2117 lines
68 KiB
Plaintext
2117 lines
68 KiB
Plaintext
policy_module(systemd)
|
|
|
|
#########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Enable support for systemd-tmpfiles to manage all non-security files.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_tmpfiles_manage_all, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow systemd-networkd to run its DHCPd server component
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_networkd_dhcp_server, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow systemd-nspawn to create a labelled namespace with the same types
|
|
## as parent environment
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_nspawn_labeled_namespace, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow systemd-logind to interact with the bootloader (read which one is
|
|
## installed on fixed disks, enumerate entries for dbus property
|
|
## BootLoaderEntries, etc.)
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_logind_get_bootloader, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow systemd-socket-proxyd to bind any port instead of one labelled
|
|
## with systemd_socket_proxyd_port_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_socket_proxyd_bind_any, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow systemd-socket-proxyd to connect to any port instead of
|
|
## labelled ones.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(systemd_socket_proxyd_connect_any, false)
|
|
|
|
attribute systemd_log_parse_env_type;
|
|
attribute systemd_tmpfiles_conf_type;
|
|
attribute systemd_user_session_type;
|
|
attribute systemd_user_activated_sock_file_type;
|
|
attribute systemd_user_unix_stream_activated_socket_type;
|
|
|
|
attribute_role systemd_sysusers_roles;
|
|
|
|
type systemd_activate_t;
|
|
type systemd_activate_exec_t;
|
|
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
|
|
|
|
type systemd_analyze_t;
|
|
type systemd_analyze_exec_t;
|
|
init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
|
|
|
|
type systemd_backlight_t;
|
|
type systemd_backlight_exec_t;
|
|
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
|
|
|
|
type systemd_backlight_unit_t;
|
|
init_unit_file(systemd_backlight_unit_t)
|
|
|
|
type systemd_backlight_var_lib_t;
|
|
files_type(systemd_backlight_var_lib_t)
|
|
|
|
type systemd_binfmt_t;
|
|
type systemd_binfmt_exec_t;
|
|
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
|
|
|
|
type systemd_binfmt_unit_t;
|
|
init_unit_file(systemd_binfmt_unit_t)
|
|
|
|
type systemd_conf_t;
|
|
files_config_file(systemd_conf_t)
|
|
|
|
type systemd_cgroups_t;
|
|
type systemd_cgroups_exec_t;
|
|
domain_type(systemd_cgroups_t)
|
|
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
|
|
role system_r types systemd_cgroups_t;
|
|
|
|
type systemd_cgroups_runtime_t alias systemd_cgroups_var_run_t;
|
|
files_runtime_file(systemd_cgroups_runtime_t)
|
|
init_daemon_runtime_file(systemd_cgroups_runtime_t, dir, "systemd_cgroups")
|
|
|
|
type systemd_cgtop_t;
|
|
type systemd_cgtop_exec_t;
|
|
init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
|
|
|
|
type systemd_coredump_t;
|
|
type systemd_coredump_exec_t;
|
|
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
|
|
|
|
type systemd_coredump_var_lib_t;
|
|
files_type(systemd_coredump_var_lib_t)
|
|
|
|
type systemd_factory_conf_t;
|
|
systemd_tmpfiles_conf_file(systemd_factory_conf_t)
|
|
|
|
type systemd_generator_t;
|
|
type systemd_generator_exec_t;
|
|
init_system_domain(systemd_generator_t, systemd_generator_exec_t)
|
|
|
|
type systemd_homed_t;
|
|
type systemd_homed_exec_t;
|
|
init_daemon_domain(systemd_homed_t, systemd_homed_exec_t)
|
|
|
|
type systemd_homework_t;
|
|
type systemd_homework_exec_t;
|
|
domain_type(systemd_homework_t)
|
|
domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
|
|
role system_r types systemd_homework_t;
|
|
|
|
type systemd_homed_runtime_t;
|
|
files_runtime_file(systemd_homed_runtime_t)
|
|
|
|
type systemd_homed_storage_t;
|
|
files_type(systemd_homed_storage_t)
|
|
|
|
type systemd_homed_tmpfs_t;
|
|
files_tmpfs_file(systemd_homed_tmpfs_t)
|
|
|
|
type systemd_homed_var_lib_t;
|
|
files_type(systemd_homed_var_lib_t)
|
|
|
|
type systemd_hostnamed_t;
|
|
type systemd_hostnamed_exec_t;
|
|
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
|
|
|
|
type systemd_hw_t;
|
|
type systemd_hw_exec_t;
|
|
init_system_domain(systemd_hw_t, systemd_hw_exec_t)
|
|
|
|
type systemd_hwdb_t;
|
|
files_type(systemd_hwdb_t)
|
|
|
|
type systemd_journal_t;
|
|
logging_log_file(systemd_journal_t)
|
|
|
|
type systemd_journal_init_t;
|
|
type systemd_journalctl_exec_t;
|
|
init_system_domain(systemd_journal_init_t, systemd_journalctl_exec_t)
|
|
|
|
type systemd_locale_t;
|
|
type systemd_locale_exec_t;
|
|
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
|
|
|
|
# systemd_log_t is the type for /var/log/systemd which contains TPM measurements.
|
|
type systemd_log_t;
|
|
logging_log_file(systemd_log_t)
|
|
|
|
type systemd_logind_t;
|
|
type systemd_logind_exec_t;
|
|
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
|
|
init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
|
|
|
|
type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
|
|
files_runtime_file(systemd_logind_inhibit_runtime_t)
|
|
init_mountpoint(systemd_logind_inhibit_runtime_t)
|
|
|
|
type systemd_logind_runtime_t alias systemd_logind_var_run_t;
|
|
files_runtime_file(systemd_logind_runtime_t)
|
|
init_daemon_runtime_file(systemd_logind_runtime_t, dir, "systemd_logind")
|
|
init_mountpoint(systemd_logind_runtime_t)
|
|
|
|
type systemd_logind_var_lib_t;
|
|
files_type(systemd_logind_var_lib_t)
|
|
init_mountpoint(systemd_logind_var_lib_t)
|
|
|
|
type systemd_machined_t;
|
|
type systemd_machined_exec_t;
|
|
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
|
|
|
|
type systemd_machined_devpts_t;
|
|
term_login_pty(systemd_machined_devpts_t)
|
|
|
|
type systemd_machined_runtime_t alias systemd_machined_var_run_t;
|
|
files_runtime_file(systemd_machined_runtime_t)
|
|
init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
|
|
|
|
type systemd_machine_id_setup_t;
|
|
type systemd_machine_id_setup_exec_t;
|
|
init_system_domain(systemd_machine_id_setup_t, systemd_machine_id_setup_exec_t)
|
|
|
|
type systemd_modules_load_t;
|
|
type systemd_modules_load_exec_t;
|
|
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
|
|
|
|
type systemd_networkd_t;
|
|
type systemd_networkd_exec_t;
|
|
init_daemon_domain(systemd_networkd_t, systemd_networkd_exec_t)
|
|
|
|
type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
|
|
files_runtime_file(systemd_networkd_runtime_t)
|
|
init_mountpoint(systemd_networkd_runtime_t)
|
|
|
|
type systemd_networkd_unit_t;
|
|
init_unit_file(systemd_networkd_unit_t)
|
|
|
|
type systemd_notify_t;
|
|
type systemd_notify_exec_t;
|
|
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
|
|
|
|
type systemd_nspawn_t;
|
|
type systemd_nspawn_exec_t;
|
|
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
|
|
|
|
type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
|
|
files_runtime_file(systemd_nspawn_runtime_t)
|
|
|
|
type systemd_nspawn_tmp_t;
|
|
files_tmp_file(systemd_nspawn_tmp_t)
|
|
|
|
type systemd_pcrphase_t;
|
|
type systemd_pcrphase_exec_t;
|
|
init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
|
|
|
|
type systemd_pstore_t;
|
|
type systemd_pstore_exec_t;
|
|
init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
|
|
|
|
type systemd_pstore_var_lib_t;
|
|
files_type(systemd_pstore_var_lib_t)
|
|
|
|
type systemd_resolved_t;
|
|
type systemd_resolved_exec_t;
|
|
init_daemon_domain(systemd_resolved_t, systemd_resolved_exec_t)
|
|
|
|
type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
|
|
files_runtime_file(systemd_resolved_runtime_t)
|
|
|
|
type systemd_stdio_bridge_t;
|
|
type systemd_stdio_bridge_exec_t;
|
|
init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
|
|
|
|
type systemd_passwd_agent_t;
|
|
type systemd_passwd_agent_exec_t;
|
|
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
|
|
|
|
type systemd_passwd_runtime_t alias systemd_passwd_var_run_t;
|
|
files_runtime_file(systemd_passwd_runtime_t)
|
|
init_path_unit_location_file(systemd_passwd_runtime_t)
|
|
|
|
type systemd_rfkill_t;
|
|
type systemd_rfkill_exec_t;
|
|
init_daemon_domain(systemd_rfkill_t, systemd_rfkill_exec_t)
|
|
|
|
type systemd_rfkill_unit_t;
|
|
init_unit_file(systemd_rfkill_unit_t)
|
|
|
|
type systemd_rfkill_var_lib_t;
|
|
files_type(systemd_rfkill_var_lib_t)
|
|
|
|
type systemd_sessions_t;
|
|
