From: cgzones@googlemail.com (cgzones) Date: Wed, 5 Apr 2017 20:33:47 +0200 Subject: [refpolicy] [PATCH] systemd related changes again In-Reply-To: <20170405045106.5r3a24caq6p353ui@athena.coker.com.au> References: <20170405045106.5r3a24caq6p353ui@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 2017-04-05 6:51 GMT+02:00 Russell Coker via refpolicy : > With all the changes Chris requested. > > > Description: App changes related to systemd > Author: Russell Coker > Last-Update: 2017-04-05 > > Index: refpolicy-2.20170402/policy/modules/contrib/apache.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/apache.te > +++ refpolicy-2.20170402/policy/modules/contrib/apache.te > @@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t) > > userdom_use_unpriv_users_fds(httpd_t) > > +ifdef(`init_systemd', ` > + systemd_use_passwd_agent(httpd_t) > +') > + > ifdef(`TODO',` > tunable_policy(`allow_httpd_mod_auth_pam',` > auth_domtrans_chk_passwd(httpd_t) > Index: refpolicy-2.20170402/policy/modules/contrib/cron.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/cron.te > +++ refpolicy-2.20170402/policy/modules/contrib/cron.te > @@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t) > init_read_state(crond_t) > init_rw_utmp(crond_t) > init_spec_domtrans_script(crond_t) > +init_stop_all_units(system_cronjob_t) > +init_start_all_units(system_cronjob_t) > +init_get_generic_units_status(system_cronjob_t) > +init_get_system_status(system_cronjob_t) > > auth_domtrans_chk_passwd(crond_t) > auth_manage_var_auth(crond_t) 
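Review bot: `systemd_use_passwd_agent(httpd_t)` is added with no comment saying which httpd feature needs it, and the interface defined later in this patch is not a small one: it gives httpd_t create/unlink on the ask-password runtime files and sockets, which means the web server can put up password requests to whoever is running an agent. Presumably this is for the TLS key passphrase prompt at startup — confirm against the denial that motivated it. I would add `# httpd prompts for the TLS key passphrase via systemd-ask-password` above the call, and consider gating it on the TLS tunable if one applies, so plain httpd installs do not carry the grant.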
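Review bot: `init_stop_all_units(system_cronjob_t)` and `init_start_all_units(system_cronjob_t)` are inserted into the run of crond_t init rules, without a comment, while the other system_cronjob_t systemd rules added in the next hunk live in an optional_policy block with the `# so cron jobs can restart daemons` note. Stopping any unit on the system is a broad grant for an arbitrary system cron job; if the known need is restarting specific daemons, say which, and keep the four rules together with the related block so the intent is visible. At minimum add `# system cron jobs restart services via systemctl` on the first of the four lines.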
> @@ -417,6 +421,16 @@ optional_policy(` > ') > > optional_policy(` > + systemd_write_inherited_logind_sessions_pipes(crond_t) > +') > +optional_policy(` > + systemd_dbus_chat_logind(system_cronjob_t) > + systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) > + # so cron jobs can restart daemons > + init_stream_connect(system_cronjob_t) > +') > + > +optional_policy(` > udev_read_db(crond_t) > ') > > Index: refpolicy-2.20170402/policy/modules/contrib/networkmanager.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/networkmanager.te > +++ refpolicy-2.20170402/policy/modules/contrib/networkmanager.te > @@ -340,6 +340,10 @@ optional_policy(` > ') > > optional_policy(` > + systemd_read_logind_sessions_files(NetworkManager_t) > +') > + > +optional_policy(` > udev_exec(NetworkManager_t) > udev_read_db(NetworkManager_t) > udev_read_pid_files(NetworkManager_t) > Index: refpolicy-2.20170402/policy/modules/services/ssh.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/services/ssh.te > +++ refpolicy-2.20170402/policy/modules/services/ssh.te > @@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',` > ') > > optional_policy(` > + systemd_write_inherited_logind_sessions_pipes(sshd_t) > + systemd_dbus_chat_logind(sshd_t) > +') > + > +optional_policy(` > daemontools_service_domain(sshd_t, sshd_exec_t) > ') > > Index: refpolicy-2.20170402/policy/modules/system/udev.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/udev.te > +++ refpolicy-2.20170402/policy/modules/system/udev.te 
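Review bot: `init_stream_connect(system_cronjob_t)` is placed inside an optional_policy block together with the two systemd_* calls, but init is a base module whose interfaces are always defined, and refpolicy convention is one module per optional_policy block; move it out next to the other init_* rules for system_cronjob_t. The `# so cron jobs can restart daemons` comment only explains init_stream_connect, not `systemd_dbus_chat_logind(system_cronjob_t)`, which lets every system cron job talk D-Bus to logind (whose API includes power management and session termination calls — polkit may or may not gate the callers here, verify). Also the new block follows the previous `+')` with no blank line, unlike the rest of the file.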
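Review bot: The sshd_t rules `systemd_write_inherited_logind_sessions_pipes` and `systemd_dbus_chat_logind` carry no comment; presumably they serve pam_systemd registering the login session with logind, and a line such as `# pam_systemd registers the session with logind` would record that. Note that the ssh.if hunk at the end of this patch adds `systemd_read_logind_sessions_files($1_t)` to ssh_server_template, so sshd's logind rules end up split between ssh.te and the template; keeping them in one place avoids the next reader hunting for the other half.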
> @@ -40,7 +40,7 @@ ifdef(`enable_mcs',` > > allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; > dontaudit udev_t self:capability sys_tty_config; > -allow udev_t self:capability2 block_suspend; > +allow udev_t self:capability2 { wake_alarm block_suspend }; > allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; > allow udev_t self:process { execmem setfscreate }; > allow udev_t self:fd use; > @@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev > files_read_usr_files(udev_t) > files_read_etc_runtime_files(udev_t) > files_read_etc_files(udev_t) > +files_read_kernel_modules(udev_t) > files_exec_etc_files(udev_t) > files_getattr_generic_locks(udev_t) > files_search_mnt(udev_t) > @@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t) > auth_use_nsswitch(udev_t) > > init_read_utmp(udev_t) > +# systemd-udevd searches /run/systemd > +init_search_run(udev_t) > init_dontaudit_write_utmp(udev_t) > init_getattr_initctl(udev_t) > > +# for hdparm init script run by udev > +init_get_script_status(udev_t) > + > logging_search_logs(udev_t) > logging_send_syslog_msg(udev_t) > logging_send_audit_msgs(udev_t) > @@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t) > sysnet_manage_config(udev_t) > sysnet_etc_filetrans_config(udev_t) > > +systemd_read_logind_sessions_files(udev_t) > +init_start_all_units(udev_t) > +init_stop_all_units(udev_t) > + > userdom_dontaudit_search_user_home_content(udev_t) > > ifdef(`distro_debian',` > Index: refpolicy-2.20170402/policy/modules/contrib/logrotate.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/logrotate.te > +++ refpolicy-2.20170402/policy/modules/contrib/logrotate.te 
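Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` are added without a comment, unlike the earlier hunks in this file which explain each new rule (`# systemd-udevd searches /run/systemd`, `# for hdparm init script run by udev`). Under systemd, udev rules normally activate units through the SYSTEMD_WANTS property, which PID 1 handles and which needs no service permission for udev itself, so this grant suggests a rule that runs systemctl directly — name it, since start/stop of every unit from the device manager is a lot of authority to leave unexplained. I would add `# for udev rules that invoke systemctl start/stop directly` and wrap the pair in ifdef(`init_systemd', …) as the ntp.te hunk of this patch does.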
> @@ -37,7 +37,7 @@ role system_r types logrotate_mail_t; > # > > allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; > -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; > +allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap }; > allow logrotate_t self:fd use; > allow logrotate_t self:key manage_key_perms; > allow logrotate_t self:fifo_file rw_fifo_file_perms; > @@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t) > auth_use_nsswitch(logrotate_t) > > init_all_labeled_script_domtrans(logrotate_t) > +init_get_generic_units_status(logrotate_t) > +init_get_all_units_status(logrotate_t) > +init_dbus_chat(logrotate_t) > +init_stream_connect(logrotate_t) > + > +dbus_system_bus_client(logrotate_t) > +init_write_pid_socket(logrotate_t) > > logging_manage_all_logs(logrotate_t) > logging_send_syslog_msg(logrotate_t) > @@ -126,6 +133,8 @@ ifdef(`distro_debian',` > logging_read_syslog_config(logrotate_t) > ') > > +init_manage_all_units(logrotate_t) > + > optional_policy(` > abrt_manage_cache(logrotate_t) > ') > Index: refpolicy-2.20170402/policy/modules/system/lvm.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/lvm.te > +++ refpolicy-2.20170402/policy/modules/system/lvm.te > @@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_ > files_etc_filetrans(lvm_t, lvm_metadata_t, file) > files_search_mnt(lvm_t) > > +kernel_request_load_module(lvm_t) > kernel_get_sysvipc_info(lvm_t) > kernel_read_system_state(lvm_t) > # Read system variables in /proc/sys > @@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t) > # it has no reason to need this > kernel_dontaudit_getattr_core_if(lvm_t) > kernel_use_fds(lvm_t) > +# for systemd-cryptsetup > +kernel_read_crypto_sysctls(lvm_t) > kernel_search_debugfs(lvm_t) > > corecmd_exec_bin(lvm_t) 
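Review bot: `dbus_system_bus_client(logrotate_t)` is called bare in the second hunk; dbus is a contrib module, so when it is not built this interface is undefined and the policy build fails, which is why the other dbus call sites in this patch (ntp.te) are guarded. Move it into an optional_policy block of its own. The preceding four init_* calls are fine bare, but a comment such as `# logrotate reloads services through systemctl, which talks to PID 1 over the system bus` would tie the dbus and init rules together.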
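Review bot: `init_manage_all_units(logrotate_t)` in the third hunk grants every service permission — start, stop, enable, disable, reload and more per the interface added later in this patch — on every systemd unit, and it is placed unconditionally after the distro_debian block with no comment. A log rotator only needs to tell the service whose log it rotated to reopen its file; the postrotate scripts presumably run `systemctl reload` or `systemctl kill -s HUP`, so `init_reload_all_units(logrotate_t)` (plus a kill permission if that is what the denial shows) is the matching grant — confirm against the AVC. Dropping `setrlimit` from the denied process permission set in the first hunk also deserves a comment saying what raises a limit.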
> @@ -301,6 +304,8 @@ init_use_fds(lvm_t) > init_dontaudit_getattr_initctl(lvm_t) > init_use_script_ptys(lvm_t) > init_read_script_state(lvm_t) > +# for systemd-cryptsetup to talk to /run/systemd/journal/socket > +init_stream_connect(lvm_t) > > logging_send_syslog_msg(lvm_t) > > Index: refpolicy-2.20170402/policy/modules/contrib/dbus.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.te > +++ refpolicy-2.20170402/policy/modules/contrib/dbus.te > @@ -144,6 +144,13 @@ userdom_dontaudit_use_unpriv_user_fds(sy > userdom_dontaudit_search_user_home_dirs(system_dbusd_t) > > optional_policy(` > + # for /run/systemd/users/* > + systemd_read_logind_pids(system_dbusd_t) > + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) > + systemd_write_logind_pid_pipes(system_dbusd_t) > +') > + > +optional_policy(` > bluetooth_stream_connect(system_dbusd_t) > ') > > Index: refpolicy-2.20170402/policy/modules/system/unconfined.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/unconfined.te > +++ refpolicy-2.20170402/policy/modules/system/unconfined.te > @@ -59,6 +59,10 @@ ifdef(`direct_sysadm_daemon',` > ') > > optional_policy(` > + init_unconfined(unconfined_t) > +') > + > +optional_policy(` > ada_domtrans(unconfined_t) > ') > > Index: refpolicy-2.20170402/policy/modules/system/logging.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/logging.if > +++ refpolicy-2.20170402/policy/modules/system/logging.if 
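Review bot: In the unconfined.te hunk, `init_unconfined(unconfined_t)` is wrapped in optional_policy, but init is a base module whose interfaces are always available; the sysadm.te hunk of the same patch calls it bare. Drop the wrapper and place the call with the other unconditional rules, so that a reader does not conclude the grant depends on some module being built.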
> @@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',` > # will write to the console. > term_write_console($1) > term_dontaudit_read_console($1) > + > + # because systemd is now using /run/systemd/journal/dev-log > + init_search_run($1) in logging_send_syslog_msg is already a init_search_run($1) statement > ') > > ######################################## > Index: refpolicy-2.20170402/policy/modules/system/locallogin.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/locallogin.te > +++ refpolicy-2.20170402/policy/modules/system/locallogin.te > @@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',` > ') > ') > > +optional_policy(` > + systemd_dbus_chat_logind(local_login_t) > + systemd_write_inherited_logind_sessions_pipes(local_login_t) > +') > + > tunable_policy(`console_login',` > # Able to relabel /dev/console to user tty types. > term_relabel_console(local_login_t) > Index: refpolicy-2.20170402/policy/modules/contrib/policykit.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/policykit.te > +++ refpolicy-2.20170402/policy/modules/contrib/policykit.te > @@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t) > userdom_getattr_all_users(policykit_t) > userdom_read_all_users_state(policykit_t) > > +# for /run/systemd/machines > +systemd_read_machines(policykit_t) > + > +# for /run/systemd/seats/seat* > +systemd_read_logind_sessions_files(policykit_t) > + > +# for /run/systemd/users/* > +systemd_read_logind_pids(policykit_t) > + > optional_policy(` > dbus_system_domain(policykit_t, policykit_exec_t) > > Index: refpolicy-2.20170402/policy/modules/contrib/dbus.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.if > +++ refpolicy-2.20170402/policy/modules/contrib/dbus.if 
> @@ -88,6 +88,10 @@ template(`dbus_role_template',` > ifdef(`hide_broken_symptoms',` > dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; > ') > + > + optional_policy(` > + systemd_read_logind_pids($1_dbusd_t) > + ') > ') > > ####################################### > Index: refpolicy-2.20170402/policy/modules/kernel/files.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/kernel/files.if > +++ refpolicy-2.20170402/policy/modules/kernel/files.if > @@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',` > allow $1 etc_t:service status; > ') > > +######################################## > +## > +## start etc_t service > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_start_etc_service',` > + gen_require(` > + type etc_t; > + ') > + > + allow $1 etc_t:service start; > +') > + > +######################################## > +## > +## stop etc_t service > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_stop_etc_service',` > + gen_require(` > + type etc_t; > + ') > + > + allow $1 etc_t:service stop; > +') > + > ####################################### > ## > ## Relabel from and to generic files in /etc. > Index: refpolicy-2.20170402/policy/modules/system/unconfined.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/unconfined.if > +++ refpolicy-2.20170402/policy/modules/system/unconfined.if > @@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',` > class dbus all_dbus_perms; > class nscd all_nscd_perms; > class passwd all_passwd_perms; > + class service all_service_perms; > ') > > # Use most Linux capabilities 
> @@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',` > files_unconfined($1) > fs_unconfined($1) > selinux_unconfined($1) > + files_get_etc_unit_status($1) > + files_start_etc_service($1) > + files_stop_etc_service($1) > > tunable_policy(`allow_execheap',` > # Allow making the stack executable via mprotect. > Index: refpolicy-2.20170402/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20170402/policy/modules/roles/sysadm.te > @@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t) > ubac_fd_exempt(sysadm_t) > > init_exec(sysadm_t) > -init_get_system_status(sysadm_t) > -init_disable(sysadm_t) > -init_enable(sysadm_t) > -init_reload(sysadm_t) > -init_reboot_system(sysadm_t) > -init_shutdown_system(sysadm_t) > -init_start_generic_units(sysadm_t) > -init_stop_generic_units(sysadm_t) > -init_reload_generic_units(sysadm_t) > +init_unconfined(sysadm_t) > > # Add/remove user home directories > userdom_manage_user_home_dirs(sysadm_t) > Index: refpolicy-2.20170402/policy/modules/system/lvm.fc > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/lvm.fc > +++ refpolicy-2.20170402/policy/modules/system/lvm.fc 
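Review bot: Replacing the nine targeted init_* rules for sysadm_t with `init_unconfined(sysadm_t)` widens the role beyond what was removed: per the new interface it now also gets all service permissions on every unit (`init_manage_all_units`), `init_manage_script_service`, `init_telinit`, `init_stop_system` and `dev_manage_null_service`. That may well be intended for a systemd administrator, but nothing in the hunk or the description says so, and the widening applies equally to a sysvinit build. Add a comment above the call, e.g. `# sysadm_t fully controls units and init state`, or keep the old explicit list and add the extra interfaces under ifdef(`init_systemd', …).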
> @@ -24,6 +24,7 @@ ifdef(`distro_gentoo',` > > /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) > /usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) > +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) > /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) > /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) > /usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) > Index: refpolicy-2.20170402/policy/modules/contrib/mta.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/mta.te > +++ refpolicy-2.20170402/policy/modules/contrib/mta.te > @@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst > > init_use_script_ptys(system_mail_t) > init_use_fds(system_mail_t) > +init_rw_stream_sockets(system_mail_t) > > userdom_use_user_terminals(system_mail_t) > > Index: refpolicy-2.20170402/policy/modules/services/xserver.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/services/xserver.te > +++ refpolicy-2.20170402/policy/modules/services/xserver.te > @@ -285,6 +285,10 @@ files_search_pids(xauth_t) > fs_getattr_xattr_fs(xauth_t) > fs_search_auto_mountpoints(xauth_t) > > +allow xauth_t xdm_t:fd use; > +allow xauth_t xdm_t:fifo_file { getattr read }; > +allow xauth_t xdm_t:unix_stream_socket { read write }; > + > # cjp: why? > term_use_ptmx(xauth_t) > > Index: refpolicy-2.20170402/policy/modules/system/sysnetwork.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/sysnetwork.if > +++ refpolicy-2.20170402/policy/modules/system/sysnetwork.if 
> @@ -399,7 +399,7 @@ interface(`sysnet_write_config',` > > ####################################### > ## > -## Create network config files. > +## relabel network config files. > ## > ## > ## > @@ -407,13 +407,13 @@ interface(`sysnet_write_config',` > ## > ## > # > -interface(`sysnet_create_config',` > +interface(`sysnet_relabel_config',` > gen_require(` > type net_conf_t; > ') > > files_search_etc($1) > - allow $1 net_conf_t:file create_file_perms; > + allow $1 net_conf_t:file { relabelfrom relabelto }; > ') > > ####################################### > @@ -455,6 +455,7 @@ interface(`sysnet_manage_config',` > type net_conf_t; > ') > > + files_search_etc($1) > allow $1 net_conf_t:file manage_file_perms; > > ifdef(`distro_debian',` > Index: refpolicy-2.20170402/policy/modules/contrib/ntp.fc > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc > +++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc > @@ -15,6 +15,8 @@ > > /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0) > /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0) > +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0) > +/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0) in the longrun i'd like to run systemd-timesyncd in a seperate domain, cause it's onyl a ntp client, which should require less permissions than the ntp server my current trial: https://github.com/cgzones/debian-package-refpolicy/blob/debian/debian/patches/0010-systemd-timesyncd-and-notify.patch > > /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) > /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) 
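Review bot: Renaming `sysnet_create_config` to `sysnet_relabel_config` and swapping its body from `create_file_perms` to `{ relabelfrom relabelto }` changes a public interface in place: any out-of-tree policy still calling `sysnet_create_config` stops building, and the existing meaning (create) is silently replaced by a different one (relabel). Keep `sysnet_create_config` — or retire it with the usual refpolicywarn deprecation stub — and add `sysnet_relabel_config` as a new interface. The two in-tree callers were moved to `sysnet_manage_config`, which is wider than create (it adds unlink/rename on resolv.conf); a one-line comment at each call site on why manage is needed would help.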
> @@ -23,6 +25,7 @@ > /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0) > /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) > /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) > +/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0) > > /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0) > > Index: refpolicy-2.20170402/policy/modules/contrib/ntp.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.te > +++ refpolicy-2.20170402/policy/modules/contrib/ntp.te > @@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t) > dev_read_sysfs(ntpd_t) > dev_read_urand(ntpd_t) > dev_rw_realtime_clock(ntpd_t) > +clock_read_adjtime(ntpd_t) > > domain_use_interactive_fds(ntpd_t) > domain_dontaudit_list_all_domains_state(ntpd_t) > @@ -142,6 +143,25 @@ miscfiles_read_localization(ntpd_t) > userdom_dontaudit_use_unpriv_user_fds(ntpd_t) > userdom_list_user_home_dirs(ntpd_t) > > +ifdef(`init_systemd',` > + dbus_system_bus_client(ntpd_t) > + dbus_connect_system_bus(ntpd_t) > + init_dbus_chat(ntpd_t) > + init_get_system_status(ntpd_t) > + allow ntpd_t self:capability { fowner setpcap }; > + init_reload(ntpd_t) > + > + # for /var/lib/systemd/clock > + init_list_var_lib_dirs(ntpd_t) > + > + # for /run/systemd/netif/links > + init_list_pid_dirs(ntpd_t) > + > + optional_policy(` > + unconfined_dbus_send(ntpd_t) > + ') > +') > + > optional_policy(` > cron_system_entry(ntpd_t, ntpdate_exec_t) > ') > Index: refpolicy-2.20170402/policy/modules/contrib/devicekit.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/devicekit.te > +++ refpolicy-2.20170402/policy/modules/contrib/devicekit.te 
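Review bot: The new ifdef(`init_systemd', …) block gives ntpd_t `init_dbus_chat`, `init_reload`, `setpcap` and `unconfined_dbus_send`, which look like the needs of systemd-timedated (a bus-activated service that enables/disables NTP units) rather than of the NTP daemon; because ntp.fc now labels /usr/lib/systemd/systemd-timedated as ntpd_exec_t, the network-facing ntpd inherits the ability to reload PID 1 and exchange D-Bus messages with it. Timedated is also started by the system bus, so it would need a transition from system_dbusd_t (e.g. dbus_system_domain) that this hunk does not add — verify how it is launched on the test system. A dedicated timedated domain would keep these permissions off ntpd_t; at minimum comment each rule with the program that needs it, e.g. `# systemd-timedated enables/disables ntp units`.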
> @@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t) > > init_all_labeled_script_domtrans(devicekit_power_t) > init_read_utmp(devicekit_power_t) > +init_search_run(devicekit_power_t) > > miscfiles_read_localization(devicekit_power_t) > > Index: refpolicy-2.20170402/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/init.if > +++ refpolicy-2.20170402/policy/modules/system/init.if > @@ -1209,6 +1209,24 @@ interface(`init_pid_filetrans',` > filetrans_pattern($1, init_var_run_t, $2, $3, $4) > ') > > +###################################### > +## > +## Allow listing of the /run/systemd directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_list_pid_dirs',` > + gen_require(` > + type init_var_run_t; > + ') > + add files_search_pids($1) ? > + allow $1 init_var_run_t:dir list_dir_perms; > +') > + > ######################################## > ## > ## Get the attributes of initctl. > @@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',` > allow $1 { init_script_file_type systemdunit }:service status; > ') > > +####################################### > +## > +## All perms on all systemd units. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_manage_all_units',` > + gen_require(` > + attribute systemdunit; > + class service all_service_perms; > + ') > + > + allow $1 systemdunit:service all_service_perms; > + allow $1 systemdunit:file getattr; > +') > + > ######################################## > ## > ## Start all systemd units. 
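Review bot: `init_manage_all_units` applies only to the `systemdunit` attribute, while the neighbouring `init_get_all_units_status` (visible just above it) and `init_reload_all_units` cover `{ init_script_file_type systemdunit }`; a caller of the "manage all" interface therefore gets less on sysv-style script units than a caller of "status all", which the summary "All perms on all systemd units" does not convey. Either include `init_script_file_type` for consistency with the siblings or state in the description that init scripts are excluded. The extra `allow $1 systemdunit:file getattr;` should say what it is for, e.g. `# getattr on the unit file, presumably for systemctl — confirm`.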
> @@ -2879,3 +2917,58 @@ interface(`init_reload_all_units',` > > allow $1 { init_script_file_type systemdunit }:service reload; > ') > + > +######################################## > +## > +## Allow getting service status of initrc_exec_t scripts > +## > +## > +## > +## Target domain > +## > +## > +# > +interface(`init_get_script_status',` > + gen_require(` > + type initrc_exec_t; > + class service status; > + ') > + > + allow $1 initrc_exec_t:service status; > +') > + > +######################################## > +## > +## Allow unconfined access to send instructions to init > +## > +## > +## > +## Target domain > +## > +## > +# > +interface(`init_unconfined',` > + gen_require(` > + type initrc_exec_t; > + class service status; > + ') > + > + dev_manage_null_service($1) > + init_disable($1) > + init_enable($1) > + init_get_all_units_status($1) > + init_get_generic_units_status($1) > + init_get_system_status($1) > + init_manage_all_units($1) > + init_manage_script_service($1) > + init_reboot_system($1) > + init_reload($1) > + init_reload_all_units($1) > + init_shutdown_system($1) > + init_start_all_units($1) > + init_start_generic_units($1) > + init_stop_all_units($1) > + init_stop_generic_units($1) > + init_stop_system($1) > + init_telinit($1) > +') > Index: refpolicy-2.20170402/policy/modules/system/fstools.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/fstools.te > +++ refpolicy-2.20170402/policy/modules/system/fstools.te 
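Review bot: `init_unconfined` declares `type initrc_exec_t; class service status;` in its gen_require but uses neither directly — every line in the body is an interface call that carries its own requires — so the block is dead and should go, as `init_get_script_status` just above shows the expected shape. The summary "send instructions to init" also understates the grant: through `init_manage_all_units` and `init_manage_script_service` it covers enable/disable/kill of every unit and script, and `init_telinit`/`init_stop_system` allow changing runlevel and halting the system. Spell that out in the description so that callers such as dpkg_script_t and sysadm_t are given it knowingly.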
> @@ -146,6 +146,7 @@ term_use_console(fsadm_t) > init_use_fds(fsadm_t) > init_use_script_ptys(fsadm_t) > init_dontaudit_getattr_initctl(fsadm_t) > +init_rw_script_stream_sockets(fsadm_t) > > logging_send_syslog_msg(fsadm_t) > > Index: refpolicy-2.20170402/policy/modules/system/systemd.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/systemd.if > +++ refpolicy-2.20170402/policy/modules/system/systemd.if > @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip > > ###################################### > ## > +## Write systemd_login named pipe. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_write_logind_pid_pipes',` > + gen_require(` > + type systemd_logind_var_run_t; > + ') > + > + init_search_run($1) > + files_search_pids($1) > + allow $1 systemd_logind_var_run_t:fifo_file { getattr write }; > +') > + > +###################################### > +## > ## Use inherited systemd > ## logind file descriptors. > ## > @@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',` > > ###################################### > ## > +## Read logind sessions files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_read_logind_sessions_files',` > + gen_require(` > + type systemd_sessions_var_run_t, systemd_logind_t; > + ') > + > + allow $1 systemd_logind_t:fd use; > + init_search_run($1) > + allow $1 systemd_sessions_var_run_t:dir list_dir_perms; > + read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t) > +') > + > +###################################### > +## > ## Write inherited logind sessions pipes. > ## > ## 
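Review bot: `systemd_read_logind_sessions_files` includes `allow $1 systemd_logind_t:fd use;`, which has nothing to do with reading /run/systemd/sessions and duplicates the existing `systemd_use_logind_fds` interface shown directly above it; every caller in this patch (NetworkManager_t, udev_t, policykit_t, sshd via ssh.if) silently receives logind fd use as a result. Drop the fd rule here and have whichever caller actually needs it call `systemd_use_logind_fds` as well. In the same hunk, `systemd_write_logind_pid_pipes` could use `write_fifo_file_perms` instead of `{ getattr write }` to match the perm-set style used elsewhere in the file.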
> @@ -188,6 +229,30 @@ interface(`systemd_use_passwd_agent_fds' > allow systemd_passwd_agent_t $1:fd use; > ') > > +####################################### > +## > +## Allow a systemd_passwd_agent_t process to interact with a daemon > +## that needs a password from the sysadmin. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_use_passwd_agent',` > + gen_require(` > + type systemd_passwd_agent_t; > + type systemd_passwd_var_run_t; > + ') > + > + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) > + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) > + > + allow systemd_passwd_agent_t $1:process signull; > + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; > +') > + > ######################################## > ## > ## Transition to systemd_passwd_var_run_t when creating dirs > @@ -383,3 +448,22 @@ interface(`systemd_tmpfilesd_managed',` > > allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; > ') > + > +######################################## > +## > +## Allow reading /run/systemd/machines > +## > +## > +## > +## Domain that can access the machines files > +## > +## > +# > +interface(`systemd_read_machines',` > + gen_require(` > + type systemd_machined_var_run_t; > + ') > + > + allow $1 systemd_machined_var_run_t:dir list_dir_perms; > + allow $1 systemd_machined_var_run_t:file read_file_perms; > +') > Index: refpolicy-2.20170402/policy/modules/contrib/dpkg.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/dpkg.te > +++ refpolicy-2.20170402/policy/modules/contrib/dpkg.te > @@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t) > > corecmd_exec_all_executables(dpkg_script_t) > > -dev_manage_null_service(dpkg_script_t) > dev_list_sysfs(dpkg_script_t) > # Use named file transition to fix this > # dev_manage_generic_blk_files(dpkg_script_t) 
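Review bot: `systemd_use_passwd_agent` grants manage on the ask-password runtime files and sockets but, unlike `systemd_write_logind_pid_pipes` in the same file, does not add `init_search_run($1)` and `files_search_pids($1)`, so a caller without its own search rights on /run and /run/systemd cannot reach the directory; `systemd_read_machines` in the following hunk has the same gap. The description should also say what the grant implies: a domain holding it can create request files that the agent will present to the administrator, i.e. it can ask for secrets, so callers must be trusted to do so. Add the two search calls to both interfaces and extend the summary with `Callers can post password requests to the agent`.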
> @@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_ > auth_manage_shadow(dpkg_script_t) > > init_all_labeled_script_domtrans(dpkg_script_t) > -init_get_generic_units_status(dpkg_script_t) > init_use_script_fds(dpkg_script_t) > -init_get_system_status(dpkg_script_t) > -init_start_generic_units(dpkg_script_t) > -init_stop_generic_units(dpkg_script_t) > -init_reload(dpkg_script_t) > -init_stop_system(dpkg_script_t) > -init_telinit(dpkg_script_t) > init_manage_script_service(dpkg_script_t) > init_startstop_all_script_services(dpkg_script_t) > +init_unconfined(dpkg_script_t) > > libs_exec_ld_so(dpkg_script_t) > libs_exec_lib_files(dpkg_script_t) > Index: refpolicy-2.20170402/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/init.te > +++ refpolicy-2.20170402/policy/modules/system/init.te > @@ -697,9 +697,7 @@ ifdef(`distro_gentoo',` > seutil_read_default_contexts(initrc_t) > > # /lib/rcscripts/net/system.sh rewrites resolv.conf :( > - sysnet_create_config(initrc_t) > - sysnet_write_config(initrc_t) > - sysnet_setattr_config(initrc_t) > + sysnet_manage_config(initrc_t) > > optional_policy(` > abrt_manage_pid_files(initrc_t) > Index: refpolicy-2.20170402/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20170402/policy/modules/system/systemd.te 
> @@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpf > seutil_read_config(systemd_tmpfiles_t) > seutil_read_file_contexts(systemd_tmpfiles_t) > > -sysnet_create_config(systemd_tmpfiles_t) > +sysnet_manage_config(systemd_tmpfiles_t) > +sysnet_relabel_config(systemd_tmpfiles_t) > > systemd_log_parse_environment(systemd_tmpfiles_t) > > Index: refpolicy-2.20170402/policy/modules/contrib/ntp.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.if > +++ refpolicy-2.20170402/policy/modules/contrib/ntp.if > @@ -200,6 +200,9 @@ interface(`ntp_admin',` > type ntpd_key_t, ntpd_pid_t, ntp_conf_t; > type ntpd_initrc_exec_t, ntp_drift_t; > type ntpd_unit_t; > + ifdef(`init_systemd',` > + class dbus send_msg; > + ') > ') > > allow $1 ntpd_t:process { ptrace signal_perms }; > @@ -223,4 +226,9 @@ interface(`ntp_admin',` > admin_pattern($1, ntpd_pid_t) > > ntp_run($1, $2) > + > + ifdef(`init_systemd',` > + allow $1 ntpd_t:dbus send_msg; > + allow ntpd_t $1:dbus send_msg; > + ') > ') > Index: refpolicy-2.20170402/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20170402.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20170402/policy/modules/services/ssh.if > @@ -271,6 +271,10 @@ template(`ssh_server_template', ` > files_read_var_lib_symlinks($1_t) > nx_spec_domtrans_server($1_t) > ') > + > + optional_policy(` > + systemd_read_logind_sessions_files($1_t) > + ') > ') > > ######################################## > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy