From: krzysztof.a.nowicki@gmail.com (krzysztof.a.nowicki at gmail.com)
Date: Sun, 14 May 2017 17:24:01 +0200
Subject: [refpolicy] [PATCH 2/4] Distinguish between systemd-tmpfiles runtime and static config
In-Reply-To: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com>
References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com>
Message-ID: <20170514152403.369-3-krzysztof.a.nowicki@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Krzysztof Nowicki
Label all static tmpfiles configuration under one type. Rename the type used for runtime configuration to indicate its purpose.
---
 policy/modules/system/modutils.te | 4 ++--
 policy/modules/system/systemd.fc | 6 +++++-
 policy/modules/system/systemd.if | 16 ++++++++--------
 policy/modules/system/systemd.te | 6 +++++-
 4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1f7bdcd..28a4e01 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -27,7 +27,7 @@ ifdef(`init_systemd',`
 type kmod_tmpfiles_conf_t;
 typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
 systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
- systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
+ systemd_tmpfiles_runtime_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
 ')
 
 ########################################
@@ -118,7 +118,7 @@ ifdef(`init_systemd',`
 # for /run/tmpfiles.d/kmod.conf
 allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
 # kmod needs to create /run/tmpdiles.d
- systemd_tmpfiles_creator(kmod_t)
+ systemd_tmpfiles_runtime_config_creator(kmod_t)
 
 init_rw_stream_sockets(kmod_t)
 ')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 7fa03ad..82307e3 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
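Review bot: The new interface name `systemd_tmpfiles_runtime_config_creator` in the @@ -118 hunk spells its suffix "config", while the sibling renamed in the @@ -27 hunk, `systemd_tmpfiles_runtime_conf_filetrans`, and the new type `systemd_tmpfiles_runtime_conf_t` use "conf". One spelling keeps the interface family greppable; `systemd_tmpfiles_runtime_config_creator(kmod_t)` would become `systemd_tmpfiles_runtime_conf_creator(kmod_t)`, with the matching rename of the definition in the systemd.if @@ -418 hunk. The context comment two lines above still reads "/run/tmpdiles.d"; it is worth correcting to "/run/tmpfiles.d" while this block is being touched.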
@@ -37,6 +37,10 @@
 /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
+# Systemd tmpfiles configuration
+/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
@@ -53,7 +57,7 @@
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 
-/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
 /run/tmpfiles\.d/.* <>
 
 /var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de..a750063 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
 ##
 ##
 #
- interface(`systemd_tmpfiles_conf_file',`
+interface(`systemd_tmpfiles_conf_file',`
 gen_require(`
 attribute systemd_tmpfiles_conf_type;
 ')
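Review bot: The added pattern `/usr/lib/tmpfiles.d(/.*)?` in the @@ -37 hunk leaves the dot unescaped, unlike `/run/tmpfiles\.d` in the @@ -53 hunk of the same file, so it is a regex wildcard rather than a literal dot and the entry matches more paths than intended; it should read `/usr/lib/tmpfiles\.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)`. The second new entry labels `/usr/share/factory(/.*)?` with the same configuration type, but that tree holds the factory default files tmpfiles copies into place rather than tmpfiles.d snippets, so everything under it becomes readable wherever `systemd_tmpfiles_conf_type:file read_file_perms` is granted. If that is intended, a one-line comment stating that the factory tree is treated as static tmpfiles input would help the next reader; otherwise a distinct type keeps the two apart.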
@@ -418,13 +418,13 @@ interface(`systemd_start_power_units',`
 ##
 ##
 #
-interface(`systemd_tmpfiles_creator',`
+interface(`systemd_tmpfiles_runtime_config_creator',`
 gen_require(`
- type systemd_tmpfiles_conf_t;
+ type systemd_tmpfiles_runtime_conf_t;
 ')
 
- files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
- allow $1 systemd_tmpfiles_conf_t:dir create;
+ files_pid_filetrans($1, systemd_tmpfiles_runtime_conf_t, dir, "tmpfiles.d")
+ allow $1 systemd_tmpfiles_runtime_conf_t:dir create;
 ')
 
 ########################################
@@ -454,13 +454,13 @@ interface(`systemd_tmpfiles_creator',`
 ##
 ##
 #
-interface(`systemd_tmpfiles_conf_filetrans',`
+interface(`systemd_tmpfiles_runtime_conf_filetrans',`
 gen_require(`
- type systemd_tmpfiles_conf_t;
+ type systemd_tmpfiles_runtime_conf_t;
 ')
 
 files_search_pids($1)
- filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
+ filetrans_pattern($1, systemd_tmpfiles_runtime_conf_t, $2, $3, $4)
 ')
 
 #######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7782528..2cbdba2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -154,8 +154,12 @@ type systemd_tmpfiles_t;
 type systemd_tmpfiles_exec_t;
 init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 
+type systemd_tmpfiles_runtime_conf_t;
+files_config_file(systemd_tmpfiles_runtime_conf_t)
+
 type systemd_tmpfiles_conf_t;
 files_config_file(systemd_tmpfiles_conf_t)
+typeattribute systemd_tmpfiles_conf_t systemd_tmpfiles_conf_type;
 
 #
 # Unit file types
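Review bot: The interface descriptions above `systemd_tmpfiles_runtime_config_creator` (@@ -418) and `systemd_tmpfiles_runtime_conf_filetrans` (@@ -454) are left untouched by the rename; only bare `##` context lines are visible here, so whether the summaries still describe generic tmpfiles configuration cannot be confirmed, but after this patch both interfaces are specific to the runtime directory under /run. A summary such as `## Create the runtime tmpfiles.d configuration directory in /run.` for the first and `## Create objects in the runtime tmpfiles.d directory with an automatic type transition.` for the second would match the new names. The @@ -397 hunk only strips stray leading whitespace from `interface(`systemd_tmpfiles_conf_file',`` and is unrelated to the rename; it reads more clearly as its own patch.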
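Review bot: `systemd_tmpfiles_runtime_conf_t` is declared in the @@ -154 hunk but never added to `systemd_tmpfiles_conf_type`, while the @@ -783 hunk in the same file moves systemd_tmpfiles_t's `dir list_dir_perms` from `systemd_tmpfiles_conf_t` to that attribute. With /run/tmpfiles.d now labelled `systemd_tmpfiles_runtime_conf_t` (systemd.fc @@ -53 and the filetrans in systemd.if), nothing in this patch lets systemd_tmpfiles_t list that directory any more, so runtime snippets such as kmod.conf would presumably be skipped with a dir denial, unless a later patch in the series restores the access. Either add `typeattribute systemd_tmpfiles_runtime_conf_t systemd_tmpfiles_conf_type;` next to the new declaration, or keep an explicit `allow systemd_tmpfiles_t systemd_tmpfiles_runtime_conf_t:dir list_dir_perms;` alongside the changed rule in @@ -783.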
@@ -783,7 +787,7 @@ manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
 allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
 
-allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir list_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
-- 
2.10.2