From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 7 Dec 2017 18:51:57 -0500 Subject: [refpolicy] [PATCH 2/2] Add private type for systemd logind inhibit files and pipes In-Reply-To: <20171206170604.3036-2-bigon@debian.org> References: <20171206170604.3036-1-bigon@debian.org> <20171206170604.3036-2-bigon@debian.org> Message-ID: <7bf78d73-aaac-a6bc-319c-3362bab77a04@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/06/2017 12:06 PM, Laurent Bigonville via refpolicy wrote: > From: Laurent Bigonville > > --- > policy/modules/system/systemd.fc | 2 +- > policy/modules/system/systemd.if | 20 ++++++++++++++++++++ > policy/modules/system/systemd.te | 9 ++++++++- > 3 files changed, 29 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc > index 56e9bc13..183e0939 100644 > --- a/policy/modules/system/systemd.fc > +++ b/policy/modules/system/systemd.fc > @@ -51,7 +51,7 @@ > /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) > /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > -/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > +/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) > /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) > /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) > /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) > diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if > index 8f914837..d875098a 100644 > --- a/policy/modules/system/systemd.if > +++ b/policy/modules/system/systemd.if 
> @@ -138,6 +138,26 @@ interface(`systemd_write_inherited_logind_sessions_pipes',` > allow systemd_logind_t $1:process signal; > ') > > +###################################### > +## > +## Write inherited logind inhibit pipes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_write_inherited_logind_inhibit_pipes',` > + gen_require(` > + type systemd_logind_inhibit_var_run_t; > + type systemd_logind_t; > + ') > + > + allow $1 systemd_logind_t:fd use; > + allow $1 systemd_logind_inhibit_var_run_t:fifo_file write; > +') > + > ######################################## > ## > ## Send and receive messages from > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te > index 5051b87c..9a65b8f6 100644 > --- a/policy/modules/system/systemd.te > +++ b/policy/modules/system/systemd.te > @@ -101,6 +101,9 @@ type systemd_logind_var_run_t; > files_pid_file(systemd_logind_var_run_t) > init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind") > > +type systemd_logind_inhibit_var_run_t; > +files_pid_file(systemd_logind_inhibit_var_run_t) > + > type systemd_machined_t; > type systemd_machined_exec_t; > init_daemon_domain(systemd_machined_t, systemd_machined_exec_t) 
> @@ -364,7 +367,11 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) > manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) > manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) > allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms; > -init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit") > + > +manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) > +manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) > +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) > +init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit") > > allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms; > allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms; I tend to agree with Dominick that this is probably not needed; however, I have merged it anyway. If it ends up being a problem, it is easy to remove. -- Chris PeBenito
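Review bot: The patch carries no commit message, so the reason for the relabel in the systemd.fc hunk (moving `/run/systemd/inhibit(/.*)?` from systemd_logind_var_run_t to the new systemd_logind_inhibit_var_run_t) is left implicit; please state it, for example that processes holding an inhibitor lock only need to write to the inhibit pipe they were handed and should not be granted write access to the rest of logind's runtime files under the shared type. Also worth a line in the message: on a running system that loads the new policy without rebooting, the existing directory keeps its old label until a restorecon of /run/systemd/inhibit is done, since the filetrans rule only affects directories created after the policy is loaded.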
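Review bot: The new systemd_write_inherited_logind_inhibit_pipes() interface in the systemd.if hunk grants only `allow $1 systemd_logind_t:fd use;` and `allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;`, with no open permission, so a caller can write to an inhibit pipe it inherited from logind but cannot open one by path; that is the right scope, and the interface description should say so explicitly rather than relying on "inherited" in the name. It is also worth noting in the description that, unlike the neighbouring systemd_write_inherited_logind_sessions_pipes (whose trailing `allow systemd_logind_t $1:process signal;` is visible in the hunk context), this interface deliberately grants logind nothing back towards the caller.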
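Review bot: In the first systemd.te hunk the new type gets files_pid_file() but, unlike systemd_logind_var_run_t declared right above it, no init_daemon_pid_file() transition; that is consistent with the later hunk, where the directory is created by systemd_logind_t itself via init_pid_filetrans(), but a short comment next to the declaration saying that the inhibit directory is created by logind rather than by init would spare the next reader the cross-reference.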
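Review bot: In the second systemd.te hunk the replacement `init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")` keeps the same name transition and only switches the target type, which is correct; files and fifos that logind later creates inside the directory inherit its type by default, so no file-level filetrans is needed and the added manage_files_pattern()/manage_fifo_files_pattern() lines are sufficient. One style point: the existing dir rule two lines above is written as `allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;` while the new one uses manage_dirs_pattern(); the two forms are equivalent here, but the block reads better if it sticks to one of them.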