2017-02-24 10:45:40

by Russell Coker

Subject: [refpolicy] [PATCH] reorder systemd and add some policy

The following patch reorders systemd.te to have all the module policy sections
in alphabetical order and to add policy for coredump, hostnamed, machined,
notify, and passwd_agent. It also adds some interfaces needed by the added
policy.


Index: refpolicy-2.20170224/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170224/policy/modules/system/systemd.te
@@ -160,24 +160,6 @@ init_unit_file(power_unit_t)

######################################
#
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
-######################################
-#
# Backlight local policy
#

@@ -226,6 +208,55 @@ init_stream_connect(systemd_cgroups_t)

systemd_log_parse_environment(systemd_cgroups_t)

+######################################
+#
+# coredump local policy
+#
+
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
+
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
+
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+dev_write_kmsg(systemd_coredump_t)
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+fs_getattr_xattr_fs(systemd_coredump_t)
+logging_send_syslog_msg(systemd_coredump_t)
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pid_dirs(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+selinux_getattr_fs(systemd_coredump_t)
+seutil_search_default_contexts(systemd_coredump_t)
+
+
+#######################################
+#
+# Hostnamed policy
+#
+
+kernel_read_kernel_sysctls(systemd_hostnamed_t)
+
+files_read_etc_files(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+systemd_log_parse_environment(systemd_hostnamed_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
#######################################
#
# locale local policy
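Review bot: The coredump block grants `self:capability { setgid setuid setpcap }` and `self:process { getcap setcap setfscreate }` next to `corecmd_exec_bin` and `corecmd_read_all_executables`, with no comment saying what needs them. This domain handles data from crashed processes, so the reason for each grant should be recorded for later audits. If the capabilities are there so the helper can switch to the crashed process's credentials, a line such as `# switch to the uid/gid of the crashed process before writing the core` above the capability rule would say so; I am inferring that reason, so please confirm it. `corecmd_exec_bin` lets systemd_coredump_t execute bin_t programs without a domain transition, so if only one helper is run, name it in a comment to make later tightening possible.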
@@ -244,23 +275,23 @@ optional_policy(`
dbus_system_bus_client(systemd_locale_t)
')

-#######################################
+######################################
#
-# Hostnamed policy
+# systemd log parse enviroment
#

-kernel_read_kernel_sysctls(systemd_hostnamed_t)
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;

-files_read_etc_files(systemd_hostnamed_t)
+kernel_read_system_state(systemd_log_parse_env_type)

-seutil_read_file_contexts(systemd_hostnamed_t)
+dev_write_kmsg(systemd_log_parse_env_type)

-systemd_log_parse_environment(systemd_hostnamed_t)
+term_use_console(systemd_log_parse_env_type)

-optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
- dbus_connect_system_bus(systemd_hostnamed_t)
-')
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)

#########################################
#
@@ -325,6 +356,66 @@ optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
')

+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+logging_send_syslog_msg(systemd_machined_t)
+
+read_initrc_files(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+seutil_search_default_contexts(systemd_machined_t)
+start_stop_init_var_run_service(systemd_machined_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_machined_t)
+ dbus_system_bus_client(systemd_machined_t)
+')
+
+optional_policy(`
+ init_dbus_chat(systemd_machined_t)
+ init_dbus_send_script(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+auth_use_nsswitch(systemd_notify_t)
+domain_use_interactive_fds(systemd_notify_t)
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+fs_getattr_cgroup_files(systemd_notify_t)
+init_rw_stream_sockets(systemd_notify_t)
+miscfiles_read_localization(systemd_notify_t)
+
########################################
#
# Nspawn local policy
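Review bot: `allow systemd_machined_t self:capability sys_ptrace;` is the most sensitive rule in the machined block and has no justification next to it. No `process ptrace` permission on another domain is granted in this hunk, so the capability is presumably only needed to read /proc/PID entries of other processes (the `read_initrc_files` summary mentions /proc/pid/cgroup). Once confirmed, a comment such as `# sys_ptrace: read /proc/PID/* of processes in other domains` would record that. The systemd_notify section also lacks the blank line between its header `#` and the first `allow` that the other sections have.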
@@ -332,6 +423,57 @@ optional_policy(`

init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)

+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+files_read_etc_files(systemd_passwd_agent_t)
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+logging_send_syslog_msg(systemd_passwd_agent_t)
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ getty_use_fds(systemd_passwd_agent_t)
+')

#########################################
#
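Review bot: `dac_override` in `allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };` lets the agent bypass file permission checks and is not explained. If it was added to silence a denial on one path, name that path in a comment, or fix the ownership so the capability can be dropped. The four `manage_*_pattern(...)` calls that follow end in `;`, unlike the pattern calls in the coredump and machined sections, and the semicolons should be removed for consistency. `manage_sock_files_pattern` is granted but `init_pid_filetrans` lists only `{ dir fifo_file file }`, so it is worth checking whether `sock_file` belongs in that list.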
Index: refpolicy-2.20170224/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/init.if
+++ refpolicy-2.20170224/policy/modules/system/init.if
@@ -593,6 +593,25 @@ interface(`init_daemon_run_dir',`

########################################
## <summary>
+## Read initrc_t files for /proc/pid/cgroup etc
+## </summary>
+## <param name="domain">
+## <summary>
+## domain
+## </summary>
+## </param>
+#
+interface(`read_initrc_files',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:dir search;
+ allow $1 initrc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
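Review bot: `read_initrc_files` does not carry the module prefix used by the other interfaces visible in this file (`init_daemon_run_dir`, `init_stream_connect`, `init_list_var_lib_dirs`), and the same applies to `start_stop_init_var_run_service` in the next hunk. Interface names are global across the policy, so both should be named `init_…` and the callers in systemd.te updated. The parameter description is only `domain`; use `Domain allowed access.` as the other new interfaces do. If the rules are meant for the /proc/PID entries of initrc_t processes, as the summary suggests, say that explicitly in the summary.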
@@ -733,6 +752,26 @@ interface(`init_stream_connect',`
allow $1 init_t:unix_stream_socket getattr;
')

+#######################################
+## <summary>
+## Start and stop a service file under /run/systemd/system
+## Should we have a different type for this?
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`start_stop_init_var_run_service',`
+ gen_require(`
+ type init_var_run_t;
+ class service { start status stop };
+ ')
+
+ allow $1 init_var_run_t:service { start status stop };
+')
+
########################################
## <summary>
## Inherit and use file descriptors from init.
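Review bot: The summary says `Start and stop` but the rule `allow $1 init_var_run_t:service { start status stop };` also grants `status`, so the summary should mention all three permissions. The line `Should we have a different type for this?` is inside the `##` documentation block, so it would become part of the generated interface documentation; move it to a plain `#` comment above the block.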
@@ -1101,6 +1140,24 @@ interface(`init_manage_var_lib_files',`
')

########################################
+## <summary>
+## list /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
+########################################
## <summary>
## Create files in /var/lib/systemd
## with an automatic type transition.
Index: refpolicy-2.20170224/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170224/policy/modules/kernel/filesystem.if
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`

########################################
## <summary>
+## Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Read cgroup files.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170224/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170224/policy/modules/kernel/devices.if
@@ -481,6 +481,24 @@ interface(`dev_getattr_generic_blk_files

########################################
## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Dontaudit getattr on generic block devices.
## </summary>
## <param name="domain">
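Review bot: The parameter description `Domain to not audit.` is wrong for this interface, because `write_sock_files_pattern($1, device_t, device_t)` grants access rather than suppressing audit messages; it should read `Domain allowed access.`. The text looks copied from a dontaudit interface such as the one that follows. The summary should also start with a capital, `Write generic sock files in /dev.`, to match its neighbours.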
Index: refpolicy-2.20170224/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/lvm.if
+++ refpolicy-2.20170224/policy/modules/system/lvm.if
@@ -205,3 +205,21 @@ interface(`lvm_admin',`
files_search_tmp($1)
admin_pattern($1, lvm_tmp_t)
')
+
+########################################
+## <summary>
+## Send lvm a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')


2017-02-25 14:37:32

by Chris PeBenito

Subject: [refpolicy] [PATCH] reorder systemd and add some policy

On 02/24/17 05:45, Russell Coker via refpolicy wrote:
> The following patch reorders systemd.te to have all the module policy sections
> in alphabetical order and to add policy for coredump, hostnamed, machined,
> notify, and passwd_agent. It also adds some interfaces needed by the added
> policy.

I merged this, though moved some stuff and renamed an interface. I
dropped one piece, the one with init_var_run_t service status. I
believe these are transient units, and I think they should probably have
a new type (you asked the question in a comment in the patch)

> Index: refpolicy-2.20170224/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170224/policy/modules/system/systemd.te
> @@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
>
> ######################################
> #
> -# systemd log parse enviroment
> -#
> -
> -# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> -dontaudit systemd_log_parse_env_type self:capability net_admin;
> -
> -kernel_read_system_state(systemd_log_parse_env_type)
> -
> -dev_write_kmsg(systemd_log_parse_env_type)
> -
> -term_use_console(systemd_log_parse_env_type)
> -
> -init_read_state(systemd_log_parse_env_type)
> -
> -logging_send_syslog_msg(systemd_log_parse_env_type)
> -
> -######################################
> -#
> # Backlight local policy
> #
>
> @@ -226,6 +208,55 @@ init_stream_connect(systemd_cgroups_t)
>
> systemd_log_parse_environment(systemd_cgroups_t)
>
> +######################################
> +#
> +# coredump local policy
> +#
> +
> +allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> +allow systemd_coredump_t self:capability { setgid setuid setpcap };
> +allow systemd_coredump_t self:process { getcap setcap setfscreate };
> +
> +manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
> +
> +kernel_read_kernel_sysctls(systemd_coredump_t)
> +kernel_read_system_state(systemd_coredump_t)
> +kernel_rw_pipes(systemd_coredump_t)
> +kernel_use_fds(systemd_coredump_t)
> +
> +corecmd_exec_bin(systemd_coredump_t)
> +corecmd_read_all_executables(systemd_coredump_t)
> +dev_write_kmsg(systemd_coredump_t)
> +files_read_etc_files(systemd_coredump_t)
> +files_search_var_lib(systemd_coredump_t)
> +fs_getattr_xattr_fs(systemd_coredump_t)
> +logging_send_syslog_msg(systemd_coredump_t)
> +init_list_var_lib_dirs(systemd_coredump_t)
> +init_read_state(systemd_coredump_t)
> +init_search_pid_dirs(systemd_coredump_t)
> +init_write_pid_socket(systemd_coredump_t)
> +selinux_getattr_fs(systemd_coredump_t)
> +seutil_search_default_contexts(systemd_coredump_t)
> +
> +
> +#######################################
> +#
> +# Hostnamed policy
> +#
> +
> +kernel_read_kernel_sysctls(systemd_hostnamed_t)
> +
> +files_read_etc_files(systemd_hostnamed_t)
> +
> +seutil_read_file_contexts(systemd_hostnamed_t)
> +
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_hostnamed_t)
> + dbus_connect_system_bus(systemd_hostnamed_t)
> +')
> +
> #######################################
> #
> # locale local policy
> @@ -244,23 +275,23 @@ optional_policy(`
> dbus_system_bus_client(systemd_locale_t)
> ')
>
> -#######################################
> +######################################
> #
> -# Hostnamed policy
> +# systemd log parse enviroment
> #
>
> -kernel_read_kernel_sysctls(systemd_hostnamed_t)
> +# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
>
> -files_read_etc_files(systemd_hostnamed_t)
> +kernel_read_system_state(systemd_log_parse_env_type)
>
> -seutil_read_file_contexts(systemd_hostnamed_t)
> +dev_write_kmsg(systemd_log_parse_env_type)
>
> -systemd_log_parse_environment(systemd_hostnamed_t)
> +term_use_console(systemd_log_parse_env_type)
>
> -optional_policy(`
> - dbus_system_bus_client(systemd_hostnamed_t)
> - dbus_connect_system_bus(systemd_hostnamed_t)
> -')
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
>
> #########################################
> #
> @@ -325,6 +356,66 @@ optional_policy(`
> dbus_connect_system_bus(systemd_logind_t)
> ')
>
> +#########################################
> +#
> +# machined local policy
> +#
> +
> +allow systemd_machined_t self:capability sys_ptrace;
> +allow systemd_machined_t self:process setfscreate;
> +allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
> +
> +manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
> +allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
> +
> +kernel_read_kernel_sysctls(systemd_machined_t)
> +kernel_read_system_state(systemd_machined_t)
> +
> +files_read_etc_files(systemd_machined_t)
> +fs_getattr_cgroup(systemd_machined_t)
> +fs_getattr_tmpfs(systemd_machined_t)
> +init_get_system_status(systemd_machined_t)
> +init_read_state(systemd_machined_t)
> +init_service_start(systemd_machined_t)
> +init_service_status(systemd_machined_t)
> +init_start_system(systemd_machined_t)
> +init_stop_system(systemd_machined_t)
> +logging_send_syslog_msg(systemd_machined_t)
> +
> +read_initrc_files(systemd_machined_t)
> +
> +selinux_getattr_fs(systemd_machined_t)
> +seutil_search_default_contexts(systemd_machined_t)
> +start_stop_init_var_run_service(systemd_machined_t)
> +
> +optional_policy(`
> + dbus_connect_system_bus(systemd_machined_t)
> + dbus_system_bus_client(systemd_machined_t)
> +')
> +
> +optional_policy(`
> + init_dbus_chat(systemd_machined_t)
> + init_dbus_send_script(systemd_machined_t)
> +')
> +
> +########################################
> +#
> +# systemd_notify local policy
> +#
> +allow systemd_notify_t self:capability chown;
> +allow systemd_notify_t self:process { fork setfscreate setsockcreate };
> +
> +allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
> +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
> +
> +auth_use_nsswitch(systemd_notify_t)
> +domain_use_interactive_fds(systemd_notify_t)
> +files_read_etc_files(systemd_notify_t)
> +files_read_usr_files(systemd_notify_t)
> +fs_getattr_cgroup_files(systemd_notify_t)
> +init_rw_stream_sockets(systemd_notify_t)
> +miscfiles_read_localization(systemd_notify_t)
> +
> ########################################
> #
> # Nspawn local policy
> @@ -332,6 +423,57 @@ optional_policy(`
>
> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>
> +#######################################
> +#
> +# systemd_passwd_agent_t local policy
> +#
> +
> +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
> +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
> +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
> +
> +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +
> +kernel_read_system_state(systemd_passwd_agent_t)
> +kernel_stream_connect(systemd_passwd_agent_t)
> +
> +auth_use_nsswitch(systemd_passwd_agent_t)
> +dev_create_generic_dirs(systemd_passwd_agent_t)
> +dev_read_generic_files(systemd_passwd_agent_t)
> +dev_write_generic_sock_files(systemd_passwd_agent_t)
> +dev_write_kmsg(systemd_passwd_agent_t)
> +files_read_etc_files(systemd_passwd_agent_t)
> +fs_getattr_xattr_fs(systemd_passwd_agent_t)
> +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
> +init_create_pid_dirs(systemd_passwd_agent_t)
> +init_read_pid_pipes(systemd_passwd_agent_t)
> +init_read_state(systemd_passwd_agent_t)
> +init_read_utmp(systemd_passwd_agent_t)
> +init_stream_connect(systemd_passwd_agent_t)
> +logging_send_syslog_msg(systemd_passwd_agent_t)
> +miscfiles_read_localization(systemd_passwd_agent_t)
> +
> +selinux_get_enforce_mode(systemd_passwd_agent_t)
> +selinux_getattr_fs(systemd_passwd_agent_t)
> +seutil_search_default_contexts(systemd_passwd_agent_t)
> +
> +term_read_console(systemd_passwd_agent_t)
> +userdom_use_user_ptys(systemd_passwd_agent_t)
> +
> +optional_policy(`
> + lvm_signull(systemd_passwd_agent_t)
> +')
> +
> +optional_policy(`
> + plymouthd_stream_connect(systemd_passwd_agent_t)
> +')
> +
> +optional_policy(`
> + getty_use_fds(systemd_passwd_agent_t)
> +')
>
> #########################################
> #
> Index: refpolicy-2.20170224/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170224/policy/modules/system/init.if
> @@ -593,6 +593,25 @@ interface(`init_daemon_run_dir',`
>
> ########################################
> ## <summary>
> +## Read initrc_t files for /proc/pid/cgroup etc
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain
> +## </summary>
> +## </param>
> +#
> +interface(`read_initrc_files',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:dir search;
> + allow $1 initrc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Execute init (/sbin/init) with a domain transition.
> ## </summary>
> ## <param name="domain">
> @@ -733,6 +752,26 @@ interface(`init_stream_connect',`
> allow $1 init_t:unix_stream_socket getattr;
> ')
>
> +#######################################
> +## <summary>
> +## Start and stop a service file under /run/systemd/system
> +## Should we have a different type for this?
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`start_stop_init_var_run_service',`
> + gen_require(`
> + type init_var_run_t;
> + class service { start status stop };
> + ')
> +
> + allow $1 init_var_run_t:service { start status stop };
> +')
> +
> ########################################
> ## <summary>
> ## Inherit and use file descriptors from init.
> @@ -1101,6 +1140,24 @@ interface(`init_manage_var_lib_files',`
> ')
>
> ########################################
> +## <summary>
> +## list /var/lib/systemd/ dir
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_list_var_lib_dirs',`
> + gen_require(`
> + type init_var_lib_t;
> + ')
> +
> + allow $1 init_var_lib_t:dir list_dir_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Create files in /var/lib/systemd
> ## with an automatic type transition.
> Index: refpolicy-2.20170224/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170224/policy/modules/kernel/filesystem.if
> @@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
>
> ########################################
> ## <summary>
> +## Get attributes of cgroup files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_getattr_cgroup_files',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + getattr_files_pattern($1, cgroup_t, cgroup_t)
> + fs_search_tmpfs($1)
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Read cgroup files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170224/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170224/policy/modules/kernel/devices.if
> @@ -481,6 +481,24 @@ interface(`dev_getattr_generic_blk_files
>
> ########################################
> ## <summary>
> +## write generic sock files in /dev.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_write_generic_sock_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + write_sock_files_pattern($1, device_t, device_t)
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit getattr on generic block devices.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170224/policy/modules/system/lvm.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/lvm.if
> +++ refpolicy-2.20170224/policy/modules/system/lvm.if
> @@ -205,3 +205,21 @@ interface(`lvm_admin',`
> files_search_tmp($1)
> admin_pattern($1, lvm_tmp_t)
> ')
> +
> +########################################
> +## <summary>
> +## Send lvm a null signal.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lvm_signull',`
> + gen_require(`
> + type lvm_t;
> + ')
> +
> + allow $1 lvm_t:process signull;
> +')


--
Chris PeBenito