Systemd fixes from Russell Coker.
This commit is contained in:
Chris PeBenito
parent
485929b762
commit
2087bde934
@ -1 +1 @@
|
||||
Subproject commit 68b74d9acfa5b2822e1446d70279ce2f3b842dc4
|
||||
Subproject commit 8360d93abb11ed6eaba302a8d3440f7a59210b98
|
||||
@ -152,6 +152,25 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
relabel_chr_files_pattern($1, device_t, { device_t device_node })
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow full relabeling (to and from) of all device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dev_relabel_all_dev_files',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
')
|
||||
|
||||
relabel_files_pattern($1, device_t, device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List all of the device nodes in a device directory.
|
||||
@ -4204,6 +4223,24 @@ interface(`dev_rw_sysfs',`
|
||||
list_dirs_pattern($1, sysfs_t, sysfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel hardware state directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_relabel_sysfs_dirs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, sysfs_t, sysfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from/to all sysfs types.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(devices, 1.20.2)
|
||||
policy_module(devices, 1.20.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,6 +22,10 @@ files_associate_tmp(device_t)
|
||||
fs_xattr_type(device_t)
|
||||
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
|
||||
|
||||
optional_policy(`
|
||||
systemd_tmpfilesd_managed(device_t, fifo_file)
|
||||
')
|
||||
|
||||
#
|
||||
# Type for /dev/agpgart
|
||||
#
|
||||
|
||||
@ -6527,6 +6527,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
|
||||
dontaudit $1 pidfile:file ioctl;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## manage all pidfile directories
|
||||
## in the /var/run directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_all_pid_dirs',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, pidfile, pidfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all process ID files.
|
||||
@ -6549,6 +6568,42 @@ interface(`files_read_all_pids',`
|
||||
read_files_pattern($1, pidfile, pidfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute generic programs in /var/run in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_exec_generic_pid_files',`
|
||||
gen_require(`
|
||||
type var_run_t;
|
||||
')
|
||||
|
||||
exec_files_pattern($1, var_run_t, var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relable all pid files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_all_pid_files',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
')
|
||||
|
||||
relabel_files_pattern($1, pidfile, pidfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete all process IDs.
|
||||
@ -6575,6 +6630,78 @@ interface(`files_delete_all_pids',`
|
||||
delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create all pid sockets
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_all_pid_sockets',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
')
|
||||
|
||||
allow $1 pidfile:sock_file create_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create all pid named pipes
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_all_pid_pipes',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
')
|
||||
|
||||
allow $1 pidfile:fifo_file create_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create all spool sockets
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_all_spool_sockets',`
|
||||
gen_require(`
|
||||
attribute spoolfile;
|
||||
')
|
||||
|
||||
allow $1 spoolfile:sock_file create_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete all spool sockets
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_all_spool_sockets',`
|
||||
gen_require(`
|
||||
attribute spoolfile;
|
||||
')
|
||||
|
||||
allow $1 spoolfile:sock_file delete_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete all process ID directories.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(files, 1.23.4)
|
||||
policy_module(files, 1.23.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -174,6 +174,10 @@ type var_run_t;
|
||||
files_pid_file(var_run_t)
|
||||
files_mountpoint(var_run_t)
|
||||
|
||||
optional_policy(`
|
||||
systemd_tmpfilesd_managed(var_run_t, lnk_file)
|
||||
')
|
||||
|
||||
#
|
||||
# var_spool_t is the type of /var/spool
|
||||
#
|
||||
|
||||
@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',`
|
||||
seutil_read_config($1)
|
||||
seutil_read_default_contexts($1)
|
||||
|
||||
userdom_search_user_runtime($1)
|
||||
userdom_read_user_tmpfs_files($1)
|
||||
|
||||
tunable_policy(`allow_polyinstantiation',`
|
||||
files_polyinstantiate_all($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_read_logind_state($1)
|
||||
systemd_write_inherited_logind_sessions_pipes($1)
|
||||
systemd_use_passwd_agent_fds($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(authlogin, 2.10.1)
|
||||
policy_module(authlogin, 2.10.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -85,6 +85,10 @@ files_type(var_auth_t)
|
||||
type wtmp_t;
|
||||
logging_log_file(wtmp_t)
|
||||
|
||||
optional_policy(`
|
||||
systemd_tmpfilesd_managed(faillog_t, file)
|
||||
') systemd_tmpfilesd_managed(var_auth_t, dir)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Check password local policy
|
||||
|
||||
@ -57,7 +57,9 @@ ifdef(`distro_gentoo', `
|
||||
/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
|
||||
/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
|
||||
|
||||
@ -209,7 +209,7 @@ interface(`init_ranged_domain',`
|
||||
#
|
||||
interface(`init_daemon_domain',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
type init_t, initrc_t;
|
||||
role system_r;
|
||||
attribute daemon;
|
||||
')
|
||||
@ -240,6 +240,8 @@ interface(`init_daemon_domain',`
|
||||
init_domain($1, $2)
|
||||
# this may be because of late labelling
|
||||
kernel_dgram_send($1)
|
||||
|
||||
allow $1 init_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -400,8 +402,10 @@ interface(`init_system_domain',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
role system_r;
|
||||
attribute systemprocess;
|
||||
')
|
||||
|
||||
typeattribute $1 systemprocess;
|
||||
application_domain($1, $2)
|
||||
|
||||
role system_r types $1;
|
||||
@ -477,6 +481,24 @@ interface(`init_ranged_system_domain',`
|
||||
')
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Allow domain dyntransition to init_t domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_dyntrans',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
dyntrans_pattern($1, init_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mark the file type as a daemon pid file, allowing initrc_t
|
||||
@ -708,6 +730,7 @@ interface(`init_stream_connect',`
|
||||
|
||||
stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
|
||||
files_search_pids($1)
|
||||
allow $1 init_t:unix_stream_socket getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1225,23 +1248,24 @@ interface(`init_write_initctl',`
|
||||
#
|
||||
interface(`init_telinit',`
|
||||
gen_require(`
|
||||
type initctl_t;
|
||||
type initctl_t, init_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
ps_process_pattern($1, init_t)
|
||||
allow $1 init_t:process signal;
|
||||
# upstart uses a datagram socket instead of initctl pipe
|
||||
allow $1 self:unix_dgram_socket create_socket_perms;
|
||||
allow $1 init_t:unix_dgram_socket sendto;
|
||||
#576913
|
||||
allow $1 init_t:unix_stream_socket connectto;
|
||||
|
||||
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
|
||||
|
||||
corecmd_exec_bin($1)
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
|
||||
init_exec($1)
|
||||
|
||||
tunable_policy(`init_upstart',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
# upstart uses a datagram socket instead of initctl pipe
|
||||
allow $1 self:unix_dgram_socket create_socket_perms;
|
||||
allow $1 init_t:unix_dgram_socket sendto;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1363,6 +1387,37 @@ interface(`init_domtrans_script',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute labelled init scripts with an automatic domain transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_domtrans_labeled_script',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
attribute init_script_file_type;
|
||||
attribute initrc_transition_domain;
|
||||
')
|
||||
|
||||
typeattribute $1 initrc_transition_domain;
|
||||
|
||||
files_list_etc($1)
|
||||
domtrans_pattern($1, init_script_file_type, initrc_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition $1 init_script_file_type:process s0;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a init script in a specified domain.
|
||||
@ -1435,8 +1490,10 @@ interface(`init_manage_script_service',`
|
||||
interface(`init_labeled_script_domtrans',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
attribute initrc_transition_domain;
|
||||
')
|
||||
|
||||
typeattribute $1 initrc_transition_domain;
|
||||
domtrans_pattern($1, $2, initrc_t)
|
||||
files_search_etc($1)
|
||||
')
|
||||
@ -1569,6 +1626,7 @@ interface(`init_run_daemon',`
|
||||
interface(`init_startstop_all_script_services',`
|
||||
gen_require(`
|
||||
attribute init_script_file_type;
|
||||
class service { start status stop };
|
||||
')
|
||||
|
||||
allow $1 init_script_file_type:service { start status stop };
|
||||
@ -1779,12 +1837,7 @@ interface(`init_read_script_state',`
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
read_files_pattern($1, initrc_t, initrc_t)
|
||||
read_lnk_files_pattern($1, initrc_t, initrc_t)
|
||||
list_dirs_pattern($1, initrc_t, initrc_t)
|
||||
|
||||
# should move this to separate interface
|
||||
allow $1 initrc_t:process getattr;
|
||||
ps_process_pattern($1, initrc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2368,7 +2421,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
|
||||
dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
|
||||
dontaudit $1 initrc_var_run_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2409,6 +2462,98 @@ interface(`init_pid_filetrans_utmp',`
|
||||
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create a directory in the /run/systemd directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_create_pid_dirs',`
|
||||
gen_require(`
|
||||
type init_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 init_var_run_t:dir list_dir_perms;
|
||||
create_dirs_pattern($1, init_var_run_t, init_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Rename init_var_run_t files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## domain
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_rename_pid_files',`
|
||||
gen_require(`
|
||||
type init_var_run_t;
|
||||
')
|
||||
|
||||
rename_files_pattern($1, init_var_run_t, init_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Rename and de init_var_run_t files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## domain
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_delete_pid_files',`
|
||||
gen_require(`
|
||||
type init_var_run_t;
|
||||
')
|
||||
|
||||
delete_files_pattern($1, init_var_run_t, init_var_run_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow the specified domain to write to
|
||||
## init sock file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_write_pid_socket',`
|
||||
gen_require(`
|
||||
type init_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 init_var_run_t:sock_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read init unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_read_pid_pipes',`
|
||||
gen_require(`
|
||||
type init_var_run_t;
|
||||
')
|
||||
|
||||
read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to daemon with a tcp socket
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(init, 2.2.5)
|
||||
policy_module(init, 2.2.6)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -16,13 +16,22 @@ gen_require(`
|
||||
## </desc>
|
||||
gen_tunable(init_upstart, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow all daemons the ability to read/write terminals
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(init_daemons_use_tty, false)
|
||||
|
||||
attribute init_script_domain_type;
|
||||
attribute init_script_file_type;
|
||||
attribute init_run_all_scripts_domain;
|
||||
attribute systemdunit;
|
||||
attribute initrc_transition_domain;
|
||||
|
||||
# Mark process types as daemons
|
||||
attribute daemon;
|
||||
attribute systemprocess;
|
||||
|
||||
# Mark file type as a daemon pid file
|
||||
attribute daemonpidfile;
|
||||
@ -33,7 +42,7 @@ attribute daemonrundir;
|
||||
#
|
||||
# init_t is the domain of the init process.
|
||||
#
|
||||
type init_t;
|
||||
type init_t, initrc_transition_domain;
|
||||
type init_exec_t;
|
||||
domain_type(init_t)
|
||||
domain_entry_file(init_t, init_exec_t)
|
||||
@ -110,6 +119,7 @@ ifdef(`enable_mls',`
|
||||
|
||||
# Use capabilities. old rule:
|
||||
allow init_t self:capability ~sys_module;
|
||||
allow init_t self:capability2 { wake_alarm block_suspend };
|
||||
# is ~sys_module really needed? observed:
|
||||
# sys_boot
|
||||
# sys_tty_config
|
||||
@ -128,6 +138,9 @@ allow init_t initrc_t:unix_stream_socket connectto;
|
||||
allow init_t init_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(init_t, init_var_run_t, file)
|
||||
|
||||
# for systemd to manage service file symlinks
|
||||
allow init_t init_var_run_t:file manage_lnk_file_perms;
|
||||
|
||||
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
||||
dev_filetrans(init_t, initctl_t, fifo_file)
|
||||
|
||||
@ -147,6 +160,7 @@ dev_rw_generic_chr_files(init_t)
|
||||
|
||||
domain_getpgid_all_domains(init_t)
|
||||
domain_kill_all_domains(init_t)
|
||||
domain_getattr_all_domains(init_t)
|
||||
domain_signal_all_domains(init_t)
|
||||
domain_signull_all_domains(init_t)
|
||||
domain_sigstop_all_domains(init_t)
|
||||
@ -199,6 +213,10 @@ ifdef(`init_systemd',`
|
||||
# handle instances where an old labeled init script is encountered.
|
||||
typeattribute init_t init_run_all_scripts_domain;
|
||||
|
||||
allow init_t systemprocess:process { dyntransition siginh };
|
||||
allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
|
||||
allow init_t systemprocess:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
|
||||
allow init_t self:capability2 { audit_read block_suspend };
|
||||
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
@ -206,6 +224,18 @@ ifdef(`init_systemd',`
|
||||
allow init_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow init_t self:unix_dgram_socket lock;
|
||||
|
||||
allow init_t daemon:unix_stream_socket create_stream_socket_perms;
|
||||
allow init_t daemon:unix_dgram_socket create_socket_perms;
|
||||
allow init_t daemon:tcp_socket create_stream_socket_perms;
|
||||
allow init_t daemon:udp_socket create_socket_perms;
|
||||
allow daemon init_t:unix_dgram_socket sendto;
|
||||
|
||||
allow init_run_all_scripts_domain systemdunit:service { status start stop };
|
||||
|
||||
allow systemprocess init_t:unix_dgram_socket sendto;
|
||||
allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
|
||||
|
||||
allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
|
||||
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
@ -269,6 +299,9 @@ ifdef(`init_systemd',`
|
||||
# for network namespaces
|
||||
fs_read_nsfs_files(init_t)
|
||||
|
||||
# need write to /var/run/systemd/notify
|
||||
init_write_pid_socket(daemon)
|
||||
|
||||
# systemd_socket_activated policy
|
||||
mls_socket_write_all_levels(init_t)
|
||||
|
||||
@ -354,6 +387,11 @@ optional_policy(`
|
||||
sssd_stream_connect(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(init_t)
|
||||
udev_relabelto_db(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(init_t)
|
||||
')
|
||||
@ -403,11 +441,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
|
||||
allow initrc_t daemon:process siginh;
|
||||
|
||||
can_exec(initrc_t, initrc_tmp_t)
|
||||
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
||||
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
|
||||
allow initrc_t initrc_tmp_t:dir relabelfrom;
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@ -450,6 +491,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
dev_dontaudit_read_kmsg(initrc_t)
|
||||
dev_write_kmsg(initrc_t)
|
||||
dev_write_rand(initrc_t)
|
||||
dev_write_urand(initrc_t)
|
||||
@ -460,8 +502,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
dev_rw_lvm_control(initrc_t)
|
||||
dev_rw_generic_chr_files(initrc_t)
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@ -469,17 +513,16 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
# Early devtmpfs
|
||||
dev_rw_generic_chr_files(initrc_t)
|
||||
dev_rw_xserver_misc(initrc_t)
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
domain_signull_all_domains(initrc_t)
|
||||
domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
domain_dontaudit_ptrace_all_domains(initrc_t)
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@ -487,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
domain_obj_id_change_exemption(initrc_t)
|
||||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@ -494,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
files_delete_all_locks(initrc_t)
|
||||
files_manage_all_locks(initrc_t)
|
||||
files_manage_boot_files(initrc_t)
|
||||
files_read_all_pids(initrc_t)
|
||||
files_delete_root_files(initrc_t)
|
||||
files_delete_all_pids(initrc_t)
|
||||
files_delete_all_pid_dirs(initrc_t)
|
||||
files_read_etc_files(initrc_t)
|
||||
@ -509,8 +555,12 @@ files_manage_generic_spool(initrc_t)
|
||||
# cjp: not sure why these are here; should use mount policy
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
files_manage_mnt_dirs(initrc_t)
|
||||
files_manage_mnt_files(initrc_t)
|
||||
|
||||
fs_write_cgroup_files(initrc_t)
|
||||
fs_delete_cgroup_dirs(initrc_t)
|
||||
fs_list_cgroup_dirs(initrc_t)
|
||||
fs_rw_cgroup_files(initrc_t)
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@ -520,9 +570,13 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
fs_search_all(initrc_t)
|
||||
fs_getattr_nfsd_files(initrc_t)
|
||||
|
||||
# initrc_t needs to do a pidof which requires ptrace
|
