systemd-tmpfiles: refactor runtime configs

Handle runtime configuration files under /run/tmpfiles.d as third-party content, like /run or /var/lib.
cgzones 2017-02-18 22:16:30 +01:00
parent 94311b1c20
commit 4d0d7cfc6f
7 changed files with 156 additions and 103 deletions


@ -324,7 +324,6 @@ ifdef(`init_systemd',`
')
optional_policy(`
systemd_relabelto_kmod_files(init_t)
systemd_dbus_chat_logind(init_t)
')


@ -8,7 +8,9 @@ ifdef(`distro_gentoo',`
/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
')
/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:kmod_var_run_t,s0)
ifdef(`init_systemd',`
/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
')
/usr/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0)


@ -376,9 +376,5 @@ interface(`modutils_exec_update_mods',`
## </param>
#
interface(`modutils_read_var_run_files',`
gen_require(`
type kmod_var_run_t;
')
allow $1 kmod_var_run_t:file read_file_perms;
refpolicywarn(`$0($*) has been deprecated.')
')
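Review bot: The doc block for `modutils_read_var_run_files` should say the interface is deprecated, because after this change the body only emits `refpolicywarn` and grants nothing. The `## <summary>` lies above the hunk, so this is based on the visible body only; the usual refpolicy form is to append `(Deprecated)` to the summary text. The warning could also tell callers what replaces it, which from the rest of the commit appears to be the `systemd_tmpfiles_conf_type` read rule in systemd.te rather than another interface.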


@ -23,8 +23,12 @@ files_type(modules_conf_t)
type modules_dep_t;
files_type(modules_dep_t)
type kmod_var_run_t;
files_pid_file(kmod_var_run_t)
ifdef(`init_systemd',`
type kmod_tmpfiles_conf_t;
typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
')
########################################
#
@ -68,11 +72,6 @@ kernel_dontaudit_search_unlabeled(kmod_t)
corecmd_exec_bin(kmod_t)
corecmd_exec_shell(kmod_t)
# for /run/tmpfiles.d/kmod.conf
files_pid_filetrans(kmod_t, kmod_var_run_t, dir)
allow kmod_t kmod_var_run_t:dir manage_dir_perms;
allow kmod_t kmod_var_run_t:file manage_file_perms;
dev_rw_sysfs(kmod_t)
dev_search_usbfs(kmod_t)
dev_rw_mtrr(kmod_t)
@ -115,9 +114,12 @@ userdom_use_user_terminals(kmod_t)
userdom_dontaudit_search_user_home_dirs(kmod_t)
ifdef(`init_systemd',`
init_rw_stream_sockets(kmod_t)
# for /run/tmpfiles.d/kmod.conf
allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
# kmod needs to create /run/tmpdiles.d
systemd_tmpfiles_creator(kmod_t)
systemd_write_kmod_files(kmod_t)
init_rw_stream_sockets(kmod_t)
')
optional_policy(`
@ -158,10 +160,6 @@ optional_policy(`
xserver_dontaudit_write_log(kmod_t)
xserver_stream_connect(kmod_t)
xserver_dontaudit_rw_stream_sockets(kmod_t)
ifdef(`hide_broken_symptoms',`
xserver_dontaudit_rw_tcp_sockets(kmod_t)
')
')
optional_policy(`
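Review bot: The transition `systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)` in the first hunk is unnamed, so any file kmod_t creates in /run/tmpfiles.d would get `kmod_tmpfiles_conf_t`, and the systemd.te rule in this commit lets systemd_tmpfiles_t read every file of such a type as configuration. The only path modutils.fc labels with this type is kmod.conf, and the interface takes an optional name argument, so the transition can be narrowed to `systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file, "kmod.conf")`. With the named form, a file created under another name would fall back to the directory type, for which no file create permission for kmod_t is visible here. Separately, the comment in the third hunk reads `/run/tmpdiles.d`; it should be `# kmod needs to create /run/tmpfiles.d`.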


@ -47,7 +47,9 @@
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
/run/tmpfiles\.d/.* <<none>>
/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
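Review bot: The new `/run/tmpfiles\.d/.* <<none>>` entry needs a comment, because its effect is not obvious from the line. Anything under the directory that no module claims with a more specific entry is skipped on relabel and keeps the label it was created with. A comment above the two added lines would do, for example `# per-file types come from the owning module (e.g. modutils.fc); other entries keep their creation label`. This matters for later review because the systemd.te rule only lets systemd_tmpfiles_t read types that carry `systemd_tmpfiles_conf_type`.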


@ -130,53 +130,44 @@ interface(`systemd_dbus_chat_logind',`
## <rolecap/>
#
interface(`systemd_write_kmod_files',`
gen_require(`
type systemd_kmod_conf_t;
')
write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
')
#######################################
## <summary>
## Allow systemd_tmpfiles_t to manage filesystem objects
## </summary>
## <param name="type">
## <summary>
## type of object to manage
## </summary>
## </param>
## <param name="class">
## <summary>
## object class to manage
## </summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
gen_require(`
type systemd_tmpfiles_t;
')
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Allow process to relabel to systemd_kmod_conf_t.
## Get the system status information from systemd_login
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`systemd_relabelto_kmod_files',`
interface(`systemd_status_logind',`
gen_require(`
type systemd_kmod_conf_t;
type systemd_logind_t;
class service status;
')
allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
allow $1 systemd_logind_t:service status;
')
########################################
## <summary>
## Send systemd_login a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_signull_logind',`
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:process signull;
')
########################################
@ -276,49 +267,12 @@ interface(`systemd_read_logind_state',`
########################################
## <summary>
## Get the system status information from systemd_login
## Allow specified domain to start power units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_status_logind',`
gen_require(`
type systemd_logind_t;
class service status;
')
allow $1 systemd_logind_t:service status;
')
########################################
## <summary>
## Send systemd_login a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_signull_logind',`
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:process signull;
')
########################################
## <summary>
## Allow specified domain to start power units
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`systemd_start_power_units',`
@ -329,3 +283,103 @@ interface(`systemd_start_power_units',`
allow $1 power_unit_t:service start;
')
########################################
## <summary>
## Make the specified type usable for
## systemd tmpfiles config files.
## </summary>
## <param name="type">
## <summary>
## Type to be used for systemd tmpfiles config files.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_conf_file',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
files_config_file($1)
typeattribute $1 systemd_tmpfiles_conf_type;
')
########################################
## <summary>
## Allow the specified domain to create
## the tmpfiles config directory with
## the correct context.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_creator',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
allow $1 systemd_tmpfiles_conf_t:dir create;
')
########################################
## <summary>
## Create an object in the systemd tmpfiles config
## directory, with a private type
## using a type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private type">
## <summary>
## The type of the object to be created.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`systemd_tmpfiles_conf_filetrans',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
files_search_pids($1)
filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')
#######################################
## <summary>
## Allow systemd_tmpfiles_t to manage filesystem objects
## </summary>
## <param name="type">
## <summary>
## type of object to manage
## </summary>
## </param>
## <param name="class">
## <summary>
## object class to manage
## </summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
gen_require(`
type systemd_tmpfiles_t;
')
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
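Review bot: The summary of `systemd_tmpfiles_conf_file` does not state the consequence of using it. The systemd.te part of this commit allows systemd_tmpfiles_t to read every file whose type carries `systemd_tmpfiles_conf_type`, so a domain that can write such a type supplies configuration to systemd-tmpfiles. I would add a line to the summary such as `## Files of this type are read by systemd_tmpfiles_t as configuration.` and a matching remark on `systemd_tmpfiles_conf_filetrans`, whose optional name parameter lets callers limit the transition to one file. Also, `systemd_relabelto_kmod_files` appears to be removed outright in the first hunk while `modutils_read_var_run_files` is kept as a `refpolicywarn` stub; if I read the lost markers correctly, out-of-tree callers would fail to build rather than get a warning.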


@ -21,6 +21,7 @@ gen_tunable(systemd_tmpfiles_manage_all, false)
gen_tunable(systemd_nspawn_labeled_namespace, false)
attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
type systemd_activate_t;
type systemd_activate_exec_t;
@ -147,10 +148,11 @@ init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
type systemd_tmpfiles_t;
type systemd_tmpfiles_exec_t;
type systemd_kmod_conf_t;
files_config_file(systemd_kmod_conf_t)
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
type systemd_tmpfiles_conf_t;
files_config_file(systemd_tmpfiles_conf_t)
#
# Unit file types
#
@ -551,6 +553,9 @@ manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
@ -567,9 +572,6 @@ auth_manage_login_records(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
# for /run/tmpfiles.d/kmod.conf
modutils_read_var_run_files(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
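Review bot: The read rule added in the third hunk covers `systemd_tmpfiles_conf_type:file`, but `systemd_tmpfiles_conf_t` itself is declared with `files_config_file` and is not given that attribute. A file that ends up with the directory's own type is therefore not covered by this rule, unless a rule outside the visible hunks grants the read. If that is intended as fail-closed behaviour for files created without a module-specific transition, say so next to the rule, e.g. `# only module-declared config types are read; plain systemd_tmpfiles_conf_t files are ignored on purpose`. If it is not intended, declaring the type with `systemd_tmpfiles_conf_file(systemd_tmpfiles_conf_t)` would add the attribute. The rule also covers only class `file`; whether symlinks in /run/tmpfiles.d need `read_lnk_file_perms` cannot be judged from this page.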