systemd: add policy for systemd-machine-id-setup
systemd-machine-id-setup's role is to commit the host's machine id to /etc/machine-id. The behavior of this process has changed slightly: during boot a tmpfs is temporarily mounted on top of /etc/machine-id, which systemd-machine-id-setup then reads and writes directly to the underlying file. Signed-off-by: Kenton Groombridge <concord@gentoo.org>
This commit is contained in:
parent
8b26a7ccf3
commit
489051ff99
@ -10,6 +10,7 @@
|
||||
/usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
|
||||
/usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
|
||||
/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hw_exec_t,s0)
|
||||
/usr/bin/systemd-machine-id-setup -- gen_context(system_u:object_r:systemd_machine_id_setup_exec_t,s0)
|
||||
/usr/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
|
||||
/usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
|
||||
/usr/bin/systemd-sysusers -- gen_context(system_u:object_r:systemd_sysusers_exec_t,s0)
|
||||
|
@ -193,6 +193,10 @@ type systemd_machined_runtime_t alias systemd_machined_var_run_t;
|
||||
files_runtime_file(systemd_machined_runtime_t)
|
||||
init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
|
||||
|
||||
type systemd_machine_id_setup_t;
|
||||
type systemd_machine_id_setup_exec_t;
|
||||
init_system_domain(systemd_machine_id_setup_t, systemd_machine_id_setup_exec_t)
|
||||
|
||||
type systemd_modules_load_t;
|
||||
type systemd_modules_load_exec_t;
|
||||
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
|
||||
@ -1110,6 +1114,30 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
#########################################
|
||||
#
|
||||
# machine-id-setup local policy
|
||||
#
|
||||
|
||||
allow systemd_machine_id_setup_t self:capability { setgid sys_admin sys_chroot };
|
||||
|
||||
files_list_var(systemd_machine_id_setup_t)
|
||||
files_mounton_root(systemd_machine_id_setup_t)
|
||||
files_rw_etc_runtime_files(systemd_machine_id_setup_t)
|
||||
|
||||
fs_getattr_cgroup(systemd_machine_id_setup_t)
|
||||
fs_search_cgroup_dirs(systemd_machine_id_setup_t)
|
||||
fs_getattr_tmpfs(systemd_machine_id_setup_t)
|
||||
fs_read_nsfs_files(systemd_machine_id_setup_t)
|
||||
fs_unmount_tmpfs(systemd_machine_id_setup_t)
|
||||
|
||||
kernel_dontaudit_getattr_proc(systemd_machine_id_setup_t)
|
||||
kernel_read_kernel_sysctls(systemd_machine_id_setup_t)
|
||||
kernel_read_system_state(systemd_machine_id_setup_t)
|
||||
|
||||
init_read_runtime_files(systemd_machine_id_setup_t)
|
||||
init_read_state(systemd_machine_id_setup_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# modules-load local policy
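Review bot: The machine-id-setup local policy grants `sys_admin`, `sys_chroot`, `files_mounton_root` and `fs_unmount_tmpfs` with no comment saying why, even though the commit message explains the tmpfs-over-/etc/machine-id behavior that motivates them; that reasoning belongs next to the rules so the next person auditing this domain's capabilities does not have to dig through history. I would add a comment above the `allow systemd_machine_id_setup_t self:capability { setgid sys_admin sys_chroot };` line along the lines of `# commit step: unmount the early-boot tmpfs over /etc/machine-id and write the id to the underlying file (mount/umount; the mounton on / suggests a private mount namespace is set up first — confirm against the denials that prompted it)`. `files_rw_etc_runtime_files` presumably covers the underlying /etc/machine-id file itself; verify its label in files.fc matches. The two `')` lines at the top of the hunk close an optional_policy block that begins outside it, and the hunk ends inside the modules-load section header.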
|
||||
|