type systemd_sessions_exec_t;
|
|
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
|
|
|
|
type systemd_sessions_runtime_t alias systemd_sessions_var_run_t;
|
|
files_runtime_file(systemd_sessions_runtime_t)
|
|
init_daemon_runtime_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
|
|
init_mountpoint(systemd_sessions_runtime_t)
|
|
|
|
type systemd_socket_proxyd_t;
|
|
type systemd_socket_proxyd_exec_t;
|
|
init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t)
|
|
|
|
type systemd_socket_proxyd_port_t;
|
|
corenet_port(systemd_socket_proxyd_port_t)
|
|
|
|
type systemd_socket_proxyd_unit_file_t;
|
|
init_unit_file(systemd_socket_proxyd_unit_file_t)
|
|
|
|
type systemd_sysctl_t;
|
|
type systemd_sysctl_exec_t;
|
|
init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
|
|
|
|
type systemd_sysusers_t;
|
|
type systemd_sysusers_exec_t;
|
|
init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
|
|
role systemd_sysusers_roles types systemd_sysusers_t;
|
|
|
|
type systemd_tmpfiles_t;
|
|
type systemd_tmpfiles_exec_t;
|
|
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
|
|
|
|
type systemd_tmpfiles_conf_t;
|
|
files_config_file(systemd_tmpfiles_conf_t)
|
|
|
|
type systemd_update_done_t;
|
|
type systemd_update_done_exec_t;
|
|
init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
|
|
|
|
type systemd_update_run_t;
|
|
files_type(systemd_update_run_t)
|
|
|
|
type systemd_user_manager_unit_t;
|
|
init_unit_file(systemd_user_manager_unit_t)
|
|
|
|
type systemd_conf_home_t;
|
|
init_unit_file(systemd_conf_home_t)
|
|
xdg_config_content(systemd_conf_home_t)
|
|
|
|
type systemd_data_home_t;
|
|
xdg_data_content(systemd_data_home_t)
|
|
|
|
type systemd_user_runtime_notify_t;
|
|
userdom_user_runtime_content(systemd_user_runtime_notify_t)
|
|
|
|
type systemd_runtime_notify_t;
|
|
files_runtime_file(systemd_runtime_notify_t)
|
|
|
|
type systemd_user_runtime_t;
|
|
userdom_user_runtime_content(systemd_user_runtime_t)
|
|
|
|
type systemd_user_runtime_dir_t;
|
|
type systemd_user_runtime_dir_exec_t;
|
|
init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
|
|
|
|
type systemd_user_tmpfs_t;
|
|
userdom_user_tmpfs_file(systemd_user_tmpfs_t)
|
|
|
|
type systemd_userdbd_t;
|
|
type systemd_userdbd_exec_t;
|
|
init_daemon_domain(systemd_userdbd_t, systemd_userdbd_exec_t)
|
|
|
|
type systemd_userdbd_runtime_t alias systemd_userdb_runtime_t;
|
|
files_runtime_file(systemd_userdbd_runtime_t)
|
|
|
|
type systemd_userdbd_unit_t;
|
|
init_unit_file(systemd_userdbd_unit_t)
|
|
|
|
type systemd_user_unit_t;
|
|
init_unit_file(systemd_user_unit_t)
|
|
|
|
type systemd_user_runtime_unit_t;
|
|
init_unit_file(systemd_user_runtime_unit_t)
|
|
userdom_user_runtime_content(systemd_user_runtime_unit_t)
|
|
|
|
type systemd_user_transient_unit_t;
|
|
init_unit_file(systemd_user_transient_unit_t)
|
|
userdom_user_runtime_content(systemd_user_transient_unit_t)
|
|
|
|
#
|
|
# Unit file types
|
|
#
|
|
|
|
type power_unit_t;
|
|
init_unit_file(power_unit_t)
|
|
|
|
######################################
|
|
#
|
|
# Backlight local policy
|
|
#
|
|
|
|
allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
|
|
|
|
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
|
|
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
|
|
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
|
|
|
|
systemd_log_parse_environment(systemd_backlight_t)
|
|
|
|
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
|
|
dev_rw_sysfs(systemd_backlight_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_backlight_t)
|
|
|
|
# for udev.conf
|
|
files_read_etc_files(systemd_backlight_t)
|
|
|
|
# for /run/udev/data/+backlight*
|
|
udev_read_runtime_files(systemd_backlight_t)
|
|
|
|
files_search_var_lib(systemd_backlight_t)
|
|
|
|
fs_getattr_all_fs(systemd_backlight_t)
|
|
fs_search_cgroup_dirs(systemd_backlight_t)
|
|
|
|
#######################################
|
|
#
|
|
# Binfmt local policy
|
|
#
|
|
|
|
kernel_read_kernel_sysctls(systemd_binfmt_t)
|
|
kernel_getattr_proc(systemd_binfmt_t)
|
|
|
|
systemd_log_parse_environment(systemd_binfmt_t)
|
|
|
|
# Allow to read /etc/binfmt.d/ files
|
|
files_read_etc_files(systemd_binfmt_t)
|
|
|
|
fs_register_binary_executable_type(systemd_binfmt_t)
|
|
|
|
fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
|
|
fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
|
|
|
|
fs_getattr_cgroup(systemd_binfmt_t)
|
|
fs_search_cgroup_dirs(systemd_binfmt_t)
|
|
|
|
######################################
|
|
#
|
|
# Cgroups local policy
|
|
#
|
|
|
|
allow systemd_cgroups_t self:capability net_admin;
|
|
|
|
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
|
|
# read kernel.cap_last_cap
|
|
kernel_read_kernel_sysctls(systemd_cgroups_t)
|
|
kernel_dontaudit_getattr_proc(systemd_cgroups_t)
|
|
# for /proc/cmdline
|
|
kernel_read_system_state(systemd_cgroups_t)
|
|
|
|
mls_fd_use_all_levels(systemd_cgroups_t)
|
|
|
|
selinux_getattr_fs(systemd_cgroups_t)
|
|
|
|
# write to /run/systemd/cgroups-agent
|
|
init_dgram_send(systemd_cgroups_t)
|
|
init_stream_connect(systemd_cgroups_t)
|
|
# for /proc/1/environ
|
|
init_read_state(systemd_cgroups_t)
|
|
|
|
seutil_libselinux_linked(systemd_cgroups_t)
|
|
|
|
systemd_log_parse_environment(systemd_cgroups_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
kernel_ranged_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
|
|
######################################
|
|
#
|
|
# coredump local policy
|
|
#
|
|
|
|
allow systemd_coredump_t self:capability { dac_read_search setgid setuid setpcap sys_ptrace };
|
|
dontaudit systemd_coredump_t self:capability { dac_override net_admin };
|
|
allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
|
|
allow systemd_coredump_t self:process { getcap setcap setfscreate };
|
|
allow systemd_coredump_t self:user_namespace create;
|
|
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
|
|
allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms;
|
|
|
|
mmap_manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
|
|
|
kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
|
|
kernel_read_kernel_sysctls(systemd_coredump_t)
|
|
kernel_read_system_state(systemd_coredump_t)
|
|
kernel_rw_pipes(systemd_coredump_t)
|
|
kernel_use_fds(systemd_coredump_t)
|
|
|
|
corecmd_exec_bin(systemd_coredump_t)
|
|
corecmd_mmap_read_all_executables(systemd_coredump_t)
|
|
|
|
dev_write_kmsg(systemd_coredump_t)
|
|
|
|
domain_read_all_domains_state(systemd_coredump_t)
|
|
|
|
files_getattr_all_mountpoints(systemd_coredump_t)
|
|
files_read_etc_files(systemd_coredump_t)
|
|
files_search_var_lib(systemd_coredump_t)
|
|
files_mounton_root(systemd_coredump_t)
|
|
|
|
fs_getattr_all_fs(systemd_coredump_t)
|
|
fs_getattr_nsfs_files(systemd_coredump_t)
|
|
fs_search_cgroup_dirs(systemd_coredump_t)
|
|
|
|
init_list_var_lib_dirs(systemd_coredump_t)
|
|
init_read_state(systemd_coredump_t)
|
|
init_search_runtime(systemd_coredump_t)
|
|
init_write_runtime_socket(systemd_coredump_t)
|
|
|
|
logging_send_syslog_msg(systemd_coredump_t)
|
|
|
|
seutil_search_default_contexts(systemd_coredump_t)
|
|
|
|
#######################################
|
|
#
|
|
# Systemd generator local policy
|
|
#
|
|
|
|
allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
|
|
allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
|
|
allow systemd_generator_t self:process { getcap getsched setfscreate signal };
|
|
|
|
corecmd_exec_shell(systemd_generator_t)
|
|
corecmd_exec_bin(systemd_generator_t)
|
|
|
|
dev_read_sysfs(systemd_generator_t)
|
|
dev_write_kmsg(systemd_generator_t)
|
|
dev_write_sysfs_dirs(systemd_generator_t)
|
|
dev_read_urand(systemd_generator_t)
|
|
dev_create_sysfs_files(systemd_generator_t)
|
|
dev_write_sysfs(systemd_generator_t)
|
|
|
|
files_read_etc_files(systemd_generator_t)
|
|
files_read_etc_runtime_files(systemd_generator_t)
|
|
files_search_runtime(systemd_generator_t)
|
|
files_list_boot(systemd_generator_t)
|
|
files_read_boot_files(systemd_generator_t)
|
|
files_search_all_mountpoints(systemd_generator_t)
|
|
files_list_usr(systemd_generator_t)
|
|
files_dontaudit_getattr_all_dirs(systemd_generator_t)
|
|
files_dontaudit_read_etc_runtime_files(systemd_generator_t)
|
|
|
|
fs_list_efivars(systemd_generator_t)
|
|
fs_getattr_all_fs(systemd_generator_t)
|
|
|
|
init_create_runtime_files(systemd_generator_t)
|
|
init_manage_runtime_dirs(systemd_generator_t)
|
|
init_manage_runtime_symlinks(systemd_generator_t)
|
|
init_read_runtime_files(systemd_generator_t)
|
|
init_read_state(systemd_generator_t)
|
|
init_rename_runtime_files(systemd_generator_t)
