From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 3 Apr 2017 19:22:24 -0400 Subject: [refpolicy] [PATCH] systemd related changes In-Reply-To: <20170402064528.anw6vkdlmcd6ftwj@athena.coker.com.au> References: <20170402064528.anw6vkdlmcd6ftwj@athena.coker.com.au> Message-ID: <6949cff0-2ae0-0e95-0bfd-b2d6edab0ea1@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/02/2017 02:45 AM, Russell Coker via refpolicy wrote: > This patch has changes for other daemons that are related to systemd. > Sometimes it's scripts calling systemd interfaces, and some are changes > directly related to systemd (like the udev and lvm ones). > > > Description: Make systemd work > Author: Russell Coker > > Index: refpolicy-2.20170329/policy/modules/contrib/apache.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/apache.te > +++ refpolicy-2.20170329/policy/modules/contrib/apache.te > @@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t) > > userdom_use_unpriv_users_fds(httpd_t) > > +ifdef(`init_systemd', ` > + systemd_manage_passwd_run(httpd_t) > +') > + > ifdef(`TODO',` > tunable_policy(`allow_httpd_mod_auth_pam',` > auth_domtrans_chk_passwd(httpd_t) > Index: refpolicy-2.20170329/policy/modules/contrib/cron.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/cron.te > +++ refpolicy-2.20170329/policy/modules/contrib/cron.te > @@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t) > init_read_state(crond_t) > init_rw_utmp(crond_t) > init_spec_domtrans_script(crond_t) > +init_stop_all_units(system_cronjob_t) > +init_start_all_units(system_cronjob_t) > +init_get_generic_units_status(system_cronjob_t) > +init_get_system_status(system_cronjob_t) > > auth_domtrans_chk_passwd(crond_t) > auth_manage_var_auth(crond_t) 
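Review bot: `systemd_manage_passwd_run(httpd_t)` in the apache.te hunk is the only systemd_* call in this patch gated by ifdef(`init_systemd') instead of `optional_policy(`, and it carries no comment saying which httpd feature needs the passwd agent's runtime files. Judging from the interface body later in the patch it grants manage rights on the agent's files and sock files plus signull and unix_dgram sendto from the agent back to the caller, which is a wide grant for a network-facing daemon. Please add a why-comment such as `# httpd needs the passwd agent socket for <feature — TODO confirm>` and use the same `optional_policy(` wrapper as the other hunks unless the ifdef is deliberate.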
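Review bot: The four `init_*(system_cronjob_t)` lines in the cron.te hunk at -304 are inserted in the middle of crond_t's rules (between `init_spec_domtrans_script(crond_t)` and `auth_domtrans_chk_passwd(crond_t)`), so they will not be found under the system_cronjob_t section later; move them next to the other system_cronjob_t rules, which lie outside this hunk. Separately, `init_stop_all_units` and `init_start_all_units` let every system cron job stop or start any unit on the host, which is broader than the "restart daemons" motivation given in the -417 hunk; if the generic-unit interfaces this patch removes from sysadm.te (`init_start_generic_units`/`init_stop_generic_units`) suffice, prefer them, and either way add a why-comment, e.g. `# system cron jobs start/stop services via systemctl`.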
> @@ -417,6 +421,17 @@ optional_policy(` > ') > > optional_policy(` > + systemd_use_logind_fds(crond_t) > + systemd_write_inherited_logind_sessions_pipes(crond_t) It looks like there are several instances of inheriting the logind fds and writing the inherited pipes. Is there some pattern? > +') > +optional_policy(` > + systemd_dbus_chat_logind(system_cronjob_t) > + systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) > + # so cron jobs can restart daemons > + init_stream_connect(system_cronjob_t) > +') > + > +optional_policy(` > udev_read_db(crond_t) > ') > > Index: refpolicy-2.20170329/policy/modules/contrib/networkmanager.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/networkmanager.te > +++ refpolicy-2.20170329/policy/modules/contrib/networkmanager.te > @@ -340,6 +340,11 @@ optional_policy(` > ') > > optional_policy(` > + systemd_use_logind_fds(NetworkManager_t) > + systemd_read_logind_sessions_files(NetworkManager_t) > +') > + > +optional_policy(` > udev_exec(NetworkManager_t) > udev_read_db(NetworkManager_t) > udev_read_pid_files(NetworkManager_t) > Index: refpolicy-2.20170329/policy/modules/services/ssh.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/services/ssh.te > +++ refpolicy-2.20170329/policy/modules/services/ssh.te > @@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',` > ') > > optional_policy(` > + systemd_write_inherited_logind_sessions_pipes(sshd_t) > + systemd_dbus_chat_logind(sshd_t) > +') > + > +optional_policy(` > daemontools_service_domain(sshd_t, sshd_exec_t) > ') > > Index: refpolicy-2.20170329/policy/modules/system/udev.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/udev.te > +++ refpolicy-2.20170329/policy/modules/system/udev.te 
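Review bot: In the cron.te hunk at -417 the new `+')` closing the crond_t block is followed directly by `+optional_policy(`` with no blank line, unlike every other optional_policy pair in this patch; insert the blank line. The comment `# so cron jobs can restart daemons` is attached only to `init_stream_connect(system_cronjob_t)`; the two logind rules above it in the same block are unexplained, so a comment on what the logind dbus chat is for would round out the block.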
> @@ -40,7 +40,7 @@ ifdef(`enable_mcs',` > > allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; > dontaudit udev_t self:capability sys_tty_config; > -allow udev_t self:capability2 block_suspend; > +allow udev_t self:capability2 { wake_alarm block_suspend }; > allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; > allow udev_t self:process { execmem setfscreate }; > allow udev_t self:fd use; > @@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev > files_read_usr_files(udev_t) > files_read_etc_runtime_files(udev_t) > files_read_etc_files(udev_t) > +files_read_kernel_modules(udev_t) > files_exec_etc_files(udev_t) > files_getattr_generic_locks(udev_t) > files_search_mnt(udev_t) > @@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t) > auth_use_nsswitch(udev_t) > > init_read_utmp(udev_t) > +# systemd-udevd searches /run/systemd > +init_search_run(udev_t) > init_dontaudit_write_utmp(udev_t) > init_getattr_initctl(udev_t) > > +# for hdparm init script run by udev > +initrc_service_status(udev_t) > + > logging_search_logs(udev_t) > logging_send_syslog_msg(udev_t) > logging_send_audit_msgs(udev_t) > @@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t) > sysnet_manage_config(udev_t) > sysnet_etc_filetrans_config(udev_t) > > +systemd_read_logind_sessions_files(udev_t) > +init_start_all_units(udev_t) > +init_stop_all_units(udev_t) > + > userdom_dontaudit_search_user_home_content(udev_t) > > ifdef(`distro_debian',` > Index: refpolicy-2.20170329/policy/modules/contrib/logrotate.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/logrotate.te > +++ refpolicy-2.20170329/policy/modules/contrib/logrotate.te 
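Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` in the udev.te hunk at -177 have no comment, unlike the `init_search_run` and `initrc_service_status` additions in the same file, and they give udev control over every unit on the system. Because udev rules fire on device events, a narrower scope is preferable: the generic-unit interfaces, or at least a comment naming the rules that need this, e.g. `# udev rules run systemctl start/stop for <units — TODO confirm>`. `systemd_read_logind_sessions_files(udev_t)` on the line above is called directly while the contrib hunks wrap systemd_* calls in `optional_policy(`; presumably fine since both udev and systemd are system modules here, but worth a consistent choice across the patch.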
> @@ -37,7 +37,7 @@ role system_r types logrotate_mail_t; > # > > allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; > -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; > +allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap }; > allow logrotate_t self:fd use; > allow logrotate_t self:key manage_key_perms; > allow logrotate_t self:fifo_file rw_fifo_file_perms; > @@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t) > auth_use_nsswitch(logrotate_t) > > init_all_labeled_script_domtrans(logrotate_t) > +init_get_generic_units_status(logrotate_t) > +init_get_all_units_status(logrotate_t) > +init_dbus_chat(logrotate_t) > +init_stream_connect(logrotate_t) > + > +dbus_system_bus_client(logrotate_t) > +init_write_pid_socket(logrotate_t) > > logging_manage_all_logs(logrotate_t) > logging_send_syslog_msg(logrotate_t) > @@ -126,6 +133,8 @@ ifdef(`distro_debian',` > logging_read_syslog_config(logrotate_t) > ') > > +init_manage_all_units(logrotate_t) > + > optional_policy(` > abrt_manage_cache(logrotate_t) > ') > Index: refpolicy-2.20170329/policy/modules/system/lvm.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/lvm.te > +++ refpolicy-2.20170329/policy/modules/system/lvm.te > @@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_ > files_etc_filetrans(lvm_t, lvm_metadata_t, file) > files_search_mnt(lvm_t) > > +kernel_request_load_module(lvm_t) > kernel_get_sysvipc_info(lvm_t) > kernel_read_system_state(lvm_t) > # Read system variables in /proc/sys > @@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t) > # it has no reason to need this > kernel_dontaudit_getattr_core_if(lvm_t) > kernel_use_fds(lvm_t) > +# for systemd-cryptsetup > +kernel_read_crypto_sysctls(lvm_t) > kernel_search_debugfs(lvm_t) > > corecmd_exec_bin(lvm_t) 
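Review bot: Dropping `setrlimit` from the `~{ ... }` exclusion in the logrotate.te hunk at -37 quietly turns on `logrotate_t self:process setrlimit`, and nothing in the patch says why logrotate needs it. Add a why-comment on the line, e.g. `# setrlimit needed by <what — TODO confirm>`; if it came from a denial in a helper started by logrotate, say so, so the grant can be revisited once that helper has its own domain.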
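Review bot: `dbus_system_bus_client(logrotate_t)` in the logrotate.te hunk at -102 is called outside any `optional_policy(` block even though dbus is a contrib module (policy/modules/contrib/dbus.te in this same patch) and the patch's other cross-module dbus call, `unconfined_dbus_send(ntpd_t)` in ntp.te, is wrapped; move it into an `optional_policy(` block. The `init_get_generic_units_status` and `init_get_all_units_status` calls in the same hunk also become redundant once `init_manage_all_units(logrotate_t)` is added at -126, since that interface grants `all_service_perms` on `systemdunit`. Full control of every unit is wider than logrotate's need to reload or restart the daemons whose logs it rotates, so consider the generic start/stop/reload interfaces at -126 instead and add a why-comment there.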
> @@ -301,6 +304,8 @@ init_use_fds(lvm_t) > init_dontaudit_getattr_initctl(lvm_t) > init_use_script_ptys(lvm_t) > init_read_script_state(lvm_t) > +# for systemd-cryptsetup to talk to /run/systemd/journal/socket > +init_stream_connect(lvm_t) > > logging_send_syslog_msg(lvm_t) > > Index: refpolicy-2.20170329/policy/modules/contrib/dbus.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.te > +++ refpolicy-2.20170329/policy/modules/contrib/dbus.te > @@ -144,6 +144,14 @@ userdom_dontaudit_use_unpriv_user_fds(sy > userdom_dontaudit_search_user_home_dirs(system_dbusd_t) > > optional_policy(` > + # for /run/systemd/users/* > + systemd_read_logind_pids(system_dbusd_t) > + systemd_use_logind_fds(system_dbusd_t) > + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) > + systemd_login_write_pid_pipe(system_dbusd_t) > +') > + > +optional_policy(` > bluetooth_stream_connect(system_dbusd_t) > ') > > Index: refpolicy-2.20170329/policy/modules/system/unconfined.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/unconfined.te > +++ refpolicy-2.20170329/policy/modules/system/unconfined.te 
> @@ -59,6 +59,17 @@ ifdef(`direct_sysadm_daemon',` > ') > > optional_policy(` > + init_get_system_status(unconfined_t) > + init_reload(unconfined_t) > + init_manage_script_service(unconfined_t) > + dev_manage_null_service(unconfined_t) > + init_get_all_units_status(unconfined_t) > + init_start_all_units(unconfined_t) > + init_stop_all_units(unconfined_t) > + init_reload_all_units(unconfined_t) > +') Perhaps we should make an init_unconfined() or systemd_unconfined(). > +optional_policy(` > ada_domtrans(unconfined_t) > ') > > Index: refpolicy-2.20170329/policy/modules/system/logging.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/logging.if > +++ refpolicy-2.20170329/policy/modules/system/logging.if > @@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',` > # will write to the console. > term_write_console($1) > term_dontaudit_read_console($1) > + > + # because systemd is now using /run/systemd/journal/dev-log > + init_search_run($1) > ') > > ######################################## > Index: refpolicy-2.20170329/policy/modules/system/locallogin.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/locallogin.te > +++ refpolicy-2.20170329/policy/modules/system/locallogin.te > @@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',` > ') > ') > > +optional_policy(` > + systemd_dbus_chat_logind(local_login_t) > + systemd_write_inherited_logind_sessions_pipes(local_login_t) > +') > + > tunable_policy(`console_login',` > # Able to relabel /dev/console to user tty types. > term_relabel_console(local_login_t) > Index: refpolicy-2.20170329/policy/modules/contrib/policykit.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/policykit.te > +++ refpolicy-2.20170329/policy/modules/contrib/policykit.te 
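Review bot: The `init_search_run($1)` added inside `logging_send_syslog_msg` in the logging.if hunk at -624 is unconditional, so every syslog-sending domain gains search on init's runtime directory even on non-systemd builds, while the comment itself gives systemd's `/run/systemd/journal/dev-log` as the reason. Gating it with the same ifdef(`init_systemd') guard that apache.te and ntp.te use in this patch keeps the non-systemd policy unchanged. The interface body continues outside the hunk.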
> @@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t) > userdom_getattr_all_users(policykit_t) > userdom_read_all_users_state(policykit_t) > > +# for /run/systemd/machines > +systemd_read_machines(policykit_t) > + > +# for /run/systemd/seats/seat* > +systemd_read_logind_sessions_files(policykit_t) > + > +# for /run/systemd/users/* > +systemd_read_logind_pids(policykit_t) > + > optional_policy(` > dbus_system_domain(policykit_t, policykit_exec_t) > > Index: refpolicy-2.20170329/policy/modules/contrib/dbus.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.if > +++ refpolicy-2.20170329/policy/modules/contrib/dbus.if > @@ -88,6 +88,10 @@ template(`dbus_role_template',` > ifdef(`hide_broken_symptoms',` > dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; > ') > + > + optional_policy(` > + systemd_read_logind_pids($1_dbusd_t) > + ') > ') > > ####################################### > Index: refpolicy-2.20170329/policy/modules/kernel/files.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/kernel/files.if > +++ refpolicy-2.20170329/policy/modules/kernel/files.if 
> @@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',` > allow $1 etc_t:service status; > ') > > +######################################## > +## > +## start etc_t service > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_etc_unit_start',` Here (and below): files_start_etc_service() and files_stop_... > + gen_require(` > + type etc_t; > + ') > + > + allow $1 etc_t:service start; > +') > + > +######################################## > +## > +## stop etc_t service > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_etc_unit_stop',` > + gen_require(` > + type etc_t; > + ') > + > + allow $1 etc_t:service stop; > +') > + > ####################################### > ## > ## Relabel from and to generic files in /etc. > Index: refpolicy-2.20170329/policy/modules/system/unconfined.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/unconfined.if > +++ refpolicy-2.20170329/policy/modules/system/unconfined.if > @@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',` > class dbus all_dbus_perms; > class nscd all_nscd_perms; > class passwd all_passwd_perms; > + class service all_service_perms; > ') > > # Use most Linux capabilities > @@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',` > files_unconfined($1) > fs_unconfined($1) > selinux_unconfined($1) > + files_get_etc_unit_status($1) > + files_etc_unit_start($1) > + files_etc_unit_stop($1) > > tunable_policy(`allow_execheap',` > # Allow making the stack executable via mprotect. > Index: refpolicy-2.20170329/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20170329/policy/modules/roles/sysadm.te 
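Review bot: The `class service all_service_perms;` added to the `gen_require` of `unconfined_domain_noaudit` in the unconfined.if hunk at -16 has no matching `allow $1 ...:service` rule in either visible hunk of this file; if it exists only to support the three `files_*etc_unit*` calls at -44, those interfaces carry their own requires and the line is dead. Either drop it or add the rule that uses it, since an unused class require in the base unconfined interface misleads later readers. The rest of the interface body is outside both hunks, so confirm there is no use there first.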
> @@ -44,9 +44,8 @@ init_enable(sysadm_t) > init_reload(sysadm_t) > init_reboot_system(sysadm_t) > init_shutdown_system(sysadm_t) > -init_start_generic_units(sysadm_t) > -init_stop_generic_units(sysadm_t) > -init_reload_generic_units(sysadm_t) > +init_manage_all_units(sysadm_t) > +init_manage_script_service(sysadm_t) > > # Add/remove user home directories > userdom_manage_user_home_dirs(sysadm_t) > Index: refpolicy-2.20170329/policy/modules/system/lvm.fc > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc > +++ refpolicy-2.20170329/policy/modules/system/lvm.fc > @@ -24,6 +24,7 @@ ifdef(`distro_gentoo',` > > /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) > /usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) > +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) > /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) > /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) > /usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) > Index: refpolicy-2.20170329/policy/modules/contrib/mta.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/mta.te > +++ refpolicy-2.20170329/policy/modules/contrib/mta.te > @@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst > > init_use_script_ptys(system_mail_t) > init_use_fds(system_mail_t) > +init_rw_stream_sockets(system_mail_t) > > userdom_use_user_terminals(system_mail_t) > > Index: refpolicy-2.20170329/policy/modules/kernel/terminal.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.te > +++ refpolicy-2.20170329/policy/modules/kernel/terminal.te 
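Review bot: Labelling `/usr/lib/systemd/systemd-cryptsetup` as `lvm_exec_t` in the lvm.fc hunk runs it in `lvm_t`, so it inherits everything lvm_t has, and the lvm.te hunks in this patch widen lvm_t in turn (`kernel_request_load_module`, `kernel_read_crypto_sysctls`, `init_stream_connect`) for cryptsetup's sake. Sharing the domain is defensible if the two programs need mostly the same access, but a one-line comment on the fc entry, e.g. `# systemd-cryptsetup shares lvm_t with the lvm2/dm tools`, would record that decision; a dedicated domain is the tighter alternative if their needs keep diverging.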
> @@ -19,6 +19,8 @@ dev_node(bsdpty_device_t) > # > type console_device_t; > dev_node(console_device_t) > +# for /dev/pts/0 > +allow console_device_t devpts_t:filesystem associate; This doesn't seem right. Why would a pty be the console? > # > # devpts_t is the type of the devpts file system and > Index: refpolicy-2.20170329/policy/modules/services/xserver.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/services/xserver.te > +++ refpolicy-2.20170329/policy/modules/services/xserver.te > @@ -285,6 +285,10 @@ files_search_pids(xauth_t) > fs_getattr_xattr_fs(xauth_t) > fs_search_auto_mountpoints(xauth_t) > > +allow xauth_t xdm_t:fd use; > +allow xauth_t xdm_t:fifo_file { getattr read }; > +allow xauth_t xdm_t:unix_stream_socket { read write }; > + > # cjp: why? > term_use_ptmx(xauth_t) > > Index: refpolicy-2.20170329/policy/modules/system/sysnetwork.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/sysnetwork.if > +++ refpolicy-2.20170329/policy/modules/system/sysnetwork.if > @@ -413,7 +413,7 @@ interface(`sysnet_create_config',` > ') > > files_search_etc($1) > - allow $1 net_conf_t:file create_file_perms; > + allow $1 net_conf_t:file { relabelfrom relabelto manage_file_perms }; This should be two new interfaces instead (sysnet_relabel_config() and sysnet_manage_config()) > ') > > ####################################### > Index: refpolicy-2.20170329/policy/modules/contrib/ntp.fc > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.fc > +++ refpolicy-2.20170329/policy/modules/contrib/ntp.fc 
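Review bot: The three raw `allow xauth_t xdm_t:...` rules in the xserver.te hunk at -285 carry no comment, in contrast to the `# cjp: why?` note on the neighbouring `term_use_ptmx(xauth_t)`, and nothing says which xdm-spawned path needs xauth to read xdm's pipe and use its socket. A short why-comment above them, e.g. `# xauth is presumably started by xdm with inherited fds, a pipe and a unix socket — TODO confirm`, saves the next reader from re-deriving it. Raw rules are acceptable here since both types belong to this module.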
> @@ -15,6 +15,8 @@ > > /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0) > /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0) > +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0) > +/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0) > > /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) > /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) > @@ -23,6 +25,7 @@ > /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0) > /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) > /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) > +/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0) > > /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0) > > Index: refpolicy-2.20170329/policy/modules/contrib/ntp.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.te > +++ refpolicy-2.20170329/policy/modules/contrib/ntp.te > @@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t) > dev_read_sysfs(ntpd_t) > dev_read_urand(ntpd_t) > dev_rw_realtime_clock(ntpd_t) > +clock_read_adjtime(ntpd_t) > > domain_use_interactive_fds(ntpd_t) > domain_dontaudit_list_all_domains_state(ntpd_t) 
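Review bot: The ntp.fc hunk at -15 puts both `systemd-timedated` and `systemd-timesyncd` into `ntpd_exec_t`, so both run as `ntpd_t` and receive every rule ntpd_t has, including the ntp.te additions later in this patch (`self:capability { fowner setpcap }`, `init_reload`, `sysadm_dbus_chat`). timesyncd presumably talks to the network while timedated is a local D-Bus service, so one of them always ends up with rights the other never uses; a comment on the entries recording that the sharing is intentional, or separate domains if the capability and init_reload denials came from only one of them, would make the scope clearer. The -23 hunk labelling `/var/lib/systemd/clock` as `ntp_drift_t` is consistent with the `init_list_var_lib_dirs` comment in ntp.te.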
> @@ -142,6 +143,26 @@ miscfiles_read_localization(ntpd_t) > userdom_dontaudit_use_unpriv_user_fds(ntpd_t) > userdom_list_user_home_dirs(ntpd_t) > > +ifdef(`init_systemd',` > + dbus_system_bus_client(ntpd_t) > + dbus_connect_system_bus(ntpd_t) > + init_dbus_chat(ntpd_t) > + init_get_system_status(ntpd_t) > + sysadm_dbus_chat(ntpd_t) > + allow ntpd_t self:capability { fowner setpcap }; > + init_reload(ntpd_t) > + > + # for /var/lib/systemd/clock > + init_list_var_lib_dirs(ntpd_t) > + > + # for /run/systemd/netif/links > + init_list_pid_dirs(ntpd_t) > + > + optional_policy(` > + unconfined_dbus_send(ntpd_t) > + ') > +') > + > optional_policy(` > cron_system_entry(ntpd_t, ntpdate_exec_t) > ') > Index: refpolicy-2.20170329/policy/modules/roles/sysadm.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.if > +++ refpolicy-2.20170329/policy/modules/roles/sysadm.if > @@ -236,3 +236,22 @@ interface(`sysadm_rw_pipes',` > > allow $1 sysadm_t:fifo_file rw_fifo_file_perms; > ') > + > +######################################## > +## > +## talk to sysadm_t over dbus > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sysadm_dbus_chat',` > + gen_require(` > + type sysadm_t; > + ') > + > + allow sysadm_t $1:dbus send_msg; > + allow $1 sysadm_t:dbus send_msg; > +') There is no hard rule, but typically my preference is for the server side to provide the interface. That doesn't seem to fit sysadm. > Index: refpolicy-2.20170329/policy/modules/contrib/devicekit.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/contrib/devicekit.te > +++ refpolicy-2.20170329/policy/modules/contrib/devicekit.te 
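Review bot: Inside the ifdef(`init_systemd') block of the ntp.te hunk at -142, `dbus_system_bus_client(ntpd_t)`, `dbus_connect_system_bus(ntpd_t)` and `init_dbus_chat(ntpd_t)` are called directly while `unconfined_dbus_send(ntpd_t)` a few lines below is wrapped in `optional_policy(`; the dbus_* calls target a contrib module (policy/modules/contrib/dbus.te in this patch) and should get the same wrapper. `allow ntpd_t self:capability { fowner setpcap };` and `init_reload(ntpd_t)` have no comment, unlike the two `init_list_*` lines right after them; `init_reload` in particular lets ntpd reload the init daemon and deserves a `# for <reason — TODO confirm>` note or a narrower interface.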
> @@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t) > > init_all_labeled_script_domtrans(devicekit_power_t) > init_read_utmp(devicekit_power_t) > +init_search_run(devicekit_power_t) > > miscfiles_read_localization(devicekit_power_t) > > Index: refpolicy-2.20170329/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/init.if > +++ refpolicy-2.20170329/policy/modules/system/init.if > @@ -1227,6 +1227,24 @@ interface(`init_pid_filetrans',` > filetrans_pattern($1, init_var_run_t, $2, $3, $4) > ') > > +###################################### > +## > +## Allow listing of the /run/systemd directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_list_pid_dirs',` > + gen_require(` > + type init_var_run_t; > + ') > + > + allow $1 init_var_run_t:dir list_dir_perms; > +') > + > ######################################## > ## > ## Get the attributes of initctl. > @@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',` > allow $1 { init_script_file_type systemdunit }:service status; > ') > > +####################################### > +## > +## All perms on all systemd units. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_manage_all_units',` > + gen_require(` > + attribute systemdunit; > + class service all_service_perms; > + ') > + > + allow $1 systemdunit:service all_service_perms; > + allow $1 systemdunit:file getattr; > +') > + > ######################################## > ## > ## Start all systemd units. 
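Review bot: `init_manage_all_units` in the init.if hunk at -2823 covers only `systemdunit`, whereas its siblings `init_get_all_units_status` (in the hunk context) and `init_reload_all_units` use `{ init_script_file_type systemdunit }`; if the narrower target is intentional the summary should say so, otherwise use the same pair. The summary `All perms on all systemd units.` also understates that `all_service_perms` is the whole service class, not just start/stop/reload, and the extra `allow $1 systemdunit:file getattr;` is unexplained — comment it (e.g. `# systemctl stats unit files — TODO confirm`) or move it to a file-level interface.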
> @@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',` > > allow $1 { init_script_file_type systemdunit }:service reload; > ') > + > +######################################## > +## > +## Allow getting service status of initrc_exec_t scripts > +## > +## > +## > +## Target domain > +## > +## > +# > +interface(`initrc_service_status',` I think this was merged in the last patch but renamed init_get_script_status(). > + gen_require(` > + type initrc_exec_t; > + class service status; > + ') > + > + allow $1 initrc_exec_t:service status; > +') > Index: refpolicy-2.20170329/policy/modules/system/fstools.te > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/fstools.te > +++ refpolicy-2.20170329/policy/modules/system/fstools.te > @@ -146,6 +146,7 @@ term_use_console(fsadm_t) > init_use_fds(fsadm_t) > init_use_script_ptys(fsadm_t) > init_dontaudit_getattr_initctl(fsadm_t) > +init_rw_script_stream_sockets(fsadm_t) > > logging_send_syslog_msg(fsadm_t) > > Index: refpolicy-2.20170329/policy/modules/system/systemd.if > =================================================================== > --- refpolicy-2.20170329.orig/policy/modules/system/systemd.if > +++ refpolicy-2.20170329/policy/modules/system/systemd.if > @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip > > ###################################### > ## > +## Write systemd_login named pipe. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_login_write_pid_pipe',` systemd_write_logind_pid_pipes() > + gen_require(` > + type systemd_logind_var_run_t; > + ') > + > + init_search_run($1) > + files_search_pids($1) > + allow $1 systemd_logind_var_run_t:fifo_file { getattr write }; > +') > + > +###################################### > +## > ## Use inherited systemd > ## logind file descriptors. > ## 
> @@ -79,6 +99,26 @@ interface(`systemd_use_logind_fds',` > > ###################################### > ## > +## Read logind sessions files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_read_logind_sessions_files',` > + gen_require(` > + type systemd_sessions_var_run_t; > + ') > + > + init_search_run($1) > + allow $1 systemd_sessions_var_run_t:dir list_dir_perms; > + read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t) > +') > + > +###################################### > +## > ## Write inherited logind sessions pipes. > ## > ## > @@ -188,6 +228,29 @@ interface(`systemd_use_passwd_agent_fds' > allow systemd_passwd_agent_t $1:fd use; > ') > > +####################################### > +## > +## Send generic signals to systemd_passwd_agent processes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_manage_passwd_run',` > + gen_require(` > + type systemd_passwd_agent_t; > + type systemd_passwd_var_run_t; > + ') > + > + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) > + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) > + > + allow systemd_passwd_agent_t $1:process signull; > + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; This looks like it should be 2-4 interfaces, but I'm not sure how many. > +') > + > ######################################## > ## > ## Transition to systemd_passwd_var_run_t when creating dirs 
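Review bot: The summary `Send generic signals to systemd_passwd_agent processes.` on `systemd_manage_passwd_run` in the systemd.if hunk at -188 does not describe the body, which grants the caller manage rights on `systemd_passwd_var_run_t` files and sock files and grants the agent `signull` and `unix_dgram_socket sendto` toward the caller. Whatever shape the interface ends up with, its summary should state the actual access, e.g. `## Manage passwd agent runtime files and sockets; the agent may signull and send datagrams to the domain.`. The direction of the last two rules (agent acting on $1, not the reverse) is the opposite of what the name suggests and is worth a one-line comment.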
> @@ -383,3 +446,22 @@ interface(`systemd_tmpfilesd_managed',` > > allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; > ') > + > +######################################## > +## > +## Allow reading /run/systemd/machines > +## > +## > +## > +## Domain that can access the machines files > +## > +## > +# > +interface(`systemd_read_machines',` > + gen_require(` > + type systemd_machined_var_run_t; > + ') > + > + allow $1 systemd_machined_var_run_t:dir list_dir_perms; > + allow $1 systemd_machined_var_run_t:file read_file_perms; > +') > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
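Review bot: `systemd_read_machines` in the systemd.if hunk at -383 grants list/read on `systemd_machined_var_run_t` but, unlike `systemd_read_logind_sessions_files` and `systemd_login_write_pid_pipe` earlier in this patch, does not call `init_search_run($1)` or `files_search_pids($1)`, so a caller such as policykit_t with no other search access to the parent directories of `/run/systemd/machines` will still be denied. Add `init_search_run($1)` and `files_search_pids($1)` to the body, and for consistency with the sessions interface consider `read_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)` in place of the bare file rule.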