With all the changes Chris requested.
Description: App changes related to systemd
Author: Russell Coker <[email protected]>
Last-Update: 2017-04-05
Index: refpolicy-2.20170402/policy/modules/contrib/apache.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/apache.te
+++ refpolicy-2.20170402/policy/modules/contrib/apache.te
@@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
+ifdef(`init_systemd', `
+ systemd_use_passwd_agent(httpd_t)
+')
+
ifdef(`TODO',`
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
Index: refpolicy-2.20170402/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170402/policy/modules/contrib/cron.te
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)
auth_domtrans_chk_passwd(crond_t)
auth_manage_var_auth(crond_t)
@@ -417,6 +421,16 @@ optional_policy(`
')
optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+optional_policy(`
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # so cron jobs can restart daemons
+ init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
udev_read_db(crond_t)
')
Index: refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
@@ -340,6 +340,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
udev_read_pid_files(NetworkManager_t)
Index: refpolicy-2.20170402/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20170402/policy/modules/services/ssh.te
@@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
')
optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(sshd_t)
+ systemd_dbus_chat_logind(sshd_t)
+')
+
+optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
Index: refpolicy-2.20170402/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170402/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
files_exec_etc_files(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
@@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_run(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
+# for hdparm init script run by udev
+init_get_script_status(udev_t)
+
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
logging_send_audit_msgs(udev_t)
@@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
+systemd_read_logind_sessions_files(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_debian',`
Index: refpolicy-2.20170402/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20170402/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
#
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
@@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+
+dbus_system_bus_client(logrotate_t)
+init_write_pid_socket(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
@@ -126,6 +133,8 @@ ifdef(`distro_debian',`
logging_read_syslog_config(logrotate_t)
')
+init_manage_all_units(logrotate_t)
+
optional_policy(`
abrt_manage_cache(logrotate_t)
')
Index: refpolicy-2.20170402/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170402/policy/modules/system/lvm.te
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)
+kernel_request_load_module(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
# Read system variables in /proc/sys
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
@@ -301,6 +304,8 @@ init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)
logging_send_syslog_msg(lvm_t)
Index: refpolicy-2.20170402/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170402/policy/modules/contrib/dbus.te
@@ -144,6 +144,13 @@ userdom_dontaudit_use_unpriv_user_fds(sy
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
optional_policy(`
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_logind_pid_pipes(system_dbusd_t)
+')
+
+optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
Index: refpolicy-2.20170402/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170402/policy/modules/system/unconfined.te
@@ -59,6 +59,10 @@ ifdef(`direct_sysadm_daemon',`
')
optional_policy(`
+ init_unconfined(unconfined_t)
+')
+
+optional_policy(`
ada_domtrans(unconfined_t)
')
Index: refpolicy-2.20170402/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170402/policy/modules/system/logging.if
@@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',`
# will write to the console.
term_write_console($1)
term_dontaudit_read_console($1)
+
+ # because systemd is now using /run/systemd/journal/dev-log
+ init_search_run($1)
')
########################################
Index: refpolicy-2.20170402/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170402/policy/modules/system/locallogin.te
@@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',`
')
')
+optional_policy(`
+ systemd_dbus_chat_logind(local_login_t)
+ systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
tunable_policy(`console_login',`
# Able to relabel /dev/console to user tty types.
term_relabel_console(local_login_t)
Index: refpolicy-2.20170402/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170402/policy/modules/contrib/policykit.te
@@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t)
userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+# for /run/systemd/machines
+systemd_read_machines(policykit_t)
+
+# for /run/systemd/seats/seat*
+systemd_read_logind_sessions_files(policykit_t)
+
+# for /run/systemd/users/*
+systemd_read_logind_pids(policykit_t)
+
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
Index: refpolicy-2.20170402/policy/modules/contrib/dbus.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.if
+++ refpolicy-2.20170402/policy/modules/contrib/dbus.if
@@ -88,6 +88,10 @@ template(`dbus_role_template',`
ifdef(`hide_broken_symptoms',`
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
')
#######################################
Index: refpolicy-2.20170402/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170402/policy/modules/kernel/files.if
@@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
allow $1 etc_t:service status;
')
+########################################
+## <summary>
+## start etc_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_start_etc_service',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service start;
+')
+
+########################################
+## <summary>
+## stop etc_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_stop_etc_service',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service stop;
+')