|
|
init_search_runtime(systemd_generator_t)
|
|
init_setattr_runtime_files(systemd_generator_t)
|
|
init_write_runtime_files(systemd_generator_t)
|
|
init_read_generic_units_files(systemd_generator_t)
|
|
init_read_generic_units_symlinks(systemd_generator_t)
|
|
init_read_script_files(systemd_generator_t)
|
|
init_getattr_all_unit_files(systemd_generator_t)
|
|
init_getattr_all_script_files(systemd_generator_t)
|
|
|
|
kernel_use_fds(systemd_generator_t)
|
|
kernel_read_system_state(systemd_generator_t)
|
|
kernel_read_kernel_sysctls(systemd_generator_t)
|
|
kernel_dontaudit_getattr_proc(systemd_generator_t)
|
|
# Where an unlabeled mountpoint is encounted:
|
|
kernel_dontaudit_search_unlabeled(systemd_generator_t)
|
|
|
|
modutils_domtrans(systemd_generator_t)
|
|
|
|
# write for systemd-zram-generator
|
|
storage_raw_rw_fixed_disk(systemd_generator_t)
|
|
storage_raw_read_removable_device(systemd_generator_t)
|
|
|
|
# needed to resolve hostnames for NFS mounts
|
|
sysnet_dns_name_resolve(systemd_generator_t)
|
|
|
|
systemd_log_parse_environment(systemd_generator_t)
|
|
|
|
term_use_unallocated_ttys(systemd_generator_t)
|
|
|
|
udev_read_runtime_files(systemd_generator_t)
|
|
|
|
ifdef(`distro_gentoo',`
|
|
corecmd_shell_entry_type(systemd_generator_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cloudinit_create_runtime_dirs(systemd_generator_t)
|
|
cloudinit_rw_runtime_files(systemd_generator_t)
|
|
cloudinit_create_runtime_files(systemd_generator_t)
|
|
cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
|
|
|
|
cloudinit_getattr_state_files(systemd_generator_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# for quadlet to access /etc/containers/systemd
|
|
container_search_config(systemd_generator_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fstools_exec(systemd_generator_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_exec(systemd_generator_t)
|
|
lvm_map_config(systemd_generator_t)
|
|
lvm_read_config(systemd_generator_t)
|
|
miscfiles_read_localization(systemd_generator_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fs_search_nfsd_fs(systemd_generator_t)
|
|
fs_rw_nfsd_fs(systemd_generator_t)
|
|
rpc_list_exports(systemd_generator_t)
|
|
rpc_read_exports(systemd_generator_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# needed by zfs-mount-generator
|
|
zfs_read_config(systemd_generator_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# systemd-homed policy
|
|
#
|
|
|
|
dontaudit systemd_homed_t self:capability { sys_resource sys_admin };
|
|
allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
nnp_domtrans_pattern(systemd_homed_t, systemd_homework_exec_t, systemd_homework_t)
|
|
|
|
allow systemd_homed_t systemd_homed_tmpfs_t:file manage_file_perms;
|
|
fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file)
|
|
|
|
manage_sock_files_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t)
|
|
manage_dirs_pattern(systemd_homed_t, systemd_homed_runtime_t, systemd_homed_runtime_t)
|
|
filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t, sock_file)
|
|
init_runtime_filetrans(systemd_homed_t, systemd_homed_runtime_t, dir)
|
|
|
|
allow systemd_homed_t systemd_homed_storage_t:file read_file_perms;
|
|
|
|
allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
|
|
allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
|
|
init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
|
|
|
|
# Entries such as /sys/devices/virtual/block/loop1/uevent:
|
|
dev_read_sysfs(systemd_homed_t)
|
|
|
|
files_list_home(systemd_homed_t)
|
|
files_watch_home(systemd_homed_t)
|
|
files_read_etc_files(systemd_homed_t)
|
|
files_search_tmp(systemd_homed_t)
|
|
|
|
fs_get_xattr_fs_quotas(systemd_homed_t)
|
|
fs_getattr_all_fs(systemd_homed_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_homed_t)
|
|
kernel_read_system_state(systemd_homed_t)
|
|
|
|
systemd_log_parse_environment(systemd_homed_t)
|
|
|
|
udev_read_runtime_files(systemd_homed_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(systemd_homed_t)
|
|
dbus_connect_system_bus(systemd_homed_t)
|
|
|
|
init_dbus_chat(systemd_homed_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_list_spool(systemd_homed_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_dbus_send(systemd_homed_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# systemd-homework policy
|
|
#
|
|
|
|
allow systemd_homework_t self:capability { chown fowner fsetid sys_admin };
|
|
dontaudit systemd_homework_t self:capability sys_resource;
|
|
allow systemd_homework_t self:key { search write };
|
|
allow systemd_homework_t self:process getsched;
|
|
allow systemd_homework_t self:sem create_sem_perms;
|
|
|
|
allow systemd_homework_t systemd_homed_runtime_t:file manage_file_perms;
|
|
allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
|
|
files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
|
|
init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
|
|
|
|
# mount on /run/systemd/user-home-mount
|
|
allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
|
|
|
|
allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
|
|
files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
|
|
|
|
allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
|
|
|
|
dev_rw_loop_control(systemd_homework_t)
|
|
dev_read_rand(systemd_homework_t)
|
|
dev_read_urand(systemd_homework_t)
|
|
dev_rw_lvm_control(systemd_homework_t)
|
|
# Entries such as /sys/devices/virtual/block/loop1/uevent:
|
|
dev_read_sysfs(systemd_homework_t)
|
|
|
|
files_read_etc_files(systemd_homework_t)
|
|
files_mounton_runtime_dirs(systemd_homework_t)
|
|
|
|
fs_getattr_all_fs(systemd_homework_t)
|
|
fs_search_all(systemd_homework_t)
|
|
fs_mount_xattr_fs(systemd_homework_t)
|
|
fs_unmount_xattr_fs(systemd_homework_t)
|
|
|
|
fstools_exec(systemd_homework_t)
|
|
|
|
init_rw_inherited_stream_socket(systemd_homework_t)
|
|
init_use_fds(systemd_homework_t)
|
|
init_dontaudit_search_keys(systemd_homework_t)
|
|
|
|
kernel_write_key(systemd_homework_t)
|
|
kernel_get_sysvipc_info(systemd_homework_t)
|
|
kernel_request_load_module(systemd_homework_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_homework_t)
|
|
kernel_read_system_state(systemd_homework_t)
|
|
|
|
# loopback:
|
|
storage_raw_read_fixed_disk(systemd_homework_t)
|
|
storage_raw_write_fixed_disk(systemd_homework_t)
|
|
|
|
systemd_log_parse_environment(systemd_homework_t)
|
|
|
|
udev_read_runtime_files(systemd_homework_t)
|
|
|
|
#######################################
|
|
#
|
|
# Hostnamed policy
|
|
#
|
|
|
|
allow systemd_hostnamed_t self:capability sys_admin;
|
|
allow systemd_hostnamed_t self:process setfscreate;
|
|
|
|
fs_getattr_cgroup(systemd_hostnamed_t)
|
|
fs_getattr_xattr_fs(systemd_hostnamed_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_hostnamed_t)
|
|
kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
|
|
|
|
dev_read_sysfs(systemd_hostnamed_t)
|
|
|
|
files_read_etc_files(systemd_hostnamed_t)
|
|
files_read_etc_runtime_files(systemd_hostnamed_t)
|
|
|
|
fs_getattr_all_fs(systemd_hostnamed_t)
|
|
|
|
init_delete_runtime_files(systemd_hostnamed_t)
|
|
init_read_runtime_files(systemd_hostnamed_t)
|
|
init_write_runtime_files(systemd_hostnamed_t)
|
|
|
|
miscfiles_read_localization(systemd_hostnamed_t)
|
|
|
|
selinux_use_status_page(systemd_hostnamed_t)
|
|
|
|
seutil_read_config(systemd_hostnamed_t)
|
|
seutil_read_file_contexts(systemd_hostnamed_t)
|
|
|
|
sysnet_etc_filetrans_config(systemd_hostnamed_t)
|
|
sysnet_manage_config(systemd_hostnamed_t)
|
|
|
|
systemd_log_parse_environment(systemd_hostnamed_t)
|
|
|
|
# Allow reading /run/udev/data/+dmi:id
|
|
udev_read_runtime_files(systemd_hostnamed_t)
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(systemd_hostnamed_t)
|
|
dbus_system_bus_client(systemd_hostnamed_t)
|
|
init_dbus_chat(systemd_hostnamed_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(systemd_hostnamed_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# hw local policy
|
|
#
|
|
|
|
kernel_read_kernel_sysctls(systemd_hw_t)
|
|
|
|
allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabel_file_perms };
|
|
files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
|
|
|
|
files_search_runtime(systemd_hw_t)
|
|
|
|
fs_getattr_all_fs(systemd_hw_t)
|
|
fs_search_cgroup_dirs(systemd_hw_t)
|
|
|
|
selinux_get_fs_mount(systemd_hw_t)
|
|
selinux_use_status_page(systemd_hw_t)
|
|
|
|
init_read_state(systemd_hw_t)
|
|
init_search_runtime(systemd_hw_t)
|
|
|
|
seutil_read_config(systemd_hw_t)
|
|
seutil_read_file_contexts(systemd_hw_t)
