From 8eff2c5998bfe662cf0e4da0381316066c0dd97e Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Apr 2021 12:55:38 -0400
Subject: [PATCH] sysadm, systemd: various fixes

Allow sysadm to communicate with logind over dbus and add missing rules for systemd-logind.

Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/sysadm.te   | 4 ++++
 policy/modules/system/systemd.te | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 5aaec991d..a3447e7b0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -81,6 +81,10 @@ ifdef(`init_systemd',`
 	# Allow sysadm to resolve the username of dynamic users by calling
 	# LookupDynamicUserByUID on org.freedesktop.systemd1.
 	init_dbus_chat(sysadm_t)
+
+	# Allow sysadm to get the status of and set properties of other users,
+	# sessions, and seats on the system.
+	systemd_dbus_chat_logind(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 83f886344..7090a9136 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -602,6 +602,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_logind_var_lib_t:file manage_file_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
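Review bot: The comment above `systemd_dbus_chat_logind(sysadm_t)` describes a narrower capability than the rule grants: a dbus_chat interface allows bidirectional `send_msg` with logind's bus connection, and SELinux does not distinguish individual method calls on org.freedesktop.login1, so this also covers PowerOff/Reboot/Suspend, TerminateSession/TerminateUser and SetUserLinger, with the per-method authorization presumably left to polkit. I would say so in the comment so nobody reads it as a read-mostly grant, e.g. `# Allow sysadm to query and manage users, sessions, and seats through logind's D-Bus API (org.freedesktop.login1). SELinux only gates send_msg on the connection; polkit decides privileged calls such as reboot or session termination.` The `ifdef(`init_systemd',` block closes inside the hunk, but the `tunable_policy(`allow_ptrace',` block on the last line continues outside it.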
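Review bot: The added `allow systemd_logind_t systemd_logind_var_lib_t:file manage_file_perms;` is a raw allow rule, while the `manage_fifo_files_pattern(...)` line two lines below expresses the same kind of grant with the refpolicy pattern macro, so the same stanza now mixes two styles for adjacent file classes. For consistency I would write `manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)` instead, and the existing dir rule could likewise become `manage_dirs_pattern(...)`. No file-class filetrans appears to be needed, since files created under the directory that the existing `init_var_lib_filetrans` already labels inherit its type by default. The rest of the systemd_logind_t rules lie outside this hunk.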
@@ -725,8 +726,11 @@ ifdef(`distro_redhat',`
 tunable_policy(`systemd_logind_get_bootloader',`
 	fs_getattr_dos_fs(systemd_logind_t)
+	fs_getattr_xattr_fs(systemd_logind_t)
 	fs_list_dos(systemd_logind_t)
 	fs_read_dos_files(systemd_logind_t)
+
+	files_search_boot(systemd_logind_t)
 ')
 
 # systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
 # This reads the first sectors of fixed disk devices.
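Review bot: The new `fs_getattr_xattr_fs(systemd_logind_t)` and `files_search_boot(systemd_logind_t)` under the `systemd_logind_get_bootloader` tunable carry no comment explaining why a bootloader lookup needs statfs() on a non-DOS filesystem, whereas the neighbouring dos-fs rules are self-explanatory from the tunable's name. Presumably logind checks whether /boot (and /efi) sit on a vfat ESP or XBOOTLDR partition, which means statfs() against the parent ext4/xfs filesystem and a traversal of /boot; I would record that above the new lines, e.g. `# logind statfs()s /boot and /efi to tell whether they are the ESP or XBOOTLDR partition, which also touches the parent xattr filesystem`. I would also place `fs_getattr_xattr_fs` next to `files_search_boot` rather than between the three dos-fs rules, so the DOS-specific and generic grants stay grouped. The comment after `')` introduces blkid rules that lie outside the hunk.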