systemd: Misc fixes.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-02 15:39:07 +00:00 · 2022-05-02 15:39:07 +00:00 · 39657b7f61
commit 39657b7f61
parent ca0d6b74b5
3 changed files with 26 additions and 3 deletions
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -3382,6 +3382,24 @@ interface(`init_list_unit_dirs',`
 	init_search_units($1)
 ')

+########################################
+## <summary>
+##	Get the attributes of systemd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_generic_units_files',`
+	gen_require(`
+		type systemd_unit_t;
+	')
+
+	allow $1 systemd_unit_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read systemd unit files
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -560,6 +560,7 @@ ifdef(`init_systemd',`
 	logging_send_syslog_msg(syslogd_t)

 	systemd_manage_journal_files(syslogd_t)
+	systemd_watch_journal_dirs(syslogd_t)

 	udev_read_runtime_files(syslogd_t)

--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -492,6 +492,7 @@ init_search_runtime(systemd_generator_t)
 init_setattr_runtime_files(systemd_generator_t)
 init_write_runtime_files(systemd_generator_t)
 init_list_unit_dirs(systemd_generator_t)
+init_getattr_generic_units_files(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)

@ -1006,6 +1007,9 @@ dev_read_sysfs(systemd_modules_load_t)
 files_mmap_read_kernel_modules(systemd_modules_load_t)
 files_read_etc_files(systemd_modules_load_t)

+fs_getattr_all_fs(systemd_modules_load_t)
+fs_search_all(systemd_modules_load_t)
+
 modutils_read_module_config(systemd_modules_load_t)
 modutils_read_module_deps(systemd_modules_load_t)

@ -1484,8 +1488,8 @@ systemd_log_parse_environment(systemd_sessions_t)

 # sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict
 # sys_ptrace for kernel.yama.ptrace_scope
-allow systemd_sysctl_t self:capability { sys_admin sys_ptrace };
-dontaudit systemd_sysctl_t self:capability net_admin;
+# net_admin for network sysctls
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace };

 kernel_read_kernel_sysctls(systemd_sysctl_t)
 kernel_request_load_module(systemd_sysctl_t)
@ -1504,7 +1508,7 @@ systemd_log_parse_environment(systemd_sysctl_t)
 # Sysusers local policy
 #

-allow systemd_sysusers_t self:capability { chown fsetid };
+allow systemd_sysusers_t self:capability { dac_read_search chown fsetid };
 allow systemd_sysusers_t self:process setfscreate;
 allow systemd_sysusers_t self:unix_dgram_socket sendto;