for the user pty
##
## NOTE(review): the template body below references only $1, $2 and $3;
## $4 is documented but not used here.
#
template(`systemd_role_template',`
	gen_require(`
		attribute systemd_user_session_type, systemd_log_parse_env_type;
		attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
		type systemd_run_exec_t, systemd_analyze_exec_t;
		type systemd_conf_home_t, systemd_data_home_t;
		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
		type systemd_user_unit_t, systemd_user_runtime_unit_t;
	')

	#################################
	#
	# Declarations
	#

	# The generated domain carries both attributes, so every rule written
	# against systemd_user_session_type applies to each per-role instance.
	type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
	init_pgm_spec_user_daemon_domain($1_systemd_t)
	domain_user_exemption_target($1_systemd_t)
	ubac_constrained($1_systemd_t)
	role $2 types $1_systemd_t;

	#################################
	#
	# Local policy
	#

	# This domain is per-role because of the below transitions.
	# See the systemd --user section of systemd.te for the
	# remainder of the rules.
	allow $1_systemd_t self:process { getsched signal };
	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;

	# The user instance may signal and reschedule processes of the user
	# domain, and resource limits are inherited across the transition.
	allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
	# Going by the interface names, shells and generic binaries started by
	# the user instance transition into the user domain.
	corecmd_shell_domtrans($1_systemd_t, $3)
	corecmd_bin_domtrans($1_systemd_t, $3)

	# systemctl --user rules
	# Socket activation: covers every type tagged with the two
	# socket-activation attributes.
	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
	allow $1_systemd_t systemd_user_activated_sock_file_type:dir manage_dir_perms;
	allow $1_systemd_t systemd_user_activated_sock_file_type:sock_file manage_sock_file_perms;

	# NOTE(review): blk_file and chr_file are part of this manage set, so
	# device nodes labelled systemd_user_runtime_t are covered. Confirm that
	# breadth is intended.
	allow $1_systemd_t systemd_user_runtime_t:blk_file manage_blk_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:chr_file manage_chr_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:dir manage_dir_perms;
	allow $1_systemd_t systemd_user_runtime_t:file manage_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:fifo_file manage_fifo_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:sock_file manage_sock_file_perms;

	allow $1_systemd_t systemd_user_runtime_unit_t:dir manage_dir_perms;
	allow $1_systemd_t systemd_user_runtime_unit_t:file manage_file_perms;
	allow $1_systemd_t systemd_user_runtime_unit_t:lnk_file manage_lnk_file_perms;

	# Read-only view of objects labelled with the user domain type.
	allow $1_systemd_t $3:dir search_dir_perms;
	allow $1_systemd_t $3:file read_file_perms;
	allow $1_systemd_t $3:lnk_file read_lnk_file_perms;

	dev_read_urand($1_systemd_t)

	files_search_home($1_systemd_t)

	fs_manage_cgroup_files($1_systemd_t)
	fs_watch_cgroup_files($1_systemd_t)

	kernel_dontaudit_getattr_proc($1_systemd_t)

	selinux_use_status_page($1_systemd_t)

	init_linkable_keyring($1_systemd_t)
	init_list_unit_dirs($1_systemd_t)
	init_read_generic_units_files($1_systemd_t)

	miscfiles_watch_localization($1_systemd_t)

	mount_read_runtime_files($1_systemd_t)
	mount_watch_runtime_files($1_systemd_t)
	mount_watch_reads_runtime_files($1_systemd_t)

	seutil_search_default_contexts($1_systemd_t)
	seutil_read_file_contexts($1_systemd_t)

	systemd_manage_conf_home_content($1_systemd_t)
	systemd_manage_data_home_content($1_systemd_t)
	# NOTE(review): the two lines below are identical; the repeat adds no
	# access. Check whether a different interface was meant for one of them.
	systemd_search_user_runtime_unit_dirs($1_systemd_t)
	systemd_search_user_runtime_unit_dirs($1_systemd_t)
	systemd_read_user_unit_files($1_systemd_t)

	dbus_system_bus_client($1_systemd_t)
	dbus_spec_session_bus_client($1, $1_systemd_t)

