From: krzysztof.a.nowicki@gmail.com (Krzysztof Nowicki)
Date: Thu, 18 May 2017 21:31:09 +0200
Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files
In-Reply-To: <20170518193110.27516-1-krzysztof.a.nowicki@gmail.com>
References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> <20170518193110.27516-1-krzysztof.a.nowicki@gmail.com>
Message-ID: <20170518193110.27516-3-krzysztof.a.nowicki@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Krzysztof Nowicki
Reuse the label from dynamically created configuration.
---
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/systemd.fc | 6 ++++++
 policy/modules/system/systemd.if | 4 ++--
 policy/modules/system/systemd.te | 1 +
 4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1f7bdcd..625129f 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -118,7 +118,7 @@ ifdef(`init_systemd',`
 # for /run/tmpfiles.d/kmod.conf
 allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
 # kmod needs to create /run/tmpdiles.d
-systemd_tmpfiles_creator(kmod_t)
+systemd_tmpfiles_config_creator(kmod_t)
 init_rw_stream_sockets(kmod_t)
 ')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 57944e1..8bff2fa 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -37,10 +37,16 @@
 /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
+# Systemd tmpfiles configuration
+/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+# Systemd tmpfiles configuration factory
+/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
 /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de..4359d74 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
 ##
 ##
 #
- interface(`systemd_tmpfiles_conf_file',`
+interface(`systemd_tmpfiles_conf_file',`
 gen_require(`
 attribute systemd_tmpfiles_conf_type;
 ')
@@ -418,7 +418,7 @@ interface(`systemd_start_power_units',`
 ##
 ##
 #
-interface(`systemd_tmpfiles_creator',`
+interface(`systemd_tmpfiles_config_creator',`
 gen_require(`
 type systemd_tmpfiles_conf_t;
 ')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index eb70c77..4535182 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
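Review bot: The new `/usr/share/factory(/.*)?` entry labels the factory tree with the same type as the tmpfiles configuration, but that tree is the source systemd-tmpfiles copies default files *from*, not configuration that drives it, and the comment `# Systemd tmpfiles configuration factory` reads as if it were. If systemd_tmpfiles_config_creator grants create/add_name on systemd_tmpfiles_conf_t directories (its body is outside this hunk, but its name and the `# kmod needs to create /run/tmpdiles.d` comment in modutils.te suggest so), then every caller of that interface now gets that access on /usr/lib/tmpfiles.d and /usr/share/factory as well, so the read-only static configuration can no longer be separated from the runtime-generated one by policy. A distinct read-only type for the factory tree, or at least keeping /usr/share/factory out of systemd_tmpfiles_conf_t until that interface is reviewed, would avoid widening the creator's reach; at minimum the comment should say `# Factory tree systemd-tmpfiles copies default files from`. The admin override location `/etc/tmpfiles.d(/.*)?` holds the same kind of static configuration and is not labeled here, so it presumably keeps whatever /etc gives it.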
@@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
 allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
--
2.10.2
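Review bot: The added `allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;` sits directly above an identical rule on the `systemd_tmpfiles_conf_type` attribute; if systemd_tmpfiles_conf_t carries that attribute (its declaration is outside this hunk) the new line is redundant and should be dropped, and if it does not, a one-line comment saying why conf_t is kept out of the attribute would save the next reader the same question. If the intent is to let systemd-tmpfiles process the /usr/share/factory tree that this series labels systemd_tmpfiles_conf_t, reading regular files is not enough for copying a directory tree: symlinks in it also need `allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:lnk_file read_lnk_file_perms;`. The surrounding rule block continues outside the hunk.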