1910 lines
45 KiB
Plaintext
1910 lines
45 KiB
Plaintext
## <summary>Systemd components (not PID 1)</summary>
|
|
|
|
#########################################
|
|
## <summary>
|
|
## Template for systemd --user per-role domains.
|
|
## </summary>
|
|
## <param name="prefix">
|
|
## <summary>
|
|
## Prefix for generated types
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The user role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="userdomain">
|
|
## <summary>
|
|
## The user domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="pty_type">
|
|
## <summary>
|
|
## The type for the user pty
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`systemd_role_template',`
|
|
gen_require(`
|
|
attribute systemd_user_session_type, systemd_log_parse_env_type;
|
|
attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
|
|
type systemd_run_exec_t, systemd_analyze_exec_t;
|
|
type systemd_conf_home_t, systemd_data_home_t;
|
|
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
|
|
type systemd_user_unit_t, systemd_user_runtime_unit_t;
|
|
')
|
|
|
|
#################################
|
|
#
|
|
# Declarations
|
|
#
|
|
type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
|
|
init_pgm_spec_user_daemon_domain($1_systemd_t)
|
|
domain_user_exemption_target($1_systemd_t)
|
|
ubac_constrained($1_systemd_t)
|
|
role $2 types $1_systemd_t;
|
|
|
|
#################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# This domain is per-role because of the below transitions.
|
|
# See the systemd --user section of systemd.te for the
|
|
# remainder of the rules.
|
|
allow $1_systemd_t self:process { getsched signal };
|
|
allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
|
|
corecmd_shell_domtrans($1_systemd_t, $3)
|
|
corecmd_bin_domtrans($1_systemd_t, $3)
|
|
|
|
# systemctl --user rules
|
|
allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
|
|
allow $1_systemd_t systemd_user_activated_sock_file_type:dir manage_dir_perms;
|
|
allow $1_systemd_t systemd_user_activated_sock_file_type:sock_file manage_sock_file_perms;
|
|
|
|
allow $1_systemd_t systemd_user_runtime_t:blk_file manage_blk_file_perms;
|
|
allow $1_systemd_t systemd_user_runtime_t:chr_file manage_chr_file_perms;
|
|
allow $1_systemd_t systemd_user_runtime_t:dir manage_dir_perms;
|
|
allow $1_systemd_t systemd_user_runtime_t:file manage_file_perms;
|
|
allow $1_systemd_t systemd_user_runtime_t:fifo_file manage_fifo_file_perms;
|
|
allow $1_systemd_t systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
|
|
allow $1_systemd_t systemd_user_runtime_t:sock_file manage_sock_file_perms;
|
|
|
|
allow $1_systemd_t systemd_user_runtime_unit_t:dir manage_dir_perms;
|
|
allow $1_systemd_t systemd_user_runtime_unit_t:file manage_file_perms;
|
|
allow $1_systemd_t systemd_user_runtime_unit_t:lnk_file manage_lnk_file_perms;
|
|
|
|
allow $1_systemd_t $3:dir search_dir_perms;
|
|
allow $1_systemd_t $3:file read_file_perms;
|
|
allow $1_systemd_t $3:lnk_file read_lnk_file_perms;
|
|
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.early")
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.late")
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "transient")
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "user")
|
|
|
|
dev_read_urand($1_systemd_t)
|
|
|
|
files_search_home($1_systemd_t)
|
|
|
|
fs_manage_cgroup_files($1_systemd_t)
|
|
fs_watch_cgroup_files($1_systemd_t)
|
|
|
|
