585 lines
17 KiB
Plaintext
585 lines
17 KiB
Plaintext
policy_module(systemd, 1.3.8)
|
|
|
|
#########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Enable support for systemd-tmpfiles to manage all non-security files.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_tmpfiles_manage_all, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow systemd-nspawn to create a labelled namespace with the same types
|
|
## as parent environment
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_nspawn_labeled_namespace, false)
|
|
|
|
attribute systemd_log_parse_env_type;
|
|
|
|
type systemd_activate_t;
|
|
type systemd_activate_exec_t;
|
|
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
|
|
|
|
type systemd_analyze_t;
|
|
type systemd_analyze_exec_t;
|
|
init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
|
|
|
|
type systemd_backlight_t;
|
|
type systemd_backlight_exec_t;
|
|
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
|
|
|
|
type systemd_backlight_unit_t;
|
|
init_unit_file(systemd_backlight_unit_t)
|
|
|
|
type systemd_backlight_var_lib_t;
|
|
files_type(systemd_backlight_var_lib_t)
|
|
|
|
type systemd_binfmt_t;
|
|
type systemd_binfmt_exec_t;
|
|
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
|
|
|
|
type systemd_binfmt_unit_t;
|
|
init_unit_file(systemd_binfmt_unit_t)
|
|
|
|
type systemd_cgroups_t;
|
|
type systemd_cgroups_exec_t;
|
|
domain_type(systemd_cgroups_t)
|
|
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
|
|
role system_r types systemd_cgroups_t;
|
|
|
|
type systemd_cgroups_var_run_t;
|
|
files_pid_file(systemd_cgroups_var_run_t)
|
|
init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
|
|
|
|
type systemd_cgtop_t;
|
|
type systemd_cgtop_exec_t;
|
|
init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
|
|
|
|
type systemd_coredump_t;
|
|
type systemd_coredump_exec_t;
|
|
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
|
|
|
|
type systemd_coredump_var_lib_t;
|
|
files_type(systemd_coredump_var_lib_t)
|
|
|
|
type systemd_detect_virt_t;
|
|
type systemd_detect_virt_exec_t;
|
|
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
|
|
|
|
type systemd_hostnamed_t;
|
|
type systemd_hostnamed_exec_t;
|
|
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
|
|
|
|
type systemd_journal_t;
|
|
files_type(systemd_journal_t)
|
|
logging_log_file(systemd_journal_t)
|
|
|
|
type systemd_locale_t;
|
|
type systemd_locale_exec_t;
|
|
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
|
|
|
|
type systemd_logind_t;
|
|
type systemd_logind_exec_t;
|
|
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
|
|
init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
|
|
|
|
type systemd_logind_var_lib_t;
|
|
files_type(systemd_logind_var_lib_t)
|
|
|
|
type systemd_logind_var_run_t;
|
|
files_pid_file(systemd_logind_var_run_t)
|
|
init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
|
|
|
|
type systemd_machined_t;
|
|
type systemd_machined_exec_t;
|
|
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
|
|
|
|
type systemd_machined_var_run_t;
|
|
files_pid_file(systemd_machined_var_run_t)
|
|
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
|
|
|
|
type systemd_notify_t;
|
|
type systemd_notify_exec_t;
|
|
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
|
|
|
|
type systemd_nspawn_t;
|
|
type systemd_nspawn_exec_t;
|
|
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
|
|
|
|
type systemd_nspawn_var_run_t;
|
|
files_pid_file(systemd_nspawn_var_run_t)
|
|
|
|
type systemd_resolved_t;
|
|
type systemd_resolved_exec_t;
|
|
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
|
|
|
|
type systemd_resolved_var_run_t;
|
|
files_pid_file(systemd_resolved_var_run_t)
|
|
|
|
type systemd_run_t;
|
|
type systemd_run_exec_t;
|
|
init_daemon_domain(systemd_run_t, systemd_run_exec_t)
|
|
|
|
type systemd_stdio_bridge_t;
|
|
type systemd_stdio_bridge_exec_t;
|
|
init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
|
|
|
|
type systemd_passwd_agent_t;
|
|
type systemd_passwd_agent_exec_t;
|
|
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
|
|
|
|
type systemd_passwd_var_run_t;
|
|
files_pid_file(systemd_passwd_var_run_t)
|
|
|
|
type systemd_sessions_t;
|
|
type systemd_sessions_exec_t;
|
|
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
|
|
|
|
type systemd_sessions_var_run_t;
