Merge pull request #566 from 0xC0ncord/various-20221207
Some more various fixes
This commit is contained in:
Chris PeBenito
GitHub
commit
50f2c7ad05
@ -68,7 +68,7 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
|
||||
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
|
||||
userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
|
||||
|
||||
allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
|
||||
allow alsa_t alsa_tmpfs_t:file mmap_manage_file_perms;
|
||||
fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
|
||||
|
||||
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
|
||||
|
||||
@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 apt_var_cache_t:dir manage_dir_perms;
|
||||
allow $1 apt_var_cache_t:file { manage_file_perms map };
|
||||
allow $1 apt_var_cache_t:file mmap_manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -36,6 +36,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
|
||||
allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
|
||||
dontaudit netutils_t self:capability { dac_override sys_tty_config };
|
||||
allow netutils_t self:process { getcap setcap signal_perms };
|
||||
# netlink_generic_socket for nmap.
|
||||
allow netutils_t self:netlink_generic_socket create_socket_perms;
|
||||
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow netutils_t self:netlink_socket create_socket_perms;
|
||||
# For tcpdump.
|
||||
@ -69,6 +71,8 @@ fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
domain_use_interactive_fds(netutils_t)
|
||||
|
||||
kernel_dontaudit_getattr_proc(netutils_t)
|
||||
|
||||
files_read_etc_files(netutils_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_var(netutils_t)
|
||||
@ -154,6 +158,7 @@ optional_policy(`
|
||||
allow traceroute_t self:capability { net_admin net_raw setgid setuid };
|
||||
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow traceroute_t self:process signal;
|
||||
allow traceroute_t self:netlink_generic_socket create_socket_perms;
|
||||
allow traceroute_t self:rawip_socket create_socket_perms;
|
||||
allow traceroute_t self:packet_socket { map create_socket_perms };
|
||||
allow traceroute_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -86,7 +86,7 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
|
||||
allow mozilla_t mozilla_plugin_t:fd use;
|
||||
|
||||
allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
|
||||
allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
|
||||
allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file mmap_manage_file_perms;
|
||||
allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
|
||||
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
|
||||
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
|
||||
|
||||
@ -45,7 +45,7 @@ template(`pulseaudio_role',`
|
||||
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
||||
|
||||
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
|
||||
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
|
||||
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { mmap_manage_file_perms relabel_file_perms };
|
||||
|
||||
allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
|
||||
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
|
||||
|
||||
@ -58,7 +58,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
|
||||
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
|
||||
allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
|
||||
allow pulseaudio_t pulseaudio_home_t:file mmap_manage_file_perms;
|
||||
allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
|
||||
|
||||
@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
|
||||
create_chr_files_pattern($1, device_t, urandom_device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set attributes on the urandom device (/dev/urandom).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_setattr_urand_dev',`
|
||||
gen_require(`
|
||||
type device_t, urandom_device_t;
|
||||
')
|
||||
|
||||
setattr_chr_files_pattern($1, device_t, urandom_device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Getattr generic the USB devices.
|
||||
|
||||
@ -4778,6 +4778,25 @@ interface(`fs_dontaudit_search_ramfs',`
|
||||
dontaudit $1 ramfs_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of directories on
|
||||
## a ramfs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_setattr_ramfs_dirs',`
|
||||
gen_require(`
|
||||
type ramfs_t;
|
||||
')
|
||||
|
||||
allow $1 ramfs_t:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
|
||||
@ -82,6 +82,12 @@ ifndef(`enable_mls',`
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
# Allow managing runtime units, for example mount units generated
|
||||
# from /etc/fstab.
|
||||
init_get_runtime_units_status(sysadm_t)
|
||||
init_start_runtime_units(sysadm_t)
|
||||
init_stop_runtime_units(sysadm_t)