kernel_dontaudit_getattr_proc($1_systemd_t)
|
|
|
|
selinux_use_status_page($1_systemd_t)
|
|
|
|
init_linkable_keyring($1_systemd_t)
|
|
init_list_unit_dirs($1_systemd_t)
|
|
init_read_generic_units_files($1_systemd_t)
|
|
|
|
miscfiles_watch_localization($1_systemd_t)
|
|
|
|
mount_read_runtime_files($1_systemd_t)
|
|
mount_watch_runtime_files($1_systemd_t)
|
|
mount_watch_reads_runtime_files($1_systemd_t)
|
|
|
|
seutil_search_default_contexts($1_systemd_t)
|
|
seutil_read_file_contexts($1_systemd_t)
|
|
|
|
systemd_manage_conf_home_content($1_systemd_t)
|
|
systemd_manage_data_home_content($1_systemd_t)
|
|
|
|
systemd_search_user_runtime_unit_dirs($1_systemd_t)
|
|
|
|
systemd_search_user_runtime_unit_dirs($1_systemd_t)
|
|
systemd_read_user_unit_files($1_systemd_t)
|
|
|
|
dbus_system_bus_client($1_systemd_t)
|
|
dbus_spec_session_bus_client($1, $1_systemd_t)
|
|
|
|
# userdomain rules
|
|
allow $3 $1_systemd_t:process signal;
|
|
allow $3 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
|
|
# Allow using file descriptors for user environment generators
|
|
allow $3 $1_systemd_t:fd use;
|
|
allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
|
|
stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
|
|
|
|
allow $3 $1_systemd_t:system { disable enable reload start stop status };
|
|
|
|
allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
|
|
allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
|
allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
|
|
allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
|
|
allow $3 systemd_user_unit_t:service { reload start status stop };
|
|
allow $3 systemd_conf_home_t:service { reload start status stop };
|
|
|
|
can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
|
|
|
|
init_dbus_chat($3)
|
|
|
|
systemd_list_journal_dirs($3)
|
|
systemd_read_journal_files($3)
|
|
|
|
systemd_manage_conf_home_content($3)
|
|
systemd_relabel_conf_home_content($3)
|
|
|
|
systemd_manage_data_home_content($3)
|
|
systemd_relabel_data_home_content($3)
|
|
|
|
systemd_read_user_unit_files($3)
|
|
systemd_list_user_runtime_unit_dirs($3)
|
|
systemd_read_user_runtime_units($3)
|
|
|
|
systemd_reload_user_runtime_units($3)
|
|
systemd_start_user_runtime_units($3)
|
|
systemd_status_user_runtime_units($3)
|
|
systemd_stop_user_runtime_units($3)
|
|
|
|
systemd_watch_passwd_runtime_dirs($3)
|
|
|
|
optional_policy(`
|
|
xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
|
|
xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
|
|
xdg_read_config_files($1_systemd_t)
|
|
xdg_read_data_files($1_systemd_t)
|
|
')
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to be started as a daemon by the
|
|
## specified systemd user instance.
|
|
## </summary>
|
|
## <param name="prefix">
|
|
## <summary>
|
|
## Prefix for the user domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entry_point">
|
|
## <summary>
|
|
## Entry point file type for the domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to allow the systemd user domain to run.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`systemd_user_daemon_domain',`
|
|
gen_require(`
|
|
type $1_systemd_t;
|
|
')
|
|
|
|
domtrans_pattern($1_systemd_t, $2, $3)
|
|
|
|
allow $1_systemd_t $3:process signal_perms;
|
|
allow $3 $1_systemd_t:unix_stream_socket rw_socket_perms;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Associate the specified file type to be a type whose sock files