+
#######################################
## <summary>
## Relabel from and to generic files in /etc.
Index: refpolicy-2.20170402/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170402/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
+ class service all_service_perms;
')
# Use most Linux capabilities
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
+ files_get_etc_unit_status($1)
+ files_start_etc_service($1)
+ files_stop_etc_service($1)
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
Index: refpolicy-2.20170402/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170402/policy/modules/roles/sysadm.te
@@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
-init_get_system_status(sysadm_t)
-init_disable(sysadm_t)
-init_enable(sysadm_t)
-init_reload(sysadm_t)
-init_reboot_system(sysadm_t)
-init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_unconfined(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20170402/policy/modules/system/lvm.fc
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/lvm.fc
+++ refpolicy-2.20170402/policy/modules/system/lvm.fc
@@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
Index: refpolicy-2.20170402/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170402/policy/modules/contrib/mta.te
@@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst
init_use_script_ptys(system_mail_t)
init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
Index: refpolicy-2.20170402/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170402/policy/modules/services/xserver.te
@@ -285,6 +285,10 @@ files_search_pids(xauth_t)
fs_getattr_xattr_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
# cjp: why?
term_use_ptmx(xauth_t)
Index: refpolicy-2.20170402/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170402/policy/modules/system/sysnetwork.if
@@ -399,7 +399,7 @@ interface(`sysnet_write_config',`
#######################################
## <summary>
-## Create network config files.
+## relabel network config files.
## </summary>
## <param name="domain">
## <summary>
@@ -407,13 +407,13 @@ interface(`sysnet_write_config',`
## </summary>
## </param>
#
-interface(`sysnet_create_config',`
+interface(`sysnet_relabel_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
- allow $1 net_conf_t:file create_file_perms;
+ allow $1 net_conf_t:file { relabelfrom relabelto };
')
#######################################
@@ -455,6 +455,7 @@ interface(`sysnet_manage_config',`
type net_conf_t;
')
+ files_search_etc($1)
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_debian',`
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc
@@ -15,6 +15,8 @@
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -23,6 +25,7 @@
/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t)
dev_read_sysfs(ntpd_t)
dev_read_urand(ntpd_t)
dev_rw_realtime_clock(ntpd_t)
+clock_read_adjtime(ntpd_t)
domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
@@ -142,6 +143,25 @@ miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
+ifdef(`init_systemd',`
+ dbus_system_bus_client(ntpd_t)
+ dbus_connect_system_bus(ntpd_t)
+ init_dbus_chat(ntpd_t)
+ init_get_system_status(ntpd_t)
+ allow ntpd_t self:capability { fowner setpcap };
+ init_reload(ntpd_t)
+
+ # for /var/lib/systemd/clock
+ init_list_var_lib_dirs(ntpd_t)
+
+ # for /run/systemd/netif/links
+ init_list_pid_dirs(ntpd_t)
+
+ optional_policy(`
+ unconfined_dbus_send(ntpd_t)
+ ')
+')
+
optional_policy(`
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
Index: refpolicy-2.20170402/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170402/policy/modules/contrib/devicekit.te
@@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
Index: refpolicy-2.20170402/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/init.if
+++ refpolicy-2.20170402/policy/modules/system/init.if
@@ -1209,6 +1209,24 @@ interface(`init_pid_filetrans',`
filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')
+######################################
+## <summary>
+## Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
+
########################################
## <summary>
## Get the attributes of initctl.
@@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',`
allow $1 { init_script_file_type systemdunit }:service status;
')
+#######################################
+## <summary>
+## All perms on all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service all_service_perms;
+ ')
+
+ allow $1 systemdunit:service all_service_perms;
+ allow $1 systemdunit:file getattr;
+')
+
########################################
## <summary>
## Start all systemd units.
@@ -2879,3 +2917,58 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
+
+########################################
+## <summary>
+## Allow getting service status of initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`init_get_script_status',`
+ gen_require(`
+ type initrc_exec_t;
+ class service status;
+ ')
+
+ allow $1 initrc_exec_t:service status;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to send instructions to init
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`init_unconfined',`
+ gen_require(`
+ type initrc_exec_t;
+ class service status;
+ ')
+
+ dev_manage_null_service($1)
+ init_disable($1)
+ init_enable($1)
+ init_get_all_units_status($1)
+ init_get_generic_units_status($1)
+ init_get_system_status($1)
+ init_manage_all_units($1)
+ init_manage_script_service($1)
+ init_reboot_system($1)
+ init_reload($1)
+ init_reload_all_units($1)
+ init_shutdown_system($1)
+ init_start_all_units($1)
+ init_start_generic_units($1)
+ init_stop_all_units($1)
+ init_stop_generic_units($1)
+ init_stop_system($1)
+ init_telinit($1)
+')
Index: refpolicy-2.20170402/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170402/policy/modules/system/fstools.te
@@ -146,6 +146,7 @@ term_use_console(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
+init_rw_script_stream_sockets(fsadm_t)
logging_send_syslog_msg(fsadm_t)
Index: refpolicy-2.20170402/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170402/policy/modules/system/systemd.if
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
######################################
## <summary>
+## Write systemd_login named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_logind_pid_pipes',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ init_search_run($1)
+ files_search_pids($1)
+ allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
+######################################
+## <summary>
## Use inherited systemd
## logind file descriptors.
## </summary>
@@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',`
######################################
## <summary>
+## Read logind sessions files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+ gen_require(`
+ type systemd_sessions_var_run_t, systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ init_search_run($1)
+ allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
+######################################
+## <summary>
## Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
@@ -188,6 +229,30 @@ interface(`systemd_use_passwd_agent_fds'
allow systemd_passwd_agent_t $1:fd use;
')
+#######################################
+## <summary>
+## Allow a systemd_passwd_agent_t process to interact with a daemon
+## that needs a password from the sysadmin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ type systemd_passwd_var_run_t;
+ ')
+
+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+ allow systemd_passwd_agent_t $1:process signull;
+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
########################################
## <summary>
## Transition to systemd_passwd_var_run_t when creating dirs
@@ -383,3 +448,22 @@ interface(`systemd_tmpfilesd_managed',`
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+
+########################################
+## <summary>
+## Allow reading /run/systemd/machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the machines files
+## </summary>
+## </param>
+#
+interface(`systemd_read_machines',`
+ gen_require(`
+ type systemd_machined_var_run_t;
+ ')
+
+ allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+ allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
Index: refpolicy-2.20170402/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170402/policy/modules/contrib/dpkg.te
@@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)
-dev_manage_null_service(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# Use named file transition to fix this
# dev_manage_generic_blk_files(dpkg_script_t)
@@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_
auth_manage_shadow(dpkg_script_t)
init_all_labeled_script_domtrans(dpkg_script_t)
-init_get_generic_units_status(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
-init_get_system_status(dpkg_script_t)
-init_start_generic_units(dpkg_script_t)
-init_stop_generic_units(dpkg_script_t)
-init_reload(dpkg_script_t)
-init_stop_system(dpkg_script_t)
-init_telinit(dpkg_script_t)
init_manage_script_service(dpkg_script_t)
init_startstop_all_script_services(dpkg_script_t)
+init_unconfined(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
Index: refpolicy-2.20170402/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/init.te
+++ refpolicy-2.20170402/policy/modules/system/init.te
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
seutil_read_default_contexts(initrc_t)
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
- sysnet_create_config(initrc_t)
- sysnet_write_config(initrc_t)
- sysnet_setattr_config(initrc_t)
+ sysnet_manage_config(initrc_t)
optional_policy(`
abrt_manage_pid_files(initrc_t)
Index: refpolicy-2.20170402/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170402/policy/modules/system/systemd.te
@@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpf
seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
-sysnet_create_config(systemd_tmpfiles_t)
+sysnet_manage_config(systemd_tmpfiles_t)
+sysnet_relabel_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
Index: refpolicy-2.20170402/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.if
+++ refpolicy-2.20170402/policy/modules/contrib/ntp.if
@@ -200,6 +200,9 @@ interface(`ntp_admin',`
type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
type ntpd_initrc_exec_t, ntp_drift_t;
type ntpd_unit_t;
+ ifdef(`init_systemd',`
+ class dbus send_msg;
+ ')
')
allow $1 ntpd_t:process { ptrace signal_perms };
@@ -223,4 +226,9 @@ interface(`ntp_admin',`
admin_pattern($1, ntpd_pid_t)
ntp_run($1, $2)
+
+ ifdef(`init_systemd',`
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+ ')
')
Index: refpolicy-2.20170402/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170402.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170402/policy/modules/services/ssh.if
@@ -271,6 +271,10 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
+
+ optional_policy(`
+ systemd_read_logind_sessions_files($1_t)
+ ')
')
########################################
2017-04-05 6:51 GMT+02:00 Russell Coker via refpolicy
<[email protected]>:
> With all the changes Chris requested.