|
|
files_pid_file(systemd_sessions_var_run_t)
|
|
init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
|
|
|
|
type systemd_tmpfiles_t;
|
|
type systemd_tmpfiles_exec_t;
|
|
type systemd_kmod_conf_t;
|
|
files_config_file(systemd_kmod_conf_t)
|
|
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
|
|
|
|
#
|
|
# Unit file types
|
|
#
|
|
|
|
type power_unit_t;
|
|
init_unit_file(power_unit_t)
|
|
|
|
######################################
|
|
#
|
|
# Backlight local policy
|
|
#
|
|
|
|
allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
|
|
|
|
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
|
|
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
|
|
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
|
|
|
|
systemd_log_parse_environment(systemd_backlight_t)
|
|
|
|
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
|
|
dev_rw_sysfs(systemd_backlight_t)
|
|
|
|
# for udev.conf
|
|
files_read_etc_files(systemd_backlight_t)
|
|
|
|
# for /run/udev/data/+backlight*
|
|
udev_read_pid_files(systemd_backlight_t)
|
|
|
|
#######################################
|
|
#
|
|
# Binfmt local policy
|
|
#
|
|
|
|
systemd_log_parse_environment(systemd_binfmt_t)
|
|
|
|
# Allow to read /etc/binfmt.d/ files
|
|
files_read_etc_files(systemd_binfmt_t)
|
|
|
|
fs_register_binary_executable_type(systemd_binfmt_t)
|
|
|
|
######################################
|
|
#
|
|
# Cgroups local policy
|
|
#
|
|
|
|
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
|
|
kernel_dgram_send(systemd_cgroups_t)
|
|
|
|
selinux_getattr_fs(systemd_cgroups_t)
|
|
|
|
# write to /run/systemd/cgroups-agent
|
|
init_dgram_send(systemd_cgroups_t)
|
|
init_stream_connect(systemd_cgroups_t)
|
|
|
|
systemd_log_parse_environment(systemd_cgroups_t)
|
|
|
|
######################################
|
|
#
|
|
# coredump local policy
|
|
#
|
|
|
|
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
|
|
allow systemd_coredump_t self:capability { setgid setuid setpcap };
|
|
allow systemd_coredump_t self:process { getcap setcap setfscreate };
|
|
|
|
manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_coredump_t)
|
|
kernel_read_system_state(systemd_coredump_t)
|
|
kernel_rw_pipes(systemd_coredump_t)
|
|
kernel_use_fds(systemd_coredump_t)
|
|
|
|
corecmd_exec_bin(systemd_coredump_t)
|
|
corecmd_read_all_executables(systemd_coredump_t)
|
|
|
|
dev_write_kmsg(systemd_coredump_t)
|
|
|
|
files_read_etc_files(systemd_coredump_t)
|
|
files_search_var_lib(systemd_coredump_t)
|
|
|
|
fs_getattr_xattr_fs(systemd_coredump_t)
|
|
|
|
selinux_getattr_fs(systemd_coredump_t)
|
|
|
|
init_list_var_lib_dirs(systemd_coredump_t)
|
|
init_read_state(systemd_coredump_t)
|
|
init_search_pids(systemd_coredump_t)
|
|
init_write_pid_socket(systemd_coredump_t)
|
|
|
|
logging_send_syslog_msg(systemd_coredump_t)
|
|
|
|
seutil_search_default_contexts(systemd_coredump_t)
|
|
|
|
|
|
#######################################
|
|
#
|
|
# Hostnamed policy
|
|
#
|
|
|
|
kernel_read_kernel_sysctls(systemd_hostnamed_t)
|
|
|
|
files_read_etc_files(systemd_hostnamed_t)
|
|
|
|
seutil_read_file_contexts(systemd_hostnamed_t)
|
|
|
|
systemd_log_parse_environment(systemd_hostnamed_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(systemd_hostnamed_t)
|
|
dbus_connect_system_bus(systemd_hostnamed_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# locale local policy
|
|
#
|
|
|
|
kernel_read_kernel_sysctls(systemd_locale_t)
|
|
|
|
files_read_etc_files(systemd_locale_t)
|
|
|
|
seutil_read_file_contexts(systemd_locale_t)
|
|
|
|
systemd_log_parse_environment(systemd_locale_t)
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(systemd_locale_t)
|
|
dbus_system_bus_client(systemd_locale_t)
|
|
')
|
|
|
|
######################################
|
|
#
|
|
# systemd log parse enviroment
|
|
#
|
|
|
|
# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
|
|
dontaudit systemd_log_parse_env_type self:capability net_admin;
|
|
|
|
kernel_read_system_state(systemd_log_parse_env_type)
|
|
|
|
dev_write_kmsg(systemd_log_parse_env_type)
|
|
|
|
term_use_console(systemd_log_parse_env_type)
|
|
|
|
init_read_state(systemd_log_parse_env_type)
|
|
|
|
logging_send_syslog_msg(systemd_log_parse_env_type)
|
|
|
|
#########################################
|
|
#
|
|
# Logind local policy
|
|
#
|
|
|
|
allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
|
|
allow systemd_logind_t self:process getcap;
|
|
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
|
|
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
|
|
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
|
|
|
|
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
|
|
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
|
|
files_search_pids(systemd_logind_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_logind_t)
|
|
|
|
auth_manage_faillog(systemd_logind_t)
|
|
|
|
dev_rw_sysfs(systemd_logind_t)
|
|
dev_rw_input_dev(systemd_logind_t)
|
|
dev_getattr_dri_dev(systemd_logind_t)
|
|
dev_setattr_dri_dev(systemd_logind_t)
|
|
dev_getattr_sound_dev(systemd_logind_t)
|
|
dev_setattr_sound_dev(systemd_logind_t)
|
|
|
|
files_read_etc_files(systemd_logind_t)
|
|
|
|
fs_read_efivarfs_files(systemd_logind_t)
|
|
|
|
fs_getattr_tmpfs(systemd_logind_t)
|
|
|
|
storage_getattr_removable_dev(systemd_logind_t)
|
|
storage_setattr_removable_dev(systemd_logind_t)
|
|
storage_getattr_scsi_generic_dev(systemd_logind_t)
|
|
storage_setattr_scsi_generic_dev(systemd_logind_t)
|
|
|
|
term_use_unallocated_ttys(systemd_logind_t)
|
|
|
|
init_get_all_units_status(systemd_logind_t)
|
|
init_start_all_units(systemd_logind_t)
|
|
init_stop_all_units(systemd_logind_t)
|
|
init_service_status(systemd_logind_t)
|
|
init_service_start(systemd_logind_t)
|
|
|
|
locallogin_read_state(systemd_logind_t)
|
|
|
|
systemd_log_parse_environment(systemd_logind_t)
|
|
systemd_start_power_units(systemd_logind_t)
|
|
|
|
udev_read_db(systemd_logind_t)
|
|
udev_read_pid_files(systemd_logind_t)
|
|
|
|
userdom_use_user_ttys(systemd_logind_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(systemd_logind_t)
|
|
dbus_connect_system_bus(systemd_logind_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# machined local policy
|
|
#
|
|
|
|
allow systemd_machined_t self:capability sys_ptrace;
|
|
allow systemd_machined_t self:process setfscreate;
|
|
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
|
|
|
|
manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
|
allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(systemd_machined_t)
|
|
kernel_read_system_state(systemd_machined_t)
|
|
|
|
files_read_etc_files(systemd_machined_t)
|
|
|
|
fs_getattr_cgroup(systemd_machined_t)
|
|
fs_getattr_tmpfs(systemd_machined_t)
|
|
|
|
selinux_getattr_fs(systemd_machined_t)
|
|
|
|
init_read_script_state(systemd_machined_t)
|
|
init_get_system_status(systemd_machined_t)
|
|
init_read_state(systemd_machined_t)
|
|
init_service_start(systemd_machined_t)
|
|
init_service_status(systemd_machined_t)
|
|
init_start_system(systemd_machined_t)
|
|
init_stop_system(systemd_machined_t)
|
|
|
|
logging_send_syslog_msg(systemd_machined_t)
|
|
|
|
seutil_search_default_contexts(systemd_machined_t)
|
|
|
|
optional_policy(`
|
|
init_dbus_chat(systemd_machined_t)
|
|
init_dbus_send_script(systemd_machined_t)
|
|
|
|
dbus_connect_system_bus(systemd_machined_t)
|
|
dbus_system_bus_client(systemd_machined_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# systemd_notify local policy
|
|
#
|
|
allow systemd_notify_t self:capability chown;
|
|
allow systemd_notify_t self:process { setfscreate setsockcreate };
|
|
|
|
allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
|
|
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
domain_use_interactive_fds(systemd_notify_t)
|
|
|
|
files_read_etc_files(systemd_notify_t)
|
|
files_read_usr_files(systemd_notify_t)
|
|
|
|
fs_getattr_cgroup_files(systemd_notify_t)
|
|
|
|
auth_use_nsswitch(systemd_notify_t)
|
|
|
|
init_rw_stream_sockets(systemd_notify_t)
|
|
|
|
miscfiles_read_localization(systemd_notify_t)
|
|
|
|
########################################
|
|
#
|
|
# Nspawn local policy
|
|
#
|
|
|
|
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
|
|
|
|
#######################################
|
|
#
|
|
# systemd_passwd_agent_t local policy
|
|
#
|
|
|
|
allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
|
|
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
|
|
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
|
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
|
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
|
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
|
