From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 6 Dec 2017 18:06:04 +0100
Subject: [refpolicy] [PATCH 2/2] Add private type for systemd logind inhibit files and pipes
In-Reply-To: <20171206170604.3036-1-bigon@debian.org>
References: <20171206170604.3036-1-bigon@debian.org>
Message-ID: <20171206170604.3036-2-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Laurent Bigonville
---
policy/modules/system/systemd.fc | 2 +-
policy/modules/system/systemd.if | 20 ++++++++++++++++++++
policy/modules/system/systemd.te | 9 ++++++++-
3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 56e9bc13..183e0939 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -51,7 +51,7 @@
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8f914837..d875098a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
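Review bot: The relabel of `/run/systemd/inhibit(/.*)?` to `systemd_logind_inhibit_var_run_t` only applies to objects created after the new policy is loaded; on an already running system the existing `inhibit` directory and any inhibitor FIFOs in it presumably keep `systemd_logind_var_run_t` until `/run/systemd` is relabelled (or the host reboots, `/run` being volatile), so a domain granted only the new type would be denied on those pre-existing pipes. That upgrade step is worth a sentence in the commit message or the distribution's policy update notes. The remaining `.fc` lines in this hunk are unchanged context.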
@@ -138,6 +138,26 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
 allow systemd_logind_t $1:process signal;
 ')
 
+######################################
+##
+## Write inherited logind inhibit pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_write_inherited_logind_inhibit_pipes',`
+ gen_require(`
+ type systemd_logind_inhibit_var_run_t;
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
+')
+
 ########################################
 ##
 ## Send and receive messages from
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5051b87c..9a65b8f6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -101,6 +101,9 @@ type systemd_logind_var_run_t;
 files_pid_file(systemd_logind_var_run_t)
 init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
 
+type systemd_logind_inhibit_var_run_t;
+files_pid_file(systemd_logind_inhibit_var_run_t)
+
 type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
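Review bot: No caller of the new `systemd_write_inherited_logind_inhibit_pipes()` interface is added in this part of the series, while the `.fc` and `.te` hunks move the inhibitor pipes out of `systemd_logind_var_run_t`; any domain that previously received an inhibitor lock fd from logind under the old label would presumably lose `fifo_file write` on it until it calls the new interface, so whichever domains that affects in the tree should be updated in the same series. The body mirrors the neighbouring `systemd_write_inherited_logind_sessions_pipes` except for the `allow systemd_logind_t $1:process signal;` rule; if leaving that out is intentional, a one-line comment above the `allow $1 systemd_logind_t:fd use;` line, `# no process signal here, unlike the sessions variant`, would record the decision. The `## <summary>` and `## <param name="domain">` XML tags refpolicy expects in the doc block do not show on this page; if that is the patch rather than the archive rendering stripping them, the interface will be missing from the generated documentation.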
@@ -364,7 +367,11 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
-init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
 
 allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
-- 
2.15.1
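Review bot: The new block gives no reason for carving the inhibitor pipes out into their own type; since the motivation visible in the `.if` hunk is that these FIFOs are handed to other domains as inherited fds, a short comment above the `manage_dirs_pattern(...)` line, `# inhibitor lock fifos are passed to other domains, so keep them separate from the rest of logind's runtime state`, would make the intent clear to later readers. As a point of style, the `systemd_logind_var_run_t` rules just above use `allow systemd_logind_t ...:dir manage_dir_perms;` whereas the new block uses `manage_dirs_pattern()`; either works, but two adjacent blocks for sibling types read better in the same form. Moving `init_pid_filetrans(..., "inhibit")` onto the new type keeps the directory logind creates labelled consistently with the `.fc` entry, which is the right pairing.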