>
>
> Description: App changes related to systemd
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-04-05
>
> Index: refpolicy-2.20170402/policy/modules/contrib/apache.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/apache.te
> +++ refpolicy-2.20170402/policy/modules/contrib/apache.te
> @@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t)
>
> userdom_use_unpriv_users_fds(httpd_t)
>
> +ifdef(`init_systemd', `
> + systemd_use_passwd_agent(httpd_t)
> +')
> +
> ifdef(`TODO',`
> tunable_policy(`allow_httpd_mod_auth_pam',`
> auth_domtrans_chk_passwd(httpd_t)
> Index: refpolicy-2.20170402/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170402/policy/modules/contrib/cron.te
> @@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
> init_read_state(crond_t)
> init_rw_utmp(crond_t)
> init_spec_domtrans_script(crond_t)
> +init_stop_all_units(system_cronjob_t)
> +init_start_all_units(system_cronjob_t)
> +init_get_generic_units_status(system_cronjob_t)
> +init_get_system_status(system_cronjob_t)
>
> auth_domtrans_chk_passwd(crond_t)
> auth_manage_var_auth(crond_t)
> @@ -417,6 +421,16 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_write_inherited_logind_sessions_pipes(crond_t)
> +')
> +optional_policy(`
> + systemd_dbus_chat_logind(system_cronjob_t)
> + systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> + # so cron jobs can restart daemons
> + init_stream_connect(system_cronjob_t)
> +')
> +
> +optional_policy(`
> udev_read_db(crond_t)
> ')
>
> Index: refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/networkmanager.te
> +++ refpolicy-2.20170402/policy/modules/contrib/networkmanager.te
> @@ -340,6 +340,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_read_logind_sessions_files(NetworkManager_t)
> +')
> +
> +optional_policy(`
> udev_exec(NetworkManager_t)
> udev_read_db(NetworkManager_t)
> udev_read_pid_files(NetworkManager_t)
> Index: refpolicy-2.20170402/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20170402/policy/modules/services/ssh.te
> @@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
> ')
>
> optional_policy(`
> + systemd_write_inherited_logind_sessions_pipes(sshd_t)
> + systemd_dbus_chat_logind(sshd_t)
> +')
> +
> +optional_policy(`
> daemontools_service_domain(sshd_t, sshd_exec_t)
> ')
>
> Index: refpolicy-2.20170402/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170402/policy/modules/system/udev.te
> @@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
>
> allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
> dontaudit udev_t self:capability sys_tty_config;
> -allow udev_t self:capability2 block_suspend;
> +allow udev_t self:capability2 { wake_alarm block_suspend };
> allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow udev_t self:process { execmem setfscreate };
> allow udev_t self:fd use;
> @@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev
> files_read_usr_files(udev_t)
> files_read_etc_runtime_files(udev_t)
> files_read_etc_files(udev_t)
> +files_read_kernel_modules(udev_t)
> files_exec_etc_files(udev_t)
> files_getattr_generic_locks(udev_t)
> files_search_mnt(udev_t)
> @@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t)
> auth_use_nsswitch(udev_t)
>
> init_read_utmp(udev_t)
> +# systemd-udevd searches /run/systemd
> +init_search_run(udev_t)
> init_dontaudit_write_utmp(udev_t)
> init_getattr_initctl(udev_t)
>
> +# for hdparm init script run by udev
> +init_get_script_status(udev_t)
> +
> logging_search_logs(udev_t)
> logging_send_syslog_msg(udev_t)
> logging_send_audit_msgs(udev_t)
> @@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t)
> sysnet_manage_config(udev_t)
> sysnet_etc_filetrans_config(udev_t)
>
> +systemd_read_logind_sessions_files(udev_t)
> +init_start_all_units(udev_t)
> +init_stop_all_units(udev_t)
> +
> userdom_dontaudit_search_user_home_content(udev_t)
>
> ifdef(`distro_debian',`
> Index: refpolicy-2.20170402/policy/modules/contrib/logrotate.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20170402/policy/modules/contrib/logrotate.te
> @@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
> #
>
> allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
> +allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
> allow logrotate_t self:fd use;
> allow logrotate_t self:key manage_key_perms;
> allow logrotate_t self:fifo_file rw_fifo_file_perms;
> @@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
> auth_use_nsswitch(logrotate_t)
>
> init_all_labeled_script_domtrans(logrotate_t)
> +init_get_generic_units_status(logrotate_t)
> +init_get_all_units_status(logrotate_t)
> +init_dbus_chat(logrotate_t)
> +init_stream_connect(logrotate_t)
> +
> +dbus_system_bus_client(logrotate_t)
> +init_write_pid_socket(logrotate_t)
>
> logging_manage_all_logs(logrotate_t)
> logging_send_syslog_msg(logrotate_t)
> @@ -126,6 +133,8 @@ ifdef(`distro_debian',`
> logging_read_syslog_config(logrotate_t)
> ')
>
> +init_manage_all_units(logrotate_t)
> +
> optional_policy(`
> abrt_manage_cache(logrotate_t)
> ')
> Index: refpolicy-2.20170402/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170402/policy/modules/system/lvm.te
