systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer version of the patch which applies to today's git version. Description: systemd-resolved, sessions, and tmpfiles patches Author: Russell Coker <russell@coker.com.au> Last-Update: 2017-03-26
parent
066a5efbdf
commit
160d08f3ae
@ -1 +1 @@
|
||||
Subproject commit aede270ab97e863cbe2b8a1459b8c72ae5786356
|
||||
Subproject commit 2128180acf3e02131dfb02d7cf1835d0a1f62b1b
|
@ -2831,6 +2831,24 @@ interface(`files_manage_etc_dirs',`
|
||||
manage_dirs_pattern($1, etc_t, etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel directories to etc_t.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabelto_etc_dirs',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
allow $1 etc_t:dir relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read generic files in /etc.
|
||||
@ -3809,6 +3827,24 @@ interface(`files_relabelto_home',`
|
||||
allow $1 home_root_t:dir relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from user home root (/home).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabelfrom_home',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in /home.
|
||||
@ -5496,6 +5532,24 @@ interface(`files_manage_var_dirs',`
|
||||
allow $1 var_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## relabelto/from var directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_var_dirs',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the /var directory.
|
||||
@ -5763,6 +5817,44 @@ interface(`files_rw_var_lib_dirs',`
|
||||
rw_dirs_pattern($1, var_lib_t, var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## manage var_lib_t dirs
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_var_lib_dirs',`
|
||||
gen_require(`
|
||||
type var_t, var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_lib_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## relabel var_lib_t dirs
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_var_lib_dirs',`
|
||||
gen_require(`
|
||||
type var_t, var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_lib_t:dir { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in the /var/lib directory
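Review bot: The combined relabel rules in `files_relabel_var_dirs` and `files_relabel_var_lib_dirs` spell the permission list out as `{ relabelfrom relabelto }`, where the policy's `relabel_dir_perms` set is the usual form, e.g. `allow $1 var_lib_t:dir relabel_dir_perms;`. That set also carries `getattr`, which the literal list omits, so callers have to obtain it from some other rule. The same literal list appears in `init_relabel_var_lib_dirs`, `init_relabel_utmp` (where `relabel_file_perms` would be the match), the three `logging_relabel_*` interfaces and `userdom_relabel_user_runtime_root_dirs` elsewhere in this commit. The summaries `relabelto/from var directories`, `manage var_lib_t dirs` and `relabel var_lib_t dirs` would also read better as capitalised sentences like their neighbours, e.g. `Relabel to and from var_lib_t directories.`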
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(files, 1.23.7)
|
||||
policy_module(files, 1.23.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -698,6 +698,42 @@ interface(`xserver_rw_console',`
|
||||
allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create the X windows console named pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_create_console_pipes',`
|
||||
gen_require(`
|
||||
type xconsole_device_t;
|
||||
')
|
||||
|
||||
allow $1 xconsole_device_t:fifo_file create;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## relabel the X windows console named pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_relabel_console_pipes',`
|
||||
gen_require(`
|
||||
type xconsole_device_t;
|
||||
')
|
||||
|
||||
allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use file descriptors for xdm.
|
||||
@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',`
|
||||
gen_require(`
|
||||
type xdm_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
')
|
||||
|
||||
allow $1 xdm_t:dbus send_msg;
|
||||
allow xdm_t $1:dbus send_msg;
|
||||
@ -1162,6 +1198,24 @@ interface(`xserver_read_xkb_libs',`
|
||||
read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create xdm temporary directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to allow access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_create_xdm_tmp_dirs',`
|
||||
gen_require(`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_tmp_t:dir create;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read xdm temporary files.
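Review bot: `xserver_create_console_pipes` and `xserver_create_xdm_tmp_dirs` each grant a bare `create` on the object class and nothing on the containing directory, and their summaries do not say so. A caller that does not get search and add_name on the parent directory from another rule will still be denied, so the doc block should name that requirement, for example `## The caller must separately be allowed to add entries to the parent directory.` In `xserver_relabel_console_pipes` the list `{ getattr relabelfrom relabelto }` could be written as `relabel_fifo_file_perms`.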
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(xserver, 3.13.4)
|
||||
policy_module(xserver, 3.13.5)
|
||||
|
||||
gen_require(`
|
||||
class x_drawable all_x_drawable_perms;
|
||||
|
@ -1084,6 +1084,24 @@ interface(`init_list_var_lib_dirs',`
|
||||
allow $1 init_var_lib_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel dirs in /var/lib/systemd/.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_relabel_var_lib_dirs',`
|
||||
gen_require(`
|
||||
type init_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 init_var_lib_t:dir { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage files in /var/lib/systemd/.
|
||||
@ -2517,6 +2535,24 @@ interface(`init_manage_utmp',`
|
||||
allow $1 initrc_var_run_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel utmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_relabel_utmp',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 initrc_var_run_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create files in /var/run with the
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(init, 2.2.12)
|
||||
policy_module(init, 2.2.13)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -433,6 +433,82 @@ interface(`logging_domtrans_syslog',`
|
||||
domtrans_pattern($1, syslogd_exec_t, syslogd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of syslog temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_setattr_syslogd_tmp_files',`
|
||||
gen_require(`
|
||||
type syslogd_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 syslogd_tmp_t:file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from syslog temporary file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_relabel_syslogd_tmp_files',`
|
||||
gen_require(`
|
||||
type syslogd_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 syslogd_tmp_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of syslog temporary directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_setattr_syslogd_tmp_dirs',`
|
||||
gen_require(`
|
||||
type syslogd_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 syslogd_tmp_t:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from syslog temporary directory type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_relabel_syslogd_tmp_dirs',`
|
||||
gen_require(`
|
||||
type syslogd_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 syslogd_tmp_t:dir { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create an object in the log directory, with a private type.
|
||||
@ -920,6 +996,46 @@ interface(`logging_manage_all_logs',`
|
||||
read_lnk_files_pattern($1, logfile, logfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete generic log directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_manage_generic_log_dirs',`
|
||||
gen_require(`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from and to generic log directory type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_relabel_generic_log_dirs',`
|
||||
gen_require(`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read generic log files.
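Review bot: All six interfaces added here carry `## <rolecap/>` in their doc blocks, which reads like a leftover from the interface they were copied from; in the systemd part of this commit they are called with `systemd_tmpfiles_t`, a daemon domain, rather than being handed to a role. Unless they are meant to be listed as role capabilities, drop the `## <rolecap/>` line from `logging_setattr_syslogd_tmp_files`, `logging_relabel_syslogd_tmp_files`, `logging_setattr_syslogd_tmp_dirs`, `logging_relabel_syslogd_tmp_dirs`, `logging_manage_generic_log_dirs` and `logging_relabel_generic_log_dirs`. The four `syslogd_tmp_t` interfaces also grant nothing for reaching the directory that holds those objects, which may be intended but is worth a line in each summary.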
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(logging, 1.25.8)
|
||||
policy_module(logging, 1.25.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -620,6 +620,25 @@ interface(`miscfiles_manage_man_cache',`
|
||||
allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from and to man cache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_relabel_man_cache',`
|
||||
gen_require(`
|
||||
type man_cache_t;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, man_cache_t, man_cache_t)
|
||||
relabel_files_pattern($1, man_cache_t, man_cache_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read public files used for file
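Review bot: `miscfiles_relabel_man_cache` covers directories and regular files but not symbolic links, while the preceding `miscfiles_manage_man_cache` (its last rule is visible as context) also manages `man_cache_t:lnk_file`. If links of that type can exist in the cache, a relabel of the tree would be denied on them; adding `relabel_lnk_files_pattern($1, man_cache_t, man_cache_t)` would keep the two interfaces in step. The body of `miscfiles_manage_man_cache` starts outside the hunk, so whether it also grants search on the parent directories cannot be checked from here.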
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(miscfiles, 1.12.1)
|
||||
policy_module(miscfiles, 1.12.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(systemd, 1.3.13)
|
||||
policy_module(systemd, 1.3.14)
|
||||
|
||||
#########################################
|
||||
#
|
||||
@ -613,9 +613,18 @@ optional_policy(`
|
||||
# Sessions local policy
|
||||
#
|
||||
|
||||
allow systemd_sessions_t self:process setfscreate;
|
||||
|
||||
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
|
||||
|
||||
selinux_get_enforce_mode(systemd_sessions_t)
|
||||
selinux_get_fs_mount(systemd_sessions_t)
|
||||
|
||||
seutil_read_config(systemd_sessions_t)
|
||||
seutil_read_default_contexts(systemd_sessions_t)
|
||||
seutil_read_file_contexts(systemd_sessions_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_sessions_t)
|
||||
|
||||
#########################################
|
||||
@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t)
|
||||
# Tmpfiles local policy
|
||||
#
|
||||
|
||||
allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
|
||||
allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
|
||||
allow systemd_tmpfiles_t self:process { setfscreate getcap };
|
||||
|
||||
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
|
||||
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
|
||||
|
||||
allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
|
||||
|
||||
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
||||
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
||||
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
|
||||
@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
|
||||
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
|
||||
kernel_read_network_state(systemd_tmpfiles_t)
|
||||
|
||||
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
|
||||
dev_read_urand(systemd_tmpfiles_t)
|
||||
dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
||||
dev_read_urand(systemd_tmpfiles_t)
|
||||
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
|
||||
|
||||
files_create_lock_dirs(systemd_tmpfiles_t)
|
||||
files_manage_all_pid_dirs(systemd_tmpfiles_t)
|
||||
files_delete_usr_files(systemd_tmpfiles_t)
|
||||
files_list_home(systemd_tmpfiles_t)
|
||||
files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
|
||||
files_manage_var_dirs(systemd_tmpfiles_t)
|
||||
files_manage_var_lib_dirs(systemd_tmpfiles_t)
|
||||
files_purge_tmp(systemd_tmpfiles_t)
|
||||
files_read_etc_files(systemd_tmpfiles_t)
|
||||
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
|
||||
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
|
||||
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
|
||||
files_relabel_var_dirs(systemd_tmpfiles_t)
|
||||
files_relabel_var_lib_dirs(systemd_tmpfiles_t)
|
||||
files_relabelfrom_home(systemd_tmpfiles_t)
|
||||
files_relabelto_home(systemd_tmpfiles_t)
|
||||
files_relabelto_etc_dirs(systemd_tmpfiles_t)
|
||||
# for /etc/mtab
|
||||
files_manage_etc_symlinks(systemd_tmpfiles_t)
|
||||
|
||||
auth_manage_var_auth(systemd_tmpfiles_t)
|
||||
fs_getattr_xattr_fs(systemd_tmpfiles_t)
|
||||
|
||||
selinux_get_fs_mount(systemd_tmpfiles_t)
|
||||
selinux_search_fs(systemd_tmpfiles_t)
|
||||
|
||||
auth_manage_faillog(systemd_tmpfiles_t)
|
||||
auth_manage_login_records(systemd_tmpfiles_t)
|
||||
auth_manage_var_auth(systemd_tmpfiles_t)
|
||||
auth_relabel_login_records(systemd_tmpfiles_t)
|
||||
auth_setattr_login_records(systemd_tmpfiles_t)
|
||||
|
||||
init_manage_utmp(systemd_tmpfiles_t)
|
||||
init_manage_var_lib_files(systemd_tmpfiles_t)
|
||||
# for /proc/1/environ
|
||||
init_read_state(systemd_tmpfiles_t)
|
||||
|
||||
init_relabel_utmp(systemd_tmpfiles_t)
|
||||
init_relabel_var_lib_dirs(systemd_tmpfiles_t)
|
||||
|
||||
logging_manage_generic_logs(systemd_tmpfiles_t)
|
||||
logging_manage_generic_log_dirs(systemd_tmpfiles_t)
|
||||
logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
|
||||
logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
|
||||
logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
|
||||
logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
|
||||
logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
|
||||
|
||||
miscfiles_manage_man_pages(systemd_tmpfiles_t)
|
||||
miscfiles_relabel_man_cache(systemd_tmpfiles_t)
|
||||
|
||||
seutil_read_config(systemd_tmpfiles_t)
|
||||
seutil_read_file_contexts(systemd_tmpfiles_t)
|
||||
|
||||
sysnet_create_config(systemd_tmpfiles_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_tmpfiles_t)
|
||||
|
||||
userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
|
||||
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
|
||||
|
||||
tunable_policy(`systemd_tmpfiles_manage_all',`
|
||||
# systemd-tmpfiles can be configured to manage anything.
|
||||
# have a last-resort option for users to do this.
|
||||
@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
|
||||
files_relabel_non_security_dirs(systemd_tmpfiles_t)
|
||||
files_relabel_non_security_files(systemd_tmpfiles_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_read_lib_files(systemd_tmpfiles_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xfs_create_tmp_dirs(systemd_tmpfiles_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_create_console_pipes(systemd_tmpfiles_t)
|
||||
xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
|
||||
xserver_relabel_console_pipes(systemd_tmpfiles_t)
|
||||
xserver_setattr_console_pipes(systemd_tmpfiles_t)
|
||||
')
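Review bot: The tmpfiles capability rule now reads `allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };`, and neither `net_admin` nor `sys_admin` has a comment saying which tmpfiles operation needs it. `sys_admin` in particular is a very broad capability to give a domain that already manages device nodes and relabels directories under /etc, /var and /home. Please record the triggering operation next to the rule, the way `# for /etc/mtab` and `# for /proc/1/environ` do further down; if the denials were only a side effect of a probe that tmpfiles tolerates failing, a `dontaudit` for those two capabilities would be the narrower choice. The new manage and relabel calls are also granted unconditionally although the `systemd_tmpfiles_manage_all` tunable exists as the opt-in for wide access, so the description should say why each one has to be always on.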
|
||||
|
@ -2919,6 +2919,24 @@ interface(`userdom_manage_user_runtime_root_dirs',`
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from user runtime root dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_relabel_user_runtime_root_dirs',`
|
||||
gen_require(`
|
||||
type user_runtime_root_t;
|
||||
')
|
||||
|
||||
allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete user
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(userdomain, 4.13.5)
|
||||
policy_module(userdomain, 4.13.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|