Here's the second attempt at this patch. I addressed all issues Chris raised
apart from init_get_script_status(), and renaming systemd_manage_passwd_run().
Chris please rename systemd_manage_passwd_run() while applying this.
Description: App changes related to systemd
Author: Russell Coker <[email protected]>
Last-Update: 2017-04-04
Index: refpolicy-2.20170402/policy/modules/contrib/apache.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/apache.te
+++ refpolicy-2.20170402/policy/modules/contrib/apache.te
@@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
+ifdef(`init_systemd', `
+ systemd_manage_passwd_run(httpd_t)
+')
+
ifdef(`TODO',`
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
Index: refpolicy-2.20170402/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170402/policy/modules/contrib/cron.te
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)
auth_domtrans_chk_passwd(crond_t)
auth_manage_var_auth(crond_t)
@@ -417,6 +421,16 @@ optional_policy(`
')
optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+optional_policy(`
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # so cron jobs can restart daemons
+ init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
udev_read_db(crond_t)
')
Index: refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
@@ -340,6 +340,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
udev_read_pid_files(NetworkManager_t)
Index: refpolicy-2.20170402/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20170402/policy/modules/services/ssh.te
@@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
')
optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(sshd_t)
+ systemd_dbus_chat_logind(sshd_t)
+')
+
+optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
Index: refpolicy-2.20170402/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170402/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
files_exec_etc_files(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
@@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_run(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
+# for hdparm init script run by udev
+initrc_service_status(udev_t)
+
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
logging_send_audit_msgs(udev_t)
@@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
+systemd_read_logind_sessions_files(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_debian',`
Index: refpolicy-2.20170402/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20170402/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
#
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
@@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+
+dbus_system_bus_client(logrotate_t)
+init_write_pid_socket(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
@@ -126,6 +133,8 @@ ifdef(`distro_debian',`
logging_read_syslog_config(logrotate_t)
')
+init_manage_all_units(logrotate_t)
+
optional_policy(`
abrt_manage_cache(logrotate_t)
')
Index: refpolicy-2.20170402/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170402/policy/modules/system/lvm.te
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)
+kernel_request_load_module(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
# Read system variables in /proc/sys
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
@@ -301,6 +304,8 @@ init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)
logging_send_syslog_msg(lvm_t)
Index: refpolicy-2.20170402/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170402/policy/modules/contrib/dbus.te
@@ -144,6 +144,13 @@ userdom_dontaudit_use_unpriv_user_fds(sy
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
optional_policy(`
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_logind_pid_pipes(system_dbusd_t)
+')
+
+optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
Index: refpolicy-2.20170402/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170402/policy/modules/system/unconfined.te
@@ -59,6 +59,10 @@ ifdef(`direct_sysadm_daemon',`
')
optional_policy(`
+ init_unconfined(unconfined_t)
+')
+
+optional_policy(`
ada_domtrans(unconfined_t)
')
Index: refpolicy-2.20170402/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170402/policy/modules/system/logging.if
@@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',`
# will write to the console.
term_write_console($1)
term_dontaudit_read_console($1)
+
+ # because systemd is now using /run/systemd/journal/dev-log
+ init_search_run($1)
')
########################################
Index: refpolicy-2.20170402/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170402/policy/modules/system/locallogin.te
@@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',`
')
')
+optional_policy(`
+ systemd_dbus_chat_logind(local_login_t)
+ systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
tunable_policy(`console_login',`
# Able to relabel /dev/console to user tty types.
term_relabel_console(local_login_t)
Index: refpolicy-2.20170402/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170402/policy/modules/contrib/policykit.te
@@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t)
userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+# for /run/systemd/machines
+systemd_read_machines(policykit_t)
+
+# for /run/systemd/seats/seat*
+systemd_read_logind_sessions_files(policykit_t)
+
+# for /run/systemd/users/*
+systemd_read_logind_pids(policykit_t)
+
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
Index: refpolicy-2.20170402/policy/modules/contrib/dbus.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.if
+++ refpolicy-2.20170402/policy/modules/contrib/dbus.if
@@ -88,6 +88,10 @@ template(`dbus_role_template',`
ifdef(`hide_broken_symptoms',`
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
')
#######################################
Index: refpolicy-2.20170402/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170402/policy/modules/kernel/files.if
@@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
allow $1 etc_t:service status;
')
+########################################
+## <summary>
+## start etc_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_start_etc_service',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service start;
+')
+
+########################################
+## <summary>
+## stop etc_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_stop_etc_service',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service stop;
+')
