From: cgzones@googlemail.com (Christian Göttsche) Date: Thu, 18 May 2017 21:52:09 +0200 Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files In-Reply-To: <20170518193110.27516-3-krzysztof.a.nowicki@gmail.com> References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> <20170518193110.27516-1-krzysztof.a.nowicki@gmail.com> <20170518193110.27516-3-krzysztof.a.nowicki@gmail.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 2017-05-18 21:31 GMT+02:00 Krzysztof Nowicki via refpolicy : > From: Krzysztof Nowicki > > Reuse the label from dynamically created configuration. > --- > policy/modules/system/modutils.te | 2 +- > policy/modules/system/systemd.fc | 6 ++++++ > policy/modules/system/systemd.if | 4 ++-- > policy/modules/system/systemd.te | 1 + > 4 files changed, 10 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te > index 1f7bdcd..625129f 100644 > --- a/policy/modules/system/modutils.te > +++ b/policy/modules/system/modutils.te > @@ -118,7 +118,7 @@ ifdef(`init_systemd',` > # for /run/tmpfiles.d/kmod.conf > allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms; > # kmod needs to create /run/tmpdiles.d > - systemd_tmpfiles_creator(kmod_t) > + systemd_tmpfiles_config_creator(kmod_t) > > init_rw_stream_sockets(kmod_t) > ') > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc > index 57944e1..8bff2fa 100644 > --- a/policy/modules/system/systemd.fc > +++ b/policy/modules/system/systemd.fc 
> @@ -37,10 +37,16 @@ > /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0) > /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) > > +# Systemd tmpfiles configuration > +/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) > + > /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) > /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) > /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) > > +# Systemd tmpfiles configuration factory > +/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) What is the benefit of labeling this directory and the /usr/lib/tmpfiles.d one with a private type? Shouldn't the read-only like usr_t type do the job? Also afaik local changes should be made in /etc/tmpfiles.d > + > /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > > diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if > index 10f75de..4359d74 100644 > --- a/policy/modules/system/systemd.if > +++ b/policy/modules/system/systemd.if > @@ -397,7 +397,7 @@ interface(`systemd_start_power_units',` > ## > ## > # > - interface(`systemd_tmpfiles_conf_file',` > +interface(`systemd_tmpfiles_conf_file',` > gen_require(` > attribute systemd_tmpfiles_conf_type; > ') > @@ -418,7 +418,7 @@ interface(`systemd_start_power_units',` > ## > ## > # > -interface(`systemd_tmpfiles_creator',` > +interface(`systemd_tmpfiles_config_creator',` > gen_require(` > type systemd_tmpfiles_conf_t; > ') > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te > index eb70c77..4535182 100644 > --- a/policy/modules/system/systemd.te > +++ b/policy/modules/system/systemd.te 
> @@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; > allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; > > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; > +allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms; > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; > > kernel_read_kernel_sysctls(systemd_tmpfiles_t) > -- > 2.10.2 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy
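Review bot: In the systemd.if hunk at `@@ -418,7 +418,7 @@` (with its call site in the modutils.te hunk), `systemd_tmpfiles_creator` is renamed to `systemd_tmpfiles_config_creator` outright, which breaks any out-of-tree module that still calls the old name. Keep `systemd_tmpfiles_creator` as a deprecated wrapper that emits a `refpolicywarn` and calls the new interface, as refpolicy does for other renamed interfaces, and mention the rename in the commit message, which at present only describes the label reuse.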
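Review bot: The systemd.if hunk at `@@ -397,7 +397,7 @@` only removes a stray leading space from ` interface(`systemd_tmpfiles_conf_file',`; that is an unrelated whitespace fix and belongs in its own commit rather than in a patch about labeling static configuration.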
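Review bot: In the systemd.fc hunk, the comment `# Systemd tmpfiles configuration factory` above `/usr/share/factory(/.*)?` mislabels what that tree is: it holds the files that tmpfiles.d `C` (copy) lines copy from, not tmpfiles configuration, so giving it `systemd_tmpfiles_conf_t` means every rule that grants read access to tmpfiles configuration also reaches the factory tree. Either state in the comment and commit message why one type is intended to cover both, or give the factory tree its own type; the two new entries could also sit together instead of being split by the unrelated `/var/lib/systemd` lines.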
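Review bot: In the systemd.te hunk, the added `allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;` sits directly above `allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;`; if `systemd_tmpfiles_conf_t` carries the `systemd_tmpfiles_conf_type` attribute (its declaration is not in this diff) the new line is redundant and should be dropped, and if it does not, the cleaner fix is to add the attribute to the type so the existing attribute rule covers it rather than duplicating the rule per type.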