Merge branch 'resolved' of https://github.com/bigon/refpolicy

2018-11-11 15:52:51 -05:00 · 2018-11-11 15:52:51 -05:00 · 0e868859c4
commit 0e868859c4
parent 390c4f80fb d5d6fe0046
4 changed files with 38 additions and 4 deletions
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@ -756,9 +756,14 @@ interface(`sysnet_dns_name_resolve',`
 		nscd_use($1)
 	')

-	# This seems needed when the mymachines NSS module is used
-	optional_policy(`
-		systemd_read_machines($1)
+	ifdef(`init_systemd',`
+		optional_policy(`
+			systemd_dbus_chat_resolved($1)
+		')
+		# This seems needed when the mymachines NSS module is used
+		optional_policy(`
+			systemd_read_machines($1)
+		')
 	')
 ')

--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@ -753,6 +753,27 @@ interface(`systemd_tmpfilesd_managed',`
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')

+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd resolved over dbus.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_resolved',`
+	gen_require(`
+		type systemd_resolved_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_resolved_t:dbus send_msg;
+	allow systemd_resolved_t $1:dbus send_msg;
+')
+
 #######################################
 ## <summary>
 ##  Allow domain to read resolv.conf file generated by systemd_resolved
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -864,7 +864,7 @@ optional_policy(`
 # Resolved local policy
 #

-allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
 allow systemd_resolved_t self:process { getcap setcap setfscreate signal };

 allow systemd_resolved_t self:tcp_socket { accept listen };
@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)

 corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)

 auth_use_nsswitch(systemd_resolved_t)
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -58,6 +58,12 @@ ifdef(`direct_sysadm_daemon',`
        ')
 ')

+ifdef(`init_systemd',`
+	optional_policy(`
+		systemd_dbus_chat_resolved(unconfined_t)
+	')
+')
+
 optional_policy(`
 	ada_domtrans(unconfined_t)
 ')