|
|
|
|
#######################################
|
|
#
|
|
# journald local policy
|
|
#
|
|
# During system boot, the service systemd-journal-catalog-update.service
|
|
# runs journalctl with the switch --update-catalog which needs manage
|
|
# permissions for systemd_journal_t files. Transitioning from initrc_t
|
|
# into systemd_journal_init_t for this operation limits write access
|
|
# to sysemd_journal_t files to only the systemd_journal_init_t domain.
|
|
#
|
|
|
|
dontaudit systemd_journal_init_t self:capability net_admin;
|
|
|
|
manage_dirs_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t)
|
|
manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t)
|
|
|
|
fs_getattr_all_fs(systemd_journal_init_t)
|
|
fs_search_cgroup_dirs(systemd_journal_init_t)
|
|
|
|
kernel_getattr_proc(systemd_journal_init_t)
|
|
kernel_read_kernel_sysctls(systemd_journal_init_t)
|
|
kernel_read_system_state(systemd_journal_init_t)
|
|
|
|
init_read_state(systemd_journal_init_t)
|
|
init_search_var_lib_dirs(systemd_journal_init_t)
|
|
init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)
|
|
|
|
logging_send_syslog_msg(systemd_journal_init_t)
|
|
logging_stream_connect_journald_varlink(systemd_journal_init_t)
|
|
|
|
miscfiles_read_localization(systemd_journal_init_t)
|
|
|
|
#######################################
|
|
#
|
|
# locale local policy
|
|
#
|
|
|
|
kernel_read_kernel_sysctls(systemd_locale_t)
|
|
|
|
files_read_etc_files(systemd_locale_t)
|
|
|
|
fs_getattr_all_fs(systemd_locale_t)
|
|
fs_search_cgroup_dirs(systemd_locale_t)
|
|
|
|
init_stream_connect(systemd_locale_t)
|
|
|
|
selinux_use_status_page(systemd_locale_t)
|
|
|
|
seutil_read_file_contexts(systemd_locale_t)
|
|
|
|
systemd_log_parse_environment(systemd_locale_t)
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(systemd_locale_t)
|
|
dbus_system_bus_client(systemd_locale_t)
|
|
')
|
|
|
|
######################################
|
|
#
|
|
# systemd log parse environment
|
|
#
|
|
|
|
# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
|
|
dontaudit systemd_log_parse_env_type self:capability net_admin;
|
|
|
|
kernel_read_system_state(systemd_log_parse_env_type)
|
|
|
|
dev_write_kmsg(systemd_log_parse_env_type)
|
|
|
|
# For /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67
|
|
fs_read_efivarfs_files(systemd_log_parse_env_type)
|
|
|
|
term_use_console(systemd_log_parse_env_type)
|
|
|
|
init_read_state(systemd_log_parse_env_type)
|
|
|
|
logging_send_syslog_msg(systemd_log_parse_env_type)
|
|
|
|
#########################################
|
|
#
|
|
# Logind local policy
|
|
#
|
|
|
|
allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
|
|
allow systemd_logind_t self:process { getcap setfscreate };
|
|
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
|
|
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
|
|
allow systemd_logind_t systemd_logind_var_lib_t:file manage_file_perms;
|
|
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
|
|
|
|
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
|
|
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
|
|
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
|
|
|
|
manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
|
|
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
|
|
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
|
|
init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")
|
|
|
|
# for /run/systemd/userdb/io.systemd.Machine
|
|
allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
|
|
|
|
allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
|
|
allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
|
|
allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
|
|
|
|
stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
|
|
|
|
kernel_dontaudit_getattr_proc(systemd_logind_t)
|
|
kernel_read_kernel_sysctls(systemd_logind_t)
|
|
|
|
dev_getattr_dri_dev(systemd_logind_t)
|
|
dev_getattr_generic_usb_dev(systemd_logind_t)
|
|
dev_getattr_kvm_dev(systemd_logind_t)
|
|
dev_getattr_sound_dev(systemd_logind_t)
|
|
dev_getattr_video_dev(systemd_logind_t)
|
|
dev_manage_wireless(systemd_logind_t)
|
|
dev_read_urand(systemd_logind_t)
|
|
dev_rw_dri(systemd_logind_t)
|
|
dev_rw_input_dev(systemd_logind_t)
|
|
dev_rw_sysfs(systemd_logind_t)
|
|
dev_setattr_dri_dev(systemd_logind_t)
|
|
dev_setattr_generic_usb_dev(systemd_logind_t)
|
|
dev_setattr_input_dev(systemd_logind_t)
|
|
dev_setattr_kvm_dev(systemd_logind_t)
|
|
dev_setattr_sound_dev(systemd_logind_t)
|
|
dev_setattr_video_dev(systemd_logind_t)
|
|
|
|
domain_obj_id_change_exemption(systemd_logind_t)
|
|
|
|
files_check_write_runtime_dirs(systemd_logind_t)
|
|
files_read_etc_runtime_files(systemd_logind_t)
|
|
files_search_runtime(systemd_logind_t)
|
|
# Getattr all shm segments as part of cleaning up the
|
|
# segments of deleted ephemeral users.
|
|
files_getattr_all_tmpfs_files(systemd_logind_t)
|
|
files_rw_runtime_dirs(systemd_logind_t)
|
|
|
|
fs_getattr_cgroup(systemd_logind_t)
|
|
fs_getattr_tmpfs(systemd_logind_t)
|
|
fs_getattr_tmpfs_dirs(systemd_logind_t)
|
|
fs_list_tmpfs(systemd_logind_t)
|
|
fs_mount_tmpfs(systemd_logind_t)
|
|
fs_read_cgroup_files(systemd_logind_t)
|
|
fs_read_efivarfs_files(systemd_logind_t)
|
|
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
|
|
fs_unmount_tmpfs(systemd_logind_t)
|
|
fs_getattr_xattr_fs(systemd_logind_t)
|
|
fs_watch_memory_pressure(systemd_logind_t)
|
|
|
|
selinux_use_status_page(systemd_logind_t)
|
|
|
|
storage_getattr_removable_dev(systemd_logind_t)
|
|
storage_getattr_scsi_generic_dev(systemd_logind_t)
|
|
storage_setattr_removable_dev(systemd_logind_t)
|
|
storage_setattr_scsi_generic_dev(systemd_logind_t)
|
|
|
|
term_setattr_unallocated_ttys(systemd_logind_t)
|
|
term_use_unallocated_ttys(systemd_logind_t)
|
|
|
|
auth_manage_faillog(systemd_logind_t)
|
|
auth_use_nsswitch(systemd_logind_t)
|
|
|
|
init_dbus_send_script(systemd_logind_t)
|
|
init_get_all_units_status(systemd_logind_t)
|
|
init_get_system_status(systemd_logind_t)
|
|
init_read_utmp(systemd_logind_t)
|
|
init_watch_utmp(systemd_logind_t)
|
|
init_service_start(systemd_logind_t)
|
|
init_service_status(systemd_logind_t)
|
|
init_start_all_units(systemd_logind_t)
|
|
init_stop_all_units(systemd_logind_t)
|
|
init_start_system(systemd_logind_t)
|
|
init_stop_system(systemd_logind_t)
|
|
|
|
miscfiles_read_localization(systemd_logind_t)
|
|
|
|
locallogin_read_state(systemd_logind_t)
|
|
|
|
seutil_libselinux_linked(systemd_logind_t)
|
|
seutil_read_default_contexts(systemd_logind_t)
|
|
seutil_read_file_contexts(systemd_logind_t)
|
|
|
|
systemd_log_parse_environment(systemd_logind_t)
|
|
systemd_start_power_units(systemd_logind_t)
|
|
|
|
udev_list_runtime(systemd_logind_t)
|
|
udev_read_runtime_files(systemd_logind_t)
|
|
|
|
userdom_delete_all_user_runtime_dirs(systemd_logind_t)
|
|
userdom_delete_all_user_runtime_files(systemd_logind_t)
|
|
userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
|
|
userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
|
|
userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
|
|
userdom_delete_user_tmp_dirs(systemd_logind_t)
|
|
userdom_delete_user_tmp_files(systemd_logind_t)
|
|
userdom_delete_user_tmp_symlinks(systemd_logind_t)
|
|
userdom_delete_user_tmp_named_pipes(systemd_logind_t)
|
|
userdom_delete_user_tmp_named_sockets(systemd_logind_t)
|
|
# user_tmp_t is for the dbus-1 directory
|
|
userdom_list_user_tmp(systemd_logind_t)
|
|
userdom_manage_user_runtime_dirs(systemd_logind_t)
|
|
userdom_manage_user_runtime_root_dirs(systemd_logind_t)
|
|
userdom_mounton_user_runtime_dirs(systemd_logind_t)
|
|
userdom_read_all_users_state(systemd_logind_t)
|
|
userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
|
|
userdom_relabel_user_tmpfs_files(systemd_logind_t)
|
|
userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
|
|
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
|
|
userdom_setattr_user_ttys(systemd_logind_t)
|
|
userdom_use_user_ttys(systemd_logind_t)
|
|
|
|
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
|
|
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
|
|
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
|
|
# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed.
|
|
ifdef(`distro_redhat',`
|
|
userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
|
|
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
|
|
')
|
|
|
|
tunable_policy(`systemd_logind_get_bootloader',`
|
|
fs_getattr_dos_fs(systemd_logind_t)
|
|
fs_list_dos(systemd_logind_t)
|
|
fs_read_dos_files(systemd_logind_t)
|
|
|
|
files_search_boot(systemd_logind_t)
|
|
')
