systemd: add policy for systemd-pcrphase

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-12-10 16:24:25 -05:00
parent 31bee5dc41
commit d4ee0d3c29
2 changed files with 27 additions and 0 deletions


@ -36,6 +36,7 @@
/usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-pcrphase -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
/usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)


@ -215,6 +215,10 @@ files_runtime_file(systemd_nspawn_runtime_t)
type systemd_nspawn_tmp_t;
files_tmp_file(systemd_nspawn_tmp_t)
type systemd_pcrphase_t;
type systemd_pcrphase_exec_t;
init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
type systemd_pstore_t;
type systemd_pstore_exec_t;
init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
@ -1360,6 +1364,28 @@ optional_policy(`
plymouthd_stream_connect(systemd_passwd_agent_t)
')
#########################################
#
# systemd-pcrphase local policy
#
allow systemd_pcrphase_t self:capability dac_override;
dontaudit systemd_pcrphase_t self:capability net_admin;
dev_rw_tpm(systemd_pcrphase_t)
dev_write_kmsg(systemd_pcrphase_t)
fs_read_efivarfs_files(systemd_pcrphase_t)
fs_getattr_cgroup(systemd_pcrphase_t)
fs_search_cgroup_dirs(systemd_pcrphase_t)
kernel_dontaudit_getattr_proc(systemd_pcrphase_t)
kernel_read_kernel_sysctls(systemd_pcrphase_t)
kernel_read_system_state(systemd_pcrphase_t)
init_read_state(systemd_pcrphase_t)
logging_send_syslog_msg(systemd_pcrphase_t)
#########################################
#