+
#######################################
## <summary>
## Relabel from and to generic files in /etc.
Index: refpolicy-2.20170402/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170402/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
+ class service all_service_perms;
')
# Use most Linux capabilities
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
+ files_get_etc_unit_status($1)
+ files_start_etc_service($1)
+ files_stop_etc_service($1)
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
Index: refpolicy-2.20170402/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170402/policy/modules/roles/sysadm.te
@@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
-init_get_system_status(sysadm_t)
-init_disable(sysadm_t)
-init_enable(sysadm_t)
-init_reload(sysadm_t)
-init_reboot_system(sysadm_t)
-init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_unconfined(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20170402/policy/modules/system/lvm.fc
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/lvm.fc
+++ refpolicy-2.20170402/policy/modules/system/lvm.fc
@@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
Index: refpolicy-2.20170402/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170402/policy/modules/contrib/mta.te
@@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst
init_use_script_ptys(system_mail_t)
init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
Index: refpolicy-2.20170402/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170402/policy/modules/services/xserver.te
@@ -285,6 +285,10 @@ files_search_pids(xauth_t)
fs_getattr_xattr_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
# cjp: why?
term_use_ptmx(xauth_t)
Index: refpolicy-2.20170402/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170402/policy/modules/system/sysnetwork.if
@@ -399,7 +399,7 @@ interface(`sysnet_write_config',`
#######################################
## <summary>
-## Create network config files.
+## relabel network config files.
## </summary>
## <param name="domain">
## <summary>
@@ -407,13 +407,13 @@ interface(`sysnet_write_config',`
## </summary>
## </param>
#
-interface(`sysnet_create_config',`
+interface(`sysnet_relabel_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
- allow $1 net_conf_t:file create_file_perms;
+ allow $1 net_conf_t:file { relabelfrom relabelto };
')
#######################################
@@ -455,6 +455,7 @@ interface(`sysnet_manage_config',`
type net_conf_t;
')
+ files_search_etc($1)
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_debian',`
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc
@@ -15,6 +15,8 @@
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -23,6 +25,7 @@
/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t)
dev_read_sysfs(ntpd_t)
dev_read_urand(ntpd_t)
dev_rw_realtime_clock(ntpd_t)
+clock_read_adjtime(ntpd_t)
domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
@@ -142,6 +143,25 @@ miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
+ifdef(`init_systemd',`
+ dbus_system_bus_client(ntpd_t)
+ dbus_connect_system_bus(ntpd_t)
+ init_dbus_chat(ntpd_t)
+ init_get_system_status(ntpd_t)
+ allow ntpd_t self:capability { fowner setpcap };
+ init_reload(ntpd_t)
+
+ # for /var/lib/systemd/clock
+ init_list_var_lib_dirs(ntpd_t)
+
+ # for /run/systemd/netif/links
+ init_list_pid_dirs(ntpd_t)
+
+ optional_policy(`
+ unconfined_dbus_send(ntpd_t)
+ ')
+')
+
optional_policy(`
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
Index: refpolicy-2.20170402/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170402/policy/modules/contrib/devicekit.te
@@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
Index: refpolicy-2.20170402/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/init.if
+++ refpolicy-2.20170402/policy/modules/system/init.if
@@ -1209,6 +1209,24 @@ interface(`init_pid_filetrans',`
filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')
+######################################
+## <summary>
+## Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
+
########################################
## <summary>
## Get the attributes of initctl.
@@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',`
allow $1 { init_script_file_type systemdunit }:service status;
')
+#######################################
+## <summary>
+## All perms on all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service all_service_perms;
+ ')
+
+ allow $1 systemdunit:service all_service_perms;
+ allow $1 systemdunit:file getattr;
+')