|
||||
|
||||
# Allow sysadm to resolve the username of dynamic users by calling
|
||||
# LookupDynamicUserByUID on org.freedesktop.systemd1.
|
||||
init_dbus_chat(sysadm_t)
|
||||
|
||||
@ -51,7 +51,7 @@ allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms;
|
||||
allow aptcacher_t aptcacher_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow aptcacher_t aptcacher_cache_t:dir manage_dir_perms;
|
||||
allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map };
|
||||
allow aptcacher_t aptcacher_cache_t:file mmap_manage_file_perms;
|
||||
allow aptcacher_t aptcacher_cache_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow aptcacher_t aptcacher_lib_t:file map;
|
||||
|
||||
@ -2518,7 +2518,7 @@ interface(`container_admin',`
|
||||
allow $1 container_engine_domain:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, container_engine_domain)
|
||||
|
||||
allow $1 self:cap_userns { kill sys_ptrace };
|
||||
allow $1 self:cap_userns { kill sys_ptrace sys_admin };
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, container_var_lib_t)
|
||||
|
||||
@ -425,6 +425,8 @@ corenet_tcp_sendrecv_generic_node(container_net_domain)
|
||||
corenet_udp_sendrecv_generic_node(container_net_domain)
|
||||
corenet_tcp_bind_generic_node(container_net_domain)
|
||||
corenet_udp_bind_generic_node(container_net_domain)
|
||||
# for metallb BGP speakers
|
||||
corenet_raw_bind_generic_node(container_net_domain)
|
||||
|
||||
corenet_sendrecv_all_server_packets(container_net_domain)
|
||||
corenet_tcp_bind_all_ports(container_net_domain)
|
||||
@ -456,6 +458,8 @@ files_read_kernel_modules(container_t)
|
||||
|
||||
fs_mount_cgroup(container_t)
|
||||
fs_rw_cgroup_files(container_t)
|
||||
# for metallb BGP speakers
|
||||
fs_read_nsfs_files(container_t)
|
||||
|
||||
kernel_read_vm_overcommit_sysctl(container_t)
|
||||
|
||||
|
||||
@ -236,6 +236,7 @@ optional_policy(`
|
||||
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
|
||||
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
||||
|
||||
systemd_connect_machined(system_dbusd_t)
|
||||
# for passing around terminal file handles for machinectl shell
|
||||
systemd_use_inherited_machined_ptys(system_dbusd_t)
|
||||
|
||||
|
||||
@ -19,6 +19,33 @@ interface(`hddtemp_domtrans',`
|
||||
domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute hddtemp in the hddtemp domain, and
|
||||
## allow the specified role the hdd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`hddtemp_run',`
|
||||
gen_require(`
|
||||
type hddtemp_t;
|
||||
')
|
||||
|
||||
hddtemp_domtrans($1)
|
||||
role $2 types hddtemp_t;
|
||||
')
|
||||
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute hddtemp in the caller domain.
|
||||
@ -60,6 +87,8 @@ interface(`hddtemp_admin',`
|
||||
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
|
||||
')
|
||||
|
||||
hddtemp_run($1, $2)
|
||||
|
||||
allow $1 hddtemp_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, hddtemp_t)
|
||||
|
||||
|
||||
@ -34,6 +34,8 @@ corenet_tcp_bind_generic_node(hddtemp_t)
|
||||
corenet_tcp_bind_hddtemp_port(hddtemp_t)
|
||||
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
|
||||
|
||||
domain_use_interactive_fds(hddtemp_t)
|
||||
|
||||
files_search_etc(hddtemp_t)
|
||||
files_read_usr_files(hddtemp_t)
|
||||
|
||||
@ -45,3 +47,5 @@ auth_use_nsswitch(hddtemp_t)
|
||||
logging_send_syslog_msg(hddtemp_t)
|
||||
|
||||
miscfiles_read_localization(hddtemp_t)
|
||||
|
||||
userdom_use_user_terminals(hddtemp_t)
|
||||
|
||||
@ -109,7 +109,7 @@ allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
|
||||
allow mailman_cgi_t mailman_archive_t:file read_file_perms;
|
||||
|
||||
allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
|
||||
allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
|
||||
allow mailman_cgi_t mailman_data_t:file mmap_manage_file_perms;
|
||||
allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
|
||||
@ -123,7 +123,7 @@ allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
|
||||
allow mailman_cgi_t mailman_runtime_t:sock_file manage_sock_file_perms;
|
||||
|
||||
fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
|
||||
allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
|
||||
allow mailman_cgi_t mailman_cgi_tmpfs_t:file mmap_manage_file_perms;
|
||||
|
||||
kernel_read_net_sysctls(mailman_cgi_t)
|
||||
kernel_read_system_state(mailman_cgi_t)
|
||||
@ -283,7 +283,7 @@ allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
|
||||
allow mailman_queue_t mailman_archive_t:file manage_file_perms;
|
||||
|
||||
allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
|
||||
allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
|
||||
allow mailman_queue_t mailman_data_t:file mmap_manage_file_perms;
|
||||
allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
|
||||
@ -293,7 +293,7 @@ allow mailman_queue_t mailman_log_t:dir list_dir_perms;
|
||||
allow mailman_queue_t mailman_log_t:file manage_file_perms;
|
||||
|
||||
fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
|
||||
allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
|
||||
allow mailman_queue_t mailman_queue_tmpfs_t:file mmap_manage_file_perms;
|
||||
|
||||
kernel_read_network_state(mailman_queue_t)
|
||||
kernel_read_system_state(mailman_queue_t)
|
||||
|
||||
@ -51,7 +51,7 @@ allow matrixd_t self:unix_dgram_socket create_socket_perms;
|
||||
# https://cffi.readthedocs.io/en/latest/using.html#callbacks
|
||||
allow matrixd_t self:process { getsched execmem };
|
||||
|
||||
allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
|
||||
allow matrixd_t matrixd_tmp_t:file mmap_manage_file_perms;
|
||||
files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
|
||||
fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ allow nsd_t nsd_conf_t:dir list_dir_perms;
|
||||
allow nsd_t nsd_conf_t:file read_file_perms;