init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
|
|
|
|
kernel_read_system_state(systemd_passwd_agent_t)
|
|
kernel_stream_connect(systemd_passwd_agent_t)
|
|
|
|
dev_create_generic_dirs(systemd_passwd_agent_t)
|
|
dev_read_generic_files(systemd_passwd_agent_t)
|
|
dev_write_generic_sock_files(systemd_passwd_agent_t)
|
|
dev_write_kmsg(systemd_passwd_agent_t)
|
|
|
|
files_read_etc_files(systemd_passwd_agent_t)
|
|
|
|
fs_getattr_xattr_fs(systemd_passwd_agent_t)
|
|
|
|
selinux_get_enforce_mode(systemd_passwd_agent_t)
|
|
selinux_getattr_fs(systemd_passwd_agent_t)
|
|
|
|
term_read_console(systemd_passwd_agent_t)
|
|
|
|
auth_use_nsswitch(systemd_passwd_agent_t)
|
|
|
|
init_create_pid_dirs(systemd_passwd_agent_t)
|
|
init_read_pid_pipes(systemd_passwd_agent_t)
|
|
init_read_state(systemd_passwd_agent_t)
|
|
init_read_utmp(systemd_passwd_agent_t)
|
|
init_stream_connect(systemd_passwd_agent_t)
|
|
|
|
logging_send_syslog_msg(systemd_passwd_agent_t)
|
|
|
|
miscfiles_read_localization(systemd_passwd_agent_t)
|
|
|
|
seutil_search_default_contexts(systemd_passwd_agent_t)
|
|
|
|
userdom_use_user_ptys(systemd_passwd_agent_t)
|
|
|
|
optional_policy(`
|
|
getty_use_fds(systemd_passwd_agent_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_signull(systemd_passwd_agent_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
plymouthd_stream_connect(systemd_passwd_agent_t)
|
|
')
|
|
|
|
|
|
#########################################
|
|
#
|
|
# Resolved local policy
|
|
#
|
|
|
|
allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
|
|
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
|
|
|
|
allow systemd_resolved_t self:tcp_socket { accept listen };
|
|
|
|
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
|
manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
|
init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
|
|
|
|
kernel_read_crypto_sysctls(systemd_resolved_t)
|
|
kernel_read_kernel_sysctls(systemd_resolved_t)
|
|
|
|
corenet_tcp_bind_generic_node(systemd_resolved_t)
|
|
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
|
corenet_udp_bind_generic_node(systemd_resolved_t)
|
|
corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
|
|
|
auth_use_nsswitch(systemd_resolved_t)
|
|
|
|
seutil_read_file_contexts(systemd_resolved_t)
|
|
|
|
systemd_log_parse_environment(systemd_resolved_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(systemd_resolved_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# Sessions local policy
|
|
#
|
|
|
|
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
|
|
|
|
systemd_log_parse_environment(systemd_sessions_t)
|
|
|
|
#########################################
|
|
#
|
|
# Tmpfiles local policy
|
|
#
|
|
|
|
allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
|
|
allow systemd_tmpfiles_t self:process { setfscreate getcap };
|
|
|
|
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
|
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
|
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
|
|
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
|
|
|
|
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
|
|
|
|
dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
|
dev_read_urand(systemd_tmpfiles_t)
|
|
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
|
|
|
|
files_read_etc_files(systemd_tmpfiles_t)
|
|
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
|
|
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
|
|
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
|
|
|
|
auth_manage_var_auth(systemd_tmpfiles_t)
|
|
auth_manage_login_records(systemd_tmpfiles_t)
|
|
auth_relabel_login_records(systemd_tmpfiles_t)
|
|
auth_setattr_login_records(systemd_tmpfiles_t)
|
|
|
|
# for /run/tmpfiles.d/kmod.conf
|
|
modutils_read_var_run_files(systemd_tmpfiles_t)
|
|
|
|
seutil_read_file_contexts(systemd_tmpfiles_t)
|
|
|
|
systemd_log_parse_environment(systemd_tmpfiles_t)
|
|
|
|
tunable_policy(`systemd_tmpfiles_manage_all',`
|
|
# systemd-tmpfiles can be configured to manage anything.
|
|
# have a last-resort option for users to do this.
|
|
files_manage_non_security_dirs(systemd_tmpfiles_t)
|
|
files_manage_non_security_files(systemd_tmpfiles_t)
|
|
files_relabel_non_security_dirs(systemd_tmpfiles_t)
|
|
files_relabel_non_security_files(systemd_tmpfiles_t)
|
|
')
|