> @@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
> files_etc_filetrans(lvm_t, lvm_metadata_t, file)
> files_search_mnt(lvm_t)
>
> +kernel_request_load_module(lvm_t)
> kernel_get_sysvipc_info(lvm_t)
> kernel_read_system_state(lvm_t)
> # Read system variables in /proc/sys
> @@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
> # it has no reason to need this
> kernel_dontaudit_getattr_core_if(lvm_t)
> kernel_use_fds(lvm_t)
> +# for systemd-cryptsetup
> +kernel_read_crypto_sysctls(lvm_t)
> kernel_search_debugfs(lvm_t)
>
> corecmd_exec_bin(lvm_t)
> @@ -301,6 +304,8 @@ init_use_fds(lvm_t)
> init_dontaudit_getattr_initctl(lvm_t)
> init_use_script_ptys(lvm_t)
> init_read_script_state(lvm_t)
> +# for systemd-cryptsetup to talk to /run/systemd/journal/socket
> +init_stream_connect(lvm_t)
>
> logging_send_syslog_msg(lvm_t)
>
> Index: refpolicy-2.20170402/policy/modules/contrib/dbus.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.te
> +++ refpolicy-2.20170402/policy/modules/contrib/dbus.te
> @@ -144,6 +144,13 @@ userdom_dontaudit_use_unpriv_user_fds(sy
> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>
> optional_policy(`
> + # for /run/systemd/users/*
> + systemd_read_logind_pids(system_dbusd_t)
> + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
> + systemd_write_logind_pid_pipes(system_dbusd_t)
> +')
> +
> +optional_policy(`
> bluetooth_stream_connect(system_dbusd_t)
> ')
>
> Index: refpolicy-2.20170402/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20170402/policy/modules/system/unconfined.te
> @@ -59,6 +59,10 @@ ifdef(`direct_sysadm_daemon',`
> ')
>
> optional_policy(`
> + init_unconfined(unconfined_t)
> +')
> +
> +optional_policy(`
> ada_domtrans(unconfined_t)
> ')
>
> Index: refpolicy-2.20170402/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170402/policy/modules/system/logging.if
> @@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',`
> # will write to the console.
> term_write_console($1)
> term_dontaudit_read_console($1)
> +
> + # because systemd is now using /run/systemd/journal/dev-log
> + init_search_run($1)
in logging_send_syslog_msg is already a init_search_run($1) statement
> ')
>
> ########################################
> Index: refpolicy-2.20170402/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170402/policy/modules/system/locallogin.te
> @@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',`
> ')
> ')
>
> +optional_policy(`
> + systemd_dbus_chat_logind(local_login_t)
> + systemd_write_inherited_logind_sessions_pipes(local_login_t)
> +')
> +
> tunable_policy(`console_login',`
> # Able to relabel /dev/console to user tty types.
> term_relabel_console(local_login_t)
> Index: refpolicy-2.20170402/policy/modules/contrib/policykit.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/policykit.te
> +++ refpolicy-2.20170402/policy/modules/contrib/policykit.te
> @@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t)
> userdom_getattr_all_users(policykit_t)
> userdom_read_all_users_state(policykit_t)
>
> +# for /run/systemd/machines
> +systemd_read_machines(policykit_t)
> +
> +# for /run/systemd/seats/seat*
> +systemd_read_logind_sessions_files(policykit_t)
> +
> +# for /run/systemd/users/*
> +systemd_read_logind_pids(policykit_t)
> +
> optional_policy(`
> dbus_system_domain(policykit_t, policykit_exec_t)
>
> Index: refpolicy-2.20170402/policy/modules/contrib/dbus.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.if
> +++ refpolicy-2.20170402/policy/modules/contrib/dbus.if
> @@ -88,6 +88,10 @@ template(`dbus_role_template',`
> ifdef(`hide_broken_symptoms',`
> dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
> ')
> +
> + optional_policy(`
> + systemd_read_logind_pids($1_dbusd_t)
> + ')
> ')
>
> #######################################
> Index: refpolicy-2.20170402/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170402/policy/modules/kernel/files.if
> @@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
> allow $1 etc_t:service status;
> ')
>
> +########################################
> +## <summary>
> +## start etc_t service
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_start_etc_service',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +## stop etc_t service
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_stop_etc_service',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:service stop;
> +')
> +
> #######################################
> ## <summary>
> ## Relabel from and to generic files in /etc.
> Index: refpolicy-2.20170402/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170402/policy/modules/system/unconfined.if
> @@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
> class dbus all_dbus_perms;
> class nscd all_nscd_perms;
> class passwd all_passwd_perms;
> + class service all_service_perms;
> ')
>
> # Use most Linux capabilities
> @@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
> files_unconfined($1)
> fs_unconfined($1)
> selinux_unconfined($1)
> + files_get_etc_unit_status($1)
> + files_start_etc_service($1)
> + files_stop_etc_service($1)
>
> tunable_policy(`allow_execheap',`
> # Allow making the stack executable via mprotect.
