commit
8409f39cdb
38
.travis.yml
38
.travis.yml
@ -5,24 +5,24 @@ python:
|
||||
- "2.7"
|
||||
|
||||
env:
|
||||
- TYPE=standard DISTRO=redhat MONOLITHIC=y
|
||||
- TYPE=standard DISTRO=redhat MONOLITHIC=n
|
||||
- TYPE=standard DISTRO=debian MONOLITHIC=y
|
||||
- TYPE=standard DISTRO=debian MONOLITHIC=n
|
||||
- TYPE=standard DISTRO=gentoo MONOLITHIC=y
|
||||
- TYPE=standard DISTRO=gentoo MONOLITHIC=n
|
||||
- TYPE=mcs DISTRO=redhat MONOLITHIC=y
|
||||
- TYPE=mcs DISTRO=redhat MONOLITHIC=n
|
||||
- TYPE=mcs DISTRO=debian MONOLITHIC=y
|
||||
- TYPE=mcs DISTRO=debian MONOLITHIC=n
|
||||
- TYPE=mcs DISTRO=gentoo MONOLITHIC=y
|
||||
- TYPE=mcs DISTRO=gentoo MONOLITHIC=n
|
||||
- TYPE=mls DISTRO=redhat MONOLITHIC=y
|
||||
- TYPE=mls DISTRO=redhat MONOLITHIC=n
|
||||
- TYPE=mls DISTRO=debian MONOLITHIC=y
|
||||
- TYPE=mls DISTRO=debian MONOLITHIC=n
|
||||
- TYPE=mls DISTRO=gentoo MONOLITHIC=y
|
||||
- TYPE=mls DISTRO=gentoo MONOLITHIC=n
|
||||
- TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y
|
||||
- TYPE=standard DISTRO=redhat MONOLITHIC=n SYSTEMD=y
|
||||
- TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y
|
||||
- TYPE=standard DISTRO=debian MONOLITHIC=n SYSTEMD=y
|
||||
- TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n
|
||||
- TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n
|
||||
- TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y
|
||||
- TYPE=mcs DISTRO=redhat MONOLITHIC=n SYSTEMD=y
|
||||
- TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y
|
||||
- TYPE=mcs DISTRO=debian MONOLITHIC=n SYSTEMD=y
|
||||
- TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n
|
||||
- TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=n
|
||||
- TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y
|
||||
- TYPE=mls DISTRO=redhat MONOLITHIC=n SYSTEMD=y
|
||||
- TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y
|
||||
- TYPE=mls DISTRO=debian MONOLITHIC=n SYSTEMD=y
|
||||
- TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n
|
||||
- TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=n
|
||||
|
||||
before_install:
|
||||
- lsb_release -a
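Review bot: The rewritten env matrix replaces the eighteen previous rows rather than extending them, so SYSTEMD=n is no longer built for redhat or debian and SYSTEMD=y is never built for gentoo; every `ifdef(`init_systemd',` block this commit adds is therefore compiled for only one value of SYSTEMD per distro. build.conf defaults to `SYSTEMD = n`, which makes the shipped default for redhat/debian the untested configuration. Keeping the old rows and appending the SYSTEMD=y ones, or at least retaining one `- TYPE=standard DISTRO=redhat MONOLITHIC=n SYSTEMD=n` style row per distro, would cover both branches.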
|
||||
@ -50,7 +50,7 @@ before_install:
|
||||
- sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
|
||||
|
||||
# Drop build.conf settings to listen to env vars
|
||||
- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO)/d' build.conf
|
||||
- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
|
||||
|
||||
script:
|
||||
- echo $TYPE $DISTRO $MONOLITHIC
|
||||
|
5
Makefile
5
Makefile
@ -190,6 +190,10 @@ ifeq "$(DISTRO)" "ubuntu"
|
||||
M4PARAM += -D distro_debian
|
||||
endif
|
||||
|
||||
ifeq "$(SYSTEMD)" "y"
|
||||
M4PARAM += -D init_systemd
|
||||
endif
|
||||
|
||||
ifneq ($(OUTPUT_POLICY),)
|
||||
CHECKPOLICY += -c $(OUTPUT_POLICY)
|
||||
endif
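Review bot: The new `ifeq "$(SYSTEMD)" "y"` test silently accepts any other spelling (`Y`, `yes`, `true`) and builds a policy without the systemd rules, which is an easy way to ship the wrong policy without noticing. A guard placed before it, `ifneq "$(filter-out y n,$(SYSTEMD))" ""` / `$(error SYSTEMD must be y or n, not '$(SYSTEMD)')` / `endif`, fails the build instead; an empty value still passes the filter, so it does not depend on whether a default is set elsewhere in the Makefile. The same concern applies to the `SYSTEMD ?= $(SYSTEMD)` line written into the installed build.conf in the later hunk, which would propagate a bad value to module builds.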
|
||||
@ -522,6 +526,7 @@ ifneq "$(DISTRO)" ""
|
||||
endif
|
||||
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "SYSTEMD ?= $(SYSTEMD)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
|
||||
|
@ -44,6 +44,10 @@ UNK_PERMS = deny
|
||||
# not work in conditional policy.
|
||||
DIRECT_INITRC = n
|
||||
|
||||
# Systemd
|
||||
# Setting this will configure systemd as the init system.
|
||||
SYSTEMD = n
|
||||
|
||||
# Build monolithic policy. Putting y here
|
||||
# will build a monolithic policy.
|
||||
MONOLITHIC = n
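Review bot: The comment on the new `SYSTEMD` setting does not say which values are accepted, whereas the neighbouring MONOLITHIC entry spells out `Putting y here`. Since the Makefile only recognises the literal `y`, the comment should say so: `# Setting this to y will configure systemd as the init system.`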
|
||||
|
@ -393,6 +393,17 @@ class system
|
||||
syslog_mod
|
||||
syslog_console
|
||||
module_request
|
||||
|
||||
# these are overloaded userspace
|
||||
# permissions from systemd
|
||||
halt
|
||||
reboot
|
||||
status
|
||||
start
|
||||
stop
|
||||
enable
|
||||
disable
|
||||
reload
|
||||
}
|
||||
|
||||
#
|
||||
@ -910,3 +921,13 @@ inherits database
|
||||
implement
|
||||
execute
|
||||
}
|
||||
|
||||
class service
|
||||
{
|
||||
start
|
||||
stop
|
||||
status
|
||||
reload
|
||||
enable
|
||||
disable
|
||||
}
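Review bot: The new `class service` block carries no comment, while the permissions added to `class system` in the earlier hunk are marked `# these are overloaded userspace permissions from systemd` and security_classes tags the class `# userspace`. Because, per those markers, neither set of new permissions is enforced by the kernel, a reader of access_vectors should be told where the decision is made, e.g. `# userspace permissions checked by systemd` above `class service`. The ordering of the shared permissions also differs between the two classes (`status start stop enable disable reload` vs `start stop status reload enable disable`); aligning them is cosmetic but makes the two lists easier to compare.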
|
||||
|
@ -145,4 +145,6 @@ class db_view # userspace
|
||||
class db_sequence # userspace
|
||||
class db_language # userspace
|
||||
|
||||
class service # userspace
|
||||
|
||||
# FLASK
|
||||
|
@ -235,6 +235,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||
type device_t;
|
||||
')
|
||||
|
||||
relabelfrom_dirs_pattern($1, device_t, device_node)
|
||||
relabelfrom_files_pattern($1, device_t, device_node)
|
||||
relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
|
||||
relabelfrom_files_pattern($1, device_t, { device_t device_node })
|
||||
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
|
||||
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
||||
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
||||
relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
|
||||
relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
|
||||
relabel_blk_files_pattern($1, device_t, { device_t device_node })
|
||||
relabel_chr_files_pattern($1, device_t, { device_t device_node })
|
||||
')
|
||||
@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
|
||||
type device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:chr_file relabelfrom;
|
||||
allow $1 device_t:chr_file relabelfrom_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1941,6 +1941,30 @@ interface(`dev_filetrans_dri',`
|
||||
filetrans_pattern($1, device_t, dri_device_t, chr_file, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Automatic type transition to the type
|
||||
## for event device nodes when created in /dev.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
## <summary>
|
||||
## The name of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_filetrans_input_dev',`
|
||||
gen_require(`
|
||||
type device_t, event_device_t;
|
||||
')
|
||||
|
||||
filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the event devices.
|
||||
@ -2015,6 +2039,24 @@ interface(`dev_rw_input_dev',`
|
||||
rw_chr_files_pattern($1, device_t, event_device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete input event devices (/dev/input).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_manage_input_dev',`
|
||||
gen_require(`
|
||||
type device_t, event_device_t;
|
||||
')
|
||||
|
||||
manage_chr_files_pattern($1, device_t, event_device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the framebuffer device node.
|
||||
@ -4086,6 +4128,26 @@ interface(`dev_rw_sysfs',`
|
||||
list_dirs_pattern($1, sysfs_t, sysfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from/to all sysfs types.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_relabel_all_sysfs',`
|
||||
gen_require(`
|
||||
attribute sysfs_types;
|
||||
')
|
||||
|
||||
allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
|
||||
allow $1 sysfs_types:file relabel_file_perms;
|
||||
allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the TPM device.
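Review bot: `dev_relabel_all_sysfs` grants `list_dir_perms` on every `sysfs_types` directory in addition to the relabel permissions, but its summary says only `Relabel from/to all sysfs types.`, so callers pick up directory listing of /sys contents without the XML documentation saying so. Either extend the summary, `## Relabel from/to all sysfs types, and list their directories.`, or drop `list_dir_perms` and let callers request listing explicitly. Because the grant is on the attribute, any type later added to `sysfs_types` (devices.te adds `sysfs_t` and `cpu_online_t` in this commit) automatically becomes relabelable by every caller, which is worth a sentence in the summary as well.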
|
||||
|
@ -9,6 +9,7 @@ attribute device_node;
|
||||
attribute memory_raw_read;
|
||||
attribute memory_raw_write;
|
||||
attribute devices_unconfined_type;
|
||||
attribute sysfs_types;
|
||||
|
||||
#
|
||||
# device_t is the type of /dev.
|
||||
@ -62,7 +63,7 @@ dev_node(cpu_device_t)
|
||||
#
|
||||
# /sys/devices/system/cpu/online device
|
||||
#
|
||||
type cpu_online_t;
|
||||
type cpu_online_t, sysfs_types;
|
||||
files_type(cpu_online_t)
|
||||
dev_associate_sysfs(cpu_online_t)
|
||||
|
||||
@ -229,7 +230,7 @@ dev_node(sound_device_t)
|
||||
#
|
||||
# sysfs_t is the type for the /sys pseudofs
|
||||
#
|
||||
type sysfs_t;
|
||||
type sysfs_t, sysfs_types;
|
||||
files_mountpoint(sysfs_t)
|
||||
fs_xattr_type(sysfs_t)
|
||||
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
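Review bot: The new `attribute sysfs_types;` is declared without a comment describing what belongs in it, and only `sysfs_t` and `cpu_online_t` join it here even though the commit also touches other /sys-resident types (cgroup_t gets its own `fs_relabel_cgroup_dirs` in filesystem.if instead). A one-line comment such as `# types that live under /sys; dev_relabel_all_sysfs grants relabel on the whole set` would record the intended membership so later additions stay consistent. Whether cgroup_t or pstore_t are meant to be members cannot be determined from this diff; if not, the same comment should say so.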
|
||||
|
@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
|
||||
dontaudit domain self:udp_socket listen;
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
optional_policy(`
|
||||
shutdown_sigchld(domain)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`global_ssp',`
|
||||
# enable reading of urandom for all domains:
|
||||
# this should be enabled when all programs
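Review bot: The new `ifdef(`init_systemd',` block grants `shutdown_sigchld(domain)` to every domain in the policy without a comment explaining the need, while the neighbouring blocks in this file carry their rationale (`# enable reading of urandom for all domains: ...`). A why-comment recording which systemd behaviour makes every domain send SIGCHLD to shutdown_t would let a later reviewer judge whether the blanket grant on the `domain` attribute can be narrowed; the reason is not visible in this diff, so something like `# <reason every domain signals shutdown_t under systemd -- to be confirmed>` is the minimum.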
|
||||
|
@ -561,6 +561,24 @@ interface(`files_manage_non_security_dirs',`
|
||||
allow $1 non_security_file_type:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from/to non-security directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_non_security_dirs',`
|
||||
gen_require(`
|
||||
attribute non_security_file_type;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all files.
|
||||
@ -618,6 +636,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
|
||||
dontaudit $1 non_security_file_type:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete all non-security files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`files_manage_non_security_files',`
|
||||
gen_require(`
|
||||
attribute non_security_file_type;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, non_security_file_type, non_security_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from/to all non-security files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`files_relabel_non_security_files',`
|
||||
gen_require(`
|
||||
attribute non_security_file_type;
|
||||
')
|
||||
|
||||
relabel_files_pattern($1, non_security_file_type, non_security_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all files.
|
||||
@ -1944,6 +2000,24 @@ interface(`files_unmount_rootfs',`
|
||||
allow $1 root_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount on the root directory (/)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_mounton_root',`
|
||||
gen_require(`
|
||||
type root_t;
|
||||
')
|
||||
|
||||
allow $1 root_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get attributes of the /boot directory.
|
||||
@ -2816,6 +2890,24 @@ interface(`files_exec_etc_files',`
|
||||
exec_files_pattern($1, etc_t, etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get etc_t service status.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_get_etc_unit_status',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
allow $1 etc_t:service status;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Relabel from and to generic files in /etc.
|
||||
@ -4394,6 +4486,24 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
rw_sock_files_pattern($1, tmp_t, tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount filesystems in the tmp directory (/tmp)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_mounton_tmp',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of all tmp directories.
|
||||
@ -5674,6 +5784,25 @@ interface(`files_list_locks',`
|
||||
list_dirs_pattern($1, var_t, var_lock_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Add entries in the /var/lock directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_add_entry_lock_dirs',`
|
||||
gen_require(`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
|
||||
add_entry_dirs_pattern($1, var_t, var_lock_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Add and remove entries in the /var/lock
|
||||
@ -5867,6 +5996,29 @@ interface(`files_manage_all_locks',`
|
||||
manage_lnk_files_pattern($1, lockfile, lockfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from/to all lock files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_all_locks',`
|
||||
gen_require(`
|
||||
attribute lockfile;
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
|
||||
allow $1 { var_t var_lock_t }:dir search_dir_perms;
|
||||
relabel_dirs_pattern($1, lockfile, lockfile)
|
||||
relabel_files_pattern($1, lockfile, lockfile)
|
||||
relabel_lnk_files_pattern($1, lockfile, lockfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create an object in the locks directory, with a private
|
||||
@ -6296,6 +6448,44 @@ interface(`files_manage_all_pids',`
|
||||
manage_lnk_files_pattern($1, pidfile, pidfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to/from all var_run (pid) directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_all_pid_dirs',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, pidfile, pidfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to/from all var_run (pid) files and directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_all_pids',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, pidfile, pidfile)
|
||||
relabel_files_pattern($1, pidfile, pidfile)
|
||||
relabel_lnk_files_pattern($1, pidfile, pidfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount filesystems on all polyinstantiation
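Review bot: Both new pid interfaces, `files_relabel_all_pid_dirs` and `files_relabel_all_pids`, carry the typo `## Domain alloed access.`; it should read `## Domain allowed access.` as in the other interfaces added by this commit. Separately, `<rolecap/>` is set on `files_manage_non_security_files` and `files_relabel_non_security_files` but not on `files_relabel_non_security_dirs` in the earlier hunk, although the three grant comparable power over every non-security file type; if the omission is deliberate a note in that summary would stop someone "fixing" it, otherwise the tag should be added. The summary of `files_get_etc_unit_status` (`Get etc_t service status.`) is hard to read; since systemd evaluates the `service` class against the unit file's label, `## Get the status of services whose unit files are labeled etc_t.` states what the `etc_t:service status` rule does.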
|
||||
|
@ -765,6 +765,24 @@ interface(`fs_manage_cgroup_dirs',`
|
||||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel cgroup directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabel_cgroup_dirs',`
|
||||
gen_require(`
|
||||
type cgroup_t;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read cgroup files.
|
||||
@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, cgroup_t, cgroup_t)
|
||||
read_lnk_files_pattern($1, cgroup_t, cgroup_t)
|
||||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
@ -3339,6 +3358,25 @@ interface(`fs_rw_nfsd_fs',`
|
||||
rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Getattr on pstore dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_getattr_pstore_dirs',`
|
||||
gen_require(`
|
||||
type pstore_t;
|
||||
')
|
||||
|
||||
getattr_files_pattern($1, pstore_t, pstore_t)
|
||||
dev_search_sysfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the type to associate to ramfs filesystems.
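Review bot: `fs_getattr_pstore_dirs` is documented as `Getattr on pstore dirs.` but its body calls `getattr_files_pattern($1, pstore_t, pstore_t)`, which grants getattr on files, not directories; for the name and summary to hold it should be `getattr_dirs_pattern($1, pstore_t, pstore_t)`, or the interface should be renamed if file getattr is what the caller actually needs. In the later tmpfs hunk, `fs_relabel_tmpfs_dirs` lacks the blank line between the `')` closing gen_require and `relabel_dirs_pattern(...)` that every other interface in this commit has; purely cosmetic.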
|
||||
@ -4093,6 +4131,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
|
||||
dontaudit $1 tmpfs_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel directory on tmpfs filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabel_tmpfs_dirs',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create an object in a tmpfs filesystem, with a private
|
||||
@ -4221,6 +4276,24 @@ interface(`fs_rw_tmpfs_files',`
|
||||
rw_files_pattern($1, tmpfs_t, tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel files on tmpfs filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabel_tmpfs_files',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
relabel_files_pattern($1, tmpfs_t, tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read tmpfs link files.
|
||||
|
@ -6,6 +6,27 @@
|
||||
## This module has initial SIDs.
|
||||
## </required>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows the kernel to start userland processes
|
||||
## by dynamic transitions to the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The process type entered by the kernel.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dyntrans_to',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
domain_dyntrans_type(kernel_t)
|
||||
allow kernel_t self:process setcurrent;
|
||||
allow kernel_t $1:process dyntransition;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows to start userland processes
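Review bot: `kernel_dyntrans_to` grants kernel_t `setcurrent` and `dyntransition` into `$1`; a dynamic transition, unlike `domtrans_pattern`, checks no entrypoint executable, so the summary should warn callers that they are letting the kernel domain become `$1` without any binary being involved, e.g. `## No entrypoint is checked for a dynamic transition; intended only for the domain the kernel itself enters.` Also, `allow kernel_t self:process setcurrent;` is re-emitted for every caller, which the compiler tolerates but which hints it belongs in kernel.te under `ifdef(`init_systemd',` rather than in the interface. Minor: `kernel_rw_stream_sockets` uses `rw_socket_perms` while the parallel `init_rw_stream_sockets` added in init.if uses `rw_stream_socket_perms`; the two read/write-stream-socket interfaces should agree on the permission set.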
|
||||
@ -252,6 +273,25 @@ interface(`kernel_rw_pipes',`
|
||||
allow $1 kernel_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read/write to kernel using a unix
|
||||
## domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_stream_sockets',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to kernel using a unix
|
||||
@ -273,7 +313,25 @@ interface(`kernel_stream_connect',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write kernel unix datagram sockets.
|
||||
## Getattr on kernel unix datagram sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_getattr_dgram_sockets',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:unix_dgram_socket getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write kernel unix datagram sockets. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
|
||||
fs_rw_tmpfs_chr_files(kernel_t)
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
optional_policy(`
|
||||
dev_manage_input_dev(kernel_t)
|
||||
dev_filetrans_input_dev(kernel_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
selinux_compute_create_context(kernel_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
storage_dev_filetrans_fixed_disk(kernel_t)
|
||||
storage_setattr_fixed_disk_dev(kernel_t)
|
||||
storage_create_fixed_disk_dev(kernel_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# loop devices
|
||||
fstools_use_fds(kernel_t)
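Review bot: The new `ifdef(`init_systemd',` block gives kernel_t manage and filetrans on event devices, `selinux_compute_create_context`, and create/setattr/filetrans on fixed disk devices without any comment on why the kernel domain needs them, whereas the neighbouring `optional_policy` block at least says `# loop devices`. A why-comment per sub-block (for instance `# <why kernel_t creates /dev/input nodes under systemd -- to be confirmed>`) would let a later reviewer decide whether the grants can move to the domain that actually does the work. The `dev_*` and `selinux_*` calls are wrapped in `optional_policy`, which only matters if those modules can be absent; if `devices` and `selinux` are base modules in this tree, the wrappers can go.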
|
||||
|
@ -517,6 +517,25 @@ interface(`term_dontaudit_manage_pty_dirs',`
|
||||
dontaudit $1 devpts_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from and to pty directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`term_relabel_pty_dirs',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devpts_t:dir relabel_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
|
@ -34,6 +34,15 @@ ubac_file_exempt(sysadm_t)
|
||||
ubac_fd_exempt(sysadm_t)
|
||||
|
||||
init_exec(sysadm_t)
|
||||
init_get_system_status(sysadm_t)
|
||||
init_disable(sysadm_t)
|
||||
init_enable(sysadm_t)
|
||||
init_reload(sysadm_t)
|
||||
init_reboot_system(sysadm_t)
|
||||
init_shutdown_system(sysadm_t)
|
||||
init_start_generic_units(sysadm_t)
|
||||
init_stop_generic_units(sysadm_t)
|
||||
init_reload_generic_units(sysadm_t)
|
||||
|
||||
# Add/remove user home directories
|
||||
userdom_manage_user_home_dirs(sysadm_t)
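Review bot: The nine new `init_*` calls for sysadm_t are added unconditionally, whereas every other systemd-specific rule in this commit (ssh.te, kernel.te, domain.te, and the bodies of `init_abstract_socket_activation` and `init_named_socket_activation`) sits under `ifdef(`init_systemd',`. Judging by `init_get_system_status` in init.if, which is a bare `allow $1 init_t:system status;`, these permissions will be emitted in SYSTEMD=n builds too; harmless if the `system`/`service` permissions are only checked by systemd, but inconsistent. Either wrap the block in `ifdef(`init_systemd',` or add a comment stating that the grants are intentionally unconditional.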
|
||||
|
@ -569,7 +569,7 @@ interface(`postgresql_admin',`
|
||||
type postgresql_t, postgresql_var_run_t;
|
||||
type postgresql_tmp_t, postgresql_db_t;
|
||||
type postgresql_etc_t, postgresql_log_t;
|
||||
type postgresql_initrc_exec_t;
|
||||
type postgresql_initrc_exec_t, postgresql_unit_t;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_admin_type;
|
||||
@ -577,7 +577,7 @@ interface(`postgresql_admin',`
|
||||
allow $1 postgresql_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postgresql_t)
|
||||
|
||||
init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
|
||||
init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
|
||||
|
||||
admin_pattern($1, postgresql_var_run_t)
|
||||
|
||||
|
@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
|
||||
type postgresql_tmp_t;
|
||||
files_tmp_file(postgresql_tmp_t)
|
||||
|
||||
type postgresql_unit_t;
|
||||
init_unit_file(postgresql_unit_t)
|
||||
|
||||
type postgresql_var_run_t;
|
||||
files_pid_file(postgresql_var_run_t)
|
||||
init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
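Review bot: `postgresql_unit_t` is declared here and passed to `init_startstop_service` in postgresql.if, but no file context assigning it appears in this diff, and init.fc labels everything under `/usr/lib/systemd/system(/.*)?` as `systemd_unit_t`. Unless a postgresql.fc change exists outside the shown hunks, the unit file will never carry the new type and the grants keyed on it are dead; an entry of the form `/usr/lib/systemd/system/postgresql.*\.service -- gen_context(system_u:object_r:postgresql_unit_t,s0)` (exact path to be confirmed against the packaged unit) is needed.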
|
||||
|
@ -266,6 +266,11 @@ ifdef(`distro_debian',`
|
||||
allow sshd_t self:process { getcap setcap };
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
systemd_dbus_chat_logind(sshd_t)
|
||||
init_rw_stream_sockets(sshd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
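Review bot: `systemd_dbus_chat_logind(sshd_t)` in the new `ifdef(`init_systemd',` block is called without an `optional_policy` wrapper, unlike the cross-module calls elsewhere in this commit (kernel.te wraps its `storage_*` and `selinux_*` calls); if `systemd_dbus_chat_logind` lives in a loadable `systemd` module rather than in base, the ssh module fails to link whenever that module is absent. Wrapping it as `optional_policy(` ... `)` costs nothing if it is in base. Neither new line carries a why-comment; a short note on what sshd needs from logind and from init's stream socket would help, but the reasons are not visible in this diff.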
|
||||
|
@ -766,6 +766,25 @@ interface(`auth_rw_faillog',`
|
||||
allow $1 faillog_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage the login failure logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_manage_faillog',`
|
||||
gen_require(`
|
||||
type faillog_t;
|
||||
')
|
||||
|
||||
allow $1 faillog_t:file manage_file_perms;
|
||||
logging_rw_generic_log_dirs($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the last logins log.
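Review bot: `auth_manage_faillog` grants `manage_file_perms` on faillog_t, which unlike `auth_rw_faillog` just above includes create and unlink; a domain that can remove or recreate the login failure log can presumably reset the failure counts it records, so the summary should say so rather than read like a larger rw variant, e.g. `## Manage (create, delete, rewrite) the login failure logs.` The interface also calls `logging_rw_generic_log_dirs($1)`, which by its name opens the generic log directory type for writing; that is the usual way to permit creation under /var/log, but it is wider than faillog_t itself and worth a one-line comment.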
|
||||
|
@ -45,6 +45,10 @@ ifdef(`distro_gentoo', `
|
||||
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
|
||||
|
||||
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
|
@ -42,6 +42,26 @@ interface(`init_script_file',`
|
||||
domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type usable for
|
||||
## systemd unit files.
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type to be used for systemd unit files.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_unit_file',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
typeattribute $1 systemdunit;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain used for init scripts.
|
||||
@ -108,6 +128,10 @@ interface(`init_domain',`
|
||||
role system_r types $1;
|
||||
|
||||
domtrans_pattern(init_t, $2, $1)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -212,6 +236,12 @@ interface(`init_daemon_domain',`
|
||||
userdom_dontaudit_use_user_terminals($1)
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_domain($1, $2)
|
||||
# this may be because of late labelling
|
||||
kernel_dgram_send($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_use($1)
|
||||
')
|
||||
@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
init_daemon_domain($1, $2)
|
||||
ifdef(`init_systemd',`
|
||||
init_ranged_domain($1, $2, $3)
|
||||
',`
|
||||
init_daemon_domain($1, $2)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
mls_rangetrans_target($1)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
mls_rangetrans_target($1)
|
||||
#########################################
|
||||
## <summary>
|
||||
## Abstract socket service activation (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The domain to be started by systemd socket activation.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_abstract_socket_activation',`
|
||||
ifdef(`init_systemd',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow init_t $1:unix_stream_socket create_stream_socket_perms;
|
||||
')
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Named socket service activation (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The domain to be started by systemd socket activation.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="sock_file">
|
||||
## <summary>
|
||||
## The domain socket file type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_named_socket_activation',`
|
||||
ifdef(`init_systemd',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow init_t $1:unix_dgram_socket create_socket_perms;
|
||||
allow init_t $1:unix_stream_socket create_stream_socket_perms;
|
||||
allow init_t $2:dir manage_dir_perms;
|
||||
allow init_t $2:fifo_file manage_fifo_file_perms;
|
||||
allow init_t $2:sock_file manage_sock_file_perms;
|
||||
')
|
||||
')
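Review bot: In the `init_systemd` branch of `init_ranged_daemon_domain` the call to `init_daemon_domain($1, $2)` is dropped and only `init_ranged_domain($1, $2, $3)` remains, so a ranged daemon built with SYSTEMD=y no longer receives the initrc_t transition and the other grants init_daemon_domain makes, while an unranged daemon (via the init_daemon_domain hunk above) keeps them and additionally gets `init_domain`. `init_ranged_domain` is not defined anywhere in this diff, so I cannot tell whether it covers that; if it only adds a range transition from init_t, the systemd branch should read `init_daemon_domain($1, $2)` followed by `init_ranged_domain($1, $2, $3)`. The same structure recurs in `init_ranged_system_domain` further down, where the else branch is the only one calling `init_system_domain`. Separately, the comment `# this may be because of late labelling` above `kernel_dgram_send($1)` in init_daemon_domain records a guess rather than a reason; either name the denial it fixes or drop the comment.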
|
||||
|
||||
@ -324,6 +407,10 @@ interface(`init_system_domain',`
|
||||
role system_r types $1;
|
||||
|
||||
domtrans_pattern(initrc_t, $2, $1)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_domain($1, $2)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
init_system_domain($1, $2)
|
||||
ifdef(`init_systemd',`
|
||||
init_ranged_domain($1, $2, $3)
|
||||
',`
|
||||
init_system_domain($1, $2)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
')
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
mls_rangetrans_target($1)
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
mls_rangetrans_target($1)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
@ -579,10 +670,11 @@ interface(`init_sigchld',`
|
||||
#
|
||||
interface(`init_stream_connect',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
type init_t, init_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -662,6 +754,45 @@ interface(`init_dontaudit_use_fds',`
|
||||
dontaudit $1 init_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send messages to init unix datagram sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`init_dgram_send',`
|
||||
gen_require(`
|
||||
type init_t, init_var_run_t;
|
||||
')
|
||||
|
||||
dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read/write to
|
||||
## init with unix domain stream sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_rw_stream_sockets',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to init. (Deprecated)
|
||||
@ -676,6 +807,276 @@ interface(`init_udp_send',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get all service status (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_get_system_status',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:system status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Enable all systemd services (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_enable',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:system enable;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Disable all services (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_disable',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:system disable;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Reload all services (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_reload',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:system reload;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Reboot the system (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_reboot_system',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:system reboot;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Shutdown (halt) the system (systemd).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_shutdown_system',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
')
|
||||
|
||||
allow $1 init_t:system halt;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified domain to get init status
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to allow access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_service_status',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
class service status;
|
||||
')
|
||||
|
||||
allow $1 init_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified domain to get init start
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to allow access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_service_start',`
|
||||
gen_require(`
|
||||
type init_t;
|
||||
class service start;
|
||||
')
|
||||
|
||||
allow $1 init_t:service start;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## systemd over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_dbus_chat',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 init_t:dbus send_msg;
|
||||
allow init_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage files in /var/lib/systemd/.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="file_type">
|
||||
## <summary>
|
||||
## The type of the object to be created
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
## <summary>
|
||||
## The name of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_manage_var_lib_files',`
|
||||
gen_require(`
|
||||
type init_var_lib_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create files in /var/lib/systemd
|
||||
## with an automatic type transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## The type of object to be created
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
## <summary>
|
||||
## The name of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_var_lib_filetrans',`
|
||||
gen_require(`
|
||||
type init_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create files in an init PID directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="file_type">
|
||||
## <summary>
|
||||
## The type of the object to be created
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
## <summary>
|
||||
## The name of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_pid_filetrans',`
|
||||
gen_require(`
|
||||
type init_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
filetrans_pattern($1, init_var_run_t, $2, $3, $4)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of initctl.
|
||||
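Review bot: init_dbus_chat requires `type initrc_t;` but both of its allow rules reference init_t, so the required type is never used and init_t is used without being declared; the require should read `type init_t;`. In the same hunk, the XML header of init_manage_var_lib_files documents file_type, object_class and name parameters although the body only uses $1 (manage_files_pattern and files_search_var_lib), so those three `<param>` blocks look copied from a filetrans interface and should be dropped. The summaries of init_service_status and init_service_start ("get init status", "get init start") are also unclear; `## Get the status of init services.` and `## Start init services.` would read better.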
@ -986,6 +1387,11 @@ interface(`init_all_labeled_script_domtrans',`
|
||||
## Labeled init script file.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="unit" optional="true">
|
||||
## <summary>
|
||||
## Systemd unit file type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_startstop_service',`
|
||||
gen_require(`
|
||||
@ -1003,6 +1409,18 @@ interface(`init_startstop_service',`
|
||||
role_transition $2 $4 system_r;
|
||||
allow $2 system_r;
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
# This ifelse condition is temporary, until
|
||||
# all callers are updated to provide unit files.
|
||||
ifelse(`$5',`',`',`
|
||||
gen_require(`
|
||||
class service { start stop };
|
||||
')
|
||||
|
||||
allow $1 $5:service { start stop };
|
||||
')
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
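Review bot: The `ifelse(`$5',`',`',`…')` guard means a caller that omits the unit type silently gets no service start/stop permission under systemd, and nothing in the build output shows which callers still need updating. Since the comment above it already says the condition is temporary, the empty branch could emit `refpolicywarn(`$0($*) called without a unit file type.')` so the remaining callers are visible at build time, the way init_udp_send flags its deprecation. The enclosing interface starts before this hunk, so the requires for $1–$4 are not visible here.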
@ -1909,3 +2327,180 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
')
|
||||
corenet_udp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Search systemd unit dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_search_units',`
|
||||
gen_require(`
|
||||
type init_var_run_t, systemd_unit_t;
|
||||
')
|
||||
|
||||
search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
|
||||
|
||||
# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
|
||||
files_search_etc($1)
|
||||
files_search_usr($1)
|
||||
libs_search_lib($1)
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get status of generic systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_get_generic_units_status',`
|
||||
gen_require(`
|
||||
type systemd_unit_t;
|
||||
class service status;
|
||||
')
|
||||
|
||||
allow $1 systemd_unit_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Start generic systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_start_generic_units',`
|
||||
gen_require(`
|
||||
type systemd_unit_t;
|
||||
class service start;
|
||||
')
|
||||
|
||||
allow $1 systemd_unit_t:service start;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Stop generic systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_stop_generic_units',`
|
||||
gen_require(`
|
||||
type systemd_unit_t;
|
||||
class service stop;
|
||||
')
|
||||
|
||||
allow $1 systemd_unit_t:service stop;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Reload generic systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_reload_generic_units',`
|
||||
gen_require(`
|
||||
type systemd_unit_t;
|
||||
class service reload;
|
||||
')
|
||||
|
||||
allow $1 systemd_unit_t:service reload;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get status of all systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_get_all_units_status',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
class service status;
|
||||
')
|
||||
|
||||
allow $1 systemdunit:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Start all systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_start_all_units',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
class service start;
|
||||
')
|
||||
|
||||
allow $1 systemdunit:service start;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Stop all systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_stop_all_units',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
class service stop;
|
||||
')
|
||||
|
||||
allow $1 systemdunit:service stop;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Reload all systemd units.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_reload_all_units',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
class service reload;
|
||||
')
|
||||
|
||||
allow $1 systemdunit:service reload;
|
||||
')
|
||||
|
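Review bot: The `<param name="domain">` summaries of init_stop_generic_units and init_stop_all_units say `## Domain to not audit.`, which is the dontaudit wording; both interfaces grant `service stop`, so the text should be `## Domain allowed access.` as in the sibling start/reload interfaces. The section separators before init_search_units, init_reload_generic_units and init_reload_all_units are also one or two characters shorter than the surrounding `########################################` lines. The comment in init_search_units lists the three unit locations that the files_search_etc/files_search_usr/libs_search_lib/fs_search_tmpfs calls cover, which is the kind of why-comment the rest of the hunk could use.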
@ -19,6 +19,7 @@ gen_tunable(init_upstart, false)
|
||||
attribute init_script_domain_type;
|
||||
attribute init_script_file_type;
|
||||
attribute init_run_all_scripts_domain;
|
||||
attribute systemdunit;
|
||||
|
||||
# Mark process types as daemons
|
||||
attribute daemon;
|
||||
@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
|
||||
type initrc_exec_t, init_script_file_type;
|
||||
domain_type(initrc_t)
|
||||
domain_entry_file(initrc_t, initrc_exec_t)
|
||||
init_named_socket_activation(initrc_t, init_var_run_t)
|
||||
role system_r types initrc_t;
|
||||
# should be part of the true block
|
||||
# of the below init_upstart tunable
|
||||
@ -74,6 +76,9 @@ type initrc_devpts_t;
|
||||
term_pty(initrc_devpts_t)
|
||||
files_type(initrc_devpts_t)
|
||||
|
||||
type initrc_lock_t;
|
||||
files_lock_file(initrc_lock_t)
|
||||
|
||||
type initrc_state_t;
|
||||
files_type(initrc_state_t)
|
||||
|
||||
@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t)
|
||||
type initrc_var_run_t;
|
||||
files_pid_file(initrc_var_run_t)
|
||||
|
||||
type systemd_unit_t;
|
||||
init_unit_file(systemd_unit_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
type rc_exec_t;
|
||||
domain_entry_file(initrc_t, rc_exec_t)
|
||||
@ -182,6 +190,117 @@ seutil_read_config(init_t)
|
||||
|
||||
miscfiles_read_localization(init_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
# handle instances where an old labeled init script is encountered.
|
||||
typeattribute init_t init_run_all_scripts_domain;
|
||||
|
||||
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
|
||||
allow init_t self:capability2 block_suspend;
|
||||
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow init_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow init_t self:netlink_selinux_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
|
||||
manage_files_pattern(init_t, systemd_unit_t, systemdunit)
|
||||
|
||||
manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
|
||||
manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
|
||||
allow init_t systemd_unit_t:dir relabel_dir_perms;
|
||||
|
||||
kernel_dyntrans_to(init_t)
|
||||
kernel_read_network_state(init_t)
|
||||
kernel_read_kernel_sysctls(init_t)
|
||||
kernel_read_vm_sysctls(init_t)
|
||||
kernel_dgram_send(init_t)
|
||||
kernel_stream_connect(init_t)
|
||||
kernel_getattr_proc(init_t)
|
||||
kernel_read_fs_sysctls(init_t)
|
||||
|
||||
dev_rw_autofs(init_t)
|
||||
dev_create_generic_dirs(init_t)
|
||||
dev_manage_input_dev(init_t)
|
||||
dev_relabel_all_dev_nodes(init_t)
|
||||
dev_relabel_all_sysfs(init_t)
|
||||
dev_read_urand(init_t)
|
||||
dev_write_kmsg(init_t)
|
||||
|
||||
domain_read_all_domains_state(init_t)
|
||||
|
||||
files_read_all_pids(init_t)
|
||||
files_list_usr(init_t)
|
||||
files_list_var(init_t)
|
||||
files_list_var_lib(init_t)
|
||||
files_relabel_all_lock_dirs(init_t)
|
||||
files_mounton_root(init_t)
|
||||
files_search_pids(init_t)
|
||||
files_relabel_all_pids(init_t)
|
||||
files_read_all_locks(init_t)
|
||||
files_search_kernel_modules(init_t)
|
||||
# for privatetmp functions
|
||||
files_manage_generic_tmp_dirs(init_t)
|
||||
files_mounton_tmp(init_t)
|
||||
|
||||
fs_manage_cgroup_dirs(init_t)
|
||||
fs_relabel_cgroup_dirs(init_t)
|
||||
fs_rw_cgroup_files(init_t)
|
||||
fs_list_auto_mountpoints(init_t)
|
||||
fs_mount_autofs(init_t)
|
||||
fs_manage_hugetlbfs_dirs(init_t)
|
||||
fs_getattr_tmpfs(init_t)
|
||||
fs_read_tmpfs_files(init_t)
|
||||
fs_read_cgroup_files(init_t)
|
||||
fs_dontaudit_getattr_xattr_fs(init_t)
|
||||
# for privatetmp functions
|
||||
fs_relabel_tmpfs_dirs(init_t)
|
||||
fs_relabel_tmpfs_files(init_t)
|
||||
# mount-setup
|
||||
fs_unmount_autofs(init_t)
|
||||
fs_getattr_pstore_dirs(init_t)
|
||||
|
||||
# systemd_socket_activated policy
|
||||
mls_socket_write_all_levels(init_t)
|
||||
|
||||
selinux_compute_create_context(init_t)
|
||||
selinux_compute_access_vector(init_t)
|
||||
|
||||
term_relabel_pty_dirs(init_t)
|
||||
|
||||
clock_read_adjtime(init_t)
|
||||
|
||||
logging_manage_pid_sockets(init_t)
|
||||
logging_send_audit_msgs(init_t)
|
||||
logging_relabelto_devlog_sock_files(init_t)
|
||||
|
||||
seutil_read_file_contexts(init_t)
|
||||
|
||||
systemd_relabelto_kmod_files(init_t)
|
||||
systemd_dbus_chat_logind(init_t)
|
||||
|
||||
# udevd is a "systemd kobject uevent socket activated daemon"
|
||||
udev_create_kobject_uevent_sockets(init_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(init_t)
|
||||
dbus_connect_system_bus(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_domtrans_insmod(init_t)
|
||||
')
|
||||
',`
|
||||
tunable_policy(`init_upstart',`
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
',`
|
||||
# Run the shell in the sysadm role for single-user mode.
|
||||
# causes problems with upstart
|
||||
sysadm_shell_domtrans(init_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
|
||||
|
||||
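Review bot: `manage_files_pattern(init_t, systemd_unit_t, systemdunit)` gives init_t create/write/unlink on unit files of every type carrying the systemdunit attribute, while the dir and lnk_file rules around it are scoped to systemd_unit_t only; if the intent is that init only reads service-specific units and manages the generic ones, the third argument should be systemd_unit_t with a separate read rule on systemdunit. The block also grants wide relabel rights (dev_relabel_all_dev_nodes, dev_relabel_all_sysfs, files_relabel_all_pids, files_relabel_all_lock_dirs) with no why-comment, unlike the `# for privatetmp functions` and `# mount-setup` lines; a short comment per group naming the boot step that needs it would make later audits easier. Whether each of these is required by a specific systemd feature is not visible from this diff, so confirm before narrowing.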
@ -201,14 +320,6 @@ ifdef(`distro_redhat',`
|
||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
||||
')
|
||||
|
||||
tunable_policy(`init_upstart',`
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
',`
|
||||
# Run the shell in the sysadm role for single-user mode.
|
||||
# causes problems with upstart
|
||||
sysadm_shell_domtrans(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
auth_rw_login_records(init_t)
|
||||
')
|
||||
@ -609,6 +720,60 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
|
||||
files_lock_filetrans(initrc_t, initrc_lock_t, file)
|
||||
|
||||
manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
||||
manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
||||
manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
|
||||
|
||||
create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
|
||||
|
||||
manage_files_pattern(initrc_t, systemdunit, systemdunit)
|
||||
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
|
||||
|
||||
kernel_dgram_send(initrc_t)
|
||||
|
||||
# run systemd misc initializations
|
||||
# in the initrc_t domain, as would be
|
||||
# done in traditional sysvinit/upstart.
|
||||
corecmd_bin_entry_type(initrc_t)
|
||||
corecmd_shell_entry_type(initrc_t)
|
||||
corecmd_bin_domtrans(init_t, initrc_t)
|
||||
corecmd_shell_domtrans(init_t, initrc_t)
|
||||
|
||||
files_read_boot_files(initrc_t)
|
||||
# Allow initrc_t to check /etc/fstab "service." It appears that
|
||||
# systemd is conflating files and services.
|
||||
files_get_etc_unit_status(initrc_t)
|
||||
files_setattr_pid_dirs(initrc_t)
|
||||
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
|
||||
init_stream_connect(initrc_t)
|
||||
init_manage_var_lib_files(initrc_t)
|
||||
init_rw_stream_sockets(initrc_t)
|
||||
init_get_all_units_status(initrc_t)
|
||||
init_stop_all_units(initrc_t)
|
||||
|
||||
# Create /etc/audit.rules.prev after firstboot remediation
|
||||
logging_manage_audit_config(initrc_t)
|
||||
|
||||
# lvm2-activation-generator checks file labels
|
||||
seutil_read_file_contexts(initrc_t)
|
||||
|
||||
systemd_start_power_units(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
# create /var/lock/lvm/
|
||||
lvm_create_lock_dirs(initrc_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
|
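Review bot: `selinux_set_enforce_mode(initrc_t)` lets the generic init-script domain switch the system between enforcing and permissive mode, the most powerful permission in this block, and it has no comment saying which unit or script needs it, unlike the `/etc/fstab` and lvm2-activation-generator lines next to it. If one generator or early-boot script needs it, a comment naming it (or a dedicated domain for that script) would keep initrc_t from carrying the permission for every ExecStart that falls back to it via the corecmd_bin_domtrans/corecmd_shell_domtrans rules above. `manage_files_pattern(initrc_t, systemdunit, systemdunit)` and `init_stop_all_units(initrc_t)` are similarly broad and also deserve a why-comment. The `ifdef(`init_systemd',` block closes within this hunk, but the rest of the initrc_t policy is not visible here.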
@ -393,12 +393,13 @@ interface(`ipsec_admin',`
|
||||
type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
|
||||
type ipsec_var_run_t, ipsec_mgmt_lock_t;
|
||||
type ipsec_mgmt_var_run_t, racoon_tmp_t;
|
||||
type ipsec_unit_t;
|
||||
')
|
||||
|
||||
allow $1 ipsec_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ipsec_t)
|
||||
|
||||
init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
|
||||
init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
|
||||
|
||||
ipsec_exec_mgmt($1)
|
||||
ipsec_stream_connect($1)
|
||||
|
@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
|
||||
type ipsec_tmp_t;
|
||||
files_tmp_file(ipsec_tmp_t)
|
||||
|
||||
type ipsec_unit_t;
|
||||
init_unit_file(ipsec_unit_t)
|
||||
|
||||
# type for runtime files, including pluto.ctl
|
||||
type ipsec_var_run_t;
|
||||
files_pid_file(ipsec_var_run_t)
|
||||
|
@ -14,6 +14,11 @@
|
||||
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
|
||||
/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
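Review bot: The four new unit patterns are rooted at /usr/lib/systemd/system only; on a distro where units live in /lib/systemd/system without a merged /usr, those files would keep the default lib label, so confirm that a `file_contexts.subs_dist` entry maps /lib to /usr/lib or add a second set of patterns. The same applies to the new unit patterns in logging.fc and lvm.fc further down. Admin overrides under /etc/systemd/system are not covered either, which is consistent across the modules in this commit but worth a note in the commit description.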
@ -185,13 +185,13 @@ interface(`iptables_manage_config',`
|
||||
interface(`iptables_admin',`
|
||||
gen_require(`
|
||||
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
|
||||
type iptables_tmp_t, iptables_var_run_t;
|
||||
type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
|
||||
')
|
||||
|
||||
allow $1 iptables_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, iptables_t)
|
||||
|
||||
init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
|
||||
init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, iptables_conf_t)
|
||||
|
@ -22,6 +22,9 @@ files_config_file(iptables_conf_t)
|
||||
type iptables_tmp_t;
|
||||
files_tmp_file(iptables_tmp_t)
|
||||
|
||||
type iptables_unit_t;
|
||||
init_unit_file(iptables_unit_t)
|
||||
|
||||
type iptables_var_run_t;
|
||||
files_pid_file(iptables_var_run_t)
|
||||
|
||||
|
@ -22,6 +22,27 @@ interface(`locallogin_domtrans',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow calling domain to read locallogin state.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed permission.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`locallogin_read_state',`
|
||||
gen_require(`
|
||||
type local_login_t;
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 local_login_t:file read_file_perms;
|
||||
allow $1 local_login_t:lnk_file read_lnk_file_perms;
|
||||
allow $1 local_login_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow processes to inherit local login file descriptors.
|
||||
|
@ -135,6 +135,14 @@ userdom_use_unpriv_users_fds(local_login_t)
|
||||
userdom_sigchld_all_users(local_login_t)
|
||||
userdom_create_all_users_keys(local_login_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
auth_manage_faillog(local_login_t)
|
||||
|
||||
systemd_dbus_chat_logind(local_login_t)
|
||||
systemd_use_logind_fds(local_login_t)
|
||||
systemd_manage_logind_pid_pipes(local_login_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(local_login_t)
|
||||
|
@ -17,6 +17,8 @@
|
||||
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||
@ -72,6 +74,7 @@ ifdef(`distro_redhat',`
|
||||
/var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
/var/run/systemd/journal/socket -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
|
||||
|
@ -551,6 +551,25 @@ interface(`logging_send_syslog_msg',`
|
||||
term_dontaudit_read_console($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to relabelto devlog sock_files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_relabelto_devlog_sock_files',`
|
||||
gen_require(`
|
||||
type devlog_t;
|
||||
')
|
||||
|
||||
allow $1 devlog_t:sock_file relabelto_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the auditd configuration files.
|
||||
@ -610,6 +629,25 @@ interface(`logging_read_syslog_config',`
|
||||
allow $1 syslog_conf_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete syslog PID sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_manage_pid_sockets',`
|
||||
gen_require(`
|
||||
type syslogd_var_run_t;
|
||||
')
|
||||
|
||||
manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows the domain to open a file in the
|
||||
@ -986,7 +1024,7 @@ interface(`logging_admin_audit',`
|
||||
gen_require(`
|
||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||
type auditd_var_run_t;
|
||||
type auditd_initrc_exec_t;
|
||||
type auditd_initrc_exec_t, auditd_unit_t;
|
||||
')
|
||||
|
||||
allow $1 auditd_t:process { ptrace signal_perms };
|
||||
@ -1003,7 +1041,7 @@ interface(`logging_admin_audit',`
|
||||
|
||||
logging_run_auditctl($1, $2)
|
||||
|
||||
init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
|
||||
init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1029,7 +1067,7 @@ interface(`logging_admin_syslog',`
|
||||
type syslogd_tmp_t, syslogd_var_lib_t;
|
||||
type syslogd_var_run_t, klogd_var_run_t;
|
||||
type klogd_tmp_t, var_log_t;
|
||||
type syslogd_initrc_exec_t;
|
||||
type syslogd_initrc_exec_t, syslogd_unit_t;
|
||||
')
|
||||
|
||||
allow $1 syslogd_t:process { ptrace signal_perms };
|
||||
@ -1058,7 +1096,7 @@ interface(`logging_admin_syslog',`
|
||||
|
||||
logging_manage_all_logs($1)
|
||||
|
||||
init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
|
||||
init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t)
|
||||
type auditd_initrc_exec_t;
|
||||
init_script_file(auditd_initrc_exec_t)
|
||||
|
||||
type auditd_unit_t;
|
||||
init_unit_file(auditd_unit_t);
|
||||
|
||||
type auditd_var_run_t;
|
||||
files_pid_file(auditd_var_run_t)
|
||||
|
||||
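Review bot: `init_unit_file(auditd_unit_t);` carries a trailing semicolon that none of the other init_unit_file calls in this commit (syslogd_unit_t below, ipsec_unit_t, iptables_unit_t, systemd_unit_t) have; the call is an m4 macro, so the `;` survives expansion as a stray token after the expanded rules. Drop it: `init_unit_file(auditd_unit_t)`. Whether the policy compiler tolerates the stray `;` I cannot confirm from here, but the inconsistency alone is worth fixing.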
@ -64,6 +67,7 @@ files_config_file(syslog_conf_t)
|
||||
type syslogd_t;
|
||||
type syslogd_exec_t;
|
||||
init_daemon_domain(syslogd_t, syslogd_exec_t)
|
||||
init_named_socket_activation(syslogd_t, syslogd_var_run_t)
|
||||
|
||||
type syslogd_initrc_exec_t;
|
||||
init_script_file(syslogd_initrc_exec_t)
|
||||
@ -71,6 +75,9 @@ init_script_file(syslogd_initrc_exec_t)
|
||||
type syslogd_tmp_t;
|
||||
files_tmp_file(syslogd_tmp_t)
|
||||
|
||||
type syslogd_unit_t;
|
||||
init_unit_file(syslogd_unit_t)
|
||||
|
||||
type syslogd_var_lib_t;
|
||||
files_type(syslogd_var_lib_t)
|
||||
|
||||
@ -120,6 +127,10 @@ locallogin_dontaudit_use_fds(auditctl_t)
|
||||
logging_set_audit_parameters(auditctl_t)
|
||||
logging_send_syslog_msg(auditctl_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_rw_stream_sockets(auditctl_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Auditd local policy
|
||||
@ -248,6 +259,10 @@ miscfiles_read_localization(audisp_t)
|
||||
|
||||
sysnet_dns_name_resolve(audisp_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
kernel_dgram_send(audisp_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(audisp_t)
|
||||
')
|
||||
@ -480,6 +495,20 @@ miscfiles_read_localization(syslogd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(syslogd_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
allow syslogd_t self:capability { chown setuid setgid };
|
||||
|
||||
kernel_use_fds(syslogd_t)
|
||||
kernel_getattr_dgram_sockets(syslogd_t)
|
||||
kernel_rw_unix_dgram_sockets(syslogd_t)
|
||||
kernel_rw_stream_sockets(syslogd_t)
|
||||
|
||||
init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
|
||||
init_dgram_send(syslogd_t)
|
||||
|
||||
udev_read_pid_files(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
# default gentoo syslog-ng config appends kernel
|
||||
# and high priority messages to /dev/tty12
|
||||
|
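Review bot: `allow syslogd_t self:capability { chown setuid setgid };` adds privilege-changing capabilities to the syslog domain under systemd with no comment on which journald operation needs them; a why-comment naming that operation would let a later reviewer judge whether setuid/setgid are still required. `init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")` is an interface not shown in this diff, so its argument order cannot be checked here. The kernel_* and udev_read_pid_files calls beside it are self-explanatory.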
@ -89,6 +89,12 @@ ifdef(`distro_gentoo',`
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
|
||||
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
|
||||
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
|
||||
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
|
||||
/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
|
||||
|
||||
/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
|
||||
/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
|
||||
|
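Review bot: The entry `/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)` is already covered by `/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)` two lines above it, since `lvm2-.*` matches every `lvm2-lvmetad...` name and both assign lvm_unit_t. The duplicate adds nothing and invites a later edit to one line that is silently overridden by the other, so the `lvm2-lvmetad` line should be dropped.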
@ -105,6 +105,26 @@ interface(`lvm_manage_config',`
|
||||
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create lvm_lock_t directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`lvm_create_lock_dirs',`
|
||||
gen_require(`
|
||||
type lvm_lock_t;
|
||||
')
|
||||
|
||||
create_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
|
||||
files_add_entry_lock_dirs($1)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run clvmd.
|
||||
@ -142,7 +162,7 @@ interface(`lvm_domtrans_clvmd',`
|
||||
#
|
||||
interface(`lvm_admin',`
|
||||
gen_require(`
|
||||
type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
|
||||
type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t;
|
||||
type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
|
||||
type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
|
||||
')
|
||||
@ -150,7 +170,7 @@ interface(`lvm_admin',`
|
||||
allow $1 clvmd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, clvmd_t)
|
||||
|
||||
init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
|
||||
init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, lvm_etc_t)
|
||||
|
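Review bot: The new `lvm_create_lock_dirs` interface carries a `<rolecap/>` tag although it is a narrow object-access interface (create lvm_lock_t directories plus add_name on the lock root), which is the kind of rule normally granted to a daemon rather than exposed as a role capability; unless it is meant to be offered to user roles, the tag should be removed. The rule body grants `create_dirs_pattern($1, lvm_lock_t, lvm_lock_t)` and `files_add_entry_lock_dirs($1)` but nothing for reaching the lock directory through its parents, so a caller presumably also needs `files_search_locks($1)` or an equivalent — confirm against the path lvm_lock_t is labelled on. In the `lvm_admin` hunk the added `lvm_unit_t` in the `gen_require` and the extended `init_startstop_service` call are consistent with the setrans.if change in this commit.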
@ -18,6 +18,7 @@ files_pid_file(clvmd_var_run_t)
|
||||
type lvm_t;
|
||||
type lvm_exec_t;
|
||||
init_system_domain(lvm_t, lvm_exec_t)
|
||||
init_named_socket_activation(lvm_t, lvm_var_run_t)
|
||||
# needs privowner because it assigns the identity system_u to device nodes
|
||||
# but runs as the identity of the sysadmin
|
||||
domain_obj_id_change_exemption(lvm_t)
|
||||
@ -32,6 +33,9 @@ files_lock_file(lvm_lock_t)
|
||||
type lvm_metadata_t;
|
||||
files_type(lvm_metadata_t)
|
||||
|
||||
type lvm_unit_t;
|
||||
init_unit_file(lvm_unit_t)
|
||||
|
||||
type lvm_var_lib_t;
|
||||
files_type(lvm_var_lib_t)
|
||||
|
||||
@ -304,6 +308,12 @@ seutil_sigchld_newrole(lvm_t)
|
||||
|
||||
userdom_use_user_terminals(lvm_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_rw_stream_sockets(lvm_t)
|
||||
|
||||
fs_manage_hugetlbfs_dirs(lvm_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# this is from the initrd:
|
||||
kernel_rw_unlabeled_dirs(lvm_t)
|
||||
|
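Review bot: `fs_manage_hugetlbfs_dirs(lvm_t)` inside the new `ifdef(`init_systemd',` block has no justification, and refpolicy convention is to explain a rule whose need is not evident from the domain's purpose — managing directories on hugetlbfs is not an obvious LVM requirement. Add a one-line why-comment above it naming the operation that hits hugetlbfs under systemd (I cannot infer it from the hunk). `init_named_socket_activation(lvm_t, lvm_var_run_t)` is placed outside the `init_systemd` conditional while every other systemd-specific rule is inside it; this matches logging.te and udev.te in the same commit, so presumably the interface is conditional internally — confirm, otherwise move it into the block.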
@ -179,6 +179,14 @@ userdom_dontaudit_search_user_home_dirs(insmod_t)
|
||||
|
||||
kernel_domtrans_to(insmod_t, insmod_exec_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
kernel_search_key(insmod_t)
|
||||
|
||||
init_rw_stream_sockets(insmod_t)
|
||||
|
||||
systemd_write_kmod_files(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(insmod_t)
|
||||
')
|
||||
|
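Review bot: `systemd_write_kmod_files(insmod_t)` is a call into another module's interface made directly inside `ifdef(`init_systemd',` rather than inside `optional_policy(`...')`, which only links if systemd is a base module in every build that defines init_systemd; if it can be a loadable module, wrap it as `optional_policy(` / `systemd_write_kmod_files(insmod_t)` / `')`. The same pattern appears in udev.te with `systemd_read_logind_pids(udev_t)`. `kernel_search_key(insmod_t)` also lacks a why-comment; a short note on which keyring lookup triggers it would help the next maintainer.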
@ -67,7 +67,7 @@ role newrole_roles types newrole_t;
|
||||
# the security server policy configuration.
|
||||
#
|
||||
type policy_config_t;
|
||||
files_type(policy_config_t)
|
||||
files_security_file(policy_config_t)
|
||||
|
||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||
|
@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
|
||||
interface(`setrans_admin',`
|
||||
gen_require(`
|
||||
type setrans_t, setrans_initrc_exec_t;
|
||||
type setrans_var_run_t;
|
||||
type setrans_var_run_t, setrans_unit_t;
|
||||
')
|
||||
|
||||
allow $1 setrans_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, setrans_t)
|
||||
|
||||
init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
|
||||
init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, setrans_var_run_t)
|
||||
|
@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
|
||||
type setrans_initrc_exec_t;
|
||||
init_script_file(setrans_initrc_exec_t)
|
||||
|
||||
type setrans_unit_t;
|
||||
init_unit_file(setrans_unit_t)
|
||||
|
||||
type setrans_var_run_t;
|
||||
files_pid_file(setrans_var_run_t)
|
||||
mls_trusted_object(setrans_var_run_t)
|
||||
|
@ -160,6 +160,14 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_rw_stream_sockets(dhcpc_t)
|
||||
init_read_state(dhcpc_t)
|
||||
init_stream_connect(dhcpc_t)
|
||||
init_get_all_units_status(dhcpc_t)
|
||||
init_search_units(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_run(dhcpc_t, dhcpc_roles)
|
||||
')
|
||||
|
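Review bot: The five `init_*` rules added for dhcpc_t under `ifdef(`init_systemd',` (`init_read_state`, `init_stream_connect`, `init_get_all_units_status`, `init_search_units`, `init_rw_stream_sockets`) let the DHCP client query the status of every unit and talk to PID 1, with no comment on what in the client needs this. A one-line why-comment above the block naming the hook or script that issues these requests would document the trust being extended; if only a subset of units is actually queried, a narrower interface would be preferable to `init_get_all_units_status`.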
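--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,39 @@
+/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
+/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
+/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
+/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
+/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0)
+/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
+/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
+/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
+/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*power.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*reboot.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*shutdown.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
+
+/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+
+/var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)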
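Review bot: The last entry escapes the dot in `tmpfiles\.d` but leaves the one in `kmod.conf` unescaped, so the regex also matches names such as `kmodXconf`, and unlike the neighbouring entries it has no file-type specifier. Since this labels a file that a privileged domain is allowed to write via `systemd_write_kmod_files`, the pattern should be as tight as the others: `/var/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:systemd_kmod_conf_t,s0)`.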
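--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,195 @@
+## <summary>Systemd components (not PID 1)</summary>
+
+######################################
+## <summary>
+## Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_logind_pids',`
+gen_require(`
+type systemd_logind_var_run_t;
+')
+
+files_search_pids($1)
+read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+## Manage systemd_login PID pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_logind_pid_pipes',`
+gen_require(`
+type systemd_logind_var_run_t;
+')
+
+files_search_pids($1)
+manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+## Use inherited systemd
+## logind file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_use_logind_fds',`
+gen_require(`
+type systemd_logind_t;
+')
+
+allow $1 systemd_logind_t:fd use;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd logind over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+gen_require(`
+type systemd_logind_t;
+class dbus send_msg;
+')
+
+allow $1 systemd_logind_t:dbus send_msg;
+allow systemd_logind_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow process to write to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_write_kmod_files',`
+gen_require(`
+type systemd_kmod_conf_t;
+')
+
+write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
+')
+
+########################################
+## <summary>
+## Allow process to relabel to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_relabelto_kmod_files',`
+gen_require(`
+type systemd_kmod_conf_t;
+')
+
+allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
+## Read systemd homedir content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_home_content',`
+gen_require(`
+type systemd_home_t;
+')
+
+optional_policy(`
+gnome_search_gconf_data_dir($1)
+')
+read_files_pattern($1, systemd_home_t, systemd_home_t)
+read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
+')
+
+########################################
+## <summary>
+## Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_status_logind',`
+gen_require(`
+type systemd_logind_t;
+class service status;
+')
+
+allow $1 systemd_logind_t:service status;
+')
+
+########################################
+## <summary>
+## Send systemd_login a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_signull_logind',`
+gen_require(`
+type systemd_logind_t;
+')
+
+allow $1 systemd_logind_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow specified domain to start power units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_start_power_units',`
+gen_require(`
+type power_unit_t;
+class service start;
+')
+
+allow $1 power_unit_t:service start;
+')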
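Review bot: `systemd_write_kmod_files` references `var_run_t` in `write_files_pattern($1, var_run_t, systemd_kmod_conf_t)` without requiring it in its `gen_require` block, and a type owned by the files module should not be named directly from systemd.if anyway; replace the line with `files_search_pids($1)` followed by `allow $1 systemd_kmod_conf_t:file write_file_perms;`. `systemd_read_home_content` requires `systemd_home_t`, but systemd.te in this commit declares no such type and systemd.fc labels nothing with it, so any caller will fail at link time — either declare the type or leave the interface out until it exists. In `systemd_start_power_units` the parameter summary reads `## Domain to not audit.` for an allow rule; it should be `## Domain allowed access.` like the other interfaces in the file. The `<rolecap/>` tags on the two kmod interfaces also look misplaced for rules aimed at insmod_t rather than user roles — confirm they are intended.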
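--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,264 @@
+policy_module(systemd, 1.0.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfiles_manage_all, false)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_analyze_t;
+type systemd_analyze_exec_t;
+init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_cgroups_t;
+type systemd_cgroups_exec_t;
+domain_type(systemd_cgroups_t)
+domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
+role system_r types systemd_cgroups_t;
+
+type systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_var_run_t)
+init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+
+type systemd_cgtop_t;
+type systemd_cgtop_exec_t;
+init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_detect_virt_t;
+type systemd_detect_virt_exec_t;
+init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
+type systemd_hostnamed_t;
+type systemd_hostnamed_exec_t;
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
+
+type systemd_locale_t;
+type systemd_locale_exec_t;
+init_system_domain(systemd_locale_t, systemd_locale_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+
+type systemd_logind_var_lib_t;
+files_type(systemd_logind_var_lib_t)
+
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_nspawn_t;
+type systemd_nspawn_exec_t;
+init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+
+type systemd_run_t;
+type systemd_run_exec_t;
+init_daemon_domain(systemd_run_t, systemd_run_exec_t)
+
+type systemd_stdio_bridge_t;
+type systemd_stdio_bridge_exec_t;
+init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_sessions_t;
+type systemd_sessions_exec_t;
+init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+type systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_var_run_t)
+init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+type systemd_kmod_conf_t;
+files_config_file(systemd_kmod_conf_t)
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+#
+# Unit file types
+#
+
+type power_unit_t;
+init_unit_file(power_unit_t)
+
+######################################
+#
+# Cgroups local policy
+#
+
+kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+
+init_stream_connect(systemd_cgroups_t)
+
+logging_send_syslog_msg(systemd_cgroups_t)
+
+kernel_dgram_send(systemd_cgroups_t)
+
+#######################################
+#
+# locale local policy
+#
+
+files_read_etc_files(systemd_locale_t)
+
+logging_send_syslog_msg(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+optional_policy(`
+dbus_connect_system_bus(systemd_locale_t)
+dbus_system_bus_client(systemd_locale_t)
+')
+
+#######################################
+#
+# Hostnamed policy
+#
+
+files_read_etc_files(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+optional_policy(`
+dbus_system_bus_client(systemd_hostnamed_t)
+dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
+#########################################
+#
+# Logind local policy
+#
+
+allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
+
+allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+files_search_pids(systemd_logind_t)
+
+auth_manage_faillog(systemd_logind_t)
+
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_tmpfs(systemd_logind_t)
+
+storage_getattr_removable_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+init_get_all_units_status(systemd_logind_t)
+init_start_all_units(systemd_logind_t)
+init_stop_all_units(systemd_logind_t)
+init_service_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+# This is for reading /proc/1/cgroup
+init_read_state(systemd_logind_t)
+
+locallogin_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+systemd_start_power_units(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_read_pid_files(systemd_logind_t)
+
+userdom_use_user_ttys(systemd_logind_t)
+
+optional_policy(`
+dbus_system_bus_client(systemd_logind_t)
+dbus_connect_system_bus(systemd_logind_t)
+')
+
+#########################################
+#
+# Sessions local policy
+#
+
+allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+
+logging_send_syslog_msg(systemd_sessions_t)
+
+#########################################
+#
+# Tmpfiles local policy
+#
+
+allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:process { setfscreate getcap };
+
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+tunable_policy(`systemd_tmpfiles_manage_all',`
+# systemd-tmpfiles can be configured to manage anything.
+# have a last-resort option for users to do this.
+files_manage_non_security_dirs(systemd_tmpfiles_t)
+files_manage_non_security_files(systemd_tmpfiles_t)
+files_relabel_non_security_dirs(systemd_tmpfiles_t)
+files_relabel_non_security_files(systemd_tmpfiles_t)
+')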
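Review bot: Both `allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };` and `allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod };` grant dac_override with no comment, and refpolicy normally documents why a domain needs to bypass DAC permission checks entirely, since it is the capability most often found to be unnecessary once ownership is fixed; add a one-line reason above each, or drop it if denials do not show it is needed. `systemd_start_power_units(systemd_logind_t)` looks redundant next to `init_start_all_units(systemd_logind_t)` a few lines earlier, if that interface covers every type declared with `init_unit_file` (power_unit_t is) — confirm and keep only one. Twelve of the domains declared here (activate, analyze, backlight, binfmt, cgtop, coredump, detect_virt, machined, nspawn, run, stdio_bridge, passwd_agent) have no local policy section at all, so their executables will transition into domains that permit nothing; if the rules are planned for a follow-up, a `# TODO` marker under the declarations would make that intent explicit.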
@ -92,6 +92,25 @@ interface(`udev_read_state',`
|
||||
allow $1 udev_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to create uevent sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_create_kobject_uevent_sockets',`
|
||||
gen_require(`
|
||||
type udev_t;
|
||||
')
|
||||
|
||||
allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to inherit a
|
||||
|
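Review bot: The summary of `udev_create_kobject_uevent_sockets` says "Allow domain to create uevent sockets", but the rule `allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;` applies to sockets labelled udev_t, not to sockets the caller creates in its own domain (those would carry the caller's label); a domain other than udev_t would normally only hold such a socket by inheritance. Either the summary should say what is granted, e.g. `## Create, read, write, and delete udev netlink kobject uevent sockets.`, or — if the intent really is to let a domain create its own uevent sockets — the rule belongs on `$1 self:netlink_kobject_uevent_socket`. Confirm which callers this is for; none are visible in this chunk.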
@ -13,6 +13,7 @@ domain_obj_id_change_exemption(udev_t)
|
||||
domain_entry_file(udev_t, udev_helper_exec_t)
|
||||
domain_interactive_fd(udev_t)
|
||||
init_daemon_domain(udev_t, udev_exec_t)
|
||||
init_named_socket_activation(udev_t, udev_var_run_t)
|
||||
|
||||
type udev_etc_t alias etc_udev_t;
|
||||
files_config_file(udev_etc_t)
|
||||
@ -218,6 +219,18 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
kernel_load_module(udev_t)
|
||||
|
||||
files_search_kernel_modules(udev_t)
|
||||
|
||||
fs_read_cgroup_files(udev_t)
|
||||
|
||||
init_dgram_send(udev_t)
|
||||
|
||||
systemd_read_logind_pids(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(udev_t)
|
||||
alsa_read_lib(udev_t)
|
||||
|
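Review bot: `kernel_load_module(udev_t)` inside the new `ifdef(`init_systemd',` block lets udev load kernel modules itself rather than via a transition to the insmod domain, which is a meaningful widening of udev_t, and the hunk gives no reason; add a why-comment above it (presumably udev now loads modules in-process, but that is an inference — state the actual cause). `systemd_read_logind_pids(udev_t)` is a cross-module call outside `optional_policy`, the same concern raised on modutils.te in this commit. `init_named_socket_activation(udev_t, udev_var_run_t)` is added unconditionally in the earlier hunk while the other systemd rules are conditional; this matches logging.te and lvm.te, so presumably the interface guards itself — confirm.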
@ -58,6 +58,10 @@ ifneq ($(DISTRO),)
|
||||
M4PARAM += -D distro_$(DISTRO)
|
||||
endif
|
||||
|
||||
ifeq "$(SYSTEMD)" "y"
|
||||
M4PARAM += -D init_systemd
|
||||
endif
|
||||
|
||||
ifeq ($(DIRECT_INITRC),y)
|
||||
M4PARAM += -D direct_sysadm_daemon
|
||||
endif
|
||||
|
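Review bot: The new conditional is written as `ifeq "$(SYSTEMD)" "y"` while the surrounding conditionals in the same file use the parenthesised form (`ifneq ($(DISTRO),)`, `ifeq ($(DIRECT_INITRC),y)`); both are valid GNU make, but mixing the two styles in adjacent blocks reads as an accident. Use `ifeq ($(SYSTEMD),y)` to match. Since SYSTEMD is a user-tunable knob, its default and meaning should also be documented where the other build options (DISTRO, DIRECT_INITRC) are, which is outside this hunk.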