|
|
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
|
|
# This reads the first sectors of fixed disk devices.
|
|
storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(systemd_logind_t)
|
|
dbus_system_bus_client(systemd_logind_t)
|
|
|
|
# pidfd
|
|
dbus_use_system_bus_fds(systemd_logind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
devicekit_dbus_chat_disk(systemd_logind_t)
|
|
devicekit_dbus_chat_power(systemd_logind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
modemmanager_dbus_chat(systemd_logind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(systemd_logind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
policykit_dbus_chat(systemd_logind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_read_state(systemd_logind_t)
|
|
xserver_dbus_chat(systemd_logind_t)
|
|
xserver_dbus_chat_xdm(systemd_logind_t)
|
|
xserver_read_xdm_state(systemd_logind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_dbus_send(systemd_logind_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# machined local policy
|
|
#
|
|
|
|
allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
|
|
allow systemd_machined_t self:cap_userns sys_chroot;
|
|
allow systemd_machined_t self:process setfscreate;
|
|
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
|
|
|
|
term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
|
|
allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perms;
|
|
|
|
manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
|
|
allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
|
|
|
|
manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
|
|
|
kernel_getattr_proc(systemd_machined_t)
|
|
kernel_read_kernel_sysctls(systemd_machined_t)
|
|
kernel_read_system_state(systemd_machined_t)
|
|
|
|
dev_getattr_fs(systemd_machined_t)
|
|
dev_setattr_urand_dev(systemd_machined_t)
|
|
|
|
files_read_etc_files(systemd_machined_t)
|
|
|
|
fs_getattr_cgroup(systemd_machined_t)
|
|
fs_getattr_tmpfs(systemd_machined_t)
|
|
fs_getattr_xattr_fs(systemd_machined_t)
|
|
fs_read_nsfs_files(systemd_machined_t)
|
|
fs_watch_memory_pressure(systemd_machined_t)
|
|
|
|
selinux_getattr_fs(systemd_machined_t)
|
|
|
|
init_read_script_state(systemd_machined_t)
|
|
init_get_system_status(systemd_machined_t)
|
|
init_read_state(systemd_machined_t)
|
|
init_service_start(systemd_machined_t)
|
|
init_service_status(systemd_machined_t)
|
|
init_start_system(systemd_machined_t)
|
|
init_stop_system(systemd_machined_t)
|
|
init_get_generic_units_status(systemd_machined_t)
|
|
init_start_generic_units(systemd_machined_t)
|
|
init_stop_generic_units(systemd_machined_t)
|
|
init_get_transient_units_status(systemd_machined_t)
|
|
init_start_transient_units(systemd_machined_t)
|
|
init_stop_transient_units(systemd_machined_t)
|
|
|
|
logging_send_syslog_msg(systemd_machined_t)
|
|
|
|
seutil_search_default_contexts(systemd_machined_t)
|
|
|
|
term_getattr_pty_fs(systemd_machined_t)
|
|
|
|
optional_policy(`
|
|
init_dbus_chat(systemd_machined_t)
|
|
init_dbus_send_script(systemd_machined_t)
|
|
|
|
dbus_connect_system_bus(systemd_machined_t)
|
|
dbus_system_bus_client(systemd_machined_t)
|
|
|
|
optional_policy(`
|
|
unconfined_dbus_send(systemd_machined_t)
|
|
')
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# machine-id-setup local policy
|
|
#
|
|
|
|
allow systemd_machine_id_setup_t self:capability { setgid sys_admin sys_chroot };
|
|
|
|
files_list_var(systemd_machine_id_setup_t)
|
|
files_mounton_root(systemd_machine_id_setup_t)
|
|
files_rw_etc_runtime_files(systemd_machine_id_setup_t)
|
|
|
|
fs_getattr_cgroup(systemd_machine_id_setup_t)
|
|
fs_search_cgroup_dirs(systemd_machine_id_setup_t)
|
|
fs_getattr_tmpfs(systemd_machine_id_setup_t)
|
|
fs_read_nsfs_files(systemd_machine_id_setup_t)
|
|
fs_unmount_tmpfs(systemd_machine_id_setup_t)
|
|
|
|
kernel_dontaudit_getattr_proc(systemd_machine_id_setup_t)
|
|
kernel_read_kernel_sysctls(systemd_machine_id_setup_t)
|
|
kernel_read_system_state(systemd_machine_id_setup_t)
|
|
|
|
init_read_runtime_files(systemd_machine_id_setup_t)
|
|
init_read_state(systemd_machine_id_setup_t)
|
|
|
|
########################################
|
|
#
|
|
# modules-load local policy
|
|
#
|
|
|
|
fs_getattr_cgroup(systemd_modules_load_t)
|
|
fs_getattr_xattr_fs(systemd_modules_load_t)
|
|
|
|
kernel_load_module(systemd_modules_load_t)
|
|
kernel_read_kernel_sysctls(systemd_modules_load_t)
|
|
kernel_request_load_module(systemd_modules_load_t)
|
|
kernel_dontaudit_getattr_proc(systemd_modules_load_t)
|
|
|
|
dev_read_sysfs(systemd_modules_load_t)
|
|
|
|
files_mmap_read_kernel_modules(systemd_modules_load_t)
|
|
files_read_etc_files(systemd_modules_load_t)
|
|
|
|
fs_getattr_all_fs(systemd_modules_load_t)
|
|
fs_search_all(systemd_modules_load_t)
|
|
|
|
modutils_read_module_config(systemd_modules_load_t)
|
|
modutils_read_module_deps(systemd_modules_load_t)
|
|
|
|
systemd_log_parse_environment(systemd_modules_load_t)
|
|
|
|
########################################
|
|
#
|
|
# networkd local policy
|
|
#
|
|
|
|
allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
|
|
allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
|
|
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
|
|
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
|
|
allow systemd_networkd_t self:packet_socket create_socket_perms;
|
|
allow systemd_networkd_t self:process { getcap setcap setfscreate };
|
|
allow systemd_networkd_t self:rawip_socket create_socket_perms;
|
|
allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
|
|
allow systemd_networkd_t self:udp_socket create_socket_perms;
|
|
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
|
manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
|
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
|
|
|
|
kernel_read_system_state(systemd_networkd_t)
|
|
kernel_read_kernel_sysctls(systemd_networkd_t)
|
|
kernel_read_network_state(systemd_networkd_t)
|
|
kernel_request_load_module(systemd_networkd_t)
|
|
kernel_rw_net_sysctls(systemd_networkd_t)
|
|
kernel_dontaudit_getattr_proc(systemd_networkd_t)
|
|
|
|
corecmd_bin_entry_type(systemd_networkd_t)
|
|
corecmd_exec_bin(systemd_networkd_t)
|
|
|
|
corenet_sendrecv_icmp_packets(systemd_networkd_t)
|
|
corenet_sendrecv_dhcpd_client_packets(systemd_networkd_t)
|
|
corenet_rw_tun_tap_dev(systemd_networkd_t)
|
|
corenet_udp_bind_dhcpc_port(systemd_networkd_t)
|
|
corenet_udp_bind_generic_node(systemd_networkd_t)
|
|
|
|
dev_read_urand(systemd_networkd_t)
|
|
dev_read_sysfs(systemd_networkd_t)
|
|
dev_write_kmsg(systemd_networkd_t)
|
|
|
|
files_read_etc_files(systemd_networkd_t)
|
|
files_read_etc_runtime_files(systemd_networkd_t)
|
|
files_watch_runtime_dirs(systemd_networkd_t)
|
|
files_watch_root_dirs(systemd_networkd_t)
|
|
files_list_runtime(systemd_networkd_t)
|
|
|
|
fs_getattr_all_fs(systemd_networkd_t)
|
|
fs_search_cgroup_dirs(systemd_networkd_t)
|
|
fs_read_nsfs_files(systemd_networkd_t)
|
|
fs_watch_memory_pressure(systemd_networkd_t)
|
|
|
|
auth_use_nsswitch(systemd_networkd_t)
|
|
|
|
init_dgram_send(systemd_networkd_t)
|
|
init_read_state(systemd_networkd_t)
|
|
init_read_runtime_files(systemd_networkd_t)
|
|
init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, { dir file })
|
|
|
|
logging_send_syslog_msg(systemd_networkd_t)
|
|
|
|
miscfiles_read_localization(systemd_networkd_t)
|
|
|
|
sysnet_read_config(systemd_networkd_t)
|
|
|
|
systemd_log_parse_environment(systemd_networkd_t)
|
|
|
|
tunable_policy(`systemd_networkd_dhcp_server',`
|
|
corenet_sendrecv_dhcpd_server_packets(systemd_networkd_t)
|
|
corenet_udp_bind_dhcpd_port(systemd_networkd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(systemd_networkd_t)
|
|
dbus_connect_system_bus(systemd_networkd_t)
|
|
dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
|
|
dbus_watch_system_bus_runtime_named_sockets(systemd_networkd_t)
|
|
|
|
systemd_dbus_chat_hostnamed(systemd_networkd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_runtime_files(systemd_networkd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# systemd_notify local policy
|
|
#
|
|
allow systemd_notify_t self:capability chown;
|
|
allow systemd_notify_t self:process { setfscreate setsockcreate };
|
|
|
|
allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
|
|
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
domain_use_interactive_fds(systemd_notify_t)
|
|
|
|
files_read_etc_files(systemd_notify_t)
|
|
files_read_usr_files(systemd_notify_t)
|
|
|
|
fs_getattr_cgroup_files(systemd_notify_t)
|
|
|
|
auth_use_nsswitch(systemd_notify_t)
|
|
|
|
init_rw_stream_sockets(systemd_notify_t)
|
|
|
|
miscfiles_read_localization(systemd_notify_t)
|
|
|
|
########################################
|
|
#
|
|
# Nspawn local policy
|
|
#
|
|
|
|
allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
|
|
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
|
|
allow systemd_nspawn_t self:capability2 wake_alarm;
|
|
allow systemd_nspawn_t self:user_namespace create;
|
|
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
|
|
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
|
|
allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
|
|
allow systemd_nspawn_t self:udp_socket create_socket_perms;
|
|
|
|
allow systemd_nspawn_t systemd_journal_t:dir search;
|
|
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:file manage_file_perms;
|
|
init_runtime_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, dir)
|
|
|
|
files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
|
|
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
|
|
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