> Index: refpolicy-2.20170402/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170402/policy/modules/roles/sysadm.te
> @@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
> ubac_fd_exempt(sysadm_t)
>
> init_exec(sysadm_t)
> -init_get_system_status(sysadm_t)
> -init_disable(sysadm_t)
> -init_enable(sysadm_t)
> -init_reload(sysadm_t)
> -init_reboot_system(sysadm_t)
> -init_shutdown_system(sysadm_t)
> -init_start_generic_units(sysadm_t)
> -init_stop_generic_units(sysadm_t)
> -init_reload_generic_units(sysadm_t)
> +init_unconfined(sysadm_t)
>
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)
> Index: refpolicy-2.20170402/policy/modules/system/lvm.fc
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/lvm.fc
> +++ refpolicy-2.20170402/policy/modules/system/lvm.fc
> @@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
>
> /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
> /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
> /usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
> Index: refpolicy-2.20170402/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170402/policy/modules/contrib/mta.te
> @@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst
>
> init_use_script_ptys(system_mail_t)
> init_use_fds(system_mail_t)
> +init_rw_stream_sockets(system_mail_t)
>
> userdom_use_user_terminals(system_mail_t)
>
> Index: refpolicy-2.20170402/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20170402/policy/modules/services/xserver.te
> @@ -285,6 +285,10 @@ files_search_pids(xauth_t)
> fs_getattr_xattr_fs(xauth_t)
> fs_search_auto_mountpoints(xauth_t)
>
> +allow xauth_t xdm_t:fd use;
> +allow xauth_t xdm_t:fifo_file { getattr read };
> +allow xauth_t xdm_t:unix_stream_socket { read write };
> +
> # cjp: why?
> term_use_ptmx(xauth_t)
>
> Index: refpolicy-2.20170402/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20170402/policy/modules/system/sysnetwork.if
> @@ -399,7 +399,7 @@ interface(`sysnet_write_config',`
>
> #######################################
> ## <summary>
> -## Create network config files.
> +## relabel network config files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -407,13 +407,13 @@ interface(`sysnet_write_config',`
> ## </summary>
> ## </param>
> #
> -interface(`sysnet_create_config',`
> +interface(`sysnet_relabel_config',`
> gen_require(`
> type net_conf_t;
> ')
>
> files_search_etc($1)
> - allow $1 net_conf_t:file create_file_perms;
> + allow $1 net_conf_t:file { relabelfrom relabelto };
> ')
>
> #######################################
> @@ -455,6 +455,7 @@ interface(`sysnet_manage_config',`
> type net_conf_t;
> ')
>
> + files_search_etc($1)
> allow $1 net_conf_t:file manage_file_perms;
>
> ifdef(`distro_debian',`
> Index: refpolicy-2.20170402/policy/modules/contrib/ntp.fc
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc
> +++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc
> @@ -15,6 +15,8 @@
>
> /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
> /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
> +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
> +/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
in the longrun i'd like to run systemd-timesyncd in a seperate domain,
cause it's onyl a ntp client, which should require less permissions
than the ntp server
my current trial:
https://github.com/cgzones/debian-package-refpolicy/blob/debian/debian/patches/0010-systemd-timesyncd-and-notify.patch
>
> /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
> /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
> @@ -23,6 +25,7 @@
> /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> +/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
>
> /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
>
> Index: refpolicy-2.20170402/policy/modules/contrib/ntp.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.te
> +++ refpolicy-2.20170402/policy/modules/contrib/ntp.te
> @@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t)
> dev_read_sysfs(ntpd_t)
> dev_read_urand(ntpd_t)
> dev_rw_realtime_clock(ntpd_t)
> +clock_read_adjtime(ntpd_t)
>
> domain_use_interactive_fds(ntpd_t)
> domain_dontaudit_list_all_domains_state(ntpd_t)
> @@ -142,6 +143,25 @@ miscfiles_read_localization(ntpd_t)
> userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
> userdom_list_user_home_dirs(ntpd_t)
>
> +ifdef(`init_systemd',`
> + dbus_system_bus_client(ntpd_t)
> + dbus_connect_system_bus(ntpd_t)
> + init_dbus_chat(ntpd_t)
> + init_get_system_status(ntpd_t)
> + allow ntpd_t self:capability { fowner setpcap };
> + init_reload(ntpd_t)
> +
> + # for /var/lib/systemd/clock
> + init_list_var_lib_dirs(ntpd_t)
> +
> + # for /run/systemd/netif/links
> + init_list_pid_dirs(ntpd_t)
> +
> + optional_policy(`
> + unconfined_dbus_send(ntpd_t)
> + ')
> +')
> +
> optional_policy(`
> cron_system_entry(ntpd_t, ntpdate_exec_t)
> ')
> Index: refpolicy-2.20170402/policy/modules/contrib/devicekit.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/devicekit.te
> +++ refpolicy-2.20170402/policy/modules/contrib/devicekit.te
> @@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
>
> init_all_labeled_script_domtrans(devicekit_power_t)
> init_read_utmp(devicekit_power_t)
> +init_search_run(devicekit_power_t)
>
> miscfiles_read_localization(devicekit_power_t)
>
> Index: refpolicy-2.20170402/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170402/policy/modules/system/init.if
> @@ -1209,6 +1209,24 @@ interface(`init_pid_filetrans',`
> filetrans_pattern($1, init_var_run_t, $2, $3, $4)
> ')
>
> +######################################
> +## <summary>
> +## Allow listing of the /run/systemd directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_list_pid_dirs',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
add files_search_pids($1) ?
> + allow $1 init_var_run_t:dir list_dir_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Get the attributes of initctl.
> @@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',`
> allow $1 { init_script_file_type systemdunit }:service status;
> ')
>
> +#######################################
> +## <summary>
> +## All perms on all systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_manage_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service all_service_perms;
> + ')
> +
> + allow $1 systemdunit:service all_service_perms;
> + allow $1 systemdunit:file getattr;
> +')
> +
> ########################################
> ## <summary>
> ## Start all systemd units.
> @@ -2879,3 +2917,58 @@ interface(`init_reload_all_units',`
>
> allow $1 { init_script_file_type systemdunit }:service reload;
> ')
> +
> +########################################
> +## <summary>
> +## Allow getting service status of initrc_exec_t scripts
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Target domain
> +## </summary>
> +## </param>
> +#
> +interface(`init_get_script_status',`
> + gen_require(`
> + type initrc_exec_t;
> + class service status;
> + ')
> +
> + allow $1 initrc_exec_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +## Allow unconfined access to send instructions to init
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Target domain
> +## </summary>
> +## </param>
> +#
> +interface(`init_unconfined',`
> + gen_require(`
> + type initrc_exec_t;
> + class service status;
> + ')
> +
> + dev_manage_null_service($1)
> + init_disable($1)
> + init_enable($1)
> + init_get_all_units_status($1)
> + init_get_generic_units_status($1)
> + init_get_system_status($1)
> + init_manage_all_units($1)
> + init_manage_script_service($1)
> + init_reboot_system($1)
> + init_reload($1)
> + init_reload_all_units($1)
> + init_shutdown_system($1)
> + init_start_all_units($1)
> + init_start_generic_units($1)
> + init_stop_all_units($1)
> + init_stop_generic_units($1)
> + init_stop_system($1)
> + init_telinit($1)
> +')
> Index: refpolicy-2.20170402/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170402/policy/modules/system/fstools.te
> @@ -146,6 +146,7 @@ term_use_console(fsadm_t)
> init_use_fds(fsadm_t)
> init_use_script_ptys(fsadm_t)
> init_dontaudit_getattr_initctl(fsadm_t)
> +init_rw_script_stream_sockets(fsadm_t)
>
> logging_send_syslog_msg(fsadm_t)
>
> Index: refpolicy-2.20170402/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170402/policy/modules/system/systemd.if
> @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
>
> ######################################
> ## <summary>
> +## Write systemd_login named pipe.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_write_logind_pid_pipes',`
> + gen_require(`
> + type systemd_logind_var_run_t;
> + ')
> +
> + init_search_run($1)
> + files_search_pids($1)
> + allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
> +')
> +
> +######################################
> +## <summary>
> ## Use inherited systemd
> ## logind file descriptors.
> ## </summary>
> @@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',`
>
> ######################################
> ## <summary>
> +## Read logind sessions files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_logind_sessions_files',`
> + gen_require(`
> + type systemd_sessions_var_run_t, systemd_logind_t;
> + ')
> +
> + allow $1 systemd_logind_t:fd use;
> + init_search_run($1)
> + allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
> + read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
> +')
> +
> +######################################
> +## <summary>
> ## Write inherited logind sessions pipes.
