From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 23 Feb 2017 20:03:51 -0500 Subject: [refpolicy] [PATCH] first systemd patch - not hopefully good enough In-Reply-To: <20170221071757.ptxte6gnjhjn6edy@athena.coker.com.au> References: <20170221071757.ptxte6gnjhjn6edy@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/21/17 02:17, Russell Coker via refpolicy wrote: > I've done all the things pebenito asked, hopefully this is good enough now. Merged. I made a some changes: * moved some lines around * the term_relabel_ptys_dirs() you added is a dupe of term_relabel_pty_dirs(), which I fixed. * I removed the initrc_t range transitions in init_ranged_domain() * I removed init init_t domtrans pattern since it should be redundant due to the init_domain() above it. I also removed the unix stream socket rule as there is a socket activation interface below meant to fill that purpose (and explicitly called by socket activated domains). * There was a big block of additions at the end of init.te which I cleaned out, though most of it was dropped as I'm still concerned about applying all those rules to all daemons. * I removed several calls to nonexistant interfaces > Description: Make systemd work > Author: Russell Coker > Last-Update: 2017-02-21 > > Index: refpolicy-2.20170221/policy/modules/system/udev.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/udev.if > +++ refpolicy-2.20170221/policy/modules/system/udev.if > @@ -282,6 +282,26 @@ interface(`udev_manage_pid_dirs',` > > ######################################## > ## > +## Allow process to relabelto udev database > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`udev_relabelto_db',` > + gen_require(` > + type udev_var_run_t; > + ') > + > + files_search_pids($1) > + allow $1 udev_var_run_t:file relabelto_file_perms; > + allow $1 udev_var_run_t:lnk_file relabelto_file_perms; > +') > + > +######################################## > +## > ## Read udev pid files. > ## > ## > Index: refpolicy-2.20170221/policy/modules/kernel/devices.te > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/kernel/devices.te > +++ refpolicy-2.20170221/policy/modules/kernel/devices.te > @@ -21,6 +21,9 @@ files_mountpoint(device_t) > files_associate_tmp(device_t) > fs_xattr_type(device_t) > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); > +optional_policy(` > + systemd_tmpfilesd_managed(device_t, fifo_file) > +') > > # > # Type for /dev/agpgart > Index: refpolicy-2.20170221/policy/modules/kernel/files.te > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/kernel/files.te > +++ refpolicy-2.20170221/policy/modules/kernel/files.te > @@ -174,6 +174,10 @@ type var_run_t; > files_pid_file(var_run_t) > files_mountpoint(var_run_t) > > +optional_policy(` > + systemd_tmpfilesd_managed(var_run_t, lnk_file) > +') > + > # > # var_spool_t is the type of /var/spool > # > Index: refpolicy-2.20170221/policy/modules/system/authlogin.te > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/authlogin.te > +++ refpolicy-2.20170221/policy/modules/system/authlogin.te > @@ -30,6 +30,9 @@ role system_r types chkpwd_t; > > type faillog_t; > logging_log_file(faillog_t) > +optional_policy(` > + systemd_tmpfilesd_managed(faillog_t, file) > +') > > type lastlog_t; > logging_log_file(lastlog_t) > @@ -81,6 +84,9 @@ application_domain(utempter_t, utempter_ > # > type var_auth_t; > files_type(var_auth_t) > +optional_policy(` > + systemd_tmpfilesd_managed(var_auth_t, dir) > +') > > type wtmp_t; > logging_log_file(wtmp_t) > Index: refpolicy-2.20170221/policy/modules/system/init.fc > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/init.fc > +++ refpolicy-2.20170221/policy/modules/system/init.fc > @@ -57,6 +57,8 @@ ifdef(`distro_gentoo', ` > /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) > +/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) > +/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) > > ifdef(`distro_debian',` > Index: refpolicy-2.20170221/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/init.if > +++ refpolicy-2.20170221/policy/modules/system/init.if > @@ -164,10 +164,12 @@ interface(`init_ranged_domain',` > > ifdef(`enable_mcs',` > range_transition init_t $2:process $3; > + range_transition initrc_t $2:process $3; > ') > > ifdef(`enable_mls',` > range_transition init_t $2:process $3; > + range_transition initrc_t $2:process $3; > mls_rangetrans_target($1) > ') > ') > @@ -210,8 +212,10 @@ interface(`init_ranged_domain',` > interface(`init_daemon_domain',` > gen_require(` > type initrc_t; > + type init_t; > role system_r; > attribute daemon; > + attribute initrc_transition_domain; > ') > > typeattribute $1 daemon; > @@ -240,6 +244,10 @@ interface(`init_daemon_domain',` > init_domain($1, $2) > # this may be because of late labelling > kernel_dgram_send($1) > + > + domtrans_pattern(init_t, $2, $1) > + allow init_t $1:unix_stream_socket create_stream_socket_perms; > + allow $1 init_t:unix_dgram_socket sendto; > ') > > optional_policy(` > @@ -400,8 +408,10 @@ interface(`init_system_domain',` > gen_require(` > type initrc_t; > role system_r; > + attribute systemprocess; > ') > > + typeattribute $1 systemprocess; > application_domain($1, $2) > > role system_r types $1; > @@ -477,6 +487,24 @@ interface(`init_ranged_system_domain',` > ') > ') > > +###################################### > +## > +## Allow domain dyntransition to init_t domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`init_dyntrans',` > + gen_require(` > + type init_t; > + ') > + > + dyntrans_pattern($1, init_t) > +') > + > ######################################## > ## > ## Mark the file type as a daemon pid file, allowing initrc_t > @@ -675,6 +703,7 @@ interface(`init_stream_connect',` > > stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) > files_search_pids($1) > + allow $1 init_t:unix_stream_socket getattr; > ') > > ######################################## > @@ -1192,23 +1221,23 @@ interface(`init_write_initctl',` > # > interface(`init_telinit',` > gen_require(` > - type initctl_t; > + type initctl_t, init_t; > ') > > + corecmd_exec_bin($1) > + > dev_list_all_dev_nodes($1) > allow $1 initctl_t:fifo_file rw_fifo_file_perms; > > init_exec($1) > > - tunable_policy(`init_upstart',` > - gen_require(` > - type init_t; > - ') > - > - # upstart uses a datagram socket instead of initctl pipe > - allow $1 self:unix_dgram_socket create_socket_perms; > - allow $1 init_t:unix_dgram_socket sendto; > - ') > + ps_process_pattern($1, init_t) > + allow $1 init_t:process signal; > + # upstart uses a datagram socket instead of initctl pipe > + allow $1 self:unix_dgram_socket create_socket_perms; > + allow $1 init_t:unix_dgram_socket sendto; > + #576913 > + allow $1 init_t:unix_stream_socket connectto; > ') > > ######################################## > @@ -1217,7 +1246,7 @@ interface(`init_telinit',` > ## > ## > ## > -## Domain allowed access. > +## Domain to not audit. > ## > ## > # > @@ -1332,6 +1361,36 @@ interface(`init_domtrans_script',` > > ######################################## > ## > +## Execute labelled init scripts with an automatic domain transition. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`init_domtrans_labelled_script',` > + gen_require(` > + type initrc_t; > + attribute init_script_file_type; > + attribute initrc_transition_domain; > + ') > + typeattribute $1 initrc_transition_domain; > + > + files_list_etc($1) > + domtrans_pattern($1, init_script_file_type, initrc_t) > + > + ifdef(`enable_mcs',` > + range_transition $1 init_script_file_type:process s0; > + ') > + > + ifdef(`enable_mls',` > + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; > + ') > +') > + > +######################################## > +## > ## Execute a init script in a specified domain. > ## > ## > @@ -1402,8 +1461,10 @@ interface(`init_manage_script_service',` > interface(`init_labeled_script_domtrans',` > gen_require(` > type initrc_t; > + attribute initrc_transition_domain; > ') > > + typeattribute $1 initrc_transition_domain; > domtrans_pattern($1, $2, initrc_t) > files_search_etc($1) > ') > @@ -1536,9 +1597,10 @@ interface(`init_run_daemon',` > interface(`init_startstop_all_script_services',` > gen_require(` > attribute init_script_file_type; > + class service { start status stop reload }; > ') > > - allow $1 init_script_file_type:service { start status stop }; > + allow $1 init_script_file_type:service { start status stop reload }; > ') > > ######################################## > @@ -1746,12 +1808,7 @@ interface(`init_read_script_state',` > ') > > kernel_search_proc($1) > - read_files_pattern($1, initrc_t, initrc_t) > - read_lnk_files_pattern($1, initrc_t, initrc_t) > - list_dirs_pattern($1, initrc_t, initrc_t) > - > - # should move this to separate interface > - allow $1 initrc_t:process getattr; > + ps_process_pattern($1, initrc_t) > ') > > ######################################## > @@ -2335,7 +2392,7 @@ interface(`init_dontaudit_rw_utmp',` > type initrc_var_run_t; > ') > > - dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; > + dontaudit $1 initrc_var_run_t:file rw_file_perms; > ') > > ######################################## > @@ -2376,6 +2433,44 @@ interface(`init_pid_filetrans_utmp',` > files_pid_filetrans($1, initrc_var_run_t, file, "utmp") > ') > > +####################################### > +## > +## Create a directory in the /run/systemd directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_create_pid_dirs',` > + gen_require(` > + type init_var_run_t; > + ') > + > + allow $1 init_var_run_t:dir list_dir_perms; > + create_dirs_pattern($1, init_var_run_t, init_var_run_t) > +') > + > +######################################## > +## > +## Rename and unlink init_var_run_t files > +## > +## > +## > +## domain > +## > +## > +# > +interface(`init_delete_pid_files',` > + gen_require(` > + type init_var_run_t; > + ') > + > + delete_files_pattern($1, init_var_run_t, init_var_run_t) > + rename_files_pattern($1, init_var_run_t, init_var_run_t) > +') > + > ######################################## > ## > ## Allow the specified domain to connect to daemon with a tcp socket > @@ -2550,6 +2645,43 @@ interface(`init_start_all_units',` > allow $1 systemdunit:service start; > ') > > +####################################### > +## > +## Allow the specified domain to write to > +## init sock file. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_write_pid_socket',` > + gen_require(` > + type init_var_run_t; > + ') > + > + allow $1 init_var_run_t:sock_file write; > +') > + > +######################################## > +## > +## Read init unnamed pipes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_read_pid_pipes',` > + gen_require(` > + type init_var_run_t; > + ') > + > + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) > +') > + > ######################################## > ## > ## Stop all systemd units. > Index: refpolicy-2.20170221/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/init.te > +++ refpolicy-2.20170221/policy/modules/system/init.te > @@ -16,13 +16,22 @@ gen_require(` > ## > gen_tunable(init_upstart, false) > > +## > +##

> +## Allow all daemons the ability to read/write terminals > +##

> +##
> +gen_tunable(init_daemons_use_tty, false) > + > attribute init_script_domain_type; > attribute init_script_file_type; > attribute init_run_all_scripts_domain; > attribute systemdunit; > +attribute initrc_transition_domain; > > # Mark process types as daemons > attribute daemon; > +attribute systemprocess; > > # Mark file type as a daemon pid file > attribute daemonpidfile; > @@ -33,7 +42,7 @@ attribute daemonrundir; > # > # init_t is the domain of the init process. > # > -type init_t; > +type init_t, initrc_transition_domain; > type init_exec_t; > domain_type(init_t) > domain_entry_file(init_t, init_exec_t) > @@ -66,6 +75,7 @@ type initrc_exec_t, init_script_file_typ > domain_type(initrc_t) > domain_entry_file(initrc_t, initrc_exec_t) > init_named_socket_activation(initrc_t, init_var_run_t) > +allow init_run_all_scripts_domain systemdunit:service { status start stop }; > role system_r types initrc_t; > # should be part of the true block > # of the below init_upstart tunable > @@ -110,6 +120,7 @@ ifdef(`enable_mls',` > > # Use capabilities. old rule: > allow init_t self:capability ~sys_module; > +allow init_t self:capability2 { wake_alarm block_suspend }; > # is ~sys_module really needed? observed: > # sys_boot > # sys_tty_config > @@ -128,6 +139,9 @@ allow init_t initrc_t:unix_stream_socket > allow init_t init_var_run_t:file manage_file_perms; > files_pid_filetrans(init_t, init_var_run_t, file) > > +# for systemd to manage service file symlinks > +allow init_t init_var_run_t:file manage_lnk_file_perms; > + > allow init_t initctl_t:fifo_file manage_fifo_file_perms; > dev_filetrans(init_t, initctl_t, fifo_file) > > @@ -147,6 +161,7 @@ dev_rw_generic_chr_files(init_t) > > domain_getpgid_all_domains(init_t) > domain_kill_all_domains(init_t) > +domain_getattr_all_domains(init_t) > domain_signal_all_domains(init_t) > domain_signull_all_domains(init_t) > domain_sigstop_all_domains(init_t) > @@ -199,6 +214,12 @@ ifdef(`init_systemd',` > # handle instances where an old labeled init script is encountered. > typeattribute init_t init_run_all_scripts_domain; > > + allow init_t systemprocess:process { dyntransition siginh }; > + allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; > + allow init_t systemprocess:unix_dgram_socket create_socket_perms; > + allow systemprocess init_t:unix_dgram_socket sendto; > + allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; > + > allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit }; > allow init_t self:capability2 { audit_read block_suspend }; > allow init_t self:netlink_kobject_uevent_socket create_socket_perms; > @@ -206,6 +227,13 @@ ifdef(`init_systemd',` > allow init_t self:netlink_selinux_socket create_socket_perms; > allow init_t self:unix_dgram_socket lock; > > + allow init_t daemon:unix_stream_socket create_stream_socket_perms; > + allow init_t daemon:unix_dgram_socket create_socket_perms; > + allow init_t daemon:tcp_socket create_stream_socket_perms; > + allow init_t daemon:udp_socket create_socket_perms; > + allow daemon init_t:unix_dgram_socket