|
||||
allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow nsd_t nsd_db_t:file { manage_file_perms map };
|
||||
allow nsd_t nsd_db_t:file mmap_manage_file_perms;
|
||||
filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
|
||||
|
||||
manage_files_pattern(nsd_t, nsd_runtime_t, nsd_runtime_t)
|
||||
|
||||
@ -69,6 +69,7 @@ ifdef(`init_systemd',`
|
||||
# containers get created as systemd transient units
|
||||
init_get_transient_units_status(podman_t)
|
||||
init_start_transient_units(podman_t)
|
||||
init_stop_transient_units(podman_t)
|
||||
|
||||
# podman can read logs from containers which are
|
||||
# sent to the system journal
|
||||
@ -212,6 +213,7 @@ container_manage_engine_tmp_sock_files(podman_conmon_t)
|
||||
ifdef(`init_systemd',`
|
||||
init_get_transient_units_status(podman_conmon_t)
|
||||
init_start_transient_units(podman_conmon_t)
|
||||
init_stop_transient_units(podman_conmon_t)
|
||||
init_start_system(podman_conmon_t)
|
||||
init_stop_system(podman_conmon_t)
|
||||
')
|
||||
|
||||
@ -134,7 +134,9 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
# for /run/systemd/machines
|
||||
systemd_connect_machined(policykit_t)
|
||||
systemd_read_machines(policykit_t)
|
||||
systemd_watch_machines_dirs(policykit_t)
|
||||
|
||||
# for /run/systemd/seats/seat*
|
||||
systemd_read_logind_sessions_files(policykit_t)
|
||||
|
||||
@ -207,7 +207,7 @@ allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
|
||||
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
|
||||
allow postfix_master_t postfix_data_t:file manage_file_perms;
|
||||
allow postfix_master_t postfix_data_t:file mmap_manage_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_keytab_t:file read_file_perms;
|
||||
|
||||
@ -508,7 +508,7 @@ allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid
|
||||
allow postfix_map_t self:tcp_socket { accept listen };
|
||||
|
||||
allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
|
||||
allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
|
||||
allow postfix_map_t postfix_etc_t:file mmap_manage_file_perms;
|
||||
allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
|
||||
@ -839,6 +839,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
sasl_read_keytab(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -1,5 +1,7 @@
|
||||
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
|
||||
|
||||
/etc/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_keytab_t,s0)
|
||||
|
||||
/usr/bin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
|
||||
|
||||
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
|
||||
|
||||
@ -19,6 +19,25 @@ interface(`sasl_connect',`
|
||||
stream_connect_pattern($1, saslauthd_runtime_t, saslauthd_runtime_t, saslauthd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read SASL keytab files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sasl_read_keytab',`
|
||||
gen_require(`
|
||||
type saslauthd_keytab_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to
|
||||
|
||||
@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
|
||||
type virtlogd_t;
|
||||
type virtlogd_exec_t;
|
||||
init_daemon_domain(virtlogd_t, virtlogd_exec_t)
|
||||
init_named_socket_activation(virtlogd_t, virt_runtime_t)
|
||||
|
||||
type virtlogd_run_t;
|
||||
files_runtime_file(virtlogd_run_t)
|
||||
@ -451,6 +452,8 @@ tunable_policy(`virt_use_evdev',`
|
||||
|
||||
allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
|
||||
dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||
allow virtd_t self:capability2 { bpf perfmon };
|
||||
allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
|
||||
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
|
||||
allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
||||
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
|
||||
@ -522,7 +525,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
|
||||
allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
|
||||
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
|
||||
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
|
||||
allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
|
||||
# relabel needed for qemu guest agent sockets
|
||||
allow virtd_t virt_image_type:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
|
||||
allow virtd_t virt_ptynode:chr_file rw_term_perms;
|
||||
|
||||
@ -691,6 +695,15 @@ sysnet_domtrans_ifconfig(virtd_t)
|
||||
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_read_utmp(virtd_t)
|
||||
|
||||
systemd_dbus_chat_logind(virtd_t)
|
||||
|
||||
systemd_connect_machined(virtd_t)
|
||||
systemd_dbus_chat_machined(virtd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_fusefs',`
|
||||
fs_manage_fusefs_dirs(virtd_t)
|
||||
fs_manage_fusefs_files(virtd_t)
|
||||
|
||||
@ -3431,6 +3431,63 @@ interface(`init_reload_generic_units',`
|
||||
allow $1 systemd_unit_t:service reload;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the status of runtime systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_get_runtime_units_status',`
|
||||
gen_require(`
|
||||
type init_runtime_t;
|
||||
class service status;
|
||||
')
|
||||
|
||||
allow $1 init_runtime_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Start runtime systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_start_runtime_units',`
|
||||
gen_require(`
|
||||
type init_runtime_t;
|
||||
class service start;
|
||||
')
|
||||
|
||||
allow $1 init_runtime_t:service start;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Stop runtime systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_stop_runtime_units',`
|
||||
gen_require(`
|
||||
type init_runtime_t;
|
||||
class service stop;
|
||||
')
|
||||
|
||||
allow $1 init_runtime_t:service stop;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get status of transient systemd units.
