Commit Graph

70 Commits

Author SHA1 Message Date
Chris PeBenito
0252046c95 systemd: Move lines. 2018-06-07 20:17:15 -04:00
Dave Sugar
f4713393ae policy for systemd-hwdb
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*,
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete.  It also relabels based on file_contexts.
This provides a private type for /etc/udev/hwdb.bin.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar
2408d45a3d policy for systemd-update-done
systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar
664d932c0f systemd-resolved uses notify to indicate status
type=AVC msg=audit(1528207926.219:1609): avc:  denied  { write } for  pid=2689 comm="systemd-resolve" name="notify" dev="tmpfs" ino=6277 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1528208016.448:1702): avc:  denied  { sendto } for  pid=2689 comm="systemd-resolve" path="/run/systemd/notify" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar
fd466a380e Allow systemd-resolved to connect to system dbusd
type=USER_AVC msg=audit(1527726267.150:134): pid=1170 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for service=org.freedesktop.resolve1 spid=1208 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar
0ddccc81ad Allow systemd_resolved to read systemd_networkd runtime files
type=AVC msg=audit(1527698299.999:144): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527698299.999:145): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698299.999:145): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698300.000:146): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527702014.276:183): avc:  denied  { search } for  pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527704163.181:152): avc:  denied  { open } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.181:153): avc:  denied  { getattr } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.604:173): avc:  denied  { read } for  pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:47 -04:00
Dave Sugar
1dd2e5aca4 Allow systemd-resolved to read sysctl
type=AVC msg=audit(1527698300.007:150): avc:  denied  { search } for  pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1527698300.007:150): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:150): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:151): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

type=AVC msg=audit(1527698300.006:148): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.006:148): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:149): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:47 -04:00
Chris PeBenito
ac9363d662 init, logging, sysnetwork, systemd, udev: Module version bump. 2018-04-17 20:20:27 -04:00
Chris PeBenito
e75bcdead0 Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
James Carter
2268d42fee Removed unnecessary semicolons
Removed unnecessary semicolons in ipsec.te, logging.te, and systemd.te

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
Chris PeBenito
9c0d0e66ff another trivial dbus patch from Russell Coker. 2018-02-18 11:25:29 -05:00
Chris PeBenito
03e2f1a809 Simple map patch from Russell Coker. 2018-02-15 17:10:34 -05:00
Chris PeBenito
b492924414 Misc dbus fixes from Russell Coker. 2018-02-15 17:07:08 -05:00
Chris PeBenito
4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito
8e19b3103e mls, xserver, systemd, userdomain: Module version bump. 2017-12-12 20:25:32 -05:00
David Sugar
dd4facd8af Allow systemd_logind to delete user_runtime_content_type files
Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type use interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects.

type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-12 20:19:10 -05:00
Chris PeBenito
61a31f6cea xserver, sysnetwork, systemd: Module version bump. 2017-12-07 19:02:02 -05:00
Laurent Bigonville
88b7c61bd7 Add private type for systemd logind inhibit files and pipes 2017-12-07 18:50:30 -05:00
Chris PeBenito
6ca6a2e1db corcmd, fs, xserver, init, systemd, userdomain: Module version bump. 2017-12-03 16:48:54 -05:00
David Sugar
d7674a5406 Work around systemd-logind patch not in RHEL 7.x yet
This is probably RHEL only - seeing directories in /run/user/$(UID) created as
tmpfs_t rather than user_runtime_t.  This appears fixed in newer systemd-logind.
It appears to have been fixed in the systemd git repo by Nicolas Iooss on 02-Feb-2016,
hash 4b51966cf6c06250036e428608da92f8640beb96, probably in systemd-v229.
I don't see this merged into RHEL 7.x as of now, but at some point it hopefully
will be merged in and this can go away.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-03 16:38:39 -05:00
Chris PeBenito
1b405f4a90 files, init, sysnetwork, systemd: Module version bumps. 2017-10-12 18:48:29 -04:00
David Sugar
4a54f9c1f0 policy for systemd-networkd
Policy needed for systemd-networkd to function.  This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch).  He was too busy to update and I needed to get it working.