|
|
## can be managed by systemd user instances for socket activation.
|
|
## </summary>
|
|
## <param name="file_type">
|
|
## <summary>
|
|
## File type to be associated.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_user_activated_sock_file',`
|
|
gen_require(`
|
|
attribute systemd_user_activated_sock_file_type;
|
|
')
|
|
|
|
typeattribute $1 systemd_user_activated_sock_file_type;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Associate the specified domain to be a domain whose unix stream
|
|
## sockets and sock files can be managed by systemd user instances
|
|
## for socket activation.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to be associated.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="sock_file_type">
|
|
## <summary>
|
|
## File type of the domain's sock files to be associated.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_user_unix_stream_activated_socket',`
|
|
gen_require(`
|
|
attribute systemd_user_unix_stream_activated_socket_type;
|
|
')
|
|
|
|
typeattribute $1 systemd_user_unix_stream_activated_socket_type;
|
|
systemd_user_activated_sock_file($2)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to search systemd config home
|
|
## content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_search_conf_home_content',`
|
|
gen_require(`
|
|
type systemd_conf_home_t;
|
|
')
|
|
|
|
search_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to manage systemd config home
|
|
## content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_conf_home_content',`
|
|
gen_require(`
|
|
type systemd_conf_home_t;
|
|
')
|
|
|
|
manage_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
|
|
manage_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
|
|
manage_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to relabel systemd config home
|
|
## content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_relabel_conf_home_content',`
|
|
gen_require(`
|
|
type systemd_conf_home_t;
|
|
')
|
|
|
|
relabel_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
|
|
relabel_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
|
|
relabel_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to search systemd data home
|
|
## content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_search_data_home_content',`
|
|
gen_require(`
|
|
type systemd_data_home_t;
|
|
')
|
|
|
|
search_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to manage systemd data home
|
|
## content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_data_home_content',`
|
|
gen_require(`
|
|
type systemd_data_home_t;
|
|
')
|
|
|
|
allow $1 systemd_data_home_t:dir manage_dir_perms;
|
|
allow $1 systemd_data_home_t:file manage_file_perms;
|
|
allow $1 systemd_data_home_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to relabel systemd data home
|
|
## content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_relabel_data_home_content',`
|
|
gen_require(`
|
|
type systemd_data_home_t;
|
|
')
|
|
|
|
relabel_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
|
|
relabel_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
|
|
relabel_lnk_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to search systemd user runtime
|
|
## content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_search_user_runtime',`
|
|
gen_require(`
|
|
type systemd_user_runtime_t;
|
|
')
|
|
|
|
search_dirs_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to read systemd user runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_user_runtime_files',`
|
|
gen_require(`
|
|
type systemd_user_runtime_t;
|
|
')
|
|
|
|
read_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to read systemd user runtime lnk files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_user_runtime_lnk_files',`
|
|
gen_require(`
|
|
type systemd_user_runtime_t;
|
|
')
|
|
|
|
read_lnk_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to read system-wide systemd
|
|
## user unit files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_user_unit_files',`
|
|
gen_require(`
|
|
type systemd_user_unit_t;
|
|
')
|
|
|
|
allow $1 systemd_user_unit_t:dir list_dir_perms;
|
|
allow $1 systemd_user_unit_t:file read_file_perms;
|
|
allow $1 systemd_user_unit_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to read systemd user runtime unit files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_user_runtime_units',`
|
|
gen_require(`
|
|
type systemd_user_runtime_unit_t;
|
|
')
|
|
|
|
read_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
|
|
read_lnk_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to search systemd user runtime unit
|
|
## directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_search_user_runtime_unit_dirs',`
|
|
gen_require(`
|
|
type systemd_user_runtime_unit_t;
|
|
')
|
|
|
|
search_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to list the contents of systemd
|
|
## user runtime unit directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_list_user_runtime_unit_dirs',`
|
|
gen_require(`
|
|
type systemd_user_runtime_unit_t;
|
|
')
|
|
|
|
list_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to get the status of systemd user runtime units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_status_user_runtime_units',`
|
|
gen_require(`
|
|
type systemd_user_runtime_unit_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 systemd_user_runtime_unit_t:service status;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to start systemd user runtime units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_start_user_runtime_units',`
|
|
gen_require(`
|
|
type systemd_user_runtime_unit_t;
|
|
class service start;
|
|
')
|
|
|
|
allow $1 systemd_user_runtime_unit_t:service start;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to stop systemd user runtime units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_stop_user_runtime_units',`
|
|
gen_require(`
|
|
type systemd_user_runtime_unit_t;
|
|
class service stop;
|
|
')
|
|
|
|
allow $1 systemd_user_runtime_unit_t:service stop;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to reload systemd user runtime units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_reload_user_runtime_units',`
|
|
gen_require(`
|
|
type systemd_user_runtime_unit_t;
|
|
class service reload;
|
|
')
|
|
|
|
allow $1 systemd_user_runtime_unit_t:service reload;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Make the specified type usable as an
|
|
## log parse environment type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type to be used as a log parse environment type.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_log_parse_environment',`
|
|
gen_require(`
|
|
attribute systemd_log_parse_env_type;
|
|
')
|
|
|
|
typeattribute $1 systemd_log_parse_env_type;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow domain to use systemd's Name Service Switch (NSS) module.
