nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #770 from pebenito/systemd-analyze

Browse Source 
Misc fixes
This commit is contained in:
Chris PeBenito 2024-06-06 12:07:27 -04:00 committed by GitHub
commit 04eca2fa9b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 63 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
policy/modules/admin/cloudinit.te
View File

@ -9,6 +9,13 @@ gen_require(`
# Declarations # Declarations
# #
## <desc>
## <p>
## Enable support for the cloud-init-growpart module.
## </p>
## </desc>
gen_tunable(cloudinit_growpart, false)
## <desc> ## <desc>
## <p> ## <p>
## Enable support for cloud-init to manage all non-security files. ## Enable support for cloud-init to manage all non-security files.
@ -128,6 +135,8 @@ ssh_setattr_home_dirs(cloud_init_t)
# Read public keys # Read public keys
ssh_read_server_keys(cloud_init_t) ssh_read_server_keys(cloud_init_t)
storage_raw_read_fixed_disk_cond(cloud_init_t, cloudinit_growpart)
sysnet_run_ifconfig(cloud_init_t, system_r) sysnet_run_ifconfig(cloud_init_t, system_r)
term_write_console(cloud_init_t) term_write_console(cloud_init_t)

5
policy/modules/kernel/filesystem.fc
View File

@ -14,14 +14,15 @@
/sys/fs/bpf(/.*)? <<none>> /sys/fs/bpf(/.*)? <<none>>
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>> /sys/fs/cgroup/.* gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/[^/]+ -l gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0) /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
/sys/fs/pstore/.* <<none>> /sys/fs/pstore/.* <<none>>
/sys/kernel/tracing(/.*)? <<none>> /sys/kernel/tracing(/.*)? <<none>>
/sys/fs/cgroup/.*/memory\.pressure -- gen_context(system_u:object_r:memory_pressure_t,s0)
ifdef(`distro_debian',` ifdef(`distro_debian',`
/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) /run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
/run/shm/.* <<none>> /run/shm/.* <<none>>

1
policy/modules/kernel/filesystem.te
View File

@ -95,6 +95,7 @@ files_mountpoint(cgroup_t)
dev_associate_sysfs(cgroup_t) dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
allow cgroup_types cgroup_t:filesystem associate;
# When running under systemd, the cgroup file memory.pressure will have this # When running under systemd, the cgroup file memory.pressure will have this
# separate label, to allow unprivileged process to access it without accessing # separate label, to allow unprivileged process to access it without accessing
# the rest of the cgroup tree. # the rest of the cgroup tree.

4
policy/modules/system/init.te
View File

@ -1201,6 +1201,10 @@ ifdef(`init_systemd',`
# create /var/lock/lvm/ # create /var/lock/lvm/
lvm_create_lock_dirs(initrc_t) lvm_create_lock_dirs(initrc_t)
') ')
optional_policy(`
systemd_dbus_chat_homed(initrc_t)
')
') ')
optional_policy(` optional_policy(`

21
policy/modules/system/systemd.if
View File

@ -1113,6 +1113,27 @@ interface(`systemd_PrivateDevices',`
fs_read_tmpfs_symlinks($1) fs_read_tmpfs_symlinks($1)
') ')
########################################
## <summary>
## Send and receive messages from
## systemd homed over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_dbus_chat_homed',`
gen_require(`
type systemd_homed_t;
class dbus send_msg;
')
allow $1 systemd_homed_t:dbus send_msg;
allow systemd_homed_t $1:dbus send_msg;
')
###################################### ######################################
## <summary> ## <summary>
## Read and write systemd-homework semaphores. ## Read and write systemd-homework semaphores.

25
policy/modules/system/systemd.te
View File

@ -362,6 +362,29 @@ userdom_user_runtime_content(systemd_user_transient_unit_t)
type power_unit_t; type power_unit_t;
init_unit_file(power_unit_t) init_unit_file(power_unit_t)
######################################
#
# Analyze local policy
#
files_get_etc_unit_status(systemd_analyze_t)
init_stream_connect(systemd_analyze_t)
init_get_all_units_status(systemd_analyze_t)
init_service_status(systemd_analyze_t)
init_get_system_status(systemd_analyze_t)
kernel_read_kernel_sysctls(systemd_analyze_t)
kernel_dontaudit_getattr_proc(systemd_analyze_t)
miscfiles_read_localization(systemd_analyze_t)
seutil_libselinux_linked(systemd_analyze_t)
systemd_log_parse_environment(systemd_analyze_t)
userdom_use_inherited_user_terminals(systemd_analyze_t)
###################################### ######################################
# #
# Backlight local policy # Backlight local policy
@ -635,6 +658,7 @@ files_search_tmp(systemd_homed_t)
fs_get_xattr_fs_quotas(systemd_homed_t) fs_get_xattr_fs_quotas(systemd_homed_t)
fs_getattr_all_fs(systemd_homed_t) fs_getattr_all_fs(systemd_homed_t)
fs_watch_memory_pressure(systemd_homed_t)
kernel_read_kernel_sysctls(systemd_homed_t) kernel_read_kernel_sysctls(systemd_homed_t)
kernel_read_system_state(systemd_homed_t) kernel_read_system_state(systemd_homed_t)
@ -2044,6 +2068,7 @@ files_read_usr_files(systemd_userdbd_t)
fs_getattr_all_fs(systemd_userdbd_t) fs_getattr_all_fs(systemd_userdbd_t)
fs_search_cgroup_dirs(systemd_userdbd_t) fs_search_cgroup_dirs(systemd_userdbd_t)
fs_read_efivarfs_files(systemd_userdbd_t) fs_read_efivarfs_files(systemd_userdbd_t)
fs_watch_memory_pressure(systemd_userdbd_t)
kernel_read_system_state(systemd_userdbd_t) kernel_read_system_state(systemd_userdbd_t)