|
|
# for /tmp/.#inaccessible*
|
|
allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
|
|
|
|
# for /run/systemd/nspawn/incoming in chroot
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
|
|
|
|
kernel_mount_proc(systemd_nspawn_t)
|
|
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
|
|
kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
|
|
kernel_mounton_message_if(systemd_nspawn_t)
|
|
kernel_mounton_proc_dirs(systemd_nspawn_t)
|
|
kernel_read_kernel_sysctls(systemd_nspawn_t)
|
|
kernel_read_system_state(systemd_nspawn_t)
|
|
kernel_remount_proc(systemd_nspawn_t)
|
|
|
|
corecmd_exec_shell(systemd_nspawn_t)
|
|
corecmd_search_bin(systemd_nspawn_t)
|
|
|
|
corenet_rw_tun_tap_dev(systemd_nspawn_t)
|
|
|
|
dev_getattr_fs(systemd_nspawn_t)
|
|
dev_manage_sysfs_dirs(systemd_nspawn_t)
|
|
dev_mounton_sysfs_dirs(systemd_nspawn_t)
|
|
dev_mount_sysfs(systemd_nspawn_t)
|
|
dev_remount_sysfs(systemd_nspawn_t)
|
|
dev_unmount_sysfs(systemd_nspawn_t)
|
|
dev_read_sysfs(systemd_nspawn_t)
|
|
dev_read_rand(systemd_nspawn_t)
|
|
dev_read_urand(systemd_nspawn_t)
|
|
|
|
files_getattr_tmp_dirs(systemd_nspawn_t)
|
|
files_manage_etc_files(systemd_nspawn_t)
|
|
files_manage_mnt_dirs(systemd_nspawn_t)
|
|
files_mounton_mnt(systemd_nspawn_t)
|
|
files_mounton_root(systemd_nspawn_t)
|
|
files_mounton_tmp(systemd_nspawn_t)
|
|
files_read_kernel_symbol_table(systemd_nspawn_t)
|
|
files_setattr_runtime_dirs(systemd_nspawn_t)
|
|
|
|
fs_getattr_cgroup(systemd_nspawn_t)
|
|
fs_getattr_tmpfs(systemd_nspawn_t)
|
|
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
|
|
fs_mount_tmpfs(systemd_nspawn_t)
|
|
fs_remount_tmpfs(systemd_nspawn_t)
|
|
fs_remount_xattr_fs(systemd_nspawn_t)
|
|
fs_read_cgroup_files(systemd_nspawn_t)
|
|
fs_watch_memory_pressure(systemd_nspawn_t)
|
|
|
|
term_getattr_generic_ptys(systemd_nspawn_t)
|
|
term_getattr_pty_fs(systemd_nspawn_t)
|
|
term_mount_devpts(systemd_nspawn_t)
|
|
term_search_ptys(systemd_nspawn_t)
|
|
term_setattr_generic_ptys(systemd_nspawn_t)
|
|
term_use_ptmx(systemd_nspawn_t)
|
|
|
|
init_domtrans_script(systemd_nspawn_t)
|
|
init_getrlimit(systemd_nspawn_t)
|
|
init_kill_scripts(systemd_nspawn_t)
|
|
init_read_state(systemd_nspawn_t)
|
|
init_search_run(systemd_nspawn_t)
|
|
init_write_runtime_socket(systemd_nspawn_t)
|
|
init_spec_domtrans_script(systemd_nspawn_t)
|
|
|
|
miscfiles_manage_localization(systemd_nspawn_t)
|
|
|
|
# for writing inside chroot
|
|
sysnet_manage_config(systemd_nspawn_t)
|
|
|
|
udev_read_runtime_files(systemd_nspawn_t)
|
|
|
|
userdom_manage_user_home_dirs(systemd_nspawn_t)
|
|
|
|
tunable_policy(`systemd_nspawn_labeled_namespace',`
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
|
|
files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
|
|
|
|
allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
|
|
fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
|
|
|
|
corecmd_exec_bin(systemd_nspawn_t)
|
|
corecmd_exec_shell(systemd_nspawn_t)
|
|
|
|
dev_mounton(systemd_nspawn_t)
|
|
dev_setattr_generic_dirs(systemd_nspawn_t)
|
|
|
|
# manage etc symlinks for /etc/localtime
|
|
files_manage_etc_symlinks(systemd_nspawn_t)
|
|
files_mounton_runtime_dirs(systemd_nspawn_t)
|
|
files_mounton_kernel_symbol_table(systemd_nspawn_t)
|
|
files_search_home(systemd_nspawn_t)
|
|
|
|
fs_getattr_cgroup(systemd_nspawn_t)
|
|
fs_manage_cgroup_dirs(systemd_nspawn_t)
|
|
fs_manage_tmpfs_dirs(systemd_nspawn_t)
|
|
fs_manage_tmpfs_files(systemd_nspawn_t)
|
|
fs_manage_tmpfs_symlinks(systemd_nspawn_t)
|
|
fs_mount_cgroup(systemd_nspawn_t)
|
|
fs_mounton_cgroup(systemd_nspawn_t)
|
|
fs_mounton_tmpfs(systemd_nspawn_t)
|
|
fs_mounton_tmpfs_files(systemd_nspawn_t)
|
|
fs_remount_cgroup(systemd_nspawn_t)
|
|
fs_search_tmpfs(systemd_nspawn_t)
|
|
fs_unmount_cgroup(systemd_nspawn_t)
|
|
fs_write_cgroup_files(systemd_nspawn_t)
|
|
|
|
selinux_getattr_fs(systemd_nspawn_t)
|
|
selinux_remount_fs(systemd_nspawn_t)
|
|
selinux_search_fs(systemd_nspawn_t)
|
|
selinux_mounton_fs(systemd_nspawn_t)
|
|
|
|
init_domtrans(systemd_nspawn_t)
|
|
|
|
logging_search_logs(systemd_nspawn_t)
|
|
|
|
seutil_search_default_contexts(systemd_nspawn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(systemd_nspawn_t)
|
|
|
|
systemd_dbus_chat_machined(systemd_nspawn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
virt_manage_virt_content(systemd_nspawn_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# systemd_passwd_agent_t local policy
|
|
#
|
|
|
|
allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
|
|
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
|
|
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
|
|
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
|
|
init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
|
|
|
|
kernel_read_system_state(systemd_passwd_agent_t)
|
|
kernel_stream_connect(systemd_passwd_agent_t)
|
|
|
|
dev_create_generic_dirs(systemd_passwd_agent_t)
|
|
dev_read_generic_files(systemd_passwd_agent_t)
|
|
dev_write_generic_sock_files(systemd_passwd_agent_t)
|
|
dev_write_kmsg(systemd_passwd_agent_t)
|
|
|
|
files_read_etc_files(systemd_passwd_agent_t)
|
|
|
|
fs_getattr_xattr_fs(systemd_passwd_agent_t)
|
|
|
|
selinux_get_enforce_mode(systemd_passwd_agent_t)
|
|
selinux_getattr_fs(systemd_passwd_agent_t)
|
|
|
|
term_read_console(systemd_passwd_agent_t)
|
|
|
|
auth_use_nsswitch(systemd_passwd_agent_t)
|
|
|
|
init_create_runtime_dirs(systemd_passwd_agent_t)
|
|
init_read_runtime_pipes(systemd_passwd_agent_t)
|
|
init_read_state(systemd_passwd_agent_t)
|
|
init_read_utmp(systemd_passwd_agent_t)
|
|
init_stream_connect(systemd_passwd_agent_t)
|
|
|
|
logging_send_syslog_msg(systemd_passwd_agent_t)
|
|
|
|
miscfiles_read_localization(systemd_passwd_agent_t)
|
|
|
|
seutil_search_default_contexts(systemd_passwd_agent_t)
|
|
|
|
userdom_use_user_terminals(systemd_passwd_agent_t)
|
|
|
|
optional_policy(`
|
|
getty_use_fds(systemd_passwd_agent_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_signull(systemd_passwd_agent_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
plymouthd_stream_connect(systemd_passwd_agent_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# systemd-pcrphase local policy
|
|
#
|
|
|
|
allow systemd_pcrphase_t self:capability dac_override;
|
|
dontaudit systemd_pcrphase_t self:capability net_admin;
|
|
|
|
dev_read_sysfs(systemd_pcrphase_t)
|
|
dev_rw_tpm(systemd_pcrphase_t)
|
|
dev_write_kmsg(systemd_pcrphase_t)
|
|
|
|
# read /etc/machine-id
|
|
files_read_etc_runtime_files(systemd_pcrphase_t)
|
|
files_search_var_lib(systemd_pcrphase_t)
|
|
|
|
fs_read_efivarfs_files(systemd_pcrphase_t)
|
|
fs_getattr_cgroup(systemd_pcrphase_t)
|
|
fs_search_cgroup_dirs(systemd_pcrphase_t)
|
|
|
|
kernel_dontaudit_getattr_proc(systemd_pcrphase_t)
|
|
kernel_read_kernel_sysctls(systemd_pcrphase_t)
|
|
kernel_read_system_state(systemd_pcrphase_t)
|
|
|
|
init_read_state(systemd_pcrphase_t)
|
|
# for writing the TPM public key and measurements to /var/lib/systemd and /run/systemd
|
|
init_manage_runtime_files(systemd_pcrphase_t)
|
|
init_manage_var_lib_files(systemd_pcrphase_t)
|
|
|
|
systemd_list_log_dirs(systemd_pcrphase_t)
|
|
systemd_create_log_dirs(systemd_pcrphase_t)
|
|
systemd_create_log_files(systemd_pcrphase_t)
|
|
systemd_write_log_files(systemd_pcrphase_t)
|
|
systemd_setattr_log_files(systemd_pcrphase_t)
|
|
|
|
logging_send_syslog_msg(systemd_pcrphase_t)
|
|
|
|
miscfiles_read_generic_certs(systemd_pcrphase_t)
|
|
|
|
#########################################
|
|
#
|
|
# systemd-pstore local policy
|
|
#
|
|
|
|
dontaudit systemd_pstore_t self:capability net_admin;
|
|
|
|
manage_files_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t)
|
|
|
|
files_read_etc_files(systemd_pstore_t)
|
|
files_search_var_lib(systemd_pstore_t)
|
|
|
|
fs_list_pstore_dirs(systemd_pstore_t)
|
|
fs_read_pstore_files(systemd_pstore_t)
|
|
fs_delete_pstore_files(systemd_pstore_t)
|
|
|
|
init_search_run(systemd_pstore_t)
|
|
init_list_var_lib_dirs(systemd_pstore_t)
|
|
|
|
kernel_read_system_state(systemd_pstore_t)
|
|
|
|
logging_send_syslog_msg(systemd_pstore_t)
|
|
|
|
#######################################
|
|
#
|
|
# Rfkill local policy
|
|
#
|
|
|
|
allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read getopt setopt };
|
|
|
|
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
|
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
|
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
|
|
|
|
fs_getattr_all_fs(systemd_rfkill_t)
|
|
|
|
kernel_getattr_proc(systemd_rfkill_t)
|
|
kernel_read_kernel_sysctls(systemd_rfkill_t)
|
|
|
|
dev_read_sysfs(systemd_rfkill_t)
|
|
dev_rw_wireless(systemd_rfkill_t)
|
|
|
|
# Allow reading /etc/udev/udev.conf
|
|
files_read_etc_files(systemd_rfkill_t)
|
|
|
|
# Allow reading /run/udev/data/+rfkill:rfkill0
|
|
udev_read_runtime_files(systemd_rfkill_t)
|
|
|
|
systemd_log_parse_environment(systemd_rfkill_t)
|
|
|
|
#########################################
|
|
#
|
|
# Resolved local policy
|
|
#
|
|
|
|
allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
|
|
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
|
|
allow systemd_resolved_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow systemd_resolved_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
|
|
|
|
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
|
manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
|
manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
|
manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
|
init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
|
|
|
|