sendto; > + > + allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; > manage_files_pattern(init_t, init_var_run_t, init_var_run_t) > manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) > manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) > @@ -269,6 +297,9 @@ ifdef(`init_systemd',` > # for network namespaces > fs_read_nsfs_files(init_t) > > + # need write to /var/run/systemd/notify > + init_write_pid_socket(daemon) > + > # systemd_socket_activated policy > mls_socket_write_all_levels(init_t) > > @@ -355,6 +386,11 @@ optional_policy(` > ') > > optional_policy(` > + udev_read_db(init_t) > + udev_relabelto_db(init_t) > +') > + > +optional_policy(` > unconfined_domain(init_t) > ') > > @@ -403,11 +439,14 @@ manage_fifo_files_pattern(initrc_t, init > allow initrc_t initrc_var_run_t:file manage_file_perms; > files_pid_filetrans(initrc_t, initrc_var_run_t, file) > > +allow initrc_t daemon:process siginh; > + > can_exec(initrc_t, initrc_tmp_t) > manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) > manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) > manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) > files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) > +allow initrc_t initrc_tmp_t:dir relabelfrom; > > manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) > manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) > @@ -450,6 +489,7 @@ corenet_sendrecv_all_client_packets(init > > dev_read_rand(initrc_t) > dev_read_urand(initrc_t) > +dev_dontaudit_read_kmsg(initrc_t) > dev_write_kmsg(initrc_t) > dev_write_rand(initrc_t) > dev_write_urand(initrc_t) > @@ -460,8 +500,10 @@ dev_write_framebuffer(initrc_t) > dev_read_realtime_clock(initrc_t) > dev_read_sound_mixer(initrc_t) > dev_write_sound_mixer(initrc_t) > +dev_setattr_generic_dirs(initrc_t) > dev_setattr_all_chr_files(initrc_t) > dev_rw_lvm_control(initrc_t) > +dev_rw_generic_chr_files(initrc_t) > dev_delete_lvm_control_dev(initrc_t) > dev_manage_generic_symlinks(initrc_t) > dev_manage_generic_files(initrc_t) > @@ -469,17 +511,16 @@ dev_manage_generic_files(initrc_t) > dev_delete_generic_symlinks(initrc_t) > dev_getattr_all_blk_files(initrc_t) > dev_getattr_all_chr_files(initrc_t) > -# Early devtmpfs > -dev_rw_generic_chr_files(initrc_t) > +dev_rw_xserver_misc(initrc_t) > > domain_kill_all_domains(initrc_t) > domain_signal_all_domains(initrc_t) > domain_signull_all_domains(initrc_t) > domain_sigstop_all_domains(initrc_t) > +domain_sigstop_all_domains(initrc_t) > domain_sigchld_all_domains(initrc_t) > domain_read_all_domains_state(initrc_t) > domain_getattr_all_domains(initrc_t) > -domain_dontaudit_ptrace_all_domains(initrc_t) > domain_getsession_all_domains(initrc_t) > domain_use_interactive_fds(initrc_t) > # for lsof which is used by alsa shutdown: > @@ -487,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets > domain_dontaudit_getattr_all_tcp_sockets(initrc_t) > domain_dontaudit_getattr_all_dgram_sockets(initrc_t) > domain_dontaudit_getattr_all_pipes(initrc_t) > +domain_obj_id_change_exemption(initrc_t) > > files_getattr_all_dirs(initrc_t) > files_getattr_all_files(initrc_t) > @@ -494,8 +536,10 @@ files_getattr_all_symlinks(initrc_t) > files_getattr_all_pipes(initrc_t) > files_getattr_all_sockets(initrc_t) > files_purge_tmp(initrc_t) > -files_delete_all_locks(initrc_t) > +files_manage_all_locks(initrc_t) > +files_manage_boot_files(initrc_t) > files_read_all_pids(initrc_t) > +files_delete_root_files(initrc_t) > files_delete_all_pids(initrc_t) > files_delete_all_pid_dirs(initrc_t) > files_read_etc_files(initrc_t) > @@ -509,8 +553,12 @@ files_manage_generic_spool(initrc_t) > # cjp: not sure why these are here; should use mount policy > files_list_default(initrc_t) > files_mounton_default(initrc_t) > +files_manage_mnt_dirs(initrc_t) > +files_manage_mnt_files(initrc_t) > > -fs_write_cgroup_files(initrc_t) > +fs_delete_cgroup_dirs(initrc_t) > +fs_list_cgroup_dirs(initrc_t) > +fs_rw_cgroup_files(initrc_t) > fs_list_inotifyfs(initrc_t) > fs_register_binary_executable_type(initrc_t) > # rhgb-console writes to ramfs > @@ -520,9 +568,13 @@ fs_mount_all_fs(initrc_t) > fs_unmount_all_fs(initrc_t) > fs_remount_all_fs(initrc_t) > fs_getattr_all_fs(initrc_t) > +fs_search_all(initrc_t) > +fs_getattr_nfsd_files(initrc_t) > > # initrc_t needs to do a pidof which requires ptrace > mcs_ptrace_all(initrc_t) > +mcs_file_read_all(initrc_t) > +mcs_file_write_all(initrc_t) > mcs_killall(initrc_t) > mcs_process_set_categories(initrc_t) > > @@ -532,6 +584,7 @@ mls_process_read_all_levels(initrc_t) > mls_process_write_all_levels(initrc_t) > mls_rangetrans_source(initrc_t) > mls_fd_share_all_levels(initrc_t) > +mls_socket_write_to_clearance(initrc_t) > > selinux_get_enforce_mode(initrc_t) > > @@ -550,6 +603,11 @@ auth_delete_pam_pid(initrc_t) > auth_delete_pam_console_data(initrc_t) > auth_use_nsswitch(initrc_t) > > +init_get_system_status(initrc_t) > +init_stream_connect(initrc_t) > +init_start_all_units(initrc_t) > +init_stop_all_units(initrc_t) > + > libs_rw_ld_so_cache(initrc_t) > libs_exec_lib_files(initrc_t) > libs_exec_ld_so(initrc_t) > @@ -563,7 +621,7 @@ logging_read_audit_config(initrc_t) > > miscfiles_read_localization(initrc_t) > # slapd needs to read cert files from its initscript > -miscfiles_read_generic_certs(initrc_t) > +miscfiles_manage_generic_cert_files(initrc_t) > > seutil_read_config(initrc_t) > > @@ -571,7 +629,7 @@ userdom_read_user_home_content_files(ini > # Allow access to the sysadm TTYs. Note that this will give access to the > # TTYs to any process in the initrc_t domain. Therefore, daemons and such > # started from init should be placed in their own domain. > -userdom_use_user_terminals(initrc_t) > +userdom_use_inherited_user_terminals(initrc_t) > > ifdef(`distro_debian',` > kernel_getattr_core_if(initrc_t) > @@ -643,6 +701,10 @@ ifdef(`distro_gentoo',` > sysnet_setattr_config(initrc_t) > > optional_policy(` > + abrt_manage_pid_files(initrc_t) > + ') > + > + optional_policy(` > alsa_read_lib(initrc_t) > ') > > @@ -663,7 +725,7 @@ ifdef(`distro_redhat',` > > # Red Hat systems seem to have a stray > # fd open from the initrd > - kernel_dontaudit_use_fds(initrc_t) > + kernel_use_fds(initrc_t) > files_dontaudit_read_root_files(initrc_t) > > # These seem to be from the initrd > @@ -698,6 +760,7 @@ ifdef(`distro_redhat',` > miscfiles_rw_localization(initrc_t) > miscfiles_setattr_localization(initrc_t) > miscfiles_relabel_localization(initrc_t) > + miscfiles_filetrans_named_content(initrc_t) > > miscfiles_read_fonts(initrc_t) > miscfiles_read_hwdata(initrc_t) > @@ -707,8 +770,35 @@ ifdef(`distro_redhat',` > ') > > optional_policy(` > + abrt_manage_pid_files(initrc_t) > + ') > + > + optional_policy(` > bind_manage_config_dirs(initrc_t) > + bind_manage_config(initrc_t) > bind_write_config(initrc_t) > + bind_setattr_zone_dirs(initrc_t) > + ') > + > + optional_policy(` > + devicekit_append_inherited_log_files(initrc_t) > + ') > + > + optional_policy(` > + dirsrvadmin_read_config(initrc_t) > + dirsrv_manage_var_run(initrc_t) > + ') > + > + optional_policy(` > + gnome_manage_gconf_config(initrc_t) > + ') > + > + optional_policy(` > + ldap_read_db_files(initrc_t) > + ') > + > + optional_policy(` > + pulseaudio_stream_connect(initrc_t) > ') > > optional_policy(` > @@ -716,14 +806,27 @@ ifdef(`distro_redhat',` > rpc_write_exports(initrc_t) > rpc_manage_nfs_state_data(initrc_t) > ') > + optional_policy(` > + rpcbind_stream_connect(initrc_t) > + ') > > optional_policy(` > sysnet_rw_dhcp_config(initrc_t) > sysnet_manage_config(initrc_t) > + sysnet_manage_dhcpc_state(initrc_t) > + sysnet_relabelfrom_dhcpc_state(initrc_t) > + sysnet_relabelfrom_net_conf(initrc_t) > + sysnet_relabelto_net_conf(initrc_t) > + sysnet_filetrans_named_content(initrc_t) > + ') > + > + optional_policy(` > + wdmd_manage_pid_files(initrc_t) > ') > > optional_policy(` > xserver_delete_log(initrc_t) > + xserver_manage_user_fonts_dir(initrc_t) > ') > ') > > @@ -735,6 +838,20 @@ ifdef(`distro_suse',` > ') > > ifdef(`init_systemd',` > + allow init_t self:system { status reboot halt reload }; > + > + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; > + allow init_t self:process { setsockcreate setfscreate setrlimit }; > + allow init_t self:process { getcap setcap }; > + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; > + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; > + # Until systemd is fixed > + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; > + allow init_t self:udp_socket create_socket_perms; > + allow init_t self:netlink_route_socket create_netlink_socket_perms; > + allow init_t initrc_t:unix_dgram_socket create_socket_perms; > + allow initrc_t init_t:system { status reboot halt reload }; > + allow init_t self:capability2 audit_read; > manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) > files_lock_filetrans(initrc_t, initrc_lock_t, file) > > @@ -746,11 +863,25 @@ ifdef(`init_systemd',` > files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set) > > create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) > + allow initrc_t systemd_unit_t:service reload; > > manage_files_pattern(initrc_t, systemdunit, systemdunit) > manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit) > + allow initrc_t systemdunit:service reload; > + allow initrc_t init_script_file_type:service { stop start status reload }; > > kernel_dgram_send(initrc_t) > + kernel_list_unlabeled(init_t) > + kernel_read_network_state(init_t) > + kernel_rw_kernel_sysctl(init_t) > + kernel_rw_net_sysctls(init_t) > + kernel_read_all_sysctls(init_t) > + kernel_read_software_raid_state(init_t) > + kernel_unmount_debugfs(init_t) > + kernel_setsched(init_t) > + > + auth_relabel_login_records(init_t) > + auth_relabel_pam_console_data_dirs(init_t) > > # run systemd misc initializations > # in the initrc_t domain, as would be > @@ -760,34 +891,90 @@ ifdef(`init_systemd',` > corecmd_bin_domtrans(init_t, initrc_t) > corecmd_shell_domtrans(init_t, initrc_t) > > - files_read_boot_files(initrc_t) > + dev_write_kmsg(init_t) > + dev_write_urand(init_t) > + dev_rw_lvm_control(init_t) > + dev_rw_autofs(init_t) > + dev_manage_generic_symlinks(init_t) > + dev_manage_generic_dirs(init_t) > + dev_manage_generic_files(init_t) > + dev_manage_null_service(initrc_t) > + dev_read_generic_chr_files(init_t) > + dev_relabel_generic_dev_dirs(init_t) > + dev_relabel_all_dev_nodes(init_t) > + dev_relabel_all_dev_files(init_t) > + dev_manage_sysfs_dirs(init_t) > + dev_relabel_sysfs_dirs(init_t) > + # systemd writes to /dev/watchdog on shutdown > + dev_write_watchdog(init_t) > + > # Allow initrc_t to check /etc/fstab "service." It appears that > # systemd is conflating files and services. > + files_create_all_pid_pipes(init_t) > + files_create_all_pid_sockets(init_t) > + files_create_all_spool_sockets(init_t) > + files_create_lock_dirs(init_t) > + files_delete_all_pids(init_t) > + files_delete_all_spool_sockets(init_t) > + files_exec_generic_pid_files(init_t) > files_get_etc_unit_status(initrc_t) > + files_list_locks(init_t) > + files_list_spool(init_t) > + files_list_var(init_t) > + files_manage_all_pid_dirs(init_t) > + files_manage_generic_tmp_dirs(init_t) > + files_manage_urandom_seed(init_t) > + files_mounton_all_mountpoints(init_t) > + files_read_boot_files(initrc_t) > + files_relabel_all_lock_dirs(init_t) > + files_relabel_all_pid_dirs(init_t) > + files_relabel_all_pid_files(init_t) > + files_search_all(init_t) > files_setattr_pid_dirs(initrc_t) > + files_unmount_all_file_type_fs(init_t) > > - selinux_set_enforce_mode(initrc_t) > + fs_getattr_all_fs(init_t) > + fs_list_auto_mountpoints(init_t) > + fs_manage_cgroup_dirs(init_t) > + fs_manage_cgroup_files(init_t) > + fs_manage_hugetlbfs_dirs(init_t) > + fs_manage_tmpfs_dirs(init_t) > + fs_mount_all_fs(init_t) > + fs_remount_all_fs(init_t) > + fs_unmount_all_fs(init_t) > + fs_search_cgroup_dirs(daemon) > > - init_stream_connect(initrc_t) > + init_get_all_units_status(initrc_t) > init_manage_var_lib_files(initrc_t) > + init_read_script_state(init_t) > init_rw_stream_sockets(initrc_t) > - init_get_all_units_status(initrc_t) > init_stop_all_units(initrc_t) > + init_stream_connect(initrc_t) > > # Create /etc/audit.rules.prev after firstboot remediation > logging_manage_audit_config(initrc_t) > > + selinux_compute_create_context(init_t) > + selinux_set_enforce_mode(initrc_t) > + selinux_unmount_fs(init_t) > + selinux_validate_context(init_t) > # lvm2-activation-generator checks file labels > seutil_read_file_contexts(initrc_t) > + seutil_read_file_contexts(init_t) > > + storage_getattr_removable_dev(init_t) > + systemd_manage_all_units(init_t) > systemd_start_power_units(initrc_t) > > + term_relabel_ptys_dirs(init_t) > + > optional_policy(` > # create /var/lock/lvm/ > lvm_create_lock_dirs(initrc_t) > ') > ') > > + > optional_policy(` > amavis_search_lib(initrc_t) > amavis_setattr_pid_files(initrc_t) > @@ -800,6 +987,8 @@ optional_policy(` > optional_policy(` > apache_read_config(initrc_t) > apache_list_modules(initrc_t) > + # webmin seems to cause this. > + apache_search_sys_content(daemon) > ') > > optional_policy(` > @@ -821,6 +1010,7 @@ optional_policy(` > > optional_policy(` > cgroup_stream_connect_cgred(initrc_t) > + domain_setpriority_all_domains(initrc_t) > ') > > optional_policy(` > @@ -837,6 +1027,12 @@ optional_policy(` > ') > > optional_policy(` > + cron_read_pipes(initrc_t) > + # managing /etc/cron.d/mailman content > + cron_manage_system_spool(initrc_t) > +') > + > +optional_policy(` > dev_getattr_printer_dev(initrc_t) > > cups_read_log(initrc_t) > @@ -853,9 +1049,13 @@ optional_policy(` > dbus_connect_system_bus(initrc_t) > dbus_system_bus_client(initrc_t) > dbus_read_config(initrc_t) > + dbus_manage_lib_files(initrc_t) > + > + init_dbus_chat(initrc_t) > > optional_policy(` > consolekit_dbus_chat(initrc_t) > + consolekit_manage_log(initrc_t) > ') > > optional_policy(` > @@ -897,6 +1097,11 @@ optional_policy(` > ') > > optional_policy(` > + modutils_read_module_config(initrc_t) > + modutils_domtrans_insmod(initrc_t) > +') > + > +optional_policy(` > inn_exec_config(initrc_t) > ') > > @@ -937,6 +1142,7 @@ optional_policy(` > lpd_list_spool(initrc_t) > > lpd_read_config(initrc_t) > + lpd_manage_spool(init_t) > ') > > optional_policy(` > @@ -960,6 +1166,7 @@ optional_policy(` > > optional_policy(` > mta_read_config(initrc_t) > + mta_write_config(initrc_t) > mta_dontaudit_read_spool_symlinks(initrc_t) > ') > > @@ -982,6 +1189,10 @@ optional_policy(` > ') > > optional_policy(` > + plymouthd_stream_connect(initrc_t) > +') > + > +optional_policy(` > postgresql_manage_db(initrc_t) > postgresql_read_config(initrc_t) > ') > @@ -994,6 +1205,7 @@ optional_policy(` > puppet_rw_tmp(initrc_t) > ') > > + > optional_policy(` > quota_manage_flags(initrc_t) > ') > @@ -1024,8 +1236,6 @@ optional_policy(` > # bash tries ioctl for some reason > files_dontaudit_ioctl_all_pids(initrc_t) > > - # why is this needed: > - rpm_manage_db(initrc_t) > ') > > optional_policy(` > @@ -1043,10 +1253,12 @@ optional_policy(` > squid_manage_logs(initrc_t) > ') > > +ifdef(`enabled_mls',` > optional_policy(` > # allow init scripts to su > su_restricted_domain_template(initrc, initrc_t, system_r) > ') > +') > > optional_policy(` > ssh_dontaudit_read_server_keys(initrc_t) > @@ -1062,7 +1274,6 @@ optional_policy(` > ') > > optional_policy(` > - udev_rw_db(initrc_t) > udev_manage_pid_files(initrc_t) > udev_manage_pid_dirs(initrc_t) > udev_manage_rules_files(initrc_t) > @@ -1079,6 +1290,10 @@ optional_policy(` > > optional_policy(` > unconfined_domain(initrc_t) > + domain_role_change_exemption(initrc_t) > + mcs_file_read_all(initrc_t) > + mcs_file_write_all(initrc_t) > + mcs_killall(initrc_t) > > ifdef(`distro_redhat',` > # system-config-services causes avc messages that should be dontaudited > @@ -1088,6 +1303,15 @@ optional_policy(` > optional_policy(` > mono_domtrans(initrc_t) > ') > + > + optional_policy(` > + rtkit_scheduled(initrc_t) > + ') > +') > + > +optional_policy(` > + rpm_read_db(initrc_t) > + rpm_delete_db(initrc_t) > ') > > optional_policy(` > @@ -1113,3 +1337,152 @@ optional_policy(` > optional_policy(` > zebra_read_config(initrc_t) > ') > + > +######################################## > +# > +# Rules applied to all daemons > +# > + > +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; > +allow daemon initrc_transition_domain:fd use; > + > +domain_dontaudit_use_interactive_fds(daemon) > +init_rw_script_stream_sockets(daemon) > +init_rw_stream_sockets(daemon) > +logging_append_all_inherited_logs(daemon) > +userdom_dontaudit_rw_stream(daemon) > + > +tunable_policy(`init_daemons_use_tty',` > + term_use_unallocated_ttys(daemon) > + term_use_generic_ptys(daemon) > + term_use_all_ttys(daemon) > + term_use_all_ptys(daemon) > +',` > + term_dontaudit_use_unallocated_ttys(daemon) > + term_dontaudit_use_generic_ptys(daemon) > + term_dontaudit_use_all_ttys(daemon) > + term_dontaudit_use_all_ptys(daemon) > + ') > + > +optional_policy(` > + unconfined_dontaudit_rw_pipes(daemon) > + unconfined_dontaudit_rw_stream_sockets(daemon) > +') > + > +optional_policy(` > + userdom_dontaudit_read_user_tmp_files(daemon) > + userdom_dontaudit_write_user_tmp_files(daemon) > +') > + > +optional_policy(` > + # sudo service restart causes this > + unconfined_signull(daemon) > +') > + > +optional_policy(` > + tunable_policy(`use_nfs_home_dirs',` > + fs_dontaudit_rw_nfs_files(daemon) > + ') > + tunable_policy(`use_samba_home_dirs',` > + fs_dontaudit_rw_cifs_files(daemon) > + ') > +') > + > +optional_policy(` > + abrt_stream_connect(daemon) > +') > + > +optional_policy(` > + fail2ban_read_lib_files(daemon) > +') > + > +allow init_t var_run_t:dir relabelto; > + > +storage_raw_rw_fixed_disk(init_t) > + > +optional_policy(` > + modutils_domtrans_insmod(init_t) > +') > + > +optional_policy(` > + postfix_list_spool(init_t) > + mta_read_aliases(init_t) > +') > + > +auth_use_nsswitch(init_t) > +auth_rw_login_records(init_t) > + > +optional_policy(` > + systemd_passwd_runtime_dirs(init_t) > +') > + > +optional_policy(` > + lvm_rw_inherited_runtime_pipes(init_t) > +') > + > +# daemons started from init will > +# inherit fds from init for the console > +init_dontaudit_use_fds(daemon) > +term_dontaudit_use_console(daemon) > +# init script ptys are the stdin/out/err > +# when using run_init > +init_use_script_ptys(daemon) > + > +allow init_t daemon:process siginh; > + > +optional_policy(` > + nscd_socket_use(daemon) > +') > + > +optional_policy(` > + puppet_rw_tmp(daemon) > +') > + > +allow initrc_t systemprocess:process siginh; > +allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; > +allow systemprocess initrc_transition_domain:fd use; > + > +dontaudit systemprocess init_t:unix_stream_socket getattr; > + > +userdom_dontaudit_search_user_home_dirs(systemprocess) > +userdom_dontaudit_rw_stream(systemprocess) > +userdom_dontaudit_write_user_tmp_files(systemprocess) > + > +tunable_policy(`init_daemons_use_tty',` > + term_use_all_ttys(systemprocess) > + term_use_all_ptys(systemprocess) > +',` > + term_dontaudit_use_all_ttys(systemprocess) > + term_dontaudit_use_all_ptys(systemprocess) > +') > + > +# these apps are often redirect output to random log files > +logging_append_all_inherited_logs(systemprocess) > + > +optional_policy(` > + abrt_stream_connect(systemprocess) > +') > + > +optional_policy(` > + cron_rw_pipes(systemprocess) > +') > + > +optional_policy(` > + puppet_rw_tmp(systemprocess) > +') > + > +optional_policy(` > + unconfined_dontaudit_rw_pipes(systemprocess) > + unconfined_dontaudit_rw_stream_sockets(systemprocess) > + userdom_dontaudit_read_user_tmp_files(systemprocess) > +') > + > +init_rw_script_stream_sockets(systemprocess) > + > +role system_r types systemprocess; > +role system_r types daemon; > + > +#ifdef(`enable_mls',` > +# mls_rangetrans_target(systemprocess) > +#') > + > Index: refpolicy-2.20170221/policy/modules/system/logging.fc > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/logging.fc > +++ refpolicy-2.20170221/policy/modules/system/logging.fc > @@ -1,4 +1,5 @@ > /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) > +/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) > > /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > @@ -80,3 +81,10 @@ ifdef(`distro_redhat',` > /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) > > /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) > + > +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) > +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) > + > +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) > + > +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) > Index: refpolicy-2.20170221/policy/modules/system/miscfiles.te > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/miscfiles.te > +++ refpolicy-2.20170221/policy/modules/system/miscfiles.te > @@ -40,6 +40,9 @@ files_type(locale_t) > # > type man_t alias catman_t; > files_type(man_t) > +optional_policy(` > + systemd_tmpfilesd_managed(man_t, dir) > +') > > type man_cache_t; > files_type(man_cache_t) > Index: refpolicy-2.20170221/policy/modules/system/logging.te > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/logging.te > +++ refpolicy-2.20170221/policy/modules/system/logging.te > @@ -94,6 +94,9 @@ ifdef(`enable_mls',` > init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) > ') > > +ifdef(`init_systemd', ` > +') > + > ######################################## > # > # Auditctl local policy > @@ -396,6 +399,9 @@ allow syslogd_t syslog_conf_t:file read_ > # Create and bind to /dev/log or /var/run/log. > allow syslogd_t devlog_t:sock_file manage_sock_file_perms; > files_pid_filetrans(syslogd_t, devlog_t, sock_file) > +init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") > + > +seutil_read_config(syslogd_t) > > # create/append log files. > manage_files_pattern(syslogd_t, var_log_t, var_log_t) > @@ -405,6 +411,9 @@ files_search_spool(syslogd_t) > # Allow access for syslog-ng > allow syslogd_t var_log_t:dir { create setattr }; > > +# for systemd but can not be conditional > +files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") > + > # manage temporary files > manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) > manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) > @@ -416,6 +425,7 @@ files_search_var_lib(syslogd_t) > # manage pid file > manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) > files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) > +allow syslogd_t syslogd_var_run_t:dir create_dir_perms; > > kernel_read_system_state(syslogd_t) > kernel_read_network_state(syslogd_t) > @@ -503,19 +513,31 @@ userdom_dontaudit_use_unpriv_user_fds(sy > userdom_dontaudit_search_user_home_dirs(syslogd_t) > > ifdef(`init_systemd',` > - # systemd-journald permissions > - > - allow syslogd_t self:capability { chown setgid setuid }; > + # for systemd-journal > + allow syslogd_t self:netlink_audit_socket connected_socket_perms; > + allow syslogd_t self:capability2 audit_read; > + allow syslogd_t self:capability { chown setgid setuid sys_ptrace }; > allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write }; > + allow syslogd_t init_var_run_t:file { read write create open }; > + allow syslogd_t var_run_t:dir create; > > - kernel_use_fds(syslogd_t) > kernel_getattr_dgram_sockets(syslogd_t) > - kernel_rw_unix_dgram_sockets(syslogd_t) > + kernel_read_ring_buffer(syslogd_t) > kernel_rw_stream_sockets(syslogd_t) > + kernel_rw_unix_dgram_sockets(syslogd_t) > + kernel_use_fds(syslogd_t) > > + dev_read_kmsg(syslogd_t) > + dev_read_urand(syslogd_t) > + dev_write_kmsg(syslogd_t) > + domain_read_all_domains_state(syslogd_t) > + init_create_pid_dirs(syslogd_t) > init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd") > + init_delete_pid_files(syslogd_t) > init_dgram_send(syslogd_t) > - > + init_read_pid_pipes(syslogd_t) > + init_read_state(syslogd_t) > + systemd_manage_journal_files(syslogd_t) > udev_read_pid_files(syslogd_t) > ') > > Index: refpolicy-2.20170221/policy/modules/kernel/devices.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/kernel/devices.if > +++ refpolicy-2.20170221/policy/modules/kernel/devices.if > @@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',` > > ######################################## > ## > +## Allow full relabeling (to and from) of all device files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`dev_relabel_all_dev_files',` > + gen_require(` > + type device_t; > + ') > + > + relabel_files_pattern($1, device_t, device_t) > +') > + > +######################################## > +## > ## List all of the device nodes in a device directory. > ## > ## > @@ -4225,6 +4244,24 @@ interface(`dev_relabel_all_sysfs',` > ') > > ######################################## > +## > +## Relabel hardware state directories. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_relabel_sysfs_dirs',` > + gen_require(` > + type sysfs_t; > + ') > + > + relabel_dirs_pattern($1, sysfs_t, sysfs_t) > +') > + > +######################################## > ## > ## Read and write the TPM device. > ## > Index: refpolicy-2.20170221/policy/modules/system/logging.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/logging.if > +++ refpolicy-2.20170221/policy/modules/system/logging.if > @@ -822,6 +822,24 @@ interface(`logging_append_all_logs',` > > ######################################## > ## > +## Append to all log files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`logging_append_all_inherited_logs',` > + gen_require(` > + attribute logfile; > + ') > + > + allow $1 logfile:file { getattr append ioctl lock }; > +') > + > +######################################## > +## > ## Read all log files. > ## > ## > Index: refpolicy-2.20170221/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20170221/policy/modules/system/userdomain.if > @@ -1111,6 +1111,10 @@ template(`userdom_unpriv_user_template', > optional_policy(` > setroubleshoot_stream_connect($1_t) > ') > + > + optional_policy(` > + systemd_dbus_chat_logind($1_t) > + ') > ') > > ####################################### > @@ -3231,6 +3235,35 @@ interface(`userdom_use_user_ptys',` > > ######################################## > ## > +## Read and write a inherited user TTYs and PTYs. > +## > +## > +##

> +## Allow the specified domain to read and write inherited user > +## TTYs and PTYs. This will allow the domain to > +## interact with the user via the terminal. Typically > +## all interactive applications will require this > +## access. > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`userdom_use_inherited_user_terminals',` > + gen_require(` > + type user_tty_device_t, user_devpts_t; > + ') > + > + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; > + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; > +') > + > +######################################## > +## > ## Read and write a user TTYs and PTYs. > ## > ## > @@ -3835,3 +3868,41 @@ interface(`userdom_dbus_send_all_users', > > allow $1 userdomain:dbus send_msg; > ') > + > +######################################## > +## > +## Do not audit attempts to write users > +## temporary files. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`userdom_dontaudit_write_user_tmp_files',` > + gen_require(` > + type user_tmp_t; > + ') > + > + dontaudit $1 user_tmp_t:file write; > +') > + > +######################################## > +## > +## Do not audit attempts to read and write > +## unserdomain stream. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`userdom_dontaudit_rw_stream',` > + gen_require(` > + attribute userdomain; > + ') > + > + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; > +') > Index: refpolicy-2.20170221/policy/modules/system/authlogin.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/authlogin.if > +++ refpolicy-2.20170221/policy/modules/system/authlogin.if > @@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',` > seutil_read_config($1) > seutil_read_default_contexts($1) > > + userdom_search_user_runtime($1) > + userdom_read_user_tmpfs_files($1) > + > tunable_policy(`allow_polyinstantiation',` > files_polyinstantiate_all($1) > ') > + > + optional_policy(` > + systemd_read_logind_state($1) > + systemd_write_inherited_logind_sessions_pipes($1) > + systemd_use_passwd_agent_fds($1) > + ') > ') > > ######################################## > Index: refpolicy-2.20170221/policy/modules/kernel/terminal.