|
|
## This module provides UNIX user and group name resolution for dynamic users
|
|
## and groups allocated through the DynamicUser= option in systemd unit files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_use_nss',`
|
|
gen_require(`
|
|
type systemd_conf_t;
|
|
')
|
|
|
|
# Get attributes of /etc/systemd/dont-synthesize-nobody
|
|
files_search_etc($1)
|
|
allow $1 systemd_conf_t:file getattr;
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client($1)
|
|
# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
|
|
init_dbus_chat($1)
|
|
')
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow domain to be used as a systemd service with a unit
|
|
## that uses PrivateDevices=yes in section [Service].
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_PrivateDevices',`
|
|
# For services using PrivateDevices, systemd mounts a dedicated
|
|
# tmpfs filesystem for the /dev, which gets label tmpfs_t.
|
|
# Allow to traverse /dev and to read symlinks in /dev (for example /dev/log)
|
|
fs_read_tmpfs_symlinks($1)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to read udev hwdb file
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_hwdb',`
|
|
gen_require(`
|
|
type systemd_hwdb_t;
|
|
')
|
|
|
|
read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to map udev hwdb file
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_map_hwdb',`
|
|
gen_require(`
|
|
type systemd_hwdb_t;
|
|
')
|
|
|
|
allow $1 systemd_hwdb_t:file map;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Read systemd_login PID files. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_logind_pids',`
|
|
refpolicywarn(`$0($*) has been deprecated, please use systemd_read_logind_runtime_files() instead.')
|
|
systemd_read_logind_runtime_files($1)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Manage systemd_login PID pipes. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_logind_pid_pipes',`
|
|
refpolicywarn(`$0($*) has been deprecated, please use systemd_manage_logind_runtime_pipes() instead.')
|
|
systemd_manage_logind_runtime_pipes($1)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Write systemd_login named pipe. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_write_logind_pid_pipes',`
|
|
refpolicywarn(`$0($*) has been deprecated, please use systemd_write_logind_runtime_pipes() instead.')
|
|
systemd_write_logind_runtime_pipes($1)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Read systemd-logind runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_logind_runtime_files',`
|
|
gen_require(`
|
|
type systemd_logind_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
allow $1 systemd_logind_runtime_t:dir list_dir_perms;
|
|
allow $1 systemd_logind_runtime_t:file read_file_perms;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Manage systemd-logind runtime pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_logind_runtime_pipes',`
|
|
gen_require(`
|
|
type systemd_logind_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
manage_fifo_files_pattern($1, systemd_logind_runtime_t, systemd_logind_runtime_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Write systemd-logind runtime named pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_write_logind_runtime_pipes',`
|
|
gen_require(`
|
|
type systemd_logind_runtime_t;
|
|
')
|
|
|
|
init_search_run($1)
|
|
files_search_runtime($1)
|
|
allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Use inherited systemd
|
|
## logind file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_use_logind_fds',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:fd use;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Read logind sessions files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_logind_sessions_files',`
|
|
gen_require(`
|
|
type systemd_sessions_runtime_t, systemd_logind_t;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:fd use;
|
|
init_search_run($1)
|
|
allow $1 systemd_sessions_runtime_t:dir list_dir_perms;
|
|
read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Write inherited logind sessions pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_write_inherited_logind_sessions_pipes',`
|
|
gen_require(`
|
|
type systemd_logind_t, systemd_sessions_runtime_t;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:fd use;
|
|
allow $1 systemd_sessions_runtime_t:fifo_file write;
|
|
allow systemd_logind_t $1:process signal;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Write inherited logind inhibit pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_write_inherited_logind_inhibit_pipes',`
|
|
gen_require(`
|
|
type systemd_logind_inhibit_runtime_t;
|
|
type systemd_logind_t;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:fd use;
|
|
allow $1 systemd_logind_inhibit_runtime_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## systemd logind over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_dbus_chat_logind',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:dbus send_msg;
|
|
allow systemd_logind_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the system status information from systemd_login
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_status_logind',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:service status;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send systemd_login a null signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_signull_logind',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
')
|
|
|
|
allow $1 systemd_logind_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage systemd userdb runtime directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_userdb_runtime_dirs', `
|
|
gen_require(`
|
|
type systemd_userdb_runtime_t;
|
|
')
|
|
|
|
manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage socket files under /run/systemd/userdb .
