From: russell@coker.com.au (Russell Coker) Date: Sun, 2 Apr 2017 16:45:28 +1000 Subject: [refpolicy] [PATCH] systemd related changes Message-ID: <20170402064528.anw6vkdlmcd6ftwj@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch has changes for other daemons that are related to systemd. Sometimes it's scripts calling systemd interfaces, and some are changes directly related to systemd (like the udev and lvm ones). Description: Make systemd work Author: Russell Coker
Index: refpolicy-2.20170329/policy/modules/contrib/apache.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/apache.te
+++ refpolicy-2.20170329/policy/modules/contrib/apache.te
@@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t)
 userdom_use_unpriv_users_fds(httpd_t)
+ifdef(`init_systemd', `
+ systemd_manage_passwd_run(httpd_t)
+')
+
 ifdef(`TODO',`
 tunable_policy(`allow_httpd_mod_auth_pam',`
 auth_domtrans_chk_passwd(httpd_t)
Index: refpolicy-2.20170329/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170329/policy/modules/contrib/cron.te
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)
 auth_domtrans_chk_passwd(crond_t)
 auth_manage_var_auth(crond_t)
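Review bot: In the apache.te hunk, `systemd_manage_passwd_run(httpd_t)` gives a network-facing daemon create, write and unlink access to files and sockets labelled systemd_passwd_var_run_t on every systemd build, and the hunk carries no comment saying why. If this is for the TLS key passphrase prompt at startup (an assumption, the patch does not say), state it in a comment such as `# httpd asks for the SSL key passphrase via systemd-ask-password`, and consider putting the call behind a tunable so hosts without passphrase-protected keys do not carry it. The ifdef opener here also has a space after the comma, unlike the one in the ntp.te hunk.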
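Review bot: `init_stop_all_units(system_cronjob_t)` and `init_start_all_units(system_cronjob_t)` in the first cron.te hunk let any system cron job start or stop every systemd unit, which is a wide grant for a domain that runs arbitrary scheduled scripts. The only rationale is the comment `# so cron jobs can restart daemons` in the second cron.te hunk, next to `init_stream_connect`; repeat it here. The four new lines also sit in the middle of the crond_t rules although they concern system_cronjob_t, so they belong with the other system_cronjob_t rules. If the access is only needed on some hosts, a tunable would keep the default policy tighter.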
@@ -417,6 +421,17 @@ optional_policy(`
 ')
 optional_policy(`
+ systemd_use_logind_fds(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+optional_policy(`
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # so cron jobs can restart daemons
+ init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
 udev_read_db(crond_t)
 ')
Index: refpolicy-2.20170329/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20170329/policy/modules/contrib/networkmanager.te
@@ -340,6 +340,11 @@ optional_policy(`
 ')
 optional_policy(`
+ systemd_use_logind_fds(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
 udev_exec(NetworkManager_t)
 udev_read_db(NetworkManager_t)
 udev_read_pid_files(NetworkManager_t)
Index: refpolicy-2.20170329/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20170329/policy/modules/services/ssh.te
@@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
 ')
 optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(sshd_t)
+ systemd_dbus_chat_logind(sshd_t)
+')
+
+optional_policy(`
 daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
Index: refpolicy-2.20170329/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170329/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
@@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 init_read_utmp(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_run(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
+# for hdparm init script run by udev
+initrc_service_status(udev_t)
+
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
 logging_send_audit_msgs(udev_t)
@@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
+systemd_read_logind_sessions_files(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+
 userdom_dontaudit_search_user_home_content(udev_t)
 ifdef(`distro_debian',`
Index: refpolicy-2.20170329/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20170329/policy/modules/contrib/logrotate.te
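Review bot: In the last udev.te hunk, `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` are added without a comment, unlike `init_search_run` and `initrc_service_status` in the previous hunk, which both say why they are needed. udev processes events from attached hardware, so the ability to start and stop any unit deserves a stated reason in a one-line comment above the two calls. `systemd_read_logind_sessions_files(udev_t)` is also called outside an `optional_policy` block, whereas the cron, NetworkManager and ssh hunks wrap their systemd_* calls; the same wrapping here would presumably keep the module buildable without the systemd module. The `wake_alarm` addition in the first hunk would benefit from a short comment as well.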
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
 #
 allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
 allow logrotate_t self:fifo_file rw_fifo_file_perms;
@@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+
+dbus_system_bus_client(logrotate_t)
+init_write_pid_socket(logrotate_t)
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
@@ -126,6 +133,8 @@ ifdef(`distro_debian',`
 logging_read_syslog_config(logrotate_t)
 ')
+init_manage_all_units(logrotate_t)
+
 optional_policy(`
 abrt_manage_cache(logrotate_t)
 ')
Index: refpolicy-2.20170329/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170329/policy/modules/system/lvm.te
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
+kernel_request_load_module(lvm_t)
 kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
 kernel_search_debugfs(lvm_t)
 corecmd_exec_bin(lvm_t)
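Review bot: In the first logrotate.te hunk, removing `setrlimit` from the negated set of the `allow logrotate_t self:process ~{ ... }` rule grants logrotate_t the setrlimit permission, but neither the hunk nor the patch description says which program needs it. A permission granted by deleting a word from a complement set is easy to miss in later audits. Add a comment above the rule, e.g. `# setrlimit: needed by <program>`, with the real caller filled in.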
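Review bot: `init_manage_all_units(logrotate_t)` in the third logrotate.te hunk gives logrotate_t every service permission on all systemd units (see the interface added in init.if), which goes well beyond what reloading a daemon after rotation would need. It also makes most of the second hunk redundant, since `init_get_generic_units_status` and `init_get_all_units_status` only add status. If postrotate scripts only restart or reload services, `init_start_all_units`, `init_stop_all_units` and `init_reload_all_units` would cover that with less. Either way the line needs a comment and should sit with the other init_* calls rather than after the distro_debian block.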
@@ -301,6 +304,8 @@ init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)
 logging_send_syslog_msg(lvm_t)
Index: refpolicy-2.20170329/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170329/policy/modules/contrib/dbus.te
@@ -144,6 +144,14 @@ userdom_dontaudit_use_unpriv_user_fds(sy
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 optional_policy(`
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(system_dbusd_t)
+ systemd_use_logind_fds(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_login_write_pid_pipe(system_dbusd_t)
+')
+
+optional_policy(`
 bluetooth_stream_connect(system_dbusd_t)
 ')
Index: refpolicy-2.20170329/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170329/policy/modules/system/unconfined.te
@@ -59,6 +59,17 @@ ifdef(`direct_sysadm_daemon',`
 ')
 optional_policy(`
+ init_get_system_status(unconfined_t)
+ init_reload(unconfined_t)
+ init_manage_script_service(unconfined_t)
+ dev_manage_null_service(unconfined_t)
+ init_get_all_units_status(unconfined_t)
+ init_start_all_units(unconfined_t)
+ init_stop_all_units(unconfined_t)
+ init_reload_all_units(unconfined_t)
+')
+
+optional_policy(`
 ada_domtrans(unconfined_t)
 ')
Index: refpolicy-2.20170329/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170329/policy/modules/system/logging.if
@@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',`
 # will write to the console.
 term_write_console($1)
 term_dontaudit_read_console($1)
+
+ # because systemd is now using /run/systemd/journal/dev-log
+ init_search_run($1)
 ')
 ########################################
Index: refpolicy-2.20170329/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170329/policy/modules/system/locallogin.te
@@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',`
 ')
 ')
+optional_policy(`
+ systemd_dbus_chat_logind(local_login_t)
+ systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
 tunable_policy(`console_login',`
 # Able to relabel /dev/console to user tty types.
 term_relabel_console(local_login_t)
Index: refpolicy-2.20170329/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170329/policy/modules/contrib/policykit.te
@@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t)
 userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
+# for /run/systemd/machines
+systemd_read_machines(policykit_t)
+
+# for /run/systemd/seats/seat*
+systemd_read_logind_sessions_files(policykit_t)
+
+# for /run/systemd/users/*
+systemd_read_logind_pids(policykit_t)
+
 optional_policy(`
 dbus_system_domain(policykit_t, policykit_exec_t)
Index: refpolicy-2.20170329/policy/modules/contrib/dbus.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.if
+++ refpolicy-2.20170329/policy/modules/contrib/dbus.if
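Review bot: `init_search_run($1)` added to `logging_send_syslog_msg` is inherited by every domain that calls this interface, on systemd and non-systemd builds alike. Since the comment ties it to /run/systemd/journal/dev-log, wrapping the call in an ifdef on init_systemd, as the ntp.te hunk of this patch does for its block, would leave non-systemd builds unchanged. The interface starts before this hunk, so its other rules are not visible here.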
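Review bot: The three systemd_* calls added to policykit.te (`systemd_read_machines`, `systemd_read_logind_sessions_files`, `systemd_read_logind_pids`) sit at top level, while the cron, NetworkManager, ssh and dbus hunks in this patch put theirs inside `optional_policy`. A contrib module that calls another module's interfaces unguarded presumably fails to build when that module is absent. Wrapping the nine new lines in one `optional_policy` block would match the rest of the patch.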
@@ -88,6 +88,10 @@ template(`dbus_role_template',`
 ifdef(`hide_broken_symptoms',`
 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 ')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
 ')
 #######################################
Index: refpolicy-2.20170329/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170329/policy/modules/kernel/files.if
@@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
 allow $1 etc_t:service status;
 ')
+########################################
+##
+## start etc_t service
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_etc_unit_start',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service start;
+')
+
+########################################
+##
+## stop etc_t service
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_etc_unit_stop',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service stop;
+')
+
 #######################################
 ##
 ## Relabel from and to generic files in /etc.
Index: refpolicy-2.20170329/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170329/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
 class dbus all_dbus_perms;
 class nscd all_nscd_perms;
 class passwd all_passwd_perms;
+ class service all_service_perms;
 ')
 # Use most Linux capabilities
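Review bot: The new files.if interfaces are named `files_etc_unit_start` and `files_etc_unit_stop`, but the existing neighbour visible in the hunk header is `files_get_etc_unit_status`, verb first; `files_start_etc_unit` and `files_stop_etc_unit` would follow that pattern. Their `gen_require` blocks declare only `type etc_t;`, whereas `initrc_service_status` in the init.if part of this patch also declares the class it uses, so `class service start;` and `class service stop;` should be added here. The summaries should also say when a unit ends up with the generic etc_t label, since start and stop on etc_t presumably covers any unit file under /etc that has no more specific type.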
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
 files_unconfined($1)
 fs_unconfined($1)
 selinux_unconfined($1)
+ files_get_etc_unit_status($1)
+ files_etc_unit_start($1)
+ files_etc_unit_stop($1)
 tunable_policy(`allow_execheap',`
 # Allow making the stack executable via mprotect.
Index: refpolicy-2.20170329/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170329/policy/modules/roles/sysadm.te
@@ -44,9 +44,8 @@ init_enable(sysadm_t)
 init_reload(sysadm_t)
 init_reboot_system(sysadm_t)
 init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_manage_all_units(sysadm_t)
+init_manage_script_service(sysadm_t)
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20170329/policy/modules/system/lvm.fc
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
+++ refpolicy-2.20170329/policy/modules/system/lvm.fc
@@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
Index: refpolicy-2.20170329/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170329/policy/modules/contrib/mta.te
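Review bot: Labelling `/usr/lib/systemd/systemd-cryptsetup` as lvm_exec_t in lvm.fc presumably makes it run in lvm_t, so the rules added to lvm.te for it (`kernel_request_load_module`, `kernel_read_crypto_sysctls`, `init_stream_connect`) are granted to every LVM tool as well. `kernel_request_load_module(lvm_t)` is the only one of the three without a `# for systemd-cryptsetup` comment; add it so the reason stays traceable. A sentence in the patch description on why a shared domain was chosen over a dedicated type would help reviewers.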
@@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst
 init_use_script_ptys(system_mail_t)
 init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
 userdom_use_user_terminals(system_mail_t)
Index: refpolicy-2.20170329/policy/modules/kernel/terminal.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.te
+++ refpolicy-2.20170329/policy/modules/kernel/terminal.te
@@ -19,6 +19,8 @@ dev_node(bsdpty_device_t)
 #
 type console_device_t;
 dev_node(console_device_t)
+# for /dev/pts/0
+allow console_device_t devpts_t:filesystem associate;
 #
 # devpts_t is the type of the devpts file system and
Index: refpolicy-2.20170329/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170329/policy/modules/services/xserver.te
@@ -285,6 +285,10 @@ files_search_pids(xauth_t)
 fs_getattr_xattr_fs(xauth_t)
 fs_search_auto_mountpoints(xauth_t)
+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
 # cjp: why?
 term_use_ptmx(xauth_t)
Index: refpolicy-2.20170329/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170329/policy/modules/system/sysnetwork.if
@@ -413,7 +413,7 @@ interface(`sysnet_create_config',`
 ')
 files_search_etc($1)
- allow $1 net_conf_t:file create_file_perms;
+ allow $1 net_conf_t:file { relabelfrom relabelto manage_file_perms };
 ')
 #######################################
Index: refpolicy-2.20170329/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.fc
+++ refpolicy-2.20170329/policy/modules/contrib/ntp.fc
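Review bot: The three raw rules added to xserver.te (`allow xauth_t xdm_t:fd use;`, the fifo_file rule and `allow xauth_t xdm_t:unix_stream_socket { read write };`) have no comment, and they land directly above the old `# cjp: why?` marker, which now reads as if it applied to them. State in a comment what xauth does with xdm's pipe and socket under systemd. If these are only descriptors inherited from xdm and not actually used (not determinable from the hunk), `dontaudit` would be the tighter choice for the socket read/write.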
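Review bot: In sysnetwork.if, `sysnet_create_config` now grants `{ relabelfrom relabelto manage_file_perms }` on net_conf_t instead of `create_file_perms`, so every existing caller of an interface named "create" silently gains broader file management and relabel access to network configuration files. The interface header and summary lie outside the hunk and presumably still describe create-only access. Keeping `sysnet_create_config` as it was and giving the domain that needs more a separate call (the udev.te context already shows `sysnet_manage_config`) would avoid widening unrelated callers, with relabel access going into its own interface.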
@@ -15,6 +15,8 @@
 /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
 /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -23,6 +25,7 @@
 /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
Index: refpolicy-2.20170329/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170329/policy/modules/contrib/ntp.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t)
 dev_read_sysfs(ntpd_t)
 dev_read_urand(ntpd_t)
 dev_rw_realtime_clock(ntpd_t)
+clock_read_adjtime(ntpd_t)
 domain_use_interactive_fds(ntpd_t)
 domain_dontaudit_list_all_domains_state(ntpd_t)
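Review bot: The first ntp.fc hunk labels both `systemd-timedated` and `systemd-timesyncd` as ntpd_exec_t, so they presumably share ntpd_t with the classic ntpd. timedated is a D-Bus service for changing time settings rather than a network time client, and everything it needs (see the ifdef block added to ntp.te) is thereby also granted to the network-facing daemons in the same domain. Add a comment in the .fc file explaining the shared label, or consider a separate type for timedated.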
@@ -142,6 +143,26 @@ miscfiles_read_localization(ntpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
+ifdef(`init_systemd',`
+ dbus_system_bus_client(ntpd_t)
+ dbus_connect_system_bus(ntpd_t)
+ init_dbus_chat(ntpd_t)
+ init_get_system_status(ntpd_t)
+ sysadm_dbus_chat(ntpd_t)
+ allow ntpd_t self:capability { fowner setpcap };
+ init_reload(ntpd_t)
+
+ # for /var/lib/systemd/clock
+ init_list_var_lib_dirs(ntpd_t)
+
+ # for /run/systemd/netif/links
+ init_list_pid_dirs(ntpd_t)
+
+ optional_policy(`
+ unconfined_dbus_send(ntpd_t)
+ ')
+')
+
 optional_policy(`
 cron_system_entry(ntpd_t, ntpdate_exec_t)
 ')
Index: refpolicy-2.20170329/policy/modules/roles/sysadm.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.if
+++ refpolicy-2.20170329/policy/modules/roles/sysadm.if
@@ -236,3 +236,22 @@ interface(`sysadm_rw_pipes',`
 allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
 ')
+
+########################################
+##
+## talk to sysadm_t over dbus
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sysadm_dbus_chat',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow sysadm_t $1:dbus send_msg;
+ allow $1 sysadm_t:dbus send_msg;
+')
Index: refpolicy-2.20170329/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170329/policy/modules/contrib/devicekit.te
@@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
 init_all_labeled_script_domtrans(devicekit_power_t)
 init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)
 miscfiles_read_localization(devicekit_power_t)
Index: refpolicy-2.20170329/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/init.if
+++ refpolicy-2.20170329/policy/modules/system/init.if
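Review bot: In the ntp.te block, `sysadm_dbus_chat(ntpd_t)` is called directly while `unconfined_dbus_send(ntpd_t)` a few lines below is wrapped in `optional_policy`; the sysadm call should get the same wrapping so the module does not depend on the sysadm role module being present. `allow ntpd_t self:capability { fowner setpcap };` sits between interface calls without a comment, and setpcap in particular is worth a stated reason. `init_reload(ntpd_t)` likewise has no comment explaining why a time daemon asks systemd to reload.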
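Review bot: The new `sysadm_dbus_chat` interface uses the dbus class in both allow rules, but its `gen_require` declares only `type sysadm_t;`. Other interfaces added by this patch declare the class they use (`class service status;` in `initrc_service_status`), so add `class dbus send_msg;` here. The summary `talk to sysadm_t over dbus` could read `Send and receive messages from sysadm_t over dbus.` to make the two-way grant explicit.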
@@ -1227,6 +1227,24 @@ interface(`init_pid_filetrans',`
 filetrans_pattern($1, init_var_run_t, $2, $3, $4)
 ')
+######################################
+##
+## Allow listing of the /run/systemd directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_list_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
+
 ########################################
 ##
 ## Get the attributes of initctl.
@@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',`
 allow $1 { init_script_file_type systemdunit }:service status;
 ')
+#######################################
+##
+## All perms on all systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_manage_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service all_service_perms;
+ ')
+
+ allow $1 systemdunit:service all_service_perms;
+ allow $1 systemdunit:file getattr;
+')
+
 ########################################
 ##
 ## Start all systemd units.
@@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',`
 allow $1 { init_script_file_type systemdunit }:service reload;
 ')
+
+########################################
+##
+## Allow getting service status of initrc_exec_t scripts
+##
+##
+##
+## Target domain
+##
+##
+#
+interface(`initrc_service_status',`
+ gen_require(`
+ type initrc_exec_t;
+ class service status;
+ ')
+
+ allow $1 initrc_exec_t:service status;
+')
Index: refpolicy-2.20170329/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170329/policy/modules/system/fstools.te
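Review bot: `init_manage_all_units` is documented as `All perms on all systemd units.` but its rule covers only `systemdunit`, while the neighbouring interfaces visible in the hunk context (`init_get_all_units_status`, `init_reload_all_units`) cover `{ init_script_file_type systemdunit }`. If leaving init scripts out is deliberate (sysadm.te adds `init_manage_script_service` separately), say so in the summary; otherwise the name promises more than the rule gives. Because this one call hands out every service permission, the summary should also point callers that only restart daemons to the narrower start, stop and reload interfaces.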
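Review bot: `initrc_service_status` is defined in init.if but does not carry the module's `init_` prefix, unlike every other interface in these hunks. An `init_`-prefixed, verb-first name in the style of `init_get_all_units_status` would match, and the udev.te caller in this patch would change with it. The parameter text `Target domain` should read `Domain allowed access.` as in the other new interfaces, since $1 is the source of the allow rule.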
@@ -146,6 +146,7 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+init_rw_script_stream_sockets(fsadm_t)
 logging_send_syslog_msg(fsadm_t)
Index: refpolicy-2.20170329/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170329/policy/modules/system/systemd.if
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
 ######################################
 ##
+## Write systemd_login named pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_login_write_pid_pipe',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ init_search_run($1)
+ files_search_pids($1)
+ allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
+######################################
+##
 ## Use inherited systemd
 ## logind file descriptors.
 ##
@@ -79,6 +99,26 @@ interface(`systemd_use_logind_fds',`
 ######################################
 ##
+## Read logind sessions files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_read_logind_sessions_files',`
+ gen_require(`
+ type systemd_sessions_var_run_t;
+ ')
+
+ init_search_run($1)
+ allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
+######################################
+##
 ## Write inherited logind sessions pipes.
 ##
 ##
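Review bot: `systemd_login_write_pid_pipe` in the first systemd.if hunk breaks the naming used by its neighbour in the hunk header (truncated there as `systemd_manage_logind_pid_pip`) and by the other logind interfaces in this patch, which are verb first and say `logind`; `systemd_write_logind_pid_pipes` would fit. The dbus.te caller in this patch would change with it. The summary `Write systemd_login named pipe.` should name logind as well.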
@@ -188,6 +228,29 @@ interface(`systemd_use_passwd_agent_fds'
 allow systemd_passwd_agent_t $1:fd use;
 ')
+#######################################
+##
+## Send generic signals to systemd_passwd_agent processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_passwd_run',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ type systemd_passwd_var_run_t;
+ ')
+
+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+ allow systemd_passwd_agent_t $1:process signull;
+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
 ########################################
 ##
 ## Transition to systemd_passwd_var_run_t when creating dirs
@@ -383,3 +446,22 @@ interface(`systemd_tmpfilesd_managed',`
 allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
+
+########################################
+##
+## Allow reading /run/systemd/machines
+##
+##
+##
+## Domain that can access the machines files
+##
+##
+#
+interface(`systemd_read_machines',`
+ gen_require(`
+ type systemd_machined_var_run_t;
+ ')
+
+ allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+ allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
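Review bot: The summary of `systemd_manage_passwd_run` reads `Send generic signals to systemd_passwd_agent processes.`, which does not match the body and looks copied from another interface. What the body does is let $1 manage files and socket files labelled systemd_passwd_var_run_t and let systemd_passwd_agent_t send signull and datagrams to $1. A summary such as `Manage systemd passwd agent runtime files and sockets, and let the agent reply to the caller.` would describe it, and the parameter text should say that $1 also becomes a target of the agent.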
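Review bot: `systemd_read_machines` grants list and read on systemd_machined_var_run_t but, unlike `systemd_read_logind_sessions_files` and `systemd_login_write_pid_pipe` added earlier in this file, does not call `init_search_run($1)`. The policykit.te comment places these files under /run/systemd/machines, so a caller presumably needs search on the parent directory as well. Add `init_search_run($1)` before the two allow rules unless every caller is known to have it already.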