	# userdomain rules
	allow $3 $1_systemd_t:process signal;
	allow $3 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
	# Allow using file descriptors for user environment generators
	allow $3 $1_systemd_t:fd use;
	allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)

	# The user domain controls its own systemd instance through the
	# system class.
	allow $3 $1_systemd_t:system { disable enable reload start stop status };

	# Unlike the systemd instance above, the user domain also gets relabel
	# permissions on the runtime objects, and no device-node classes.
	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	allow $3 systemd_user_unit_t:service { reload start status stop };
	allow $3 systemd_conf_home_t:service { reload start status stop };

	# Executed without a domain transition, so systemd-run and
	# systemd-analyze keep running in the user domain.
	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })

	init_dbus_chat($3)

	# Journal access for the user domain is granted by type, not per user.
	systemd_list_journal_dirs($3)
	systemd_read_journal_files($3)

	systemd_manage_conf_home_content($3)
	systemd_relabel_conf_home_content($3)

	systemd_manage_data_home_content($3)
	systemd_relabel_data_home_content($3)

	systemd_read_user_unit_files($3)

	systemd_list_user_runtime_unit_dirs($3)
	systemd_read_user_runtime_units($3)

	systemd_reload_user_runtime_units($3)
	systemd_start_user_runtime_units($3)
	systemd_status_user_runtime_units($3)
	systemd_stop_user_runtime_units($3)

	systemd_watch_passwd_runtime_dirs($3)

	# Only applied when the xdg module is part of the policy build.
	optional_policy(`
		xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
		xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
		xdg_read_config_files($1_systemd_t)
		xdg_read_data_files($1_systemd_t)
	')
')

######################################
## Allow the specified domain to be started as a daemon by the
## specified systemd user instance.
##
## Besides the domain transition, the user instance gets signal_perms
## on the daemon, and the daemon gets rw_socket_perms on the unix stream
## sockets of the user instance.
##
## Parameters:
##   $1 - Prefix for the user domain.
##   $2 - Entry point file type for the domain.
##   $3 - Domain to allow the systemd user domain to run.
#
template(`systemd_user_daemon_domain',`
	gen_require(`
		type $1_systemd_t;
	')

	domtrans_pattern($1_systemd_t, $2, $3)

	allow $1_systemd_t $3:process signal_perms;
	allow $3 $1_systemd_t:unix_stream_socket rw_socket_perms;
')

######################################
## Associate the specified file type to be a type whose sock files
## can be managed by systemd user instances for socket activation.
##
## This only adds the attribute; systemd_role_template grants each
## per-role systemd instance manage access to dir and sock_file objects
## of every type carrying it.
##
## Parameters:
##   $1 - File type to be associated.
#
interface(`systemd_user_activated_sock_file',`
	gen_require(`
		attribute systemd_user_activated_sock_file_type;
	')

	typeattribute $1 systemd_user_activated_sock_file_type;
')

######################################
## Associate the specified domain to be a domain whose unix stream
## sockets and sock files can be managed by systemd user instances
## for socket activation.
##
## systemd_role_template lets each per-role systemd instance create and
## listen on unix stream sockets of every domain carrying the attribute.
##
## Parameters:
##   $1 - Domain to be associated.
##   $2 - File type of the domain's sock files to be associated.
#
interface(`systemd_user_unix_stream_activated_socket',`
	gen_require(`
		attribute systemd_user_unix_stream_activated_socket_type;
	')

	# Tag the domain, then tag its sock file type through the sibling
	# interface.
	typeattribute $1 systemd_user_unix_stream_activated_socket_type;

	systemd_user_activated_sock_file($2)
')

######################################
## Allow the specified domain to search systemd config home
## content.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_search_conf_home_content',`
	gen_require(`
		type systemd_conf_home_t;
	')

	search_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
')

######################################
## Allow the specified domain to manage systemd config home
## content.
##
## Covers directories, files and symlinks of type systemd_conf_home_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_conf_home_content',`
	gen_require(`
		type systemd_conf_home_t;
	')

	manage_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	manage_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	manage_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
')

