init: allow systemd to relabel /dev and /run
systemd relabels everything in /dev and /run after loading the policy. In these directories there is a socket file for udev, /run/udev/control, which is not allowed to be relabelled from tmpfs_t:

avc: denied { relabelfrom } for pid=1 comm="systemd" name="control" dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
avc: denied { relabelto } for pid=1 comm="systemd" name="control" dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:udev_var_run_t tclass=sock_file permissive=1

/run/tmpfiles.d directory (used by systemd-tmpfiles service) is also relabelled.
parent
ae40418b24
commit
60382e9e53
@ -4553,6 +4553,24 @@ interface(`fs_read_tmpfs_symlinks',`
|
||||
read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabelfrom socket files on tmpfs filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabelfrom_tmpfs_sockets',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 tmpfs_t:sock_file relabelfrom_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabelfrom tmpfs link files.
|
||||
|
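Review bot: The summary of `fs_relabelfrom_tmpfs_sockets` does not say that the grant covers every `sock_file` labelled `tmpfs_t`, not only the udev control socket the commit message is about. Type enforcement cannot scope the rule by path, so what a caller can actually do with it is bounded by the `relabelto` rules it holds on destination types. I would add a description line to the interface documentation along the lines of `## The caller also needs relabelto permission on the destination type.` so that later callers can judge the reach of the interface from its header.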
@ -301,6 +301,7 @@ ifdef(`init_systemd',`
|
||||
# for privatetmp functions
|
||||
fs_relabel_tmpfs_dirs(init_t)
|
||||
fs_relabel_tmpfs_files(init_t)
|
||||
fs_relabelfrom_tmpfs_sockets(init_t)
|
||||
# mount-setup
|
||||
fs_unmount_autofs(init_t)
|
||||
fs_getattr_pstore_dirs(init_t)
|
||||
@ -322,6 +323,9 @@ ifdef(`init_systemd',`
|
||||
|
||||
systemd_manage_passwd_runtime_symlinks(init_t)
|
||||
systemd_use_passwd_agent(init_t)
|
||||
systemd_list_tmpfiles_conf(init_t)
|
||||
systemd_relabelto_tmpfiles_conf_dirs(init_t)
|
||||
systemd_relabelto_tmpfiles_conf_files(init_t)
|
||||
|
||||
term_create_devpts(init_t)
|
||||
|
||||
@ -331,6 +335,8 @@ ifdef(`init_systemd',`
|
||||
# for systemd to read udev status
|
||||
udev_read_pid_files(init_t)
|
||||
|
||||
udev_relabelto_db_sockets(init_t)
|
||||
|
||||
optional_policy(`
|
||||
clock_read_adjtime(init_t)
|
||||
')
|
||||
|
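Review bot: `fs_relabelfrom_tmpfs_sockets(init_t)` sits directly under the existing `# for privatetmp functions` comment in the first hunk of this section, so someone auditing init_t's relabel permissions would attribute it to PrivateTmp rather than to the post-policy-load relabel of /dev and /run. Suggest giving it its own comment, e.g. `# relabel sockets in /dev and /run after policy load`. The same applies to `udev_relabelto_db_sockets(init_t)` in the last hunk, which follows `# for systemd to read udev status` with only a blank line in between and no comment of its own. The enclosing init_systemd ifdef block starts and ends outside these hunks.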
@ -463,6 +463,60 @@ interface(`systemd_tmpfiles_conf_filetrans',`
|
||||
filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to list systemd tmpfiles config directory
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_list_tmpfiles_conf',`
|
||||
gen_require(`
|
||||
type systemd_tmpfiles_conf_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to relabel to systemd tmpfiles config directory
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
|
||||
gen_require(`
|
||||
type systemd_tmpfiles_conf_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to relabel to systemd tmpfiles config files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_relabelto_tmpfiles_conf_files',`
|
||||
gen_require(`
|
||||
attribute systemd_tmpfiles_conf_type;
|
||||
')
|
||||
|
||||
allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow systemd_tmpfiles_t to manage filesystem objects
|
||||
|
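Review bot: `systemd_relabelto_tmpfiles_conf_files` grants `relabelto_file_perms` on the attribute `systemd_tmpfiles_conf_type`, while `systemd_list_tmpfiles_conf` and `systemd_relabelto_tmpfiles_conf_dirs` just above it use the single type `systemd_tmpfiles_conf_t`, and the summary does not mention the wider scope. If the attribute is intended (presumably so that files carrying derived types can be labelled), the summary should say so, e.g. `## Allow domain to relabel to any systemd tmpfiles config file type`. Otherwise the interface should require the type and read `allow $1 systemd_tmpfiles_conf_t:file relabelto_file_perms;` like its sibling.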
@ -261,6 +261,24 @@ interface(`udev_relabelto_db',`
|
||||
allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow process to relabelto sockets in /run/udev
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_relabelto_db_sockets',`
|
||||
gen_require(`
|
||||
type udev_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 udev_var_run_t:sock_file relabelto_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search through udev pid content
|
||||
|
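Review bot: The name `udev_relabelto_db_sockets` points at the udev database, but the object this commit is about is the control socket /run/udev/control, and the interface's own summary says "sockets in /run/udev". The rule itself applies to any `sock_file` labelled `udev_var_run_t`. The name appears to mirror `udev_relabelto_db` above; if it stays, a summary such as `## Relabel to udev runtime socket files (for example the udev control socket).` would make it clear to a reviewer which objects a caller may label as udev's.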