|
||||
|
||||
@ -472,6 +472,8 @@ ifdef(`init_systemd',`
|
||||
fs_create_pstore_dirs(init_t)
|
||||
# for network namespaces
|
||||
fs_read_nsfs_files(init_t)
|
||||
# needed by systemd-creds
|
||||
fs_setattr_ramfs_dirs(init_t)
|
||||
|
||||
init_manage_all_unit_files(init_t)
|
||||
init_read_script_state(init_t)
|
||||
|
||||
@ -703,6 +703,7 @@ interface(`logging_send_syslog_msg',`
|
||||
allow syslogd_t $1:process signull;
|
||||
|
||||
kernel_dgram_send($1)
|
||||
kernel_stream_connect($1)
|
||||
')
|
||||
|
||||
')
|
||||
|
||||
@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
|
||||
allow $1 systemd_machined_runtime_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow watching /run/systemd/machines
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_watch_machines_dirs',`
|
||||
gen_require(`
|
||||
type systemd_machined_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_machined_runtime_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
|
||||
|
||||
@ -996,15 +996,18 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
|
||||
|
||||
manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||||
|
||||
kernel_getattr_proc(systemd_machined_t)
|
||||
kernel_read_kernel_sysctls(systemd_machined_t)
|
||||
kernel_read_system_state(systemd_machined_t)
|
||||
|
||||
dev_getattr_fs(systemd_machined_t)
|
||||
dev_setattr_urand_dev(systemd_machined_t)
|
||||
|
||||
files_read_etc_files(systemd_machined_t)
|
||||
|
||||
fs_getattr_cgroup(systemd_machined_t)
|
||||
fs_getattr_tmpfs(systemd_machined_t)
|
||||
fs_getattr_xattr_fs(systemd_machined_t)
|
||||
fs_read_nsfs_files(systemd_machined_t)
|
||||
|
||||
selinux_getattr_fs(systemd_machined_t)
|
||||
@ -1019,6 +1022,9 @@ init_stop_system(systemd_machined_t)
|
||||
init_get_generic_units_status(systemd_machined_t)
|
||||
init_start_generic_units(systemd_machined_t)
|
||||
init_stop_generic_units(systemd_machined_t)
|
||||
init_get_transient_units_status(systemd_machined_t)
|
||||
init_start_transient_units(systemd_machined_t)
|
||||
init_stop_transient_units(systemd_machined_t)
|
||||
|
||||
logging_send_syslog_msg(systemd_machined_t)
|
||||
|
||||
|
||||
@ -1343,6 +1343,7 @@ template(`userdom_admin_user_template',`
|
||||
allow $1_t self:cap_userns sys_ptrace;
|
||||
allow $1_t self:process { setexec setfscreate };
|
||||
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
|
||||
allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||
allow $1_t self:tun_socket create;
|
||||
# Set password information for other users.
|
||||
allow $1_t self:passwd { passwd chfn chsh };
|
||||
|
||||
@ -167,6 +167,7 @@ define(`create_file_perms',`{ getattr create open }')
|
||||
define(`rename_file_perms',`{ getattr rename }')
|
||||
define(`delete_file_perms',`{ getattr unlink }')
|
||||
define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
|
||||
define(`mmap_manage_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }')
|
||||
define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
|
||||
define(`relabelto_file_perms',`{ getattr relabelto }')
|
||||
define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user