######################################
## Allow the specified domain to relabel systemd config home
## content.
##
## Covers directories, files and symlinks of type systemd_conf_home_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_relabel_conf_home_content',`
	gen_require(`
		type systemd_conf_home_t;
	')

	relabel_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	relabel_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	relabel_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
')

######################################
## Allow the specified domain to search systemd data home
## content.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_search_data_home_content',`
	gen_require(`
		type systemd_data_home_t;
	')

	search_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
')

######################################
## Allow the specified domain to manage systemd data home
## content.
##
## Covers directories, files and symlinks of type systemd_data_home_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_data_home_content',`
	gen_require(`
		type systemd_data_home_t;
	')

	# Written as direct allow rules, where the config home counterpart
	# uses the manage pattern macros.
	allow $1 systemd_data_home_t:dir manage_dir_perms;
	allow $1 systemd_data_home_t:file manage_file_perms;
	allow $1 systemd_data_home_t:lnk_file manage_lnk_file_perms;
')

######################################
## Allow the specified domain to relabel systemd data home
## content.
##
## Covers directories, files and symlinks of type systemd_data_home_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_relabel_data_home_content',`
	gen_require(`
		type systemd_data_home_t;
	')

	relabel_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
	relabel_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
	relabel_lnk_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
')

######################################
## Allow the specified domain to search systemd user runtime
## content.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_search_user_runtime',`
	gen_require(`
		type systemd_user_runtime_t;
	')

	search_dirs_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
')

######################################
## Allow the specified domain to read systemd user runtime files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_user_runtime_files',`
	gen_require(`
		type systemd_user_runtime_t;
	')

	read_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
')

######################################
## Allow the specified domain to read systemd user runtime lnk files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_user_runtime_lnk_files',`
	gen_require(`
		type systemd_user_runtime_t;
	')

	read_lnk_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
')

######################################
## Allow the specified domain to read system-wide systemd
## user unit files.
##
## Grants directory listing plus read access to files and symlinks of
## type systemd_user_unit_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_user_unit_files',`
	gen_require(`
		type systemd_user_unit_t;
	')

	allow $1 systemd_user_unit_t:dir list_dir_perms;
	allow $1 systemd_user_unit_t:file read_file_perms;
	allow $1 systemd_user_unit_t:lnk_file read_lnk_file_perms;
')

######################################
## Allow the specified domain to read systemd user runtime unit files.
##
## Covers files and symlinks of type systemd_user_runtime_unit_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
	')

	read_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
	read_lnk_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
')

######################################
## Allow the specified domain to search systemd user runtime unit
## directories.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_search_user_runtime_unit_dirs',`
	gen_require(`
		type systemd_user_runtime_unit_t;
	')

	search_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
')

######################################
## Allow the specified domain to list the contents of systemd
## user runtime unit directories.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_list_user_runtime_unit_dirs',`
	gen_require(`
		type systemd_user_runtime_unit_t;
	')

	list_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
')

######################################
## Allow the specified domain to get the status of systemd user runtime units.
##
## Grants only the status permission of the service class.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_status_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service status;
	')

	allow $1 systemd_user_runtime_unit_t:service status;
')

######################################
## Allow the specified domain to start systemd user runtime units.
##
## Grants only the start permission of the service class.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_start_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service start;
	')

	allow $1 systemd_user_runtime_unit_t:service start;
')

######################################
## Allow the specified domain to stop systemd user runtime units.
##
## Grants only the stop permission of the service class.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_stop_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service stop;
	')

	allow $1 systemd_user_runtime_unit_t:service stop;
')

######################################
## Allow the specified domain to reload systemd user runtime units.
##
## Grants only the reload permission of the service class.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_reload_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service reload;
	')

	allow $1 systemd_user_runtime_unit_t:service reload;
')

######################################
## Make the specified type usable as a
## log parse environment type.
##
## This only adds the systemd_log_parse_env_type attribute; the rules
## written against that attribute are not part of this interface.
##
## Parameters:
##   $1 - Type to be used as a log parse environment type.
#
interface(`systemd_log_parse_environment',`
	gen_require(`
		attribute systemd_log_parse_env_type;
	')

	typeattribute $1 systemd_log_parse_env_type;
')