||||
mcs_ptrace_all(initrc_t)
|
||||
mcs_file_read_all(initrc_t)
|
||||
mcs_file_write_all(initrc_t)
|
||||
mcs_killall(initrc_t)
|
||||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
@ -532,6 +586,7 @@ mls_process_read_all_levels(initrc_t)
|
||||
mls_process_write_all_levels(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
mls_socket_write_to_clearance(initrc_t)
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
@ -550,6 +605,11 @@ auth_delete_pam_pid(initrc_t)
|
||||
auth_delete_pam_console_data(initrc_t)
|
||||
auth_use_nsswitch(initrc_t)
|
||||
|
||||
init_get_system_status(initrc_t)
|
||||
init_stream_connect(initrc_t)
|
||||
init_start_all_units(initrc_t)
|
||||
init_stop_all_units(initrc_t)
|
||||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
libs_exec_ld_so(initrc_t)
|
||||
@ -563,7 +623,7 @@ logging_read_audit_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
miscfiles_read_generic_certs(initrc_t)
|
||||
miscfiles_manage_generic_cert_files(initrc_t)
|
||||
|
||||
seutil_read_config(initrc_t)
|
||||
|
||||
@ -571,7 +631,7 @@ userdom_read_user_home_content_files(initrc_t)
|
||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||
# started from init should be placed in their own domain.
|
||||
userdom_use_user_terminals(initrc_t)
|
||||
userdom_use_inherited_user_terminals(initrc_t)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
kernel_getattr_core_if(initrc_t)
|
||||
@ -642,6 +702,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_write_config(initrc_t)
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
abrt_manage_pid_files(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
@ -663,7 +727,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
kernel_dontaudit_use_fds(initrc_t)
|
||||
kernel_use_fds(initrc_t)
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@ -706,9 +770,26 @@ ifdef(`distro_redhat',`
|
||||
alsa_manage_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
abrt_manage_pid_files(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bind_manage_config_dirs(initrc_t)
|
||||
bind_write_config(initrc_t)
|
||||
bind_setattr_zone_dirs(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
devicekit_append_inherited_log_files(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_manage_gconf_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pulseaudio_stream_connect(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -716,6 +797,9 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
optional_policy(`
|
||||
rpcbind_stream_connect(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysnet_rw_dhcp_config(initrc_t)
|
||||
@ -734,7 +818,28 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`enabled_mls',`
|
||||
optional_policy(`
|
||||
# allow init scripts to su
|
||||
su_restricted_domain_template(initrc, initrc_t, system_r)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
allow init_t self:system { status reboot halt reload };
|
||||
|
||||
allow init_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow init_t self:process { setsockcreate setfscreate setrlimit };
|
||||
allow init_t self:process { getcap setcap };
|
||||
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
# Until systemd is fixed
|
||||
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
|
||||
allow init_t self:udp_socket create_socket_perms;
|
||||
allow init_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow init_t initrc_t:unix_dgram_socket create_socket_perms;
|
||||
allow initrc_t init_t:system { status reboot halt reload };
|
||||
allow init_t self:capability2 audit_read;
|
||||
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
|
||||
files_lock_filetrans(initrc_t, initrc_lock_t, file)
|
||||
|
||||
@ -746,11 +851,25 @@ ifdef(`init_systemd',`
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
|
||||
|
||||
create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
|
||||
allow initrc_t systemd_unit_t:service reload;
|
||||
|
||||
manage_files_pattern(initrc_t, systemdunit, systemdunit)
|
||||
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
|
||||
allow initrc_t systemdunit:service reload;
|
||||
allow initrc_t init_script_file_type:service { stop start status reload };
|
||||
|
||||
kernel_dgram_send(initrc_t)
|
||||
kernel_list_unlabeled(init_t)
|
||||
kernel_read_network_state(init_t)
|
||||
kernel_rw_kernel_sysctl(init_t)
|
||||
kernel_rw_net_sysctls(init_t)
|
||||
kernel_read_all_sysctls(init_t)
|
||||
kernel_read_software_raid_state(init_t)
|
||||
kernel_unmount_debugfs(init_t)
|
||||
kernel_setsched(init_t)
|
||||
|
||||
auth_relabel_login_records(init_t)
|
||||
auth_relabel_pam_console_data_dirs(init_t)
|
||||
|
||||
# run systemd misc initializations
|
||||
# in the initrc_t domain, as would be
|
||||
@ -760,28 +879,83 @@ ifdef(`init_systemd',`
|
||||
corecmd_bin_domtrans(init_t, initrc_t)
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
|
||||
files_read_boot_files(initrc_t)
|
||||
dev_write_kmsg(init_t)
|
||||
dev_write_urand(init_t)
|
||||
dev_rw_lvm_control(init_t)
|
||||
dev_rw_autofs(init_t)
|
||||
dev_manage_generic_symlinks(init_t)
|
||||
dev_manage_generic_dirs(init_t)
|
||||
dev_manage_generic_files(init_t)
|
||||
dev_manage_null_service(initrc_t)
|
||||
dev_read_generic_chr_files(init_t)
|
||||
dev_relabel_generic_dev_dirs(init_t)
|
||||
dev_relabel_all_dev_nodes(init_t)
|
||||
dev_relabel_all_dev_files(init_t)
|
||||
dev_manage_sysfs_dirs(init_t)
|
||||
dev_relabel_sysfs_dirs(init_t)
|
||||
# systemd writes to /dev/watchdog on shutdown
|
||||
dev_write_watchdog(init_t)