dev_read_sysfs(systemd_resolved_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_resolved_t)
|
|
kernel_read_net_sysctls(systemd_resolved_t)
|
|
kernel_dontaudit_getattr_proc(systemd_resolved_t)
|
|
|
|
corenet_tcp_bind_generic_node(systemd_resolved_t)
|
|
corenet_tcp_bind_dns_port(systemd_resolved_t)
|
|
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
|
corenet_udp_bind_generic_node(systemd_resolved_t)
|
|
corenet_udp_bind_dns_port(systemd_resolved_t)
|
|
corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
|
corenet_udp_bind_howl_port(systemd_resolved_t)
|
|
|
|
selinux_use_status_page(systemd_resolved_t)
|
|
|
|
auth_use_nsswitch(systemd_resolved_t)
|
|
|
|
files_watch_root_dirs(systemd_resolved_t)
|
|
files_watch_runtime_dirs(systemd_resolved_t)
|
|
files_list_runtime(systemd_resolved_t)
|
|
|
|
fs_getattr_all_fs(systemd_resolved_t)
|
|
fs_search_cgroup_dirs(systemd_resolved_t)
|
|
fs_search_tmpfs(systemd_resolved_t)
|
|
fs_search_ramfs(systemd_resolved_t)
|
|
fs_watch_memory_pressure(systemd_resolved_t)
|
|
|
|
init_dgram_send(systemd_resolved_t)
|
|
|
|
miscfiles_read_generic_certs(systemd_resolved_t)
|
|
|
|
seutil_libselinux_linked(systemd_resolved_t)
|
|
seutil_read_file_contexts(systemd_resolved_t)
|
|
|
|
systemd_log_parse_environment(systemd_resolved_t)
|
|
systemd_read_networkd_runtime(systemd_resolved_t)
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(systemd_resolved_t)
|
|
dbus_system_bus_client(systemd_resolved_t)
|
|
dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
|
|
dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# Socket-proxyd local policy
|
|
#
|
|
|
|
allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write };
|
|
allow systemd_socket_proxyd_t self:tcp_socket accept;
|
|
|
|
kernel_read_system_state(systemd_socket_proxyd_t)
|
|
|
|
auth_use_nsswitch(systemd_socket_proxyd_t)
|
|
|
|
sysnet_dns_name_resolve(systemd_socket_proxyd_t)
|
|
|
|
tunable_policy(`systemd_socket_proxyd_bind_any',`
|
|
corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
|
|
',`
|
|
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
|
|
')
|
|
|
|
tunable_policy(`systemd_socket_proxyd_connect_any',`
|
|
corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
|
|
',`
|
|
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# Sessions local policy
|
|
#
|
|
|
|
allow systemd_sessions_t self:process setfscreate;
|
|
|
|
allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
|
|
files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
|
|
|
|
fs_getattr_all_fs(systemd_sessions_t)
|
|
fs_search_cgroup_dirs(systemd_sessions_t)
|
|
fs_search_tmpfs(systemd_sessions_t)
|
|
fs_search_ramfs(systemd_sessions_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_sessions_t)
|
|
kernel_dontaudit_getattr_proc(systemd_sessions_t)
|
|
|
|
selinux_get_fs_mount(systemd_sessions_t)
|
|
selinux_use_status_page(systemd_sessions_t)
|
|
|
|
seutil_read_config(systemd_sessions_t)
|
|
seutil_read_default_contexts(systemd_sessions_t)
|
|
seutil_read_file_contexts(systemd_sessions_t)
|
|
|
|
systemd_log_parse_environment(systemd_sessions_t)
|
|
|
|
########################################
|
|
#
|
|
# sysctl local policy
|
|
#
|
|
|
|
# sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict
|
|
# sys_ptrace for kernel.yama.ptrace_scope
|
|
# net_admin for network sysctls
|
|
allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace };
|
|
|
|
kernel_read_kernel_sysctls(systemd_sysctl_t)
|
|
kernel_request_load_module(systemd_sysctl_t)
|
|
kernel_rw_all_sysctls(systemd_sysctl_t)
|
|
kernel_dontaudit_getattr_proc(systemd_sysctl_t)
|
|
|
|
files_read_etc_files(systemd_sysctl_t)
|
|
|
|
fs_getattr_all_fs(systemd_sysctl_t)
|
|
fs_search_cgroup_dirs(systemd_sysctl_t)
|
|
fs_search_ramfs(systemd_sysctl_t)
|
|
fs_search_tmpfs(systemd_sysctl_t)
|
|
|
|
systemd_log_parse_environment(systemd_sysctl_t)
|
|
|
|
#########################################
|
|
#
|
|
# Sysusers local policy
|
|
#
|
|
|
|
allow systemd_sysusers_t self:capability { dac_read_search chown fsetid };
|
|
allow systemd_sysusers_t self:process setfscreate;
|
|
allow systemd_sysusers_t self:unix_dgram_socket sendto;
|
|
|
|
files_manage_etc_files(systemd_sysusers_t)
|
|
|
|
fs_getattr_all_fs(systemd_sysusers_t)
|
|
fs_search_all(systemd_sysusers_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_sysusers_t)
|
|
|
|
selinux_use_status_page(systemd_sysusers_t)
|
|
|
|
auth_manage_shadow(systemd_sysusers_t)
|
|
auth_etc_filetrans_shadow(systemd_sysusers_t)
|
|
auth_use_nsswitch(systemd_sysusers_t)
|
|
|
|
seutil_libselinux_linked(systemd_sysusers_t)
|
|
seutil_read_file_contexts(systemd_sysusers_t)
|
|
|
|
systemd_log_parse_environment(systemd_sysusers_t)
|
|
|
|
#########################################
|
|
#
|
|
# Tmpfiles local policy
|
|
#
|
|
|
|
allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
|
|
allow systemd_tmpfiles_t self:process { setfscreate getcap };
|
|
|
|
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
|
|
|
|
allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
|
|
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
|
|
|
allow systemd_tmpfiles_t systemd_pstore_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow systemd_tmpfiles_t systemd_pstore_var_lib_t:file manage_file_perms;
|
|
|
|
allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { manage_file_perms relabel_file_perms };
|
|
|
|
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
|
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
|
|
allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms;
|
|
allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
|
|
|
|
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
|
|
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
|
|
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
|
|
|
|
kernel_getattr_proc(systemd_tmpfiles_t)
|
|
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
|
|
kernel_read_network_state(systemd_tmpfiles_t)
|
|
|
|
dev_getattr_fs(systemd_tmpfiles_t)
|
|
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
|
|
dev_read_urand(systemd_tmpfiles_t)
|
|
dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
|
dev_setattr_all_sysfs(systemd_tmpfiles_t)
|
|
# Allow systemd-tmpfiles to enable pstore kernel parameters over sysfs
|
|
# /sys/module/printk/parameters/always_kmsg_dump
|
|
# /sys/module/kernel/parameters/crash_kexec_post_notifiers
|
|
dev_write_sysfs(systemd_tmpfiles_t)
|
|
|
|
domain_obj_id_change_exemption(systemd_tmpfiles_t)
|
|
|
|
files_create_lock_dirs(systemd_tmpfiles_t)
|
|
files_dontaudit_getattr_all_dirs(systemd_tmpfiles_t)
|
|
files_manage_all_runtime_dirs(systemd_tmpfiles_t)
|
|
files_delete_usr_files(systemd_tmpfiles_t)
|
|
files_list_home(systemd_tmpfiles_t)
|
|
files_list_locks(systemd_tmpfiles_t)
|
|
files_manage_config_dirs(systemd_tmpfiles_t)
|
|
files_manage_config_files(systemd_tmpfiles_t)
|
|
files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
|
|
files_manage_var_dirs(systemd_tmpfiles_t)
|
|
files_manage_var_lib_dirs(systemd_tmpfiles_t)
|
|
files_manage_all_locks(systemd_tmpfiles_t)
|
|
files_purge_tmp(systemd_tmpfiles_t)
|
|
files_read_etc_files(systemd_tmpfiles_t)
|
|
files_read_etc_runtime_files(systemd_tmpfiles_t)
|
|
files_relabel_config_dirs(systemd_tmpfiles_t)
|
|
files_relabel_config_files(systemd_tmpfiles_t)
|
|
files_relabel_config_symlinks(systemd_tmpfiles_t)
|
|
files_relabel_all_locks(systemd_tmpfiles_t)
|
|
files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
|
|
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
|
|
files_relabel_var_dirs(systemd_tmpfiles_t)
|
|
files_relabel_var_lib_dirs(systemd_tmpfiles_t)
|
|
files_relabelfrom_home(systemd_tmpfiles_t)
|
|
files_relabelto_home(systemd_tmpfiles_t)
|
|
files_relabelto_etc_dirs(systemd_tmpfiles_t)
|
|
files_setattr_lock_dirs(systemd_tmpfiles_t)
|
|
# for /etc/mtab
|
|
files_manage_etc_symlinks(systemd_tmpfiles_t)
|
|
|
|
fs_list_tmpfs(systemd_tmpfiles_t)
|
|
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
|
|
fs_getattr_all_fs(systemd_tmpfiles_t)
|
|
fs_search_cgroup_dirs(systemd_tmpfiles_t)
|
|
|
|
selinux_get_fs_mount(systemd_tmpfiles_t)
|
|
selinux_use_status_page(systemd_tmpfiles_t)
|
|
|
|
auth_append_lastlog(systemd_tmpfiles_t)
|
|
auth_manage_faillog(systemd_tmpfiles_t)
|
|
auth_manage_lastlog(systemd_tmpfiles_t)
|
|
auth_manage_login_records(systemd_tmpfiles_t)
|
|
auth_manage_var_auth(systemd_tmpfiles_t)
|
|
auth_relabel_lastlog(systemd_tmpfiles_t)
|
|
auth_relabel_login_records(systemd_tmpfiles_t)
|
|
auth_setattr_login_records(systemd_tmpfiles_t)
|
|
|
|
auth_use_nsswitch(systemd_tmpfiles_t)
|
|
|
|
init_manage_utmp(systemd_tmpfiles_t)
|
|
init_manage_var_lib_files(systemd_tmpfiles_t)
|
|
# for /proc/1/environ
|
|
init_read_state(systemd_tmpfiles_t)
|
|
|
|
init_relabel_utmp(systemd_tmpfiles_t)
|
|
init_relabel_var_lib_dirs(systemd_tmpfiles_t)
|
|
init_read_runtime_files(systemd_tmpfiles_t)
|
|
|
|
logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
|
|
logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
|
|
logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
|
|
logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
|
|
logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
|
|
|
|
miscfiles_manage_man_pages(systemd_tmpfiles_t)
|
|
miscfiles_relabel_man_cache(systemd_tmpfiles_t)
|
|
miscfiles_getattr_localization(systemd_tmpfiles_t)
|
|
|
|
seutil_read_config(systemd_tmpfiles_t)
|
|
seutil_read_file_contexts(systemd_tmpfiles_t)
|
|
|
|
sysnet_manage_config(systemd_tmpfiles_t)
|
|
sysnet_relabel_config(systemd_tmpfiles_t)
|
|
|
|
systemd_log_parse_environment(systemd_tmpfiles_t)