######################################
## Allow domain to use systemd's Name Service Switch (NSS) module.
## This module provides UNIX user and group name resolution for dynamic users
## and groups allocated through the DynamicUser= option in systemd unit files.
##
## The D-Bus part is optional policy, so it only applies when the dbus
## module is part of the policy build.
##
## Parameters:
##   $1 - Domain allowed access
#
interface(`systemd_use_nss',`
	gen_require(`
		type systemd_conf_t;
	')

	# Get attributes of /etc/systemd/dont-synthesize-nobody
	files_search_etc($1)
	allow $1 systemd_conf_t:file getattr;

	optional_policy(`
		dbus_system_bus_client($1)
		# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
		init_dbus_chat($1)
	')
')

######################################
## Allow domain to be used as a systemd service with a unit
## that uses PrivateDevices=yes in section [Service].
##
## Parameters:
##   $1 - Domain allowed access
#
interface(`systemd_PrivateDevices',`
	# For services using PrivateDevices, systemd mounts a dedicated
	# tmpfs filesystem for the /dev, which gets label tmpfs_t.
	# Allow to traverse /dev and to read symlinks in /dev (for example /dev/log)
	fs_read_tmpfs_symlinks($1)
')

#######################################
## Allow domain to read udev hwdb file
##
## Parameters:
##   $1 - domain allowed access
#
interface(`systemd_read_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')

#######################################
## Allow domain to map udev hwdb file
##
## Grants only the map permission on systemd_hwdb_t files; read access
## comes from systemd_read_hwdb().
##
## Parameters:
##   $1 - domain allowed access
#
interface(`systemd_map_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	allow $1 systemd_hwdb_t:file map;
')

######################################
## Read systemd_login PID files.  (Deprecated)
##
## Emits a refpolicy warning and forwards to
## systemd_read_logind_runtime_files().
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_logind_pids',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_read_logind_runtime_files() instead.')
	systemd_read_logind_runtime_files($1)
')

######################################
## Manage systemd_login PID pipes.  (Deprecated)
##
## Emits a refpolicy warning and forwards to
## systemd_manage_logind_runtime_pipes().
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_logind_pid_pipes',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_manage_logind_runtime_pipes() instead.')
	systemd_manage_logind_runtime_pipes($1)
')

######################################
## Write systemd_login named pipe.  (Deprecated)
##
## Emits a refpolicy warning and forwards to
## systemd_write_logind_runtime_pipes().
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_write_logind_pid_pipes',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_write_logind_runtime_pipes() instead.')
	systemd_write_logind_runtime_pipes($1)
')

######################################
## Read systemd-logind runtime files.
##
## Grants directory listing and file read on systemd_logind_runtime_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_logind_runtime_files',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	files_search_runtime($1)
	allow $1 systemd_logind_runtime_t:dir list_dir_perms;
	allow $1 systemd_logind_runtime_t:file read_file_perms;
')

######################################
## Manage systemd-logind runtime pipes.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_logind_runtime_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	files_search_runtime($1)
	manage_fifo_files_pattern($1, systemd_logind_runtime_t, systemd_logind_runtime_t)
')

######################################
## Write systemd-logind runtime named pipe.
##
## Grants getattr and write on the fifo; no read and no create.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_write_logind_runtime_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	init_search_run($1)
	files_search_runtime($1)
	allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
')

######################################
## Use inherited systemd
## logind file descriptors.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_use_logind_fds',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
')

######################################
## Read logind sessions files.
##
## Also grants use of file descriptors owned by systemd_logind_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_logind_sessions_files',`
	gen_require(`
		type systemd_sessions_runtime_t, systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	init_search_run($1)
	allow $1 systemd_sessions_runtime_t:dir list_dir_perms;
	read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
')

######################################
## Write inherited logind sessions pipes.
##
## Besides the write access for the caller, this also lets
## systemd_logind_t send the signal permission set named "signal" to
## processes of the specified domain.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
	gen_require(`
		type systemd_logind_t, systemd_sessions_runtime_t;
	')