> ## </summary>
> ## <param name="domain">
> @@ -188,6 +229,30 @@ interface(`systemd_use_passwd_agent_fds'
> allow systemd_passwd_agent_t $1:fd use;
> ')
>
> +#######################################
> +## <summary>
> +## Allow a systemd_passwd_agent_t process to interact with a daemon
> +## that needs a password from the sysadmin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_use_passwd_agent',`
> + gen_require(`
> + type systemd_passwd_agent_t;
> + type systemd_passwd_var_run_t;
> + ')
> +
> + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
> + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
> +
> + allow systemd_passwd_agent_t $1:process signull;
> + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
> +')
> +
> ########################################
> ## <summary>
> ## Transition to systemd_passwd_var_run_t when creating dirs
> @@ -383,3 +448,22 @@ interface(`systemd_tmpfilesd_managed',`
>
> allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> ')
> +
> +########################################
> +## <summary>
> +## Allow reading /run/systemd/machines
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that can access the machines files
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_machines',`
> + gen_require(`
> + type systemd_machined_var_run_t;
> + ')
> +
> + allow $1 systemd_machined_var_run_t:dir list_dir_perms;
> + allow $1 systemd_machined_var_run_t:file read_file_perms;
> +')
> Index: refpolicy-2.20170402/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170402/policy/modules/contrib/dpkg.te
> @@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t)
>
> corecmd_exec_all_executables(dpkg_script_t)
>
> -dev_manage_null_service(dpkg_script_t)
> dev_list_sysfs(dpkg_script_t)
> # Use named file transition to fix this
> # dev_manage_generic_blk_files(dpkg_script_t)
> @@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_
> auth_manage_shadow(dpkg_script_t)
>
> init_all_labeled_script_domtrans(dpkg_script_t)
> -init_get_generic_units_status(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> -init_get_system_status(dpkg_script_t)
> -init_start_generic_units(dpkg_script_t)
> -init_stop_generic_units(dpkg_script_t)
> -init_reload(dpkg_script_t)
> -init_stop_system(dpkg_script_t)
> -init_telinit(dpkg_script_t)
> init_manage_script_service(dpkg_script_t)
> init_startstop_all_script_services(dpkg_script_t)
> +init_unconfined(dpkg_script_t)
>
> libs_exec_ld_so(dpkg_script_t)
> libs_exec_lib_files(dpkg_script_t)
> Index: refpolicy-2.20170402/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170402/policy/modules/system/init.te
> @@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
> seutil_read_default_contexts(initrc_t)
>
> # /lib/rcscripts/net/system.sh rewrites resolv.conf :(
> - sysnet_create_config(initrc_t)
> - sysnet_write_config(initrc_t)
> - sysnet_setattr_config(initrc_t)
> + sysnet_manage_config(initrc_t)
>
> optional_policy(`
> abrt_manage_pid_files(initrc_t)
> Index: refpolicy-2.20170402/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170402/policy/modules/system/systemd.te
> @@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpf
> seutil_read_config(systemd_tmpfiles_t)
> seutil_read_file_contexts(systemd_tmpfiles_t)
>
> -sysnet_create_config(systemd_tmpfiles_t)
> +sysnet_manage_config(systemd_tmpfiles_t)
> +sysnet_relabel_config(systemd_tmpfiles_t)
>
> systemd_log_parse_environment(systemd_tmpfiles_t)
>
> Index: refpolicy-2.20170402/policy/modules/contrib/ntp.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.if
> +++ refpolicy-2.20170402/policy/modules/contrib/ntp.if
> @@ -200,6 +200,9 @@ interface(`ntp_admin',`
> type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
> type ntpd_initrc_exec_t, ntp_drift_t;
> type ntpd_unit_t;
> + ifdef(`init_systemd',`
> + class dbus send_msg;
> + ')
> ')
>
> allow $1 ntpd_t:process { ptrace signal_perms };
> @@ -223,4 +226,9 @@ interface(`ntp_admin',`
> admin_pattern($1, ntpd_pid_t)
>
> ntp_run($1, $2)
> +
> + ifdef(`init_systemd',`
> + allow $1 ntpd_t:dbus send_msg;
> + allow ntpd_t $1:dbus send_msg;
> + ')
> ')
> Index: refpolicy-2.20170402/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20170402.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20170402/policy/modules/services/ssh.if
> @@ -271,6 +271,10 @@ template(`ssh_server_template', `
> files_read_var_lib_symlinks($1_t)
> nx_spec_domtrans_server($1_t)
> ')
> +
> + optional_policy(`
> + systemd_read_logind_sessions_files($1_t)
> + ')
> ')
>
> ########################################
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
On 04/05/2017 02:33 PM, cgzones via refpolicy wrote:
> 2017-04-05 6:51 GMT+02:00 Russell Coker via refpolicy
>> --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc
>> +++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc
>> @@ -15,6 +15,8 @@
>>
>> /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
>> /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
>> +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
>> +/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
>
> in the longrun i'd like to run systemd-timesyncd in a seperate domain,
> cause it's onyl a ntp client, which should require less permissions
> than the ntp server
I agree.
--
Chris PeBenito
On Fri, 7 Apr 2017 07:31:23 AM Chris PeBenito via refpolicy wrote:
> > in the longrun i'd like to run systemd-timesyncd in a seperate domain,
> > cause it's onyl a ntp client, which should require less permissions
> > than the ntp server
>
> I agree.
I'd like to have fewer little almost-duplicate domains that make it more time-
consuming to maintain policy and more difficult to analyse it.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/