I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-12 18:38:54 -04:00
Chris PeBenito
2ae2b38e6d Module version bumps. 2017-10-10 20:32:43 -04:00
Chris PeBenito
6abb3eb5fc corecommands, xserver, systemd, userdomain: Version bumps. 2017-09-17 11:11:18 -04:00
Russell Coker
25a9bcb405 minor nspawn, dnsmasq, and mon patches
Label some shell scripts from bridge-utils correctly.  Maybe have ifdef
distro_debian around this, not sure what upstream is doing.

systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.

Another dontaudit for mon_local_test_t to stop it spamming the logs.

Support a .d directory for dnsmasq config files.
2017-09-17 11:08:06 -04:00
Chris PeBenito
095ad7923a Several module version bumps. 2017-09-11 20:34:13 -04:00
Chris PeBenito
1fdac56605 systemd, udev: Module version bump. 2017-09-06 11:04:11 -04:00
Russell Coker
1ca7df474f systemd nspawn and backlight
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints.  Also allows systemd_nspawn_t to umount cgroup
filesystems.

Allows systemd_backlight_t to search /var/lib.
2017-09-06 10:46:28 -04:00
Krzysztof Nowicki
d9861c32ad Add policy for systemd GPT generator 2017-09-06 10:08:48 -04:00
Chris PeBenito
aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito
5e49dcea60 apt/dpkg strict patches from Russell Coker.
The following are needed for correct operation of apt and dpkg on a "strict"
configuration.
2017-04-29 11:14:15 -04:00
Chris PeBenito
60114027f7 more systemd stuff from Russell Coker
This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.

It has a number of changes needed by systemd_logind_t to set permissions for
local logins.

It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.

It has some changes for udev_t for systemd-udevd.
2017-04-16 19:48:04 -04:00
Chris PeBenito
73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito
2cd92db5cd systemd-nspawn again
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way.  I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.

Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.

Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.

Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
2017-04-01 12:08:42 -04:00
Chris PeBenito
160d08f3ae systemd-resolved, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.

Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
2017-03-28 18:51:35 -04:00
Chris PeBenito
b411e4b300 another version of systemd cgroups hostnamed and logind
From Russell Coker
2017-03-25 13:45:37 -04:00
Chris PeBenito
4dcbc032cf Module version bump from /var/run fixes from cgzones. 2017-03-25 13:05:13 -04:00
Chris PeBenito
5e20a0ee5b /var/run -> /run again
Here's the latest version of my patch to remove all /var/run when it's not
needed.  I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it.  So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.

From Russell Coker
2017-03-25 12:56:03 -04:00
Chris PeBenito
4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones
4d0d7cfc6f systemd-tmpfiles: refactor runtime configs
handle runtime configuration files under /run/tmpfiles.d as 3rd party content, like /run or /var/lib
2017-02-27 19:32:20 +01:00
Chris PeBenito
e527ebaadf systemd: Further revisions from Russell Coker. 2017-02-25 09:35:10 -05:00
Chris PeBenito
c3c767bae2 Module version bump for CI fixes. 2017-02-23 20:32:10 -05:00
Chris PeBenito
2087bde934 Systemd fixes from Russell Coker. 2017-02-23 20:03:23 -05:00
Chris PeBenito
498fb3c6e8 Module version bump for cgroups systemd fix from cgzones. 2017-02-20 11:21:00 -05:00
Chris PeBenito
e72556c6dd Merge branch 'cgroups_fix' of git://github.com/cgzones/refpolicy 2017-02-20 11:13:07 -05:00
Chris PeBenito
132db642bd Module version bump for selinuxutil and systemd changes from cgzones. 2017-02-20 10:57:50 -05:00
Chris PeBenito
53fb3a3ba4 dpkg: Updates from Russell Coker. 2017-02-19 16:13:14 -05:00
cgzones
8266424bcb systemd_cgroups_t: fix denials 2017-02-18 18:41:45 +01:00
Chris PeBenito
1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito
7aafe9d8b7 Systemd tmpfiles fix for kmod.conf from Russell Coker. 2017-02-07 19:03:59 -05:00