2016-05-26 12:43:10

by Laurent Bigonville

Subject: [refpolicy] [PATCH] Add policy for systemd-resolved

From: Laurent Bigonville <[email protected]>

Initial policy for systemd-resolved, tested with systemd 230 on Debian
---
policy/modules/system/systemd.fc | 2 ++
policy/modules/system/systemd.te | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index a0b5f0b..a987681 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -17,6 +17,7 @@
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)

# Systemd unit files
@@ -33,6 +34,7 @@
/var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

+/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
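Review bot: The `/var/run/systemd/resolve(/.*)?` entry added in this hunk also labels the resolv.conf that systemd-resolved writes into that directory as systemd_resolved_var_run_t, and the patch adds no interface in systemd.if that lets any other domain read that type. A client domain that reaches the file through an /etc/resolv.conf symlink will presumably be denied, since the usual sysnet_read_config() path only covers net_conf_t. Either add a more specific entry so the generated file keeps the conventional label, e.g. `/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)`, or add a read interface for systemd_resolved_var_run_t and call it from the DNS-client interfaces.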
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0bed23c..e42f3ca 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -80,6 +80,13 @@ type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)

+type systemd_resolved_t;
+type systemd_resolved_exec_t;
+init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+
+type systemd_resolved_var_run_t;
+files_pid_file(systemd_resolved_var_run_t)
+
type systemd_run_t;
type systemd_run_exec_t;
init_daemon_domain(systemd_run_t, systemd_run_exec_t)
@@ -244,6 +251,39 @@ optional_policy(`

#########################################
#
+# Resolved local policy
+#
+
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
+
+allow systemd_resolved_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+
+kernel_read_crypto_sysctls(systemd_resolved_t)
+kernel_read_kernel_sysctls(systemd_resolved_t)
+kernel_read_system_state(systemd_resolved_t)
+
+corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
+
+auth_use_nsswitch(systemd_resolved_t)
+
+seutil_read_file_contexts(systemd_resolved_t)
+
+systemd_log_parse_environment(systemd_resolved_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_resolved_t)
+')
+
+#########################################
+#
# Sessions local policy
#

--
2.8.1


2016-05-26 13:02:54

by cpebenito

Subject: [refpolicy] [PATCH] Add policy for systemd-resolved

On 5/26/2016 8:43 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Initial policy for systemd-resolved, tested with systemd 230 on debian

Merged.


> ---
> policy/modules/system/systemd.fc | 2 ++
> policy/modules/system/systemd.te | 40 ++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 42 insertions(+)
>
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index a0b5f0b..a987681 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -17,6 +17,7 @@
> /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
> /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
> +/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
>
> # Systemd unit files
> @@ -33,6 +34,7 @@
> /var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
>
> +/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
> /var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 0bed23c..e42f3ca 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -80,6 +80,13 @@ type systemd_nspawn_t;
> type systemd_nspawn_exec_t;
> init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
>
> +type systemd_resolved_t;
> +type systemd_resolved_exec_t;
> +init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
> +
> +type systemd_resolved_var_run_t;
> +files_pid_file(systemd_resolved_var_run_t)
> +
> type systemd_run_t;
> type systemd_run_exec_t;
> init_daemon_domain(systemd_run_t, systemd_run_exec_t)
> @@ -244,6 +251,39 @@ optional_policy(`
>
> #########################################
> #
> +# Resolved local policy
> +#
> +
> +allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
> +allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
> +
> +allow systemd_resolved_t self:tcp_socket { accept listen };
> +
> +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> +init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
> +
> +kernel_read_crypto_sysctls(systemd_resolved_t)
> +kernel_read_kernel_sysctls(systemd_resolved_t)
> +kernel_read_system_state(systemd_resolved_t)
> +
> +corenet_tcp_bind_generic_node(systemd_resolved_t)
> +corenet_tcp_bind_llmnr_port(systemd_resolved_t)
> +corenet_udp_bind_generic_node(systemd_resolved_t)
> +corenet_udp_bind_llmnr_port(systemd_resolved_t)
> +
> +auth_use_nsswitch(systemd_resolved_t)
> +
> +seutil_read_file_contexts(systemd_resolved_t)
> +
> +systemd_log_parse_environment(systemd_resolved_t)
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_resolved_t)
> +')
> +
> +#########################################
> +#
> # Sessions local policy
> #
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com