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_userdb_runtime_sock_files', `
|
|
gen_require(`
|
|
type systemd_userdb_runtime_t;
|
|
')
|
|
|
|
manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to /run/systemd/userdb/io.systemd.DynamicUser .
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_stream_connect_userdb', `
|
|
gen_require(`
|
|
type systemd_userdb_runtime_t;
|
|
')
|
|
|
|
init_search_runtime($1)
|
|
allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
|
|
allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
|
|
init_unix_stream_socket_connectto($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow reading /run/systemd/machines
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain that can access the machines files
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_machines',`
|
|
gen_require(`
|
|
type systemd_machined_runtime_t;
|
|
')
|
|
|
|
allow $1 systemd_machined_runtime_t:dir list_dir_perms;
|
|
allow $1 systemd_machined_runtime_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain that can access the socket
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_connect_machined',`
|
|
gen_require(`
|
|
type systemd_machined_t;
|
|
')
|
|
|
|
allow $1 systemd_machined_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## systemd hostnamed over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_dbus_chat_hostnamed',`
|
|
gen_require(`
|
|
type systemd_hostnamed_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 systemd_hostnamed_t:dbus send_msg;
|
|
allow systemd_hostnamed_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## allow systemd_passwd_agent to inherit fds
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain that owns the fds
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_use_passwd_agent_fds',`
|
|
gen_require(`
|
|
type systemd_passwd_agent_t;
|
|
')
|
|
|
|
allow systemd_passwd_agent_t $1:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## allow systemd_passwd_agent to be run by admin
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain that runs it
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## role that it runs in
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_run_passwd_agent',`
|
|
gen_require(`
|
|
type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
|
|
')
|
|
|
|
domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
|
|
allow systemd_passwd_agent_t $1:fd use;
|
|
role $2 types systemd_passwd_agent_t;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow a systemd_passwd_agent_t process to interact with a daemon
|
|
## that needs a password from the sysadmin.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_use_passwd_agent',`
|
|
gen_require(`
|
|
type systemd_passwd_agent_t;
|
|
type systemd_passwd_runtime_t;
|
|
')
|
|
|
|
manage_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
manage_sock_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
|
|
allow systemd_passwd_agent_t $1:process signull;
|
|
ps_process_pattern(systemd_passwd_agent_t, $1)
|
|
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Transition to systemd_passwd_runtime_t when creating dirs
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_filetrans_passwd_runtime_dirs',`
|
|
gen_require(`
|
|
type systemd_passwd_runtime_t;
|
|
')
|
|
|
|
init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password-block")
|
|
init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Transition to systemd_userdb_runtime_t when
|
|
## creating the userdb directory inside an init runtime
|
|
## directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_filetrans_userdb_runtime_dirs', `
|
|
gen_require(`
|
|
type systemd_userdb_runtime_t;
|
|
')
|
|
|
|
init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow to domain to create systemd-passwd symlink
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_passwd_runtime_symlinks',`
|
|
gen_require(`
|
|
type systemd_passwd_runtime_t;
|
|
')
|
|
|
|
allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow a domain to watch systemd-passwd runtime dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_watch_passwd_runtime_dirs',`
|
|
gen_require(`
|
|
type systemd_passwd_runtime_t;
|
|
')
|
|
|
|
allow $1 systemd_passwd_runtime_t:dir watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## manage systemd unit dirs and the files in them (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_all_units',`
|
|
refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.')
