diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
index 0c80a32ad..94f7eabd2 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -9,6 +9,13 @@ gen_require(`
 # Declarations
 #
+##
+##

+## Enable support for the cloud-init-growpart module.
+##

+##
+gen_tunable(cloudinit_growpart, false)
+
 ##
 ##

## Enable support for cloud-init to manage all non-security files.
@@ -128,6 +135,8 @@ ssh_setattr_home_dirs(cloud_init_t)
 # Read public keys
 ssh_read_server_keys(cloud_init_t)
+storage_raw_read_fixed_disk_cond(cloud_init_t, cloudinit_growpart)
+
 sysnet_run_ifconfig(cloud_init_t, system_r)
 term_write_console(cloud_init_t)
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 8cdca1855..ca88fdc49 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -14,14 +14,15 @@
 /sys/fs/bpf(/.*)? <>
 /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/sys/fs/cgroup/.* <>
-/sys/fs/cgroup/[^/]+ -l gen_context(system_u:object_r:cgroup_t,s0)
+/sys/fs/cgroup/.* gen_context(system_u:object_r:cgroup_t,s0)
 /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
 /sys/fs/pstore/.* <>
 /sys/kernel/tracing(/.*)? <>
+/sys/fs/cgroup/.*/memory\.pressure -- gen_context(system_u:object_r:memory_pressure_t,s0)
+
 ifdef(`distro_debian',`
 /run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
 /run/shm/.* <>
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index c5b6573f6..b40cb5f6c 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -95,6 +95,7 @@ files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
+allow cgroup_types cgroup_t:filesystem associate;
 # When running under systemd, the cgroup file memory.pressure will have this
 # separate label, to allow unprivileged process to access it without accessing
 # the rest of the cgroup tree.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bc3a34d98..4b880e160 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
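Review bot: The tunable description added in the first hunk, `## Enable support for the cloud-init-growpart module.`, does not say what the boolean actually unlocks, while the second hunk shows it: `storage_raw_read_fixed_disk_cond(cloud_init_t, cloudinit_growpart)` gives cloud_init_t read access to raw fixed-disk device nodes, i.e. to every byte on the disk. An administrator flipping the boolean should see that, e.g. `## Allow cloud-init raw read access to fixed disk devices, as needed by the cloud-init-growpart module.`. Separately, growpart rewrites the partition table; if cloud_init_t runs that tool itself instead of transitioning to a storage-administration domain such as fsadm_t, read-only access will not be sufficient — worth confirming with the boolean enabled before merging.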
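Review bot: In filesystem.fc the new `/sys/fs/cgroup/.*/memory\.pressure -- gen_context(system_u:object_r:memory_pressure_t,s0)` entry is placed after the pstore and tracing lines instead of next to the `/sys/fs/cgroup` entries it refines; the file groups entries by path prefix, so it reads better directly below `/sys/fs/cgroup/.* gen_context(system_u:object_r:cgroup_t,s0)`. Matching is resolved by specificity rather than position, so this is a readability point only.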
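Review bot: In filesystem.te the new `allow cgroup_types cgroup_t:filesystem associate;` has no comment, and the neighbouring comment block only explains memory_pressure_t, so the reason for widening associate to the whole attribute is lost; suggest prefixing it with `# cgroup_types (e.g. memory_pressure_t) must be allowed to associate with the cgroup filesystem, otherwise relabelling memory.pressure is denied`. The cgroup_types attribute is not declared in this hunk — presumably it lives in the declarations section; confirm memory_pressure_t carries it, since without this rule the new file_contexts entry cannot be applied on cgroup2.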
@@ -1201,6 +1201,10 @@ ifdef(`init_systemd',`
 # create /var/lock/lvm/
 lvm_create_lock_dirs(initrc_t)
 ')
+
+ optional_policy(`
+ systemd_dbus_chat_homed(initrc_t)
+ ')
 ')
 optional_policy(`
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 4ad1b4484..6c57d4869 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1113,6 +1113,27 @@ interface(`systemd_PrivateDevices',`
 fs_read_tmpfs_symlinks($1)
 ')
+########################################
+##
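Review bot: `systemd_dbus_chat_homed(initrc_t)` gives the broad initrc_t domain two-way dbus messaging with systemd-homed, but nothing in the hunk records which init script or unit needs it, so the rule cannot be re-evaluated later. A one-line comment above the new optional_policy block, e.g. `# for <script or unit that talks to homed — TODO name it>`, would fix that. The enclosing `ifdef(`init_systemd',`` block begins outside the hunk.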

+## Send and receive messages from
+## systemd homed over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_dbus_chat_homed',`
+ gen_require(`
+ type systemd_homed_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_homed_t:dbus send_msg;
+ allow systemd_homed_t $1:dbus send_msg;
+')
+
 ######################################
 ##
 ## Read and write systemd-homework semaphores.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 623556ff4..840682e46 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -362,6 +362,29 @@ userdom_user_runtime_content(systemd_user_transient_unit_t)
 type power_unit_t;
 init_unit_file(power_unit_t)
+######################################
+#
+# Analyze local policy
+#
+
+files_get_etc_unit_status(systemd_analyze_t)
+
+init_stream_connect(systemd_analyze_t)
+init_get_all_units_status(systemd_analyze_t)
+init_service_status(systemd_analyze_t)
+init_get_system_status(systemd_analyze_t)
+
+kernel_read_kernel_sysctls(systemd_analyze_t)
+kernel_dontaudit_getattr_proc(systemd_analyze_t)
+
+miscfiles_read_localization(systemd_analyze_t)
+
+seutil_libselinux_linked(systemd_analyze_t)
+
+systemd_log_parse_environment(systemd_analyze_t)
+
+userdom_use_inherited_user_terminals(systemd_analyze_t)
+
 ######################################
 #
 # Backlight local policy
@@ -635,6 +658,7 @@ files_search_tmp(systemd_homed_t)
 fs_get_xattr_fs_quotas(systemd_homed_t)
 fs_getattr_all_fs(systemd_homed_t)
+fs_watch_memory_pressure(systemd_homed_t)
 kernel_read_kernel_sysctls(systemd_homed_t)
 kernel_read_system_state(systemd_homed_t)
@@ -2044,6 +2068,7 @@ files_read_usr_files(systemd_userdbd_t)
 fs_getattr_all_fs(systemd_userdbd_t)
 fs_search_cgroup_dirs(systemd_userdbd_t)
 fs_read_efivarfs_files(systemd_userdbd_t)
+fs_watch_memory_pressure(systemd_userdbd_t)
 kernel_read_system_state(systemd_userdbd_t)