2017-02-21 07:17:58

by Russell Coker

Subject: [refpolicy] [PATCH] first systemd patch - not hopefully good enough

I've done all the things pebenito asked, hopefully this is good enough now.

Description: Make systemd work
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-21

Index: refpolicy-2.20170221/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/udev.if
+++ refpolicy-2.20170221/policy/modules/system/udev.if
@@ -282,6 +282,26 @@ interface(`udev_manage_pid_dirs',`

########################################
## <summary>
+## Allow process to relabelto udev database
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 udev_var_run_t:file relabelto_file_perms;
+ allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+')
+
+########################################
+## <summary>
## Read udev pid files.
## </summary>
## <param name="domain">
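Review bot: The name and summary of `udev_relabelto_db` promise access to the udev database, but the rules grant `relabelto` on every udev_var_run_t file and symlink, since all of /run/udev shares that type. Either the summary should say so, e.g. `## Relabel files and symlinks under /run/udev to udev_var_run_t.`, or the grant should be narrowed if a db-specific type exists. It is also worth one sentence in the doc block that the caller gets `relabelto` only, so a later user does not add `relabelfrom` on the assumption that it was forgotten.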
Index: refpolicy-2.20170221/policy/modules/kernel/devices.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/kernel/devices.te
+++ refpolicy-2.20170221/policy/modules/kernel/devices.te
@@ -21,6 +21,9 @@ files_mountpoint(device_t)
files_associate_tmp(device_t)
fs_xattr_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
+optional_policy(`
+ systemd_tmpfilesd_managed(device_t, fifo_file)
+')

#
# Type for /dev/agpgart
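Review bot: devices.te is a kernel-layer module, and calling `systemd_tmpfilesd_managed()` from it (and from files.te in the next file) makes the kernel layer depend on the system-layer systemd module, which refpolicy's layering convention avoids even inside `optional_policy`. The conventional direction is for systemd.te to ask for what it needs through devices/files interfaces called on the tmpfiles domain, rather than having the base types opt in here. If the layering violation is deliberate, a comment above the block saying why would save the next reviewer the same question.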
Index: refpolicy-2.20170221/policy/modules/kernel/files.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/kernel/files.te
+++ refpolicy-2.20170221/policy/modules/kernel/files.te
@@ -174,6 +174,10 @@ type var_run_t;
files_pid_file(var_run_t)
files_mountpoint(var_run_t)

+optional_policy(`
+ systemd_tmpfilesd_managed(var_run_t, lnk_file)
+')
+
#
# var_spool_t is the type of /var/spool
#
Index: refpolicy-2.20170221/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20170221/policy/modules/system/authlogin.te
@@ -30,6 +30,9 @@ role system_r types chkpwd_t;

type faillog_t;
logging_log_file(faillog_t)
+optional_policy(`
+ systemd_tmpfilesd_managed(faillog_t, file)
+')

type lastlog_t;
logging_log_file(lastlog_t)
@@ -81,6 +84,9 @@ application_domain(utempter_t, utempter_
#
type var_auth_t;
files_type(var_auth_t)
+optional_policy(`
+ systemd_tmpfilesd_managed(var_auth_t, dir)
+')

type wtmp_t;
logging_log_file(wtmp_t)
Index: refpolicy-2.20170221/policy/modules/system/init.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/init.fc
+++ refpolicy-2.20170221/policy/modules/system/init.fc
@@ -57,6 +57,8 @@ ifdef(`distro_gentoo', `
/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)

ifdef(`distro_debian',`
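Review bot: Labelling `/run/wd_keepalive\.pid` and `/run/sm-notify\.pid` as initrc_var_run_t puts daemon-specific pid files on the generic init-script type, so the watchdog and sm-notify domains would need write access to initrc_var_run_t instead of their own pid type. If the module owning either daemon already carries a file_contexts spec for the same path, the two specs will also collide at build time; I could not check that from here. Keeping each spec in the owning module with its own `*_var_run_t` type keeps the grant narrow.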
Index: refpolicy-2.20170221/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/init.if
+++ refpolicy-2.20170221/policy/modules/system/init.if
@@ -164,10 +164,12 @@ interface(`init_ranged_domain',`

ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
+ range_transition initrc_t $2:process $3;
')

ifdef(`enable_mls',`
range_transition init_t $2:process $3;
+ range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
')
')
@@ -210,8 +212,10 @@ interface(`init_ranged_domain',`
interface(`init_daemon_domain',`
gen_require(`
type initrc_t;
+ type init_t;
role system_r;
attribute daemon;
+ attribute initrc_transition_domain;
')

typeattribute $1 daemon;
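Review bot: `attribute initrc_transition_domain;` is added to the gen_require of `init_daemon_domain` but is not used by either of this interface's hunks; unless a use exists in the part of the body outside the hunks, the require is dead and should be dropped. The interface body continues past this hunk, so I could not verify that.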
@@ -240,6 +244,10 @@ interface(`init_daemon_domain',`
init_domain($1, $2)
# this may be because of late labelling
kernel_dgram_send($1)
+
+ domtrans_pattern(init_t, $2, $1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
')

optional_policy(`
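Review bot: `domtrans_pattern(init_t, $2, $1)` looks redundant with `init_domain($1, $2)` four lines above, which in refpolicy of this vintage already sets up the init_t to $1 transition through $2; if that holds here the new line duplicates rules, and if it does not, a comment should say which case init_domain misses. The two socket rules sit outside `ifdef(`init_systemd')`, so sysvinit builds also get them; if they exist only for systemd's socket activation, gating them like the equivalent rules in init.te keeps sysvinit policy unchanged. The interface body continues outside this hunk.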
@@ -400,8 +408,10 @@ interface(`init_system_domain',`
gen_require(`
type initrc_t;
role system_r;
+ attribute systemprocess;
')

+ typeattribute $1 systemprocess;
application_domain($1, $2)

role system_r types $1;
@@ -477,6 +487,24 @@ interface(`init_ranged_system_domain',`
')
')

+######################################
+## <summary>
+## Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_dyntrans',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dyntrans_pattern($1, init_t)
+')
+
########################################
## <summary>
## Mark the file type as a daemon pid file, allowing initrc_t
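Review bot: `init_dyntrans` lets the calling domain dynamically transition into init_t without an exec, and init_t is the most privileged domain in the policy (init.te even makes it `unconfined_domain` under an optional_policy), so the documentation should state which caller this is meant for and why a dedicated domain is not possible. Something like `## This grants the caller the full privilege set of init_t; intended only for <caller, to be named>.` in the summary makes the cost visible to anyone grepping interfaces. The header rule is also two characters short of the 40 `#` used elsewhere in the file.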
@@ -675,6 +703,7 @@ interface(`init_stream_connect',`

stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
files_search_pids($1)
+ allow $1 init_t:unix_stream_socket getattr;
')

########################################
@@ -1192,23 +1221,23 @@ interface(`init_write_initctl',`
#
interface(`init_telinit',`
gen_require(`
- type initctl_t;
+ type initctl_t, init_t;
')

+ corecmd_exec_bin($1)
+
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;

init_exec($1)

- tunable_policy(`init_upstart',`
- gen_require(`
- type init_t;
- ')
-
- # upstart uses a datagram socket instead of initctl pipe
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 init_t:unix_dgram_socket sendto;
- ')
+ ps_process_pattern($1, init_t)
+ allow $1 init_t:process signal;
+ # upstart uses a datagram socket instead of initctl pipe
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ #576913
+ allow $1 init_t:unix_stream_socket connectto;
')

########################################
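Review bot: `corecmd_exec_bin($1)` grants every `init_telinit` caller execute on all bin_t programs, far wider than telinit itself, and `init_exec($1)` below it already covers the init binary; the reason for the broad grant should be stated or the line dropped. The rules that were under `tunable_policy(`init_upstart')` are now unconditional, so every caller gets `sendto` to init_t's dgram socket and `connectto` to its stream socket on any init system, while the comment above them still says they are for upstart; rewrite it to describe what systemd's telinit actually does. `#576913` is a bare number, so spell out the tracker, e.g. `# <tracker> #576913: telinit connects to init's stream socket`, so the reference survives.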
@@ -1217,7 +1246,7 @@ interface(`init_telinit',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1332,6 +1361,36 @@ interface(`init_domtrans_script',`

########################################
## <summary>
+## Execute labelled init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_domtrans_labelled_script',`
+ gen_require(`
+ type initrc_t;
+ attribute init_script_file_type;
+ attribute initrc_transition_domain;
+ ')
+ typeattribute $1 initrc_transition_domain;
+
+ files_list_etc($1)
+ domtrans_pattern($1, init_script_file_type, initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 init_script_file_type:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
## Execute a init script in a specified domain.
## </summary>
## <desc>
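Review bot: `init_domtrans_labelled_script` appears to duplicate `init_domtrans_script`, which sits directly above this hunk and, as far as I recall refpolicy of this version, already does the `files_list_etc`, `domtrans_pattern` and both `range_transition` lines; the only new behaviour here is `typeattribute $1 initrc_transition_domain;`. If that is the intent, adding the typeattribute to the existing interface, as this patch does for `init_labeled_script_domtrans` a hunk later, avoids two interfaces with near-identical names and bodies. The new name also spells it `labelled` while the existing interface is `init_labeled_script_domtrans`; pick one spelling.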
@@ -1402,8 +1461,10 @@ interface(`init_manage_script_service',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
+ attribute initrc_transition_domain;
')

+ typeattribute $1 initrc_transition_domain;
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
@@ -1536,9 +1597,10 @@ interface(`init_run_daemon',`
interface(`init_startstop_all_script_services',`
gen_require(`
attribute init_script_file_type;
+ class service { start status stop reload };
')

- allow $1 init_script_file_type:service { start status stop };
+ allow $1 init_script_file_type:service { start status stop reload };
')

########################################
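Review bot: Requiring `class service { start status stop reload };` inside an interface gen_require is unusual for refpolicy, where object classes are declared once in the kernel layer and interfaces only require types and attributes; if the build already has the permission the line is noise, and if it does not, a per-interface require will not create it. The interface name and summary (outside the hunk) still describe start/status/stop, so `reload` should be mentioned there too.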
@@ -1746,12 +1808,7 @@ interface(`init_read_script_state',`
')

kernel_search_proc($1)
- read_files_pattern($1, initrc_t, initrc_t)
- read_lnk_files_pattern($1, initrc_t, initrc_t)
- list_dirs_pattern($1, initrc_t, initrc_t)
-
- # should move this to separate interface
- allow $1 initrc_t:process getattr;
+ ps_process_pattern($1, initrc_t)
')

########################################
@@ -2335,7 +2392,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')

- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
')

########################################
@@ -2376,6 +2433,44 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')

+#######################################
+## <summary>
+## Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+ create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+## Rename and unlink init_var_run_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## domain
+## </summary>
+## </param>
+#
+interface(`init_delete_pid_files',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ delete_files_pattern($1, init_var_run_t, init_var_run_t)
+ rename_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
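Review bot: The parameter summary of `init_delete_pid_files` is just `domain`, unlike the `Domain allowed access.` wording used by `init_create_pid_dirs` directly above and throughout init.if; make it consistent. Both interfaces operate on init_var_run_t, i.e. the /run/systemd tree that the manager itself maintains, so a sentence in each description that callers are touching init's own runtime state rather than generic pid files would help reviewers of future callers. The header rule of `init_create_pid_dirs` is also one `#` short of the file's 40.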
@@ -2550,6 +2645,43 @@ interface(`init_start_all_units',`
allow $1 systemdunit:service start;
')

+#######################################
+## <summary>
+## Allow the specified domain to write to
+## init sock file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_pid_pipes',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
########################################
## <summary>
## Stop all systemd units.
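Review bot: `init_write_pid_socket` grants `write` on init_var_run_t sock_files but its summary only says "init sock file"; init.te calls it for /var/run/systemd/notify, so the summary should name that, e.g. `## Write to init's notify socket (/run/systemd/notify).`. Callers also need `sendto` on init_t's unix_dgram_socket for sd_notify to actually work, which the interface does not grant; a note in the description stops it being called on its own and then "not working".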
Index: refpolicy-2.20170221/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/init.te
+++ refpolicy-2.20170221/policy/modules/system/init.te
@@ -16,13 +16,22 @@ gen_require(`
## </desc>
gen_tunable(init_upstart, false)

+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(init_daemons_use_tty, false)
+
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
attribute systemdunit;
+attribute initrc_transition_domain;

# Mark process types as daemons
attribute daemon;
+attribute systemprocess;

# Mark file type as a daemon pid file
attribute daemonpidfile;
@@ -33,7 +42,7 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
-type init_t;
+type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
@@ -66,6 +75,7 @@ type initrc_exec_t, init_script_file_typ
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
init_named_socket_activation(initrc_t, init_var_run_t)
+allow init_run_all_scripts_domain systemdunit:service { status start stop };
role system_r types initrc_t;
# should be part of the true block
# of the below init_upstart tunable
@@ -110,6 +120,7 @@ ifdef(`enable_mls',`

# Use capabilities. old rule:
allow init_t self:capability ~sys_module;
+allow init_t self:capability2 { wake_alarm block_suspend };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -128,6 +139,9 @@ allow init_t initrc_t:unix_stream_socket
allow init_t init_var_run_t:file manage_file_perms;
files_pid_filetrans(init_t, init_var_run_t, file)

+# for systemd to manage service file symlinks
+allow init_t init_var_run_t:file manage_lnk_file_perms;
+
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)

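Review bot: `allow init_t init_var_run_t:file manage_lnk_file_perms;` uses the `file` class with the symlink permission set, so it does not grant what the comment says; the symlink rule would be `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;`. That access is already provided by `manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)` inside the init_systemd block later in the file, so the line can simply be dropped rather than fixed.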
@@ -147,6 +161,7 @@ dev_rw_generic_chr_files(init_t)

domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
+domain_getattr_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
@@ -199,6 +214,12 @@ ifdef(`init_systemd',`
# handle instances where an old labeled init script is encountered.
typeattribute init_t init_run_all_scripts_domain;

+ allow init_t systemprocess:process { dyntransition siginh };
+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+ allow systemprocess init_t:unix_dgram_socket sendto;
+ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
allow init_t self:capability2 { audit_read block_suspend };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
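Review bot: `allow init_t systemprocess:process { dyntransition siginh };` lets init_t enter any systemprocess domain without an exec, bypassing the entrypoint check that `init_system_domain`'s `domain_entry_file` would otherwise enforce, and every domain created through that interface now gets it; a comment should say which systemd path needs a dynamic rather than an exec transition. The stream-socket rule uses the explicit set `{ append write read getattr ioctl }`, which the next hunk repeats for daemon; a shared permission set (for example `rw_socket_perms`, if its extra permissions are acceptable) keeps the two in step.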
@@ -206,6 +227,13 @@ ifdef(`init_systemd',`
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;

+ allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+ allow init_t daemon:unix_dgram_socket create_socket_perms;
+ allow init_t daemon:tcp_socket create_stream_socket_perms;
+ allow init_t daemon:udp_socket create_socket_perms;
+ allow daemon init_t:unix_dgram_socket sendto;
+
+ allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
@@ -269,6 +297,9 @@ ifdef(`init_systemd',`
# for network namespaces
fs_read_nsfs_files(init_t)

+ # need write to /var/run/systemd/notify
+ init_write_pid_socket(daemon)
+
# systemd_socket_activated policy
mls_socket_write_all_levels(init_t)

@@ -355,6 +386,11 @@ optional_policy(`
')

optional_policy(`
+ udev_read_db(init_t)
+ udev_relabelto_db(init_t)
+')
+
+optional_policy(`
unconfined_domain(init_t)
')

@@ -403,11 +439,14 @@ manage_fifo_files_pattern(initrc_t, init
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)

+allow initrc_t daemon:process siginh;
+
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;

manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -450,6 +489,7 @@ corenet_sendrecv_all_client_packets(init

dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
@@ -460,8 +500,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -469,17 +511,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)

domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
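Review bot: `domain_sigstop_all_domains(initrc_t)` is added directly below an identical existing line, so the new line is a duplicate and should be removed. `dev_rw_generic_chr_files(initrc_t)` is removed here with its `# Early devtmpfs` comment but re-added without it in the previous hunk, which is a pure move that loses the explanation; keep the comment with the rule. The new `dev_rw_xserver_misc(initrc_t)` and the dropped `domain_dontaudit_ptrace_all_domains(initrc_t)` are unexplained; a one-line reason for each helps later audits.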
@@ -487,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)

files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
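Review bot: `domain_obj_id_change_exemption(initrc_t)` exempts init scripts from the constraint that stops a process changing the SELinux user of objects it relabels, which is a policy-wide escape hatch rather than an ordinary allow rule. It deserves a comment naming the script that trips the constraint, and ideally the exemption goes to that script's own domain instead of the generic initrc_t.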
@@ -494,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
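Review bot: Three of these lines widen initrc_t considerably without a comment: `files_manage_all_locks` replaces delete-only access, `files_manage_boot_files` lets init scripts rewrite /boot, and `files_delete_root_files` lets them unlink files directly under /. Init scripts in refpolicy are meant to be a thin launcher, so each should either carry a `# <service>: needs <access> because <reason>` comment or move to the domain of the service that needs it.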
@@ -509,8 +553,12 @@ files_manage_generic_spool(initrc_t)
# cjp: not sure why these are here; should use mount policy
files_list_default(initrc_t)
files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)

-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -520,9 +568,13 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)

# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)

@@ -532,6 +584,7 @@ mls_process_read_all_levels(initrc_t)
mls_process_write_all_levels(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)

selinux_get_enforce_mode(initrc_t)

@@ -550,6 +603,11 @@ auth_delete_pam_pid(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)

+init_get_system_status(initrc_t)
+init_stream_connect(initrc_t)
+init_start_all_units(initrc_t)
+init_stop_all_units(initrc_t)
+
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
libs_exec_ld_so(initrc_t)
@@ -563,7 +621,7 @@ logging_read_audit_config(initrc_t)

miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)

seutil_read_config(initrc_t)

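Review bot: `miscfiles_manage_generic_cert_files(initrc_t)` turns read access into full management of the system certificate store, while the comment above it still says `slapd needs to read cert files from its initscript`; the comment and the rule now disagree. If a script really has to write certificates, say which one and why in the comment; otherwise keep `miscfiles_read_generic_certs(initrc_t)`, since write access to trust anchors from every init script is far wider than the stated need.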
@@ -571,7 +629,7 @@ userdom_read_user_home_content_files(ini
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)

ifdef(`distro_debian',`
kernel_getattr_core_if(initrc_t)
@@ -643,6 +701,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)

optional_policy(`
+ abrt_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
alsa_read_lib(initrc_t)
')

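Review bot: The hunk header places this `abrt_manage_pid_files(initrc_t)` block inside `ifdef(`distro_gentoo')`, and a second copy is added inside `ifdef(`distro_redhat')` in a later hunk; abrt is a Red Hat component, so the Gentoo copy looks like a misplaced duplicate and should be dropped. The enclosing ifdef starts outside this hunk, so please confirm which block this lands in.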
@@ -663,7 +725,7 @@ ifdef(`distro_redhat',`

# Red Hat systems seem to have a stray
# fd open from the initrd
- kernel_dontaudit_use_fds(initrc_t)
+ kernel_use_fds(initrc_t)
files_dontaudit_read_root_files(initrc_t)

# These seem to be from the initrd
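Review bot: Replacing `kernel_dontaudit_use_fds(initrc_t)` with `kernel_use_fds(initrc_t)` turns a deliberate dontaudit into an allow; the comment above (`stray fd open from the initrd`) describes a leak the policy chose to silence, not an access anything needs. If some init script actually has to use the inherited kernel fd, the comment should say which one; otherwise the dontaudit was the safer choice.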
@@ -698,6 +760,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
+ miscfiles_filetrans_named_content(initrc_t)

miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -707,8 +770,35 @@ ifdef(`distro_redhat',`
')

optional_policy(`
+ abrt_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
bind_manage_config_dirs(initrc_t)
+ bind_manage_config(initrc_t)
bind_write_config(initrc_t)
+ bind_setattr_zone_dirs(initrc_t)
+ ')
+
+ optional_policy(`
+ devicekit_append_inherited_log_files(initrc_t)
+ ')
+
+ optional_policy(`
+ dirsrvadmin_read_config(initrc_t)
+ dirsrv_manage_var_run(initrc_t)
+ ')
+
+ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
+ ')
+
+ optional_policy(`
+ ldap_read_db_files(initrc_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_stream_connect(initrc_t)
')

optional_policy(`
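Review bot: The `optional_policy` block holding `dirsrvadmin_read_config(initrc_t)` and `dirsrv_manage_var_run(initrc_t)` mixes two modules, so the whole block is dropped if either module is absent; refpolicy keeps one module per optional_policy, so split it in two. `gnome_manage_gconf_config(initrc_t)` and `pulseaudio_stream_connect(initrc_t)` are desktop-session accesses for the init-script domain; a comment naming the script that needs each would justify keeping them in the Red Hat block.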
@@ -716,14 +806,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
+ optional_policy(`
+ rpcbind_stream_connect(initrc_t)
+ ')

optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
sysnet_manage_config(initrc_t)
+ sysnet_manage_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_net_conf(initrc_t)
+ sysnet_relabelto_net_conf(initrc_t)
+ sysnet_filetrans_named_content(initrc_t)
+ ')
+
+ optional_policy(`
+ wdmd_manage_pid_files(initrc_t)
')

optional_policy(`
xserver_delete_log(initrc_t)
+ xserver_manage_user_fonts_dir(initrc_t)
')
')

@@ -735,6 +838,20 @@ ifdef(`distro_suse',`
')

ifdef(`init_systemd',`
+ allow init_t self:system { status reboot halt reload };
+
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate setrlimit };
+ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # Until systemd is fixed
+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+ allow init_t self:udp_socket create_socket_perms;
+ allow init_t self:netlink_route_socket create_netlink_socket_perms;
+ allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+ allow initrc_t init_t:system { status reboot halt reload };
+ allow init_t self:capability2 audit_read;
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
files_lock_filetrans(initrc_t, initrc_lock_t, file)

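Review bot: Several of these lines repeat rules already present in the other `ifdef(`init_systemd')` block earlier in init.te: `setsockcreate setfscreate setrlimit getcap setcap` are in the `self:process` rule there, `audit_read` is in its `self:capability2` rule, and `netlink_kobject_uevent_socket create_socket_perms` is there as well, while `block_suspend` is now granted both there and by the new unconditional `capability2 { wake_alarm block_suspend }` line. `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };` gives every daemon read/write/setopt on every socket class init_t owns, and `# Until systemd is fixed` does not say what is broken; reference the upstream issue and, if possible, narrow the class set to the socket-activation classes actually observed. `allow initrc_t init_t:system { status reboot halt reload };` sits among init_t self rules and would read better next to the other initrc_t rules below.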
@@ -746,11 +863,25 @@ ifdef(`init_systemd',`
files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)

create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+ allow initrc_t systemd_unit_t:service reload;

manage_files_pattern(initrc_t, systemdunit, systemdunit)
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+ allow initrc_t systemdunit:service reload;
+ allow initrc_t init_script_file_type:service { stop start status reload };

kernel_dgram_send(initrc_t)
+ kernel_list_unlabeled(init_t)
+ kernel_read_network_state(init_t)
+ kernel_rw_kernel_sysctl(init_t)
+ kernel_rw_net_sysctls(init_t)
+ kernel_read_all_sysctls(init_t)
+ kernel_read_software_raid_state(init_t)
+ kernel_unmount_debugfs(init_t)
+ kernel_setsched(init_t)
+
+ auth_relabel_login_records(init_t)
+ auth_relabel_pam_console_data_dirs(init_t)

# run systemd misc initializations
# in the initrc_t domain, as would be
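Review bot: `allow initrc_t init_script_file_type:service { stop start status reload };` hand-codes what `init_startstop_all_script_services(initrc_t)` provides once this patch extends that interface with `reload`, so the interface call is preferable here. `allow initrc_t systemd_unit_t:service reload;` is presumably covered by the `systemdunit` rule three lines below if systemd_unit_t carries that attribute, which I could not confirm from the hunk. The run of `kernel_*` calls on init_t (including `kernel_rw_kernel_sysctl` and `kernel_read_all_sysctls`) has no comment on which systemd feature needs each.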
@@ -760,34 +891,90 @@ ifdef(`init_systemd',`
corecmd_bin_domtrans(init_t, initrc_t)
corecmd_shell_domtrans(init_t, initrc_t)

- files_read_boot_files(initrc_t)
+ dev_write_kmsg(init_t)
+ dev_write_urand(init_t)
+ dev_rw_lvm_control(init_t)
+ dev_rw_autofs(init_t)
+ dev_manage_generic_symlinks(init_t)
+ dev_manage_generic_dirs(init_t)
+ dev_manage_generic_files(init_t)
+ dev_manage_null_service(initrc_t)
+ dev_read_generic_chr_files(init_t)
+ dev_relabel_generic_dev_dirs(init_t)
+ dev_relabel_all_dev_nodes(init_t)
+ dev_relabel_all_dev_files(init_t)
+ dev_manage_sysfs_dirs(init_t)
+ dev_relabel_sysfs_dirs(init_t)
+ # systemd writes to /dev/watchdog on shutdown
+ dev_write_watchdog(init_t)
+
# Allow initrc_t to check /etc/fstab "service." It appears that
# systemd is conflating files and services.
+ files_create_all_pid_pipes(init_t)
+ files_create_all_pid_sockets(init_t)
+ files_create_all_spool_sockets(init_t)
+ files_create_lock_dirs(init_t)
+ files_delete_all_pids(init_t)
+ files_delete_all_spool_sockets(init_t)
+ files_exec_generic_pid_files(init_t)
files_get_etc_unit_status(initrc_t)
+ files_list_locks(init_t)
+ files_list_spool(init_t)
+ files_list_var(init_t)
+ files_manage_all_pid_dirs(init_t)
+ files_manage_generic_tmp_dirs(init_t)
+ files_manage_urandom_seed(init_t)
+ files_mounton_all_mountpoints(init_t)
+ files_read_boot_files(initrc_t)
+ files_relabel_all_lock_dirs(init_t)
+ files_relabel_all_pid_dirs(init_t)
+ files_relabel_all_pid_files(init_t)
+ files_search_all(init_t)
files_setattr_pid_dirs(initrc_t)
+ files_unmount_all_file_type_fs(init_t)

- selinux_set_enforce_mode(initrc_t)
+ fs_getattr_all_fs(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_manage_cgroup_dirs(init_t)
+ fs_manage_cgroup_files(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_manage_tmpfs_dirs(init_t)
+ fs_mount_all_fs(init_t)
+ fs_remount_all_fs(init_t)
+ fs_unmount_all_fs(init_t)
+ fs_search_cgroup_dirs(daemon)

- init_stream_connect(initrc_t)
+ init_get_all_units_status(initrc_t)
init_manage_var_lib_files(initrc_t)
+ init_read_script_state(init_t)
init_rw_stream_sockets(initrc_t)
- init_get_all_units_status(initrc_t)
init_stop_all_units(initrc_t)
+ init_stream_connect(initrc_t)

# Create /etc/audit.rules.prev after firstboot remediation
logging_manage_audit_config(initrc_t)

+ selinux_compute_create_context(init_t)
+ selinux_set_enforce_mode(initrc_t)
+ selinux_unmount_fs(init_t)
+ selinux_validate_context(init_t)
# lvm2-activation-generator checks file labels
seutil_read_file_contexts(initrc_t)
+ seutil_read_file_contexts(init_t)

+ storage_getattr_removable_dev(init_t)
+ systemd_manage_all_units(init_t)
systemd_start_power_units(initrc_t)

+ term_relabel_ptys_dirs(init_t)
+
optional_policy(`
# create /var/lock/lvm/
lvm_create_lock_dirs(initrc_t)
')
')

+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
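Review bot: The alphabetised runs of `dev_*`, `files_*` and `fs_*` calls now interleave three subjects (init_t, initrc_t and daemon, e.g. `fs_search_cgroup_dirs(daemon)` among init_t rules), and the existing comment `Allow initrc_t to check /etc/fstab "service."` is left above a block of init_t calls while the line it describes, `files_get_etc_unit_status(initrc_t)`, now sits in the middle of them; grouping by subject, or at least moving the comment next to its rule, keeps this reviewable. `dev_relabel_all_dev_nodes(init_t)`, `files_mounton_all_mountpoints(init_t)`, `files_unmount_all_file_type_fs(init_t)` and `systemd_manage_all_units(init_t)` are each a broad capability and merit a one-line reason like the existing `# systemd writes to /dev/watchdog on shutdown`. The enclosing `ifdef(`init_systemd')` block starts outside this hunk.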
@@ -800,6 +987,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
+ # webmin seems to cause this.
+ apache_search_sys_content(daemon)
')

optional_policy(`
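Review bot: `apache_search_sys_content(daemon)` grants every daemon domain search on apache's system content because, per the comment, `webmin seems to cause this`; a symptom in one program should be addressed in that program's domain rather than on the `daemon` attribute, which touches every confined service. Suggest moving the rule to the domain webmin runs in and dropping it here.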
@@ -821,6 +1010,7 @@ optional_policy(`

optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
+ domain_setpriority_all_domains(initrc_t)
')

optional_policy(`
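Review bot: `domain_setpriority_all_domains(initrc_t)` is placed inside the `optional_policy` block whose only other line is `cgroup_stream_connect_cgred(initrc_t)`, so the rule silently disappears when the cgroup module is not built although it depends only on the base domain module. If init scripts need setpriority regardless of cgroup, move it out of the optional block; if it is specifically for cgred, say so in a comment.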
@@ -837,6 +1027,12 @@ optional_policy(`
')

optional_policy(`
+ cron_read_pipes(initrc_t)
+ # managing /etc/cron.d/mailman content
+ cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
dev_getattr_printer_dev(initrc_t)

cups_read_log(initrc_t)
@@ -853,9 +1049,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
+ dbus_manage_lib_files(initrc_t)
+
+ init_dbus_chat(initrc_t)

optional_policy(`
consolekit_dbus_chat(initrc_t)
+ consolekit_manage_log(initrc_t)
')

optional_policy(`
@@ -897,6 +1097,11 @@ optional_policy(`
')

optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
inn_exec_config(initrc_t)
')

@@ -937,6 +1142,7 @@ optional_policy(`
lpd_list_spool(initrc_t)

lpd_read_config(initrc_t)
+ lpd_manage_spool(init_t)
')

optional_policy(`
@@ -960,6 +1166,7 @@ optional_policy(`

optional_policy(`
mta_read_config(initrc_t)
+ mta_write_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')

@@ -982,6 +1189,10 @@ optional_policy(`
')

optional_policy(`
+ plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -994,6 +1205,7 @@ optional_policy(`
puppet_rw_tmp(initrc_t)
')

+
optional_policy(`
quota_manage_flags(initrc_t)
')
@@ -1024,8 +1236,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)

- # why is this needed:
- rpm_manage_db(initrc_t)
')

optional_policy(`
@@ -1043,10 +1253,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')

+ifdef(`enabled_mls',`
optional_policy(`
# allow init scripts to su
su_restricted_domain_template(initrc, initrc_t, system_r)
')
+')

optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
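Review bot: `ifdef(`enabled_mls',` at the top of this hunk is spelled differently from the `enable_mls` macro used everywhere else in the patch (init.if and init.te both test `enable_mls`), so the condition is never true and the `su_restricted_domain_template(initrc, initrc_t, system_r)` block is silently compiled out on every build. Fix the spelling to `ifdef(`enable_mls',`, and if the intent really was to drop su from init scripts on non-MLS builds, say so in a comment, because that is a behaviour change rather than a cleanup.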
@@ -1062,7 +1274,6 @@ optional_policy(`
')

optional_policy(`
- udev_rw_db(initrc_t)
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
@@ -1079,6 +1290,10 @@ optional_policy(`

optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
+ mcs_file_read_all(initrc_t)
+ mcs_file_write_all(initrc_t)
+ mcs_killall(initrc_t)

ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
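Review bot: `mcs_file_read_all(initrc_t)`, `mcs_file_write_all(initrc_t)` and `mcs_killall(initrc_t)` are added inside the unconfined `optional_policy`, but the same three calls are unconditional earlier in init.te (the first two added by this patch, `mcs_killall` pre-existing), so the additions here are redundant. If the MCS override is meant to apply only to unconfined builds, the unconditional copies are the ones to remove; otherwise drop these. `domain_role_change_exemption(initrc_t)` is a constraint exemption and should carry a comment naming the script that needs a role change.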
@@ -1088,6 +1303,15 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
+
+ optional_policy(`
+ rtkit_scheduled(initrc_t)
+ ')
+')
+
+optional_policy(`
+ rpm_read_db(initrc_t)
+ rpm_delete_db(initrc_t)
')

optional_policy(`
@@ -1113,3 +1337,152 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
+
+########################################
+#
+# Rules applied to all daemons
+#
+
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
+
+domain_dontaudit_use_interactive_fds(daemon)
+init_rw_script_stream_sockets(daemon)
+init_rw_stream_sockets(daemon)
+logging_append_all_inherited_logs(daemon)
+userdom_dontaudit_rw_stream(daemon)
+
+tunable_policy(`init_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ term_use_all_ttys(daemon)
+ term_use_all_ptys(daemon)
+',`
+ term_dontaudit_use_unallocated_ttys(daemon)
+ term_dontaudit_use_generic_ptys(daemon)
+ term_dontaudit_use_all_ttys(daemon)
+ term_dontaudit_use_all_ptys(daemon)
+ ')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+ unconfined_dontaudit_rw_stream_sockets(daemon)
+')
+
+optional_policy(`
+ userdom_dontaudit_read_user_tmp_files(daemon)
+ userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
+optional_policy(`
+ # sudo service restart causes this
+ unconfined_signull(daemon)
+')
+
+optional_policy(`
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(daemon)
+ ')
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(daemon)
+ ')
+')
+
+optional_policy(`
+ abrt_stream_connect(daemon)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
+
+allow init_t var_run_t:dir relabelto;
+
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+')
+
+optional_policy(`
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
+')
+
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
+optional_policy(`
+ systemd_passwd_runtime_dirs(init_t)
+')
+
+optional_policy(`
+ lvm_rw_inherited_runtime_pipes(init_t)
+')
+
+# daemons started from init will
+# inherit fds from init for the console
+init_dontaudit_use_fds(daemon)
+term_dontaudit_use_console(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+allow init_t daemon:process siginh;
+
+optional_policy(`
+ nscd_socket_use(daemon)
+')
+
+optional_policy(`
+ puppet_rw_tmp(daemon)
+')
+
+allow initrc_t systemprocess:process siginh;
+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow systemprocess initrc_transition_domain:fd use;
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+userdom_dontaudit_search_user_home_dirs(systemprocess)
+userdom_dontaudit_rw_stream(systemprocess)
+userdom_dontaudit_write_user_tmp_files(systemprocess)
+
+tunable_policy(`init_daemons_use_tty',`
+ term_use_all_ttys(systemprocess)
+ term_use_all_ptys(systemprocess)
+',`
+ term_dontaudit_use_all_ttys(systemprocess)
+ term_dontaudit_use_all_ptys(systemprocess)
+')
+
+# these apps are often redirect output to random log files
+logging_append_all_inherited_logs(systemprocess)
+
+optional_policy(`
+ abrt_stream_connect(systemprocess)
+')
+
+optional_policy(`
+ cron_rw_pipes(systemprocess)
+')
+
+optional_policy(`
+ puppet_rw_tmp(systemprocess)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(systemprocess)
+ unconfined_dontaudit_rw_stream_sockets(systemprocess)
+ userdom_dontaudit_read_user_tmp_files(systemprocess)
+')
+
+init_rw_script_stream_sockets(systemprocess)
+
+role system_r types systