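## <summary>Systemd components (not PID 1)</summary>

########################################
## <summary>
##	Template for systemd --user per-role domains.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for generated types
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	The user domain for the role.
##	</summary>
## </param>
#
template(`systemd_role_template',`
	gen_require(`
		attribute systemd_user_session_type, systemd_log_parse_env_type;
		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
		type systemd_run_exec_t, systemd_analyze_exec_t;
	')

	#################################
	#
	# Declarations
	#

	type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
	init_pgm_spec_user_daemon_domain($1_systemd_t)
	domain_user_exemption_target($1_systemd_t)
	ubac_constrained($1_systemd_t)
	role $2 types $1_systemd_t;

	#################################
	#
	# Local policy
	#

	# The user domain fully manages and relabels its own
	# $XDG_RUNTIME_DIR/systemd content and the notify socket.
	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	# This domain is per-role because of the below transitions.
	# See the systemd --user section of systemd.te for the
	# remainder of the rules.
	allow $1_systemd_t $3:process { setsched rlimitinh };
	corecmd_shell_domtrans($1_systemd_t, $3)
	corecmd_bin_domtrans($1_systemd_t, $3)

	# Allow using file descriptors for user environment generators
	allow $3 $1_systemd_t:fd use;

	# systemctl --user
	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })

	dbus_system_bus_client($1_systemd_t)
')

########################################
## <summary>
##	Make the specified type usable as a
##	log parse environment type.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a log parse environment type.
##	</summary>
## </param>
#
interface(`systemd_log_parse_environment',`
	gen_require(`
		attribute systemd_log_parse_env_type;
	')

	typeattribute $1 systemd_log_parse_env_type;
')

########################################
## <summary>
##	Allow domain to use systemd's Name Service Switch (NSS) module.
##	This module provides UNIX user and group name resolution for dynamic users
##	and groups allocated through the DynamicUser= option in systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_use_nss',`
	gen_require(`
		type systemd_conf_t;
	')

	# Get attributes of /etc/systemd/dont-synthesize-nobody
	files_search_etc($1)
	allow $1 systemd_conf_t:file getattr;

	optional_policy(`
		dbus_system_bus_client($1)
		# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
		init_dbus_chat($1)
	')
')

########################################
## <summary>
##	Allow domain to be used as a systemd service with a unit
##	that uses PrivateDevices=yes in section [Service].
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_PrivateDevices',`
	# For services using PrivateDevices, systemd mounts a dedicated
	# tmpfs filesystem for the /dev, which gets label tmpfs_t.
	# Allow to traverse /dev and to read symlinks in /dev (for example /dev/log)
	fs_read_tmpfs_symlinks($1)
')

########################################
## <summary>
##	Allow domain to read udev hwdb file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')

########################################
## <summary>
##	Allow domain to map udev hwdb file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_map_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	allow $1 systemd_hwdb_t:file map;
')

########################################
## <summary>
##	Read systemd_login PID files. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_pids',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_read_logind_runtime_files() instead.')
	systemd_read_logind_runtime_files($1)
')

########################################
## <summary>
##	Manage systemd_login PID pipes. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_logind_pid_pipes',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_manage_logind_runtime_pipes() instead.')
	systemd_manage_logind_runtime_pipes($1)
')

########################################
## <summary>
##	Write systemd_login named pipe. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_logind_pid_pipes',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_write_logind_runtime_pipes() instead.')
	systemd_write_logind_runtime_pipes($1)
')

########################################
## <summary>
##	Read systemd-logind runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_runtime_files',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	files_search_runtime($1)
	allow $1 systemd_logind_runtime_t:dir list_dir_perms;
	allow $1 systemd_logind_runtime_t:file read_file_perms;
')

########################################
## <summary>
##	Manage systemd-logind runtime pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_logind_runtime_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	files_search_runtime($1)
	manage_fifo_files_pattern($1, systemd_logind_runtime_t, systemd_logind_runtime_t)
')

########################################
## <summary>
##	Write systemd-logind runtime named pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_logind_runtime_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	init_search_run($1)
	files_search_runtime($1)
	# Write-only on purpose: the caller can signal logind through
	# the pipe but is not granted read access to it.
	allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
')

########################################
## <summary>
##	Use inherited systemd
##	logind file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_use_logind_fds',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
')

########################################
## <summary>
##	Read logind sessions files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_sessions_files',`
	gen_require(`
		type systemd_sessions_runtime_t, systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	init_search_run($1)
	allow $1 systemd_sessions_runtime_t:dir list_dir_perms;
	read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
')

########################################
## <summary>
##	Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
	gen_require(`
		type systemd_logind_t, systemd_sessions_runtime_t;
	')

	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_sessions_runtime_t:fifo_file write;
	# Note the reverse direction: this also lets logind send
	# signals to the caller domain.
	allow systemd_logind_t $1:process signal;
')

########################################
## <summary>
##	Write inherited logind inhibit pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_inherited_logind_inhibit_pipes',`
	gen_require(`
		type systemd_logind_inhibit_runtime_t;
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_logind_inhibit_runtime_t:fifo_file write;
')

########################################
## <summary>
##	Send and receive messages from
##	systemd logind over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dbus_chat_logind',`
	gen_require(`
		type systemd_logind_t;
		class dbus send_msg;
	')

	allow $1 systemd_logind_t:dbus send_msg;
	allow systemd_logind_t $1:dbus send_msg;
')

########################################
## <summary>
##	Get the system status information from systemd_login.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_logind',`
	gen_require(`
		type systemd_logind_t;
		class service status;
	')

	allow $1 systemd_logind_t:service status;
')

########################################
## <summary>
##	Send systemd_login a null signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_signull_logind',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:process signull;
')

########################################
## <summary>
##	Manage systemd userdb runtime directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_userdb_runtime_dirs',`
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
')

########################################
## <summary>
##	Manage socket files under /run/systemd/userdb .
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_userdb_runtime_sock_files',`
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
')

########################################
## <summary>
##	Connect to /run/systemd/userdb/io.systemd.DynamicUser .
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_stream_connect_userdb',`
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	init_search_runtime($1)
	allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
	allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
	# The listening socket itself is presumably owned by init (systemd),
	# hence the init interface rather than a userdb-specific one.
	init_unix_stream_socket_connectto($1)
')

########################################
## <summary>
##	Allow reading /run/systemd/machines.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that can access the machines files.
##	</summary>
## </param>
#
interface(`systemd_read_machines',`
	gen_require(`
		type systemd_machined_runtime_t;
	')

	allow $1 systemd_machined_runtime_t:dir list_dir_perms;
	allow $1 systemd_machined_runtime_t:file read_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	systemd hostnamed over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dbus_chat_hostnamed',`
	gen_require(`
		type systemd_hostnamed_t;
		class dbus send_msg;
	')

	allow $1 systemd_hostnamed_t:dbus send_msg;
	allow systemd_hostnamed_t $1:dbus send_msg;
')

########################################
## <summary>
##	Allow systemd_passwd_agent to inherit fds.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that owns the fds.
##	</summary>
## </param>
#
interface(`systemd_use_passwd_agent_fds',`
	gen_require(`
		type systemd_passwd_agent_t;
	')

	allow systemd_passwd_agent_t $1:fd use;
')

########################################
## <summary>
##	Allow systemd_passwd_agent to be run by admin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that runs it.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role that it runs in.
##	</summary>
## </param>
#
interface(`systemd_run_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
	')

	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
	allow systemd_passwd_agent_t $1:fd use;
	role $2 types systemd_passwd_agent_t;
')

########################################
## <summary>
##	Allow a systemd_passwd_agent_t process to interact with a daemon
##	that needs a password from the sysadmin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_use_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t;
		type systemd_passwd_runtime_t;
	')

	# The daemon publishes its request under the passwd runtime type.
	manage_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
	manage_sock_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)

	# The agent may probe the daemon (signull), read its process
	# state and answer over its datagram socket.
	allow systemd_passwd_agent_t $1:process signull;
	ps_process_pattern(systemd_passwd_agent_t, $1)
	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')

########################################
## <summary>
##	Transition to systemd_passwd_runtime_t when creating dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_filetrans_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password-block")
	init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
')

########################################
## <summary>
##	Transition to systemd_userdb_runtime_t when
##	creating the userdb directory inside an init runtime
##	directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_filetrans_userdb_runtime_dirs',`
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
')

########################################
## <summary>
##	Allow domain to create systemd-passwd symlink.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_passwd_runtime_symlinks',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
')

########################################
## <summary>
##	Manage systemd unit dirs and the files in them. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_all_units',`
	refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.')
	init_manage_all_unit_files($1)
')

########################################
## <summary>
##	Allow domain to read systemd_journal_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	# Journal readers mmap the journal files, so map is included.
	mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
')

########################################
## <summary>
##	Allow domain to create/manage systemd_journal_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
	allow $1 systemd_journal_t:file map;
')

########################################
## <summary>
##	Relabel to systemd-journald directory type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	allow $1 systemd_journal_t:dir relabelto_dir_perms;
')

########################################
## <summary>
##	Relabel to systemd-journald file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	allow $1 systemd_journal_t:file relabelto_file_perms;
')

########################################
## <summary>
##	Allow domain to read systemd_networkd_t unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## <summary>
##	Allow domain to create/manage systemd_networkd_t unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## <summary>
##	Allow specified domain to enable systemd-networkd units.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_enabledisable_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { enable disable };
	')

	allow $1 systemd_networkd_unit_t:service { enable disable };
')

########################################
## <summary>
##	Allow specified domain to start systemd-networkd units.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_startstop_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { start stop };
	')

	allow $1 systemd_networkd_unit_t:service { start stop };
')

########################################
## <summary>
##	Allow specified domain to get status of systemd-networkd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service status;
	')

	allow $1 systemd_networkd_unit_t:service status;
')

########################################
## <summary>
##	Relabel systemd_networkd tun socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelfrom_networkd_tun_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:tun_socket relabelfrom;
')

########################################
## <summary>
##	Read/Write from systemd_networkd netlink route socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_rw_networkd_netlink_route_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
')

########################################
## <summary>
##	Allow domain to list dirs under /run/systemd/netif.
## </summary>
## <param name="domain">
##	<summary>
##	Domain permitted the access.
##	</summary>
## </param>
#
interface(`systemd_list_networkd_runtime',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	init_list_runtime($1)
	allow $1 systemd_networkd_runtime_t:dir list_dir_perms;
')

########################################
## <summary>
##	Watch directories under /run/systemd/netif.
## </summary>
## <param name="domain">
##	<summary>
##	Domain permitted the access.
##	</summary>
## </param>
#
interface(`systemd_watch_networkd_runtime_dirs',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	allow $1 systemd_networkd_runtime_t:dir watch;
')

########################################
## <summary>
##	Allow domain to read files generated by systemd_networkd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_networkd_runtime',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
	read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
')

########################################
## <summary>
##	Allow systemd_logind_t to read process state for cgroup file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain systemd_logind_t may access.
##	</summary>
## </param>
#
interface(`systemd_read_logind_state',`
	gen_require(`
		type systemd_logind_t;
	')

	# Subject is logind, object is the caller's domain (its /proc entries).
	allow systemd_logind_t $1:dir list_dir_perms;
	allow systemd_logind_t $1:file read_file_perms;
')

########################################
## <summary>
##	Allow specified domain to start power units.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_start_power_units',`
	gen_require(`
		type power_unit_t;
		class service start;
	')

	allow $1 power_unit_t:service start;
')

########################################
## <summary>
##	Get the system status information about power units.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_power_units',`
	gen_require(`
		type power_unit_t;
		class service status;
	')

	allow $1 power_unit_t:service status;
')

########################################
## <summary>
##	Allow connections to the systemd-socket-proxyd socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_stream_connect_socket_proxyd',`
	gen_require(`
		type systemd_socket_proxyd_t;
	')

	allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Make the specified type usable for
##	systemd tmpfiles config files.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used for systemd tmpfiles config files.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_conf_file',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	files_config_file($1)
	typeattribute $1 systemd_tmpfiles_conf_type;
')

########################################
## <summary>
##	Allow the specified domain to create
##	the tmpfiles config directory with
##	the correct context.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_creator',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	files_runtime_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
	allow $1 systemd_tmpfiles_conf_t:dir create;
')

########################################
## <summary>
##	Create an object in the systemd tmpfiles config
##	directory, with a private type
##	using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_conf_filetrans',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	files_search_runtime($1)
	filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')

########################################
## <summary>
##	Allow domain to list systemd tmpfiles config directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_list_tmpfiles_conf',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
')

########################################
## <summary>
##	Allow domain to relabel to systemd tmpfiles config directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
')

########################################
## <summary>
##	Allow domain to relabel to systemd tmpfiles config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_files',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
')

########################################
## <summary>
##	Allow systemd_tmpfiles_t to manage filesystem objects.
## </summary>
## <param name="type">
##	<summary>
##	Type of object to manage.
##	</summary>
## </param>
## <param name="class">
##	<summary>
##	Object class to manage.
##	</summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
	gen_require(`
		type systemd_tmpfiles_t;
	')

	# Grants create plus both relabel directions on $1 for every
	# class in $2; callers should keep $2 to the classes tmpfiles.d
	# entries actually need.
	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')

########################################
## <summary>
##	Send and receive messages from
##	systemd resolved over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dbus_chat_resolved',`
	gen_require(`
		type systemd_resolved_t;
		class dbus send_msg;
	')

	allow $1 systemd_resolved_t:dbus send_msg;
	allow systemd_resolved_t $1:dbus send_msg;
')

########################################
## <summary>
##	Allow domain to read resolv.conf file generated by systemd_resolved.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_read_resolved_runtime',`
	gen_require(`
		type systemd_resolved_runtime_t;
	')

	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
')

########################################
## <summary>
##	Allow domain to getattr on .updated file (generated by systemd-update-done).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_getattr_updated_runtime',`
	gen_require(`
		type systemd_update_run_t;
	')

	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')

########################################
## <summary>
##	Search keys for all systemd --user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_search_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	allow $1 systemd_user_session_type:key search;
')

########################################
## <summary>
##	Create keys for all systemd --user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_create_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	allow $1 systemd_user_session_type:key create;
')

########################################
## <summary>
##	Write keys for all systemd --user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	allow $1 systemd_user_session_type:key write;
')

########################################
## <summary>
##	Execute systemd-sysusers in the
##	systemd sysusers domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_domtrans_sysusers',`
	gen_require(`
		type systemd_sysusers_t, systemd_sysusers_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, systemd_sysusers_exec_t, systemd_sysusers_t)
')

########################################
## <summary>
##	Run systemd-sysusers with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`systemd_run_sysusers',`
	gen_require(`
		attribute_role systemd_sysusers_roles;
	')

	systemd_domtrans_sysusers($1)
	roleattribute $2 systemd_sysusers_roles;
')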