	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_sessions_runtime_t:fifo_file write;
	# Reverse direction: logind is the source of this rule, the calling
	# domain is the target.
	allow systemd_logind_t $1:process signal;
')

######################################
## Write inherited logind inhibit pipes.
##
## Grants fd use on systemd_logind_t and write on the inhibit fifo; no
## rule in the logind-to-caller direction is added here.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_write_inherited_logind_inhibit_pipes',`
	gen_require(`
		type systemd_logind_inhibit_runtime_t;
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_logind_inhibit_runtime_t:fifo_file write;
')

########################################
## Send and receive messages from
## systemd logind over dbus.
##
## The send_msg permission is granted in both directions.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_dbus_chat_logind',`
	gen_require(`
		type systemd_logind_t;
		class dbus send_msg;
	')

	allow $1 systemd_logind_t:dbus send_msg;
	allow systemd_logind_t $1:dbus send_msg;
')

########################################
## Get the system status information from systemd_login
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_status_logind',`
	gen_require(`
		type systemd_logind_t;
		class service status;
	')

	allow $1 systemd_logind_t:service status;
')

########################################
## Send systemd_login a null signal.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_signull_logind',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:process signull;
')

########################################
## Manage systemd userdb runtime directories.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_userdb_runtime_dirs', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
')

########################################
## Manage socket files under /run/systemd/userdb .
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_userdb_runtime_sock_files', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
')

########################################
## Connect to /run/systemd/userdb/io.systemd.DynamicUser .
##
## Grants the path access (directory listing, sock_file write) on
## systemd_userdb_runtime_t; the connectto part is delegated to
## init_unix_stream_socket_connectto().
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_stream_connect_userdb', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	init_search_runtime($1)
	allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
	allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
	init_unix_stream_socket_connectto($1)
')

########################################
## Allow reading /run/systemd/machines
##
## Grants directory listing and file read on systemd_machined_runtime_t.
##
## Parameters:
##   $1 - Domain that can access the machines files
#
interface(`systemd_read_machines',`
	gen_require(`
		type systemd_machined_runtime_t;
	')

	allow $1 systemd_machined_runtime_t:dir list_dir_perms;
	allow $1 systemd_machined_runtime_t:file read_file_perms;
')

########################################
## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
##
## Grants only connectto on the unix stream socket of systemd_machined_t.
## No directory or sock_file access is granted here; compare
## systemd_stream_connect_userdb(), which covers the userdb path.
##
## Parameters:
##   $1 - Domain that can access the socket
#
interface(`systemd_connect_machined',`
	gen_require(`
		type systemd_machined_t;
	')

	allow $1 systemd_machined_t:unix_stream_socket connectto;
')

########################################
## Send and receive messages from
## systemd hostnamed over dbus.
##
## The send_msg permission is granted in both directions.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_dbus_chat_hostnamed',`
	gen_require(`
		type systemd_hostnamed_t;
		class dbus send_msg;
	')

	allow $1 systemd_hostnamed_t:dbus send_msg;
	allow systemd_hostnamed_t $1:dbus send_msg;
')

########################################
## Allow systemd_passwd_agent_t to use file descriptors owned by the
## specified domain.
##
## The agent is the source of the rule; the specified domain gains
## nothing from this interface.
##
## Parameters:
##   $1 - Domain that owns the fds
#
interface(`systemd_use_passwd_agent_fds',`
	gen_require(`
		type systemd_passwd_agent_t;
	')

	allow systemd_passwd_agent_t $1:fd use;
')

########################################
## Allow systemd_passwd_agent to be run by admin
##
## Sets up the domain transition through systemd_passwd_agent_exec_t,
## lets the agent use file descriptors of the caller, and authorizes
## systemd_passwd_agent_t for the given role.
##
## Parameters:
##   $1 - Domain that runs it
##   $2 - role that it runs in
#
interface(`systemd_run_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
	')

	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
	allow systemd_passwd_agent_t $1:fd use;
	role $2 types systemd_passwd_agent_t;
')

#######################################
## Allow a systemd_passwd_agent_t process to interact with a daemon
## that needs a password from the sysadmin.
##
## The daemon gets manage access to files and sock files of type
## systemd_passwd_runtime_t. The agent gets signull, process state
## access (ps_process_pattern) and sendto on the unix datagram socket
## of the daemon.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_use_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t;
		type systemd_passwd_runtime_t;
	')

	manage_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
	manage_sock_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)

	allow systemd_passwd_agent_t $1:process signull;
	ps_process_pattern(systemd_passwd_agent_t, $1)
	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')

########################################
## Transition to systemd_passwd_runtime_t when creating dirs
##
## Applies to directories named "ask-password-block" and "ask-password"
## created in an init runtime directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_filetrans_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	# Named transitions: only these two directory names are covered.
	init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password-block")
	init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
')

########################################
## Transition to systemd_userdb_runtime_t when
## creating the userdb directory inside an init runtime
## directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_filetrans_userdb_runtime_dirs', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
')

######################################
## Allow domain to manage systemd-passwd symlinks
##
## Grants manage_lnk_file_perms on systemd_passwd_runtime_t, which is
## more than creation alone.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_passwd_runtime_symlinks',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
')

########################################
## Allow a domain to watch systemd-passwd runtime dirs.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_watch_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	allow $1 systemd_passwd_runtime_t:dir watch;
')

########################################
## Manage systemd unit dirs and the files in them.  (Deprecated)
##
## Emits a refpolicy warning and forwards to
## init_manage_all_unit_files().
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_all_units',`
	refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.')
	init_manage_all_unit_files($1)
')

########################################
## Allow domain to list the contents of systemd_journal_t dirs
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_list_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
')

########################################
## Allow domain to read systemd_journal_t files
##
## Includes directory listing, and uses the mmap read pattern for the
## files. Access is by type, so it spans every file labelled
## systemd_journal_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
')

########################################
## Allow domain to create/manage systemd_journal_t files
##
## Covers directories and files, plus the map permission on files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
	allow $1 systemd_journal_t:file map;
')

########################################
## Allow domain to add a watch on systemd_journal_t directories
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_watch_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	allow $1 systemd_journal_t:dir watch;
')

########################################
## Relabel to systemd-journald directory type.
##
## Grants the relabelto side only; relabelfrom on the previous type of
## the directory is not part of this interface.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_relabelto_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	allow $1 systemd_journal_t:dir relabelto_dir_perms;
')

########################################
## Relabel to systemd-journald file type.
##
## Grants the relabelto side only, plus listing of systemd_journal_t
## directories.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_relabelto_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
	allow $1 systemd_journal_t:file relabelto_file_perms;
')

########################################
## Allow domain to read systemd_networkd_t unit files
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_read_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## Allow domain to create/manage systemd_networkd_t unit files
##
## Covers directories and files of type systemd_networkd_unit_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_manage_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## Allow specified domain to enable and disable systemd-networkd units
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_enabledisable_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { enable disable };
	')

	allow $1 systemd_networkd_unit_t:service { enable disable };
')

########################################
## Allow specified domain to start and stop systemd-networkd units
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_startstop_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { start stop };
	')

	allow $1 systemd_networkd_unit_t:service { start stop };
')

########################################
## Allow specified domain to get status of systemd-networkd
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_status_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service status;
	')

	allow $1 systemd_networkd_unit_t:service status;
')

#######################################
## Relabel systemd_networkd tun socket.
##
## Grants the relabelfrom side only.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_relabelfrom_networkd_tun_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:tun_socket relabelfrom;
')

#######################################
## Read/Write from systemd_networkd netlink route socket.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_rw_networkd_netlink_route_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
')

#######################################
## Allow domain to list dirs under /run/systemd/netif
##
## Parameters:
##   $1 - domain permitted the access
#
interface(`systemd_list_networkd_runtime',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	init_list_runtime($1)
	allow $1 systemd_networkd_runtime_t:dir list_dir_perms;
')

#######################################
## Watch directories under /run/systemd/netif
##
## Parameters:
##   $1 - Domain permitted the access
#
interface(`systemd_watch_networkd_runtime_dirs',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	allow $1 systemd_networkd_runtime_t:dir watch;
')

#######################################
## Allow domain to read files generated by systemd_networkd
##
## Parameters:
##   $1 - domain allowed access
#
interface(`systemd_read_networkd_runtime',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
	read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
')

########################################
## Allow systemd_logind_t to read process state for cgroup file
##
## The access is granted to systemd_logind_t, not to the specified
## domain: logind may list directories and read files labelled with
## that domain type.
##
## Parameters:
##   $1 - Domain systemd_logind_t may access.
#
interface(`systemd_read_logind_state',`
	gen_require(`
		type systemd_logind_t;
	')

	allow systemd_logind_t $1:dir list_dir_perms;
	allow systemd_logind_t $1:file read_file_perms;
')

########################################
## Allow specified domain to start power units
##
## This is an allow rule, not a dontaudit rule: it grants the start
## permission on power_unit_t services.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_start_power_units',`
	gen_require(`
		type power_unit_t;
		class service start;
	')

	allow $1 power_unit_t:service start;
')

########################################
## Get the system status information about power units
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_status_power_units',`
	gen_require(`
		type power_unit_t;
		class service status;
	')

	allow $1 power_unit_t:service status;
')

########################################
## Allows connections to the systemd-socket-proxyd's socket.
##
## Grants only connectto on the unix stream socket of
## systemd_socket_proxyd_t; no directory or sock_file access is
## granted here.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_stream_connect_socket_proxyd', `
	gen_require(`
		type systemd_socket_proxyd_t;
	')

	allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto;
')

########################################
## Make the specified type usable for
## systemd tmpfiles config files.
##
## Parameters:
##   $1 - Type to be used for systemd tmpfiles config files.
#
interface(`systemd_tmpfiles_conf_file',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	files_config_file($1)
	typeattribute $1 systemd_tmpfiles_conf_type;
')

########################################
## Allow the specified domain to create
## the tmpfiles config directory with
## the correct context.
##
## Uses a named transition for a directory called "tmpfiles.d" and
## grants create on systemd_tmpfiles_conf_t directories.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`systemd_tmpfiles_creator',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	files_runtime_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
	allow $1 systemd_tmpfiles_conf_t:dir create;
')

########################################
## Create an object in the systemd tmpfiles config
## directory, with a private type
## using a type transition.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - The type of the object to be created.
##   $3 - The object class of the object being created.
##   $4 - The name of the object being created.
##
##
#
interface(`systemd_tmpfiles_conf_filetrans',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	# Search access to the runtime directory, then a type transition for
	# objects the caller creates inside systemd_tmpfiles_conf_t
	# directories. Type, object class and name are the second, third and
	# fourth arguments.
	files_search_runtime($1)
	filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')

########################################
##
##	Allow domain to list systemd tmpfiles config directory
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_list_tmpfiles_conf',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	# Directory listing only; file contents are not readable through
	# this interface.
	allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
')

########################################
##
##	Allow domain to relabel to systemd tmpfiles config directory
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	# Relabel-to on directories: the caller can give a directory the
	# systemd_tmpfiles_conf_t label. The relabelfrom side on the old
	# label is not granted here.
	allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
')

########################################
##
##	Allow domain to relabel to systemd tmpfiles config files
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_relabelto_tmpfiles_conf_files',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	# Uses the attribute rather than a single type, so this covers every
	# type tagged through systemd_tmpfiles_conf_file.
	allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
')

#######################################
##
##	Allow systemd_tmpfiles_t to manage filesystem objects
##
##
##
##	Type of object to manage
##
##
#
interface(`systemd_tmpfilesd_managed',`
	gen_require(`
		type systemd_tmpfiles_t;
	')

	# Direction is reversed: systemd_tmpfiles_t is the source and the
	# given type is the target. The grants include relabel permissions,
	# so systemd-tmpfiles can change labels on objects of this type.
	# Apply only to types that tmpfiles.d entries are expected to manage.
	allow systemd_tmpfiles_t $1:dir { manage_dir_perms relabel_dir_perms };
	allow systemd_tmpfiles_t $1:file { create setattr unlink write_file_perms relabel_file_perms };
	allow systemd_tmpfiles_t $1:lnk_file { create setattr unlink relabel_lnk_file_perms };
	allow systemd_tmpfiles_t $1:fifo_file { create setattr unlink relabel_fifo_file_perms };