|
||||
|
||||
# Allow initrc_t to check /etc/fstab "service." It appears that
|
||||
# systemd is conflating files and services.
|
||||
files_create_all_pid_pipes(init_t)
|
||||
files_create_all_pid_sockets(init_t)
|
||||
files_create_all_spool_sockets(init_t)
|
||||
files_create_lock_dirs(init_t)
|
||||
files_delete_all_pids(init_t)
|
||||
files_delete_all_spool_sockets(init_t)
|
||||
files_exec_generic_pid_files(init_t)
|
||||
files_get_etc_unit_status(initrc_t)
|
||||
files_list_locks(init_t)
|
||||
files_list_spool(init_t)
|
||||
files_list_var(init_t)
|
||||
files_manage_all_pid_dirs(init_t)
|
||||
files_manage_generic_tmp_dirs(init_t)
|
||||
files_manage_urandom_seed(init_t)
|
||||
files_mounton_all_mountpoints(init_t)
|
||||
files_read_boot_files(initrc_t)
|
||||
files_relabel_all_lock_dirs(init_t)
|
||||
files_relabel_all_pid_dirs(init_t)
|
||||
files_relabel_all_pid_files(init_t)
|
||||
files_search_all(init_t)
|
||||
files_setattr_pid_dirs(initrc_t)
|
||||
files_unmount_all_file_type_fs(init_t)
|
||||
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
fs_getattr_all_fs(init_t)
|
||||
fs_list_auto_mountpoints(init_t)
|
||||
fs_manage_cgroup_dirs(init_t)
|
||||
fs_manage_cgroup_files(init_t)
|
||||
fs_manage_hugetlbfs_dirs(init_t)
|
||||
fs_manage_tmpfs_dirs(init_t)
|
||||
fs_mount_all_fs(init_t)
|
||||
fs_remount_all_fs(init_t)
|
||||
fs_unmount_all_fs(init_t)
|
||||
fs_search_cgroup_dirs(daemon)
|
||||
|
||||
init_stream_connect(initrc_t)
|
||||
init_manage_var_lib_files(initrc_t)
|
||||
init_rw_stream_sockets(initrc_t)
|
||||
init_get_all_units_status(initrc_t)
|
||||
init_manage_var_lib_files(initrc_t)
|
||||
init_read_script_state(init_t)
|
||||
init_rw_stream_sockets(initrc_t)
|
||||
init_stop_all_units(initrc_t)
|
||||
init_stream_connect(initrc_t)
|
||||
|
||||
# Create /etc/audit.rules.prev after firstboot remediation
|
||||
logging_manage_audit_config(initrc_t)
|
||||
|
||||
selinux_compute_create_context(init_t)
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
selinux_unmount_fs(init_t)
|
||||
selinux_validate_context(init_t)
|
||||
# lvm2-activation-generator checks file labels
|
||||
seutil_read_file_contexts(initrc_t)
|
||||
seutil_read_file_contexts(init_t)
|
||||
|
||||
storage_getattr_removable_dev(init_t)
|
||||
systemd_manage_all_units(init_t)
|
||||
systemd_start_power_units(initrc_t)
|
||||
|
||||
term_relabel_pty_dirs(init_t)
|
||||
|
||||
optional_policy(`
|
||||
# create /var/lock/lvm/
|
||||
lvm_create_lock_dirs(initrc_t)