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/kernel/terminal.if > +++ refpolicy-2.20170221/policy/modules/kernel/terminal.if > @@ -500,6 +500,24 @@ interface(`term_list_ptys',` > > ######################################## > ## > +## Relabel the /dev/pts directory > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`term_relabel_ptys_dirs',` > + gen_require(` > + type devpts_t; > + ') > + > + allow $1 devpts_t:dir relabel_dir_perms; > +') > + > +######################################## > +## > ## Do not audit attempts to read the > ## /dev/pts directory. > ## > Index: refpolicy-2.20170221/policy/modules/system/lvm.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/lvm.if > +++ refpolicy-2.20170221/policy/modules/system/lvm.if > @@ -187,3 +187,21 @@ interface(`lvm_admin',` > files_search_tmp($1) > admin_pattern($1, lvm_tmp_t) > ') > + > +######################################## > +## > +## Read and write a lvm unnamed pipe. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`lvm_rw_inherited_runtime_pipes',` > + gen_require(` > + type lvm_var_run_t; > + ') > + > + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; > +') > Index: refpolicy-2.20170221/policy/modules/kernel/files.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/kernel/files.if > +++ refpolicy-2.20170221/policy/modules/kernel/files.if > @@ -6529,6 +6529,25 @@ interface(`files_dontaudit_ioctl_all_pid > > ######################################## > ## > +## manage all pidfile directories > +## in the /var/run directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_manage_all_pid_dirs',` > + gen_require(` > + attribute pidfile; > + ') > + > + manage_dirs_pattern($1,pidfile,pidfile) > +') > + > +######################################## > +## > ## Read all process ID files. > ## > ## > @@ -6551,6 +6570,42 @@ interface(`files_read_all_pids',` > > ######################################## > ## > +## Execute generic programs in /var/run in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_exec_generic_pid_files',` > + gen_require(` > + type var_run_t; > + ') > + > + exec_files_pattern($1, var_run_t, var_run_t) > +') > + > +######################################## > +## > +## Relable all pid files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_relabel_all_pid_files',` > + gen_require(` > + attribute pidfile; > + ') > + > + relabel_files_pattern($1, pidfile, pidfile) > +') > + > +######################################## > +## > ## Delete all process IDs. > ## > ## > @@ -6898,3 +6953,76 @@ interface(`files_unconfined',` > > typeattribute $1 files_unconfined_type; > ') > + > +######################################## > +## > +## Create all pid sockets > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_create_all_pid_sockets',` > + gen_require(` > + attribute pidfile; > + ') > + > + allow $1 pidfile:sock_file create_sock_file_perms; > +') > + > +######################################## > +## > +## Create all pid named pipes > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_create_all_pid_pipes',` > + gen_require(` > + attribute pidfile; > + ') > + > + allow $1 pidfile:fifo_file create_fifo_file_perms; > +') > + > +######################################## > +## > +## Create all spool sockets > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_create_all_spool_sockets',` > + gen_require(` > + attribute spoolfile; > + ') > + > + allow $1 spoolfile:sock_file create_sock_file_perms; > +') > + > +######################################## > +## > +## Delete all spool sockets > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_delete_all_spool_sockets',` > + gen_require(` > + attribute spoolfile; > + ') > + > + allow $1 spoolfile:sock_file delete_sock_file_perms; > +') > + > Index: refpolicy-2.20170221/policy/modules/system/systemd.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/systemd.if > +++ refpolicy-2.20170221/policy/modules/system/systemd.if > @@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',` > ') > > files_search_pids($1) > - read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) > + allow $1 systemd_logind_var_run_t:dir list_dir_perms; > + allow $1 systemd_logind_var_run_t:file read_file_perms; > ') > > ###################################### > @@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',` > allow $1 systemd_logind_t:fd use; > ') > > +###################################### > +## > +## Write inherited logind sessions pipes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_write_inherited_logind_sessions_pipes',` > + gen_require(` > + type systemd_logind_t, systemd_sessions_var_run_t; > + ') > + > + allow $1 systemd_logind_t:fd use; > + allow $1 systemd_sessions_var_run_t:fifo_file write; > + allow systemd_logind_t $1:process signal; > +') > + > ######################################## > ## > ## Send and receive messages from > @@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',` > write_files_pattern($1, var_run_t, systemd_kmod_conf_t) > ') > > +####################################### > +## > +## Allow systemd_tmpfiles_t to manage filesystem objects > +## > +## > +## > +## type of object to manage > +## > +## > +## > +## > +## object class to manage > +## > +## > +# > +interface(`systemd_tmpfilesd_managed',` > + gen_require(` > + type systemd_tmpfiles_t; > + ') > + > + allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; > +') > + > ######################################## > ## > ## Allow process to relabel to systemd_kmod_conf_t. > @@ -136,6 +180,82 @@ interface(`systemd_relabelto_kmod_files' > ') > > ######################################## > +## > +## allow systemd_passwd_agent to inherit fds > +## > +## > +## > +## Domain that owns the fds > +## > +## > +# > +interface(`systemd_use_passwd_agent_fds',` > + gen_require(` > + type systemd_passwd_agent_t; > + ') > + > + allow systemd_passwd_agent_t $1:fd use; > +') > + > +######################################## > +## > +## Transition to systemd_passwd_var_run_t when creating dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_passwd_runtime_dirs',` > + gen_require(` > + type systemd_passwd_var_run_t; > + ') > + > + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") > + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") > +') > + > +######################################## > +## > +## manage systemd unit dirs and the files in them > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_manage_all_units',` > + gen_require(` > + attribute systemdunit; > + ') > + > + manage_dirs_pattern($1, systemdunit, systemdunit) > + manage_files_pattern($1, systemdunit, systemdunit) > + manage_lnk_files_pattern($1, systemdunit, systemdunit) > +') > + > +######################################## > +## > +## Allow domain to create/manage systemd_journal_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_manage_journal_files',` > + gen_require(` > + type systemd_logind_t; > + ') > + > + manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t) > + manage_files_pattern($1, systemd_journal_t, systemd_journal_t) > +') > + > +######################################## > ## > ## Allow systemd_logind_t to read process state for cgroup file > ## > Index: refpolicy-2.20170221/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20170221/policy/modules/system/systemd.te > @@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5) > ## > gen_tunable(systemd_tmpfiles_manage_all, false) > > +## > +##