	# Deprecated optional second argument: when it is non-empty a build
	# warning is emitted and the named object class gets setattr,
	# relabelfrom, relabelto and create as well.
	ifelse(`$2',`',`',`
		refpolicywarn(`$0($*) second parameter is deprecated.')
		allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
	')
')

########################################
##
##	Send and receive messages from
##	systemd resolved over dbus.
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_dbus_chat_resolved',`
	gen_require(`
		type systemd_resolved_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may send to systemd_resolved_t and
	# systemd_resolved_t may send back to the caller.
	allow $1 systemd_resolved_t:dbus send_msg;
	allow systemd_resolved_t $1:dbus send_msg;
')

#######################################
##
##	Allow domain to read resolv.conf file generated by systemd_resolved
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_read_resolved_runtime',`
	gen_require(`
		type systemd_resolved_runtime_t;
	')

	# Read-only access to files in systemd_resolved_runtime_t
	# directories; no write or create permission is added.
	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
')

#######################################
##
##	Allow domain to getattr on .updated file (generated by systemd-update-done)
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_getattr_updated_runtime',`
	gen_require(`
		type systemd_update_run_t;
	')

	# Attribute lookup only; the file contents are not readable through
	# this interface.
	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')

########################################
##
##	Search keys for all the systemd --user domains.
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_search_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	# The target is the systemd_user_session_type attribute, so this
	# reaches the keys of every systemd --user domain, not one role.
	allow $1 systemd_user_session_type:key search;
')

########################################
##
##	Create keys for all the systemd --user domains.
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_create_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	# Attribute-wide grant: key creation is allowed against every
	# systemd --user domain type.
	allow $1 systemd_user_session_type:key create;
')

########################################
##
##	Write keys for all the systemd --user domains.
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_write_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	# Attribute-wide write access to keys of every systemd --user domain.
	# Broader than a per-role grant, so limit it to domains that
	# genuinely need to modify those keys.
	allow $1 systemd_user_session_type:key write;
')

########################################
##
##	Execute systemd-sysusers in the
##	systemd sysusers domain.
##
##
##
##	Domain allowed access.
##
##
#
interface(`systemd_domtrans_sysusers', `
	gen_require(`
		type systemd_sysusers_t, systemd_sysusers_exec_t;
	')

	# Search the bin directories, then transition to systemd_sysusers_t
	# when the caller executes a file labeled systemd_sysusers_exec_t.
	# NOTE(review): systemd-sysusers presumably edits the account
	# databases, so restrict this to trusted domains; confirm against
	# the systemd_sysusers_t rules.
	corecmd_search_bin($1)
	domtrans_pattern($1, systemd_sysusers_exec_t, systemd_sysusers_t)
')

########################################
##
##	Run systemd-sysusers with a domain transition.
##
##
##
##	Domain allowed access.
##
##
##
##
##	Role allowed access.
##
##
##
#
interface(`systemd_run_sysusers', `
	gen_require(`
		attribute_role systemd_sysusers_roles;
	')

	# Domain transition for the first argument, plus adding the role in
	# the second argument to systemd_sysusers_roles.
	# NOTE(review): that role attribute presumably authorises the role
	# for systemd_sysusers_t; the role statement is not visible here.
	systemd_domtrans_sysusers($1)
	roleattribute $2 systemd_sysusers_roles;
')

########################################
##
##	Receive and use a systemd_machined_devpts_t file handle
##
##
##
##	Domain allowed access.
##
##
##
#
interface(`systemd_use_inherited_machined_ptys', `
	gen_require(`
		type systemd_machined_t, systemd_machined_devpts_t;
	')

	# fd use lets the caller use descriptors that belong to
	# systemd_machined_t.
	allow $1 systemd_machined_t:fd use;
	# NOTE(review): rw_inherited_term_perms presumably omits open, so the
	# pty has to arrive as an inherited descriptor; confirm in the
	# permission set definition.
	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
')