+
########################################
## <summary>
## Start all systemd units.
@@ -2879,3 +2917,58 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
+
+########################################
+## <summary>
+## Allow getting service status of initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`initrc_service_status',`
+ gen_require(`
+ type initrc_exec_t;
+ class service status;
+ ')
+
+ allow $1 initrc_exec_t:service status;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to send instructions to init
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`init_unconfined',`
+ gen_require(`
+ type initrc_exec_t;
+ class service status;
+ ')
+
+ dev_manage_null_service($1)
+ init_disable($1)
+ init_enable($1)
+ init_get_all_units_status($1)
+ init_get_generic_units_status($1)
+ init_get_system_status($1)
+ init_manage_all_units($1)
+ init_manage_script_service($1)
+ init_reboot_system($1)
+ init_reload($1)
+ init_reload_all_units($1)
+ init_shutdown_system($1)
+ init_start_all_units($1)
+ init_start_generic_units($1)
+ init_stop_all_units($1)
+ init_stop_generic_units($1)
+ init_stop_system($1)
+ init_telinit($1)
+')
Index: refpolicy-2.20170402/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170402/policy/modules/system/fstools.te
@@ -146,6 +146,7 @@ term_use_console(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
+init_rw_script_stream_sockets(fsadm_t)
logging_send_syslog_msg(fsadm_t)
Index: refpolicy-2.20170402/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170402/policy/modules/system/systemd.if
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
######################################
## <summary>
+## Write systemd_login named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_logind_pid_pipes',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ init_search_run($1)
+ files_search_pids($1)
+ allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
+######################################
+## <summary>
## Use inherited systemd
## logind file descriptors.
## </summary>
@@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',`
######################################
## <summary>
+## Read logind sessions files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+ gen_require(`
+ type systemd_sessions_var_run_t, systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ init_search_run($1)
+ allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
+######################################
+## <summary>
## Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
@@ -188,6 +229,30 @@ interface(`systemd_use_passwd_agent_fds'
allow systemd_passwd_agent_t $1:fd use;
')
+#######################################
+## <summary>
+## Allow a systemd_passwd_agent_t process to interact with a daemon
+## that needs a password from the sysadmin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_passwd_run',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ type systemd_passwd_var_run_t;
+ ')
+
+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+ allow systemd_passwd_agent_t $1:process signull;
+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
########################################
## <summary>
## Transition to systemd_passwd_var_run_t when creating dirs
@@ -383,3 +448,22 @@ interface(`systemd_tmpfilesd_managed',`
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+
+########################################
+## <summary>
+## Allow reading /run/systemd/machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the machines files
+## </summary>
+## </param>
+#
+interface(`systemd_read_machines',`
+ gen_require(`
+ type systemd_machined_var_run_t;
+ ')
+
+ allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+ allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
Index: refpolicy-2.20170402/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170402/policy/modules/contrib/dpkg.te
@@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)
-dev_manage_null_service(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# Use named file transition to fix this
# dev_manage_generic_blk_files(dpkg_script_t)
@@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_
auth_manage_shadow(dpkg_script_t)
init_all_labeled_script_domtrans(dpkg_script_t)
-init_get_generic_units_status(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
-init_get_system_status(dpkg_script_t)
-init_start_generic_units(dpkg_script_t)
-init_stop_generic_units(dpkg_script_t)
-init_reload(dpkg_script_t)
-init_stop_system(dpkg_script_t)
-init_telinit(dpkg_script_t)
init_manage_script_service(dpkg_script_t)
init_startstop_all_script_services(dpkg_script_t)
+init_unconfined(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
Index: refpolicy-2.20170402/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/init.te
+++ refpolicy-2.20170402/policy/modules/system/init.te
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
seutil_read_default_contexts(initrc_t)
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
- sysnet_create_config(initrc_t)
- sysnet_write_config(initrc_t)
- sysnet_setattr_config(initrc_t)
+ sysnet_manage_config(initrc_t)
optional_policy(`
abrt_manage_pid_files(initrc_t)
Index: refpolicy-2.20170402/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170402/policy/modules/system/systemd.te
@@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpf
seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
-sysnet_create_config(systemd_tmpfiles_t)
+sysnet_manage_config(systemd_tmpfiles_t)
+sysnet_relabel_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.if
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.if
@@ -200,6 +200,9 @@ interface(`ntp_admin',`
type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
type ntpd_initrc_exec_t, ntp_drift_t;
type ntpd_unit_t;
+ ifdef(`init_systemd',`
+ class dbus send_msg;
+ ')
')
allow $1 ntpd_t:process { ptrace signal_perms };
@@ -223,4 +226,9 @@ interface(`ntp_admin',`
admin_pattern($1, ntpd_pid_t)
ntp_run($1, $2)
+
+ ifdef(`init_systemd',`
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+ ')
')
Index: refpolicy-2.20170402/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170402/policy/modules/services/ssh.if
@@ -271,6 +271,10 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
+
+ optional_policy(`
+ systemd_read_logind_sessions_files($1_t)
+ ')
')
########################################