|
|
|
|
userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
|
|
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
|
|
|
|
tunable_policy(`systemd_tmpfiles_manage_all',`
|
|
# systemd-tmpfiles can be configured to manage anything.
|
|
# have a last-resort option for users to do this.
|
|
files_manage_non_security_dirs(systemd_tmpfiles_t)
|
|
files_manage_non_security_files(systemd_tmpfiles_t)
|
|
files_relabel_non_security_dirs(systemd_tmpfiles_t)
|
|
files_relabel_non_security_files(systemd_tmpfiles_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_read_lib_files(systemd_tmpfiles_t)
|
|
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apt_use_fds(systemd_tmpfiles_t)
|
|
dpkg_script_rw_inherited_pipes(systemd_tmpfiles_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
screen_dontaudit_getattr_sock_file(systemd_tmpfiles_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xfs_create_tmp_dirs(systemd_tmpfiles_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_create_console_pipes(systemd_tmpfiles_t)
|
|
xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
|
|
xserver_relabel_console_pipes(systemd_tmpfiles_t)
|
|
xserver_setattr_console_pipes(systemd_tmpfiles_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# Update Done local policy
|
|
#
|
|
|
|
allow systemd_update_done_t self:process setfscreate;
|
|
|
|
allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
|
|
|
|
files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
|
|
files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
|
|
|
|
fs_getattr_all_fs(systemd_update_done_t)
|
|
fs_search_cgroup_dirs(systemd_update_done_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_update_done_t)
|
|
|
|
selinux_use_status_page(systemd_update_done_t)
|
|
|
|
seutil_read_config(systemd_update_done_t)
|
|
seutil_read_file_contexts(systemd_update_done_t)
|
|
|
|
systemd_log_parse_environment(systemd_update_done_t)
|
|
|
|
#########################################
|
|
#
|
|
# User session (systemd --user) local policy
|
|
#
|
|
|
|
allow systemd_user_session_type self:bpf { prog_load prog_run };
|
|
allow systemd_user_session_type self:capability { dac_read_search sys_resource };
|
|
dontaudit systemd_user_session_type self:capability dac_override;
|
|
allow systemd_user_session_type self:fifo_file rw_fifo_file_perms;
|
|
allow systemd_user_session_type self:process { setfscreate setsockcreate setcap getcap };
|
|
allow systemd_user_session_type self:udp_socket create_socket_perms;
|
|
allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
|
|
allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
|
|
|
|
allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
|
|
allow systemd_user_session_type systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
|
|
allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
|
|
userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
|
|
|
|
allow systemd_user_session_type systemd_user_runtime_notify_t:sock_file create;
|
|
type_transition systemd_user_session_type systemd_user_runtime_t:sock_file systemd_user_runtime_notify_t "notify";
|
|
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.early")
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.late")
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_transient_unit_t, dir, "transient")
|
|
filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "user")
|
|
|
|
allow systemd_user_session_type systemd_user_tmpfs_t:file manage_file_perms;
|
|
fs_tmpfs_filetrans(systemd_user_session_type, systemd_user_tmpfs_t, file)
|
|
|
|
# Run generators in /usr/lib/systemd/user-environment-generators with no domain transition
|
|
can_exec(systemd_user_session_type, systemd_generator_exec_t)
|
|
|
|
dev_write_sysfs_dirs(systemd_user_session_type)
|
|
dev_read_sysfs(systemd_user_session_type)
|
|
|
|
domain_getattr_all_entry_files(systemd_user_session_type)
|
|
|
|
files_read_etc_files(systemd_user_session_type)
|
|
files_list_usr(systemd_user_session_type)
|
|
# /etc/localtime
|
|
files_watch_etc_symlinks(systemd_user_session_type)
|
|
|
|
fs_getattr_cgroup(systemd_user_session_type)
|
|
fs_getattr_tmpfs(systemd_user_session_type)
|
|
fs_rw_cgroup_files(systemd_user_session_type)
|
|
fs_manage_cgroup_dirs(systemd_user_session_type)
|
|
|
|
# for /proc/sys/fs/nr_open
|
|
kernel_read_fs_sysctls(systemd_user_session_type)
|
|
kernel_read_kernel_sysctls(systemd_user_session_type)
|
|
|
|
selinux_compute_access_vector(systemd_user_session_type)
|
|
selinux_compute_create_context(systemd_user_session_type)
|
|
|
|
storage_getattr_fixed_disk_dev(systemd_user_session_type)
|
|
|
|
# for systemd-executor
|
|
init_exec(systemd_user_session_type)
|
|
|
|
# for /run/systemd/notify
|
|
init_dgram_send(systemd_user_session_type)
|
|
init_signal(systemd_user_session_type)
|
|
|
|
logging_send_audit_msgs(systemd_user_session_type)
|
|
|
|
miscfiles_read_localization(systemd_user_session_type)
|
|
|
|
mount_list_runtime(systemd_user_session_type)
|
|
mount_watch_runtime_dirs(systemd_user_session_type)
|
|
|
|
# for systemd to read udev status
|
|
udev_read_runtime_files(systemd_user_session_type)
|
|
udev_list_runtime(systemd_user_session_type)
|
|
|
|
seutil_libselinux_linked(systemd_user_session_type)
|
|
|
|
########################################
|
|
#
|
|
# systemd-userdbd local policy
|
|
#
|
|
|
|
allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
|
|
allow systemd_userdbd_t self:process { getcap signal };
|
|
allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)
|
|
|
|
manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
|
manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
|
manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
|
init_runtime_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir)
|
|
|
|
can_exec(systemd_userdbd_t, systemd_userdbd_exec_t)
|
|
|
|
auth_read_shadow(systemd_userdbd_t)
|
|
auth_use_nsswitch(systemd_userdbd_t)
|
|
|
|
dev_read_urand(systemd_userdbd_t)
|
|
|
|
files_read_etc_files(systemd_userdbd_t)
|
|
files_read_etc_runtime_files(systemd_userdbd_t)
|
|
files_read_usr_files(systemd_userdbd_t)
|
|
|
|
fs_getattr_all_fs(systemd_userdbd_t)
|
|
fs_search_cgroup_dirs(systemd_userdbd_t)
|
|
fs_read_efivarfs_files(systemd_userdbd_t)
|
|
|
|
kernel_read_system_state(systemd_userdbd_t)
|
|
|
|
init_stream_connect(systemd_userdbd_t)
|
|
init_search_runtime(systemd_userdbd_t)
|
|
init_read_state(systemd_userdbd_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_userdbd_t)
|
|
|
|
seutil_search_default_contexts(systemd_userdbd_t)
|
|
|
|
systemd_log_parse_environment(systemd_userdbd_t)
|
|
|
|
#########################################
|
|
#
|
|
# systemd-user-runtime-dir local policy
|
|
#
|
|
|
|
allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
|
|
allow systemd_user_runtime_dir_t self:process setfscreate;
|
|
|
|
domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
|
|
|
|
allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
|
|
allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
|
|
|
|
files_read_etc_files(systemd_user_runtime_dir_t)
|
|
|
|
fs_mount_tmpfs(systemd_user_runtime_dir_t)
|
|
fs_getattr_tmpfs(systemd_user_runtime_dir_t)
|
|
fs_list_tmpfs(systemd_user_runtime_dir_t)
|
|
fs_unmount_tmpfs(systemd_user_runtime_dir_t)
|
|
fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
|
|
fs_read_cgroup_files(systemd_user_runtime_dir_t)
|
|
fs_getattr_cgroup(systemd_user_runtime_dir_t)
|
|
fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
|
|
fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
|
|
|
|
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
|
|
kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
|
|
|
|
selinux_use_status_page(systemd_user_runtime_dir_t)
|
|
|
|
systemd_log_parse_environment(systemd_user_runtime_dir_t)
|
|
systemd_dbus_chat_logind(systemd_user_runtime_dir_t)
|
|
|
|
seutil_read_file_contexts(systemd_user_runtime_dir_t)
|
|
seutil_libselinux_linked(systemd_user_runtime_dir_t)
|
|
|
|
userdom_list_all_user_runtime(systemd_user_runtime_dir_t)
|
|
userdom_delete_all_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
userdom_delete_all_user_runtime_files(systemd_user_runtime_dir_t)
|
|
userdom_delete_all_user_runtime_symlinks(systemd_user_runtime_dir_t)
|
|
userdom_delete_all_user_runtime_named_pipes(systemd_user_runtime_dir_t)
|
|
userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
|
|
userdom_delete_all_user_runtime_blk_files(systemd_user_runtime_dir_t)
|
|
userdom_delete_all_user_runtime_chr_files(systemd_user_runtime_dir_t)
|
|
|
|
userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
|
|
userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
|
|
|
|
userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
|
|
userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
|
|
userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(systemd_user_runtime_dir_t)
|
|
')
|