|
||||
@ -800,6 +974,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
# webmin seems to cause this.
|
||||
apache_search_sys_content(daemon)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -821,6 +997,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
domain_setpriority_all_domains(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -836,6 +1013,12 @@ optional_policy(`
|
||||
dev_getattr_cpu_dev(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_read_pipes(initrc_t)
|
||||
# managing /etc/cron.d/mailman content
|
||||
cron_manage_system_spool(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
@ -853,9 +1036,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
dbus_manage_lib_files(initrc_t)
|
||||
|
||||
init_dbus_chat(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(initrc_t)
|
||||
consolekit_manage_log(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -896,6 +1083,11 @@ optional_policy(`
|
||||
modutils_read_module_deps(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_read_module_config(initrc_t)
|
||||
modutils_domtrans_insmod(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
inn_exec_config(initrc_t)
|
||||
')
|
||||
@ -937,6 +1129,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
lpd_manage_spool(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -960,6 +1153,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
mta_read_config(initrc_t)
|
||||
mta_write_config(initrc_t)
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@ -981,6 +1175,10 @@ optional_policy(`
|
||||
openvpn_read_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
plymouthd_stream_connect(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
@ -1024,8 +1222,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
# why is this needed:
|
||||
rpm_manage_db(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -1043,11 +1239,6 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# allow init scripts to su
|
||||
su_restricted_domain_template(initrc, initrc_t, system_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
ssh_setattr_key_files(initrc_t)
|
||||
@ -1062,7 +1253,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_rw_db(initrc_t)
|
||||
udev_manage_pid_files(initrc_t)
|
||||
udev_manage_pid_dirs(initrc_t)
|
||||
udev_manage_rules_files(initrc_t)
|
||||
@ -1078,6 +1268,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
domain_role_change_exemption(initrc_t)
|
||||
|
||||
mcs_file_read_all(initrc_t)
|
||||
mcs_file_write_all(initrc_t)
|
||||
mcs_killall(initrc_t)
|
||||
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -1088,6 +1284,15 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rtkit_scheduled(initrc_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_read_db(initrc_t)
|
||||
rpm_delete_db(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -1113,3 +1318,63 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules applied to all daemons
|
||||
#
|
||||
|
||||
domain_dontaudit_use_interactive_fds(daemon)
|
||||
|
||||
# daemons started from init will
|
||||
# inherit fds from init for the console
|
||||
term_dontaudit_use_console(daemon)
|
||||
|
||||
init_dontaudit_use_fds(daemon)
|
||||
# init script ptys are the stdin/out/err
|
||||
# when using run_init
|
||||
init_use_script_ptys(daemon)
|
||||
|
||||
tunable_policy(`init_daemons_use_tty',`
|
||||
term_use_unallocated_ttys(daemon)
|
||||
term_use_generic_ptys(daemon)
|
||||
term_use_all_ttys(daemon)
|
||||
term_use_all_ptys(daemon)
|
||||
',`
|
||||
term_dontaudit_use_unallocated_ttys(daemon)
|
||||
term_dontaudit_use_generic_ptys(daemon)
|
||||
term_dontaudit_use_all_ttys(daemon)
|
||||
term_dontaudit_use_all_ptys(daemon)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_dontaudit_rw_nfs_files(daemon)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_dontaudit_rw_cifs_files(daemon)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_pipes(daemon)
|
||||
unconfined_dontaudit_rw_stream_sockets(daemon)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userdom_dontaudit_rw_all_users_stream_sockets(daemon)
|
||||
userdom_dontaudit_read_user_tmp_files(daemon)
|
||||
userdom_dontaudit_write_user_tmp_files(daemon)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules applied to all system processes
|
||||
#
|
||||
|
||||
dontaudit systemprocess init_t:unix_stream_socket getattr;
|
||||
|
||||
optional_policy(`
|
||||
userdom_dontaudit_search_user_home_dirs(systemprocess)
|
||||
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
|
||||
userdom_dontaudit_write_user_tmp_files(systemprocess)
|
||||
')
|
||||
|
||||
@ -8,8 +8,9 @@
|
||||
|
||||
/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
|
||||
/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
|
||||
@ -54,6 +55,8 @@ ifdef(`distro_redhat',`
|
||||
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
')
|
||||
|
||||
/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
|
||||
/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
|
||||
/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
|
||||
/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
|
||||
|
||||
@ -820,6 +820,24 @@ interface(`logging_append_all_logs',`
|
||||
append_files_pattern($1, var_log_t, logfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append to all log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_append_all_inherited_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
')
|
||||
|
||||
allow $1 logfile:file { getattr append ioctl lock };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all log files.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(logging, 1.25.2)
|
||||
policy_module(logging, 1.25.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -396,6 +396,7 @@ allow syslogd_t syslog_conf_t:file read_file_perms;
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
|
||||
init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
|
||||
|
||||
# create/append log files.
|
||||
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||
@ -405,6 +406,9 @@ files_search_spool(syslogd_t)
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
||||
# for systemd but can not be conditional
|
||||
files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
|
||||
|
||||
# manage temporary files
|
||||
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||
@ -416,6 +420,7 @@ files_search_var_lib(syslogd_t)
|
||||
# manage pid file
|
||||
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
|
||||
allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
|
||||
|
||||
kernel_read_system_state(syslogd_t)
|
||||
kernel_read_network_state(syslogd_t)
|
||||
@ -499,22 +504,41 @@ logging_send_syslog_msg(syslogd_t)
|
||||
|
||||
miscfiles_read_localization(syslogd_t)
|
||||
|
||||
seutil_read_config(syslogd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(syslogd_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
# systemd-journald permissions
|
||||
|
||||
allow syslogd_t self:capability { chown setgid setuid };
|
||||
# for systemd-journal
|
||||
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
|
||||
allow syslogd_t self:capability2 audit_read;
|
||||
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
|
||||
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
|
||||
allow syslogd_t init_var_run_t:file { read write create open };
|
||||
allow syslogd_t var_run_t:dir create;
|
||||
|
||||
kernel_use_fds(syslogd_t)
|
||||
kernel_getattr_dgram_sockets(syslogd_t)
|
||||
kernel_rw_unix_dgram_sockets(syslogd_t)
|
||||
kernel_read_ring_buffer(syslogd_t)
|
||||
kernel_rw_stream_sockets(syslogd_t)
|
||||
kernel_rw_unix_dgram_sockets(syslogd_t)
|
||||
kernel_use_fds(syslogd_t)
|
||||
|
||||
dev_read_kmsg(syslogd_t)
|
||||
dev_read_urand(syslogd_t)
|
||||
dev_write_kmsg(syslogd_t)
|
||||
|
||||
domain_read_all_domains_state(syslogd_t)
|
||||
|
||||
init_create_pid_dirs(syslogd_t)
|
||||
init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
|
||||
init_rename_pid_files(syslogd_t)
|
||||
init_delete_pid_files(syslogd_t)
|
||||
init_dgram_send(syslogd_t)
|
||||
init_read_pid_pipes(syslogd_t)
|
||||
init_read_state(syslogd_t)
|
||||
|
||||
systemd_manage_journal_files(syslogd_t)
|
||||
|
||||
udev_read_pid_files(syslogd_t)
|
||||
')
|
||||
|
||||
@ -125,6 +125,24 @@ interface(`lvm_create_lock_dirs',`
|
||||
files_add_entry_lock_dirs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a lvm unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lvm_rw_inherited_pid_pipes',`
|
||||
gen_require(`
|
||||
type lvm_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run clvmd.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(lvm, 1.19.2)
|
||||
policy_module(lvm, 1.19.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(miscfiles, 1.12.0)
|
||||
policy_module(miscfiles, 1.12.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -41,6 +41,10 @@ files_type(locale_t)
|
||||
type man_t alias catman_t;
|
||||
files_type(man_t)
|
||||
|
||||
optional_policy(`
|
||||
systemd_tmpfilesd_managed(man_t, dir)
|
||||
')
|
||||
|
||||
type man_cache_t;
|
||||
files_type(man_cache_t)
|
||||
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
/usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
|
||||
/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
|
||||
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
|
||||
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
|
||||
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
|
||||
@ -32,15 +33,21 @@
|
||||
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
|
||||
|
||||
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
|
||||
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
|
||||
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
|
||||
|
||||
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
|
||||
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
|
||||
|
||||
/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
|
||||
/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
|
||||
/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
|
||||
/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
|
||||
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
|
||||
/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
|
||||
|
||||
/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
|
||||
/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
|
||||
|
||||
@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
|
||||
allow $1 systemd_logind_var_run_t:dir list_dir_perms;
|
||||
allow $1 systemd_logind_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
######################################
|
||||
@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
|
||||
allow $1 systemd_logind_t:fd use;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Write inherited logind sessions pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_write_inherited_logind_sessions_pipes',`
|
||||
gen_require(`
|
||||
type systemd_logind_t, systemd_sessions_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_logind_t:fd use;
|
||||
allow $1 systemd_sessions_var_run_t:fifo_file write;
|
||||
allow systemd_logind_t $1:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
|
||||
write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow systemd_tmpfiles_t to manage filesystem objects
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## type of object to manage
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="class">
|
||||
## <summary>
|
||||
## object class to manage
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_tmpfilesd_managed',`
|
||||
gen_require(`
|
||||
type systemd_tmpfiles_t;
|
||||
')
|
||||
|
||||
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow process to relabel to systemd_kmod_conf_t.
|
||||
@ -135,6 +179,82 @@ interface(`systemd_relabelto_kmod_files',`
|
||||
allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## allow systemd_passwd_agent to inherit fds
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain that owns the fds
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_use_passwd_agent_fds',`
|
||||
gen_require(`
|
||||
type systemd_passwd_agent_t;
|
||||
')
|
||||
|
||||
allow systemd_passwd_agent_t $1:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to systemd_passwd_var_run_t when creating dirs
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_filetrans_passwd_runtime_dirs',`
|
||||
gen_require(`
|
||||
type systemd_passwd_var_run_t;
|
||||
')
|
||||
|
||||
init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
|
||||
init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## manage systemd unit dirs and the files in them
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_manage_all_units',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, systemdunit, systemdunit)
|
||||
manage_files_pattern($1, systemdunit, systemdunit)
|
||||
manage_lnk_files_pattern($1, systemdunit, systemdunit)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to create/manage systemd_journal_t files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_manage_journal_files',`
|
||||
gen_require(`
|
||||
type systemd_logind_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
|
||||
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow systemd_logind_t to read process state for cgroup file
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(systemd, 1.3.5)
|
||||
policy_module(systemd, 1.3.6)
|
||||
|
||||
#########################################
|
||||
#
|
||||
@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
|
||||
## </desc>
|
||||
gen_tunable(systemd_tmpfiles_manage_all, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow systemd-nspawn to create a labelled namespace with the same types
|
||||
## as parent environment
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(systemd_nspawn_labeled_namespace, false)
|
||||
|
||||
attribute systemd_log_parse_env_type;
|
||||
|
||||
type systemd_activate_t;
|
||||
@ -57,6 +65,9 @@ type systemd_coredump_t;
|
||||
type systemd_coredump_exec_t;
|
||||
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
|
||||
|
||||
type systemd_coredump_var_lib_t;
|
||||
files_type(systemd_coredump_var_lib_t)
|
||||
|
||||
type systemd_detect_virt_t;
|
||||
type systemd_detect_virt_exec_t;
|
||||
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
|
||||
@ -65,6 +76,10 @@ type systemd_hostnamed_t;
|
||||
type systemd_hostnamed_exec_t;
|
||||
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
|
||||
|
||||
type systemd_journal_t;
|
||||
files_type(systemd_journal_t)
|
||||
logging_log_file(systemd_journal_t)
|
||||
|
||||
type systemd_locale_t;
|
||||
type systemd_locale_exec_t;
|
||||
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
|
||||
@ -85,10 +100,21 @@ type systemd_machined_t;
|
||||
type systemd_machined_exec_t;
|
||||
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
|
||||
|
||||
type systemd_machined_var_run_t;
|
||||
files_pid_file(systemd_machined_var_run_t)
|
||||
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
|
||||
|
||||
type systemd_notify_t;
|
||||
type systemd_notify_exec_t;
|
||||
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
|
||||
|
||||
type systemd_nspawn_t;
|
||||
type systemd_nspawn_exec_t;
|
||||
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
|
||||
|
||||
type systemd_nspawn_var_run_t;
|
||||
files_pid_file(systemd_nspawn_var_run_t)
|
||||
|
||||
type systemd_resolved_t;
|
||||
type systemd_resolved_exec_t;
|
||||
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
|
||||
@ -108,6 +134,9 @@ type systemd_passwd_agent_t;
|
||||
type systemd_passwd_agent_exec_t;
|
||||
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
|
||||
|
||||
type systemd_passwd_var_run_t;
|
||||
files_pid_file(systemd_passwd_var_run_t)
|
||||
|
||||
type systemd_sessions_t;
|
||||
type systemd_sessions_exec_t;
|
||||
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
|
||||
@ -152,6 +181,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
|
||||
# Backlight local policy
|
||||
#
|
||||
|
||||
allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
|
||||
|
||||
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
|
||||
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
|
||||
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
|
||||
@ -161,8 +192,10 @@ systemd_log_parse_environment(systemd_backlight_t)
|
||||
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
|
||||
dev_rw_sysfs(systemd_backlight_t)
|
||||
|
||||
# for udev.conf
|
||||
files_read_etc_files(systemd_backlight_t)
|
||||
|
||||
# for /run/udev/data/+backlight*
|
||||
udev_read_pid_files(systemd_backlight_t)
|
||||
|
||||
#######################################
|
||||
@ -292,6 +325,14 @@ optional_policy(`
|
||||
dbus_connect_system_bus(systemd_logind_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Nspawn local policy
|
||||
#
|
||||
|
||||
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
|
||||
|
||||
|
||||
#########################################
|
||||
#
|
||||
# Resolved local policy
|
||||
@ -308,7 +349,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
|
||||
|
||||
kernel_read_crypto_sysctls(systemd_resolved_t)
|
||||
kernel_read_kernel_sysctls(systemd_resolved_t)
|
||||
kernel_read_system_state(systemd_resolved_t)
|
||||
|
||||
corenet_tcp_bind_generic_node(systemd_resolved_t)
|
||||
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
||||
@ -343,6 +383,11 @@ systemd_log_parse_environment(systemd_sessions_t)
|
||||
allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
|
||||
allow systemd_tmpfiles_t self:process { setfscreate getcap };
|
||||
|
||||
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
||||
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
||||
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
|
||||
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
|
||||
|
||||
dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
||||
|
||||
@ -241,6 +241,26 @@ interface(`udev_rw_db',`
|
||||
allow $1 udev_tbl_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow process to relabelto udev database
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_relabelto_db',`
|
||||
gen_require(`
|
||||
type udev_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 udev_var_run_t:file relabelto_file_perms;
|
||||
allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search through udev pid content
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(udev, 1.21.2)
|
||||
policy_module(udev, 1.21.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -481,6 +481,25 @@ interface(`unconfined_stream_connect',`
|
||||
allow $1 unconfined_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and write
|
||||
## unconfined domain stream.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_dontaudit_rw_stream_sockets',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or write
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(unconfined, 3.9.0)
|
||||
policy_module(unconfined, 3.9.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1111,6 +1111,10 @@ template(`userdom_unpriv_user_template', `
|
||||
optional_policy(`
|
||||
setroubleshoot_stream_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_logind($1_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -3229,6 +3233,35 @@ interface(`userdom_use_user_ptys',`
|
||||
allow $1 user_devpts_t:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a inherited user TTYs and PTYs.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to read and write inherited user
|
||||
## TTYs and PTYs. This will allow the domain to
|
||||
## interact with the user via the terminal. Typically
|
||||
## all interactive applications will require this
|
||||
## access.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`userdom_use_inherited_user_terminals',`
|
||||
gen_require(`
|
||||
type user_tty_device_t, user_devpts_t;
|
||||
')
|
||||
|
||||
allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
|
||||
allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a user TTYs and PTYs.
|
||||
@ -3671,6 +3704,25 @@ interface(`userdom_write_user_tmp_files',`
|
||||
allow $1 user_tmp_t:file write_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write users
|
||||
## temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_write_user_tmp_files',`
|
||||
gen_require(`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 user_tmp_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to use user ttys.
|
||||
@ -3835,3 +3887,22 @@ interface(`userdom_dbus_send_all_users',`
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and write
|
||||
## unserdomain stream.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_rw_all_users_stream_sockets',`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
')
|
||||
|
||||
dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(userdomain, 4.13.1)
|
||||
policy_module(userdomain, 4.13.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
Loading…
Reference in New Issue
Block a user