|
|
init_manage_all_unit_files($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to list the contents of systemd_journal_t dirs
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_list_journal_dirs',`
|
|
gen_require(`
|
|
type systemd_journal_t;
|
|
')
|
|
|
|
list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to read systemd_journal_t files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_journal_files',`
|
|
gen_require(`
|
|
type systemd_journal_t;
|
|
')
|
|
|
|
list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
|
|
mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to create/manage systemd_journal_t files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_journal_files',`
|
|
gen_require(`
|
|
type systemd_journal_t;
|
|
')
|
|
|
|
manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
|
|
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
|
|
allow $1 systemd_journal_t:file map;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to add a watch on systemd_journal_t directories
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_watch_journal_dirs',`
|
|
gen_require(`
|
|
type systemd_journal_t;
|
|
')
|
|
|
|
allow $1 systemd_journal_t:dir watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel to systemd-journald directory type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_relabelto_journal_dirs',`
|
|
gen_require(`
|
|
type systemd_journal_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
allow $1 systemd_journal_t:dir relabelto_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel to systemd-journald file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_relabelto_journal_files',`
|
|
gen_require(`
|
|
type systemd_journal_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
|
|
allow $1 systemd_journal_t:file relabelto_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to read systemd_networkd_t unit files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_networkd_units',`
|
|
gen_require(`
|
|
type systemd_networkd_unit_t;
|
|
')
|
|
|
|
init_search_units($1)
|
|
list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
|
|
read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to create/manage systemd_networkd_t unit files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_manage_networkd_units',`
|
|
gen_require(`
|
|
type systemd_networkd_unit_t;
|
|
')
|
|
|
|
init_search_units($1)
|
|
manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
|
|
manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to enable systemd-networkd units
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_enabledisable_networkd',`
|
|
gen_require(`
|
|
type systemd_networkd_unit_t;
|
|
class service { enable disable };
|
|
')
|
|
|
|
allow $1 systemd_networkd_unit_t:service { enable disable };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to start systemd-networkd units
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_startstop_networkd',`
|
|
gen_require(`
|
|
type systemd_networkd_unit_t;
|
|
class service { start stop };
|
|
')
|
|
|
|
allow $1 systemd_networkd_unit_t:service { start stop };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to get status of systemd-networkd
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_status_networkd',`
|
|
gen_require(`
|
|
type systemd_networkd_unit_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 systemd_networkd_unit_t:service status;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Relabel systemd_networkd tun socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_relabelfrom_networkd_tun_sockets',`
|
|
gen_require(`
|
|
type systemd_networkd_t;
|
|
')
|
|
|
|
allow $1 systemd_networkd_t:tun_socket relabelfrom;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Read/Write from systemd_networkd netlink route socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_rw_networkd_netlink_route_sockets',`
|
|
gen_require(`
|
|
type systemd_networkd_t;
|
|
')
|
|
|
|
allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to list dirs under /run/systemd/netif
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## domain permitted the access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_list_networkd_runtime',`
|
|
gen_require(`
|
|
type systemd_networkd_runtime_t;
|
|
')
|
|
|
|
init_list_runtime($1)
|
|
allow $1 systemd_networkd_runtime_t:dir list_dir_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Watch directories under /run/systemd/netif
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain permitted the access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_watch_networkd_runtime_dirs',`
|
|
gen_require(`
|
|
type systemd_networkd_runtime_t;
|
|
')
|
|
|
|
allow $1 systemd_networkd_runtime_t:dir watch;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to read files generated by systemd_networkd
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
|
|
interface(`systemd_read_networkd_runtime',`
|
|
gen_require(`
|
|
type systemd_networkd_runtime_t;
|
|
')
|
|
|
|
list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
|
read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow systemd_logind_t to read process state for cgroup file
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain systemd_logind_t may access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_logind_state',`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
')
|
|
|
|
allow systemd_logind_t $1:dir list_dir_perms;
|
|
allow systemd_logind_t $1:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to start power units
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_start_power_units',`
|
|
gen_require(`
|
|
type power_unit_t;
|
|
class service start;
|
|
')
|
|
|
|
allow $1 power_unit_t:service start;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the system status information about power units
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_status_power_units',`
|
|
gen_require(`
|
|
type power_unit_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 power_unit_t:service status;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allows connections to the systemd-socket-proxyd's socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_stream_connect_socket_proxyd', `
|
|
gen_require(`
|
|
type systemd_socket_proxyd_t;
|
|
')
|
|
|
|
allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the specified type usable for