> +## Allow systemd-nspawn to create a labelled namespace with the same types > +## as parent environment > +##

> +##
> +gen_tunable(systemd_nspawn_labeled_namespace, false) > + > attribute systemd_log_parse_env_type; > > type systemd_activate_t; > @@ -45,6 +53,13 @@ domain_type(systemd_cgroups_t) > domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t) > role system_r types systemd_cgroups_t; > > +type systemd_notify_t; > +type systemd_notify_exec_t; > +init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) > + > +type systemd_journal_t; > +files_type(systemd_journal_t) > + > type systemd_cgroups_var_run_t; > files_pid_file(systemd_cgroups_var_run_t) > init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups") > @@ -57,6 +72,9 @@ type systemd_coredump_t; > type systemd_coredump_exec_t; > init_system_domain(systemd_coredump_t, systemd_coredump_exec_t) > > +type systemd_coredump_var_lib_t; > +files_type(systemd_coredump_var_lib_t) > + > type systemd_detect_virt_t; > type systemd_detect_virt_exec_t; > init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t) > @@ -85,9 +103,18 @@ type systemd_machined_t; > type systemd_machined_exec_t; > init_daemon_domain(systemd_machined_t, systemd_machined_exec_t) > > +type systemd_machined_var_run_t; > +files_pid_file(systemd_machined_var_run_t) > +init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines") > + > type systemd_nspawn_t; > type systemd_nspawn_exec_t; > init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) > +kernel_unconfined(systemd_nspawn_t) > + > +type systemd_nspawn_var_run_t; > +files_pid_file(systemd_nspawn_var_run_t) > +init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) > > type systemd_resolved_t; > type systemd_resolved_exec_t; > @@ -108,6 +135,9 @@ type systemd_passwd_agent_t; > type systemd_passwd_agent_exec_t; > init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) > > +type systemd_passwd_var_run_t; > +files_pid_file(systemd_passwd_var_run_t) > + > type systemd_sessions_t; > type systemd_sessions_exec_t; > init_system_domain(systemd_sessions_t, systemd_sessions_exec_t) > @@ -122,6 +152,12 @@ type systemd_kmod_conf_t; > files_config_file(systemd_kmod_conf_t) > init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) > > +manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) > +manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) > +allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; > +allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; > +logging_log_file(systemd_journal_t) > + > # > # Unit file types > # > @@ -140,29 +176,28 @@ dontaudit systemd_log_parse_env_type sel > kernel_read_system_state(systemd_log_parse_env_type) > > dev_write_kmsg(systemd_log_parse_env_type) > - > -term_use_console(systemd_log_parse_env_type) > - > init_read_state(systemd_log_parse_env_type) > - > logging_send_syslog_msg(systemd_log_parse_env_type) > +term_use_console(systemd_log_parse_env_type) > > ###################################### > # > # Backlight local policy > # > > +allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms }; > + > allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms; > -init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) > manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) > - > systemd_log_parse_environment(systemd_backlight_t) > > # Allow systemd-backlight to write to /sys/class/backlight/*/brightness > dev_rw_sysfs(systemd_backlight_t) > - > +# for udev.conf > files_read_etc_files(systemd_backlight_t) > > +init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) > +# for /run/udev/data/+backlight* > udev_read_pid_files(systemd_backlight_t) > > ####################################### > @@ -308,7 +343,6 @@ init_pid_filetrans(systemd_resolved_t, s > > kernel_read_crypto_sysctls(systemd_resolved_t) > kernel_read_kernel_sysctls(systemd_resolved_t) > -kernel_read_system_state(systemd_resolved_t) > > corenet_tcp_bind_generic_node(systemd_resolved_t) > corenet_tcp_bind_llmnr_port(systemd_resolved_t) > Index: refpolicy-2.20170221/policy/modules/system/systemd.fc > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/systemd.fc > +++ refpolicy-2.20170221/policy/modules/system/systemd.fc > @@ -7,6 +7,7 @@ > /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0) > /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) > /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) > +/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) > > /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0) > /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0) > @@ -32,15 +33,21 @@ > /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) > > /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) > +/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) > /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) > > /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > > /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) > -/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > -/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > +/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > +/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) > /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > +/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) > +/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) > /run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0) > + > +/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) > +/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) > Index: refpolicy-2.20170221/policy/modules/system/unconfined.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if > +++ refpolicy-2.20170221/policy/modules/system/unconfined.if > @@ -587,3 +587,22 @@ interface(`unconfined_dbus_connect',` > > allow $1 unconfined_t:dbus acquire_svc; > ') > + > +######################################## > +## > +## Do not audit attempts to read and write > +## unconfined domain stream. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`unconfined_dontaudit_rw_stream_sockets',` > + gen_require(` > + type unconfined_t; > + ') > + > + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; > +') > Index: refpolicy-2.20170221/policy/modules/contrib/cron.if > =================================================================== > --- refpolicy-2.20170221.orig/policy/modules/contrib/cron.if > +++ refpolicy-2.20170221/policy/modules/contrib/cron.if > @@ -891,3 +891,22 @@ interface(`cron_admin',` > files_search_spool($1) > admin_pattern($1, cron_spool_type) > ') > + > +######################################## > +## > +## Search the directory containing user cron tables. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cron_manage_system_spool',` > + gen_require(` > + type cron_system_spool_t; > + ') > + > + files_search_spool($1) > + manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) > +') -- Chris PeBenito