|
|
## systemd tmpfiles config files.
|
|
## </summary>
|
|
## <param name="type">
|
|
## <summary>
|
|
## Type to be used for systemd tmpfiles config files.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_tmpfiles_conf_file',`
|
|
gen_require(`
|
|
attribute systemd_tmpfiles_conf_type;
|
|
')
|
|
|
|
files_config_file($1)
|
|
typeattribute $1 systemd_tmpfiles_conf_type;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to create
|
|
## the tmpfiles config directory with
|
|
## the correct context.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_tmpfiles_creator',`
|
|
gen_require(`
|
|
type systemd_tmpfiles_conf_t;
|
|
')
|
|
|
|
files_runtime_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
|
|
allow $1 systemd_tmpfiles_conf_t:dir create;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create an object in the systemd tmpfiles config
|
|
## directory, with a private type
|
|
## using a type transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="private type">
|
|
## <summary>
|
|
## The type of the object to be created.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="object">
|
|
## <summary>
|
|
## The object class of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
## <summary>
|
|
## The name of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_tmpfiles_conf_filetrans',`
|
|
gen_require(`
|
|
type systemd_tmpfiles_conf_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to list systemd tmpfiles config directory
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_list_tmpfiles_conf',`
|
|
gen_require(`
|
|
type systemd_tmpfiles_conf_t;
|
|
')
|
|
|
|
allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to relabel to systemd tmpfiles config directory
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
|
|
gen_require(`
|
|
type systemd_tmpfiles_conf_t;
|
|
')
|
|
|
|
allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to relabel to systemd tmpfiles config files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_relabelto_tmpfiles_conf_files',`
|
|
gen_require(`
|
|
attribute systemd_tmpfiles_conf_type;
|
|
')
|
|
|
|
allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow systemd_tmpfiles_t to manage filesystem objects
|
|
## </summary>
|
|
## <param name="type">
|
|
## <summary>
|
|
## type of object to manage
|
|
## </summary>
|
|
## </param>
|
|
## <param name="class">
|
|
## <summary>
|
|
## object class to manage
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_tmpfilesd_managed',`
|
|
gen_require(`
|
|
type systemd_tmpfiles_t;
|
|
')
|
|
|
|
allow systemd_tmpfiles_t $1:dir list_dir_perms;
|
|
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## systemd resolved over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_dbus_chat_resolved',`
|
|
gen_require(`
|
|
type systemd_resolved_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 systemd_resolved_t:dbus send_msg;
|
|
allow systemd_resolved_t $1:dbus send_msg;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to read resolv.conf file generated by systemd_resolved
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_read_resolved_runtime',`
|
|
gen_require(`
|
|
type systemd_resolved_runtime_t;
|
|
')
|
|
|
|
read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to getattr on .updated file (generated by systemd-update-done
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_getattr_updated_runtime',`
|
|
gen_require(`
|
|
type systemd_update_run_t;
|
|
')
|
|
|
|
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search keys for the all systemd --user domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_search_all_user_keys',`
|
|
gen_require(`
|
|
attribute systemd_user_session_type;
|
|
')
|
|
|
|
allow $1 systemd_user_session_type:key search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create keys for the all systemd --user domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_create_all_user_keys',`
|
|
gen_require(`
|
|
attribute systemd_user_session_type;
|
|
')
|
|
|
|
allow $1 systemd_user_session_type:key create;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Write keys for the all systemd --user domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_write_all_user_keys',`
|
|
gen_require(`
|
|
attribute systemd_user_session_type;
|
|
')
|
|
|
|
allow $1 systemd_user_session_type:key write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute systemd-sysusers in the
|
|
## systemd sysusers domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`systemd_domtrans_sysusers', `
|
|
gen_require(`
|
|
type systemd_sysusers_t, systemd_sysusers_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, systemd_sysusers_exec_t, systemd_sysusers_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Run systemd-sysusers with a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`systemd_run_sysusers', `
|
|
gen_require(`
|
|
attribute_role systemd_sysusers_roles;
|
|
')
|
|
|
|
systemd_domtrans_sysusers($1)
|
|
roleattribute $2 systemd_sysusers_roles;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## receive and use a systemd_machined_devpts_t file handle
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`systemd_use_inherited_machined_ptys', `
|
|
gen_require(`
|
|
type systemd_machined_t, systemd_machined_devpts_t;
|
|
')
|
|
|
|
allow $1 systemd_machined_t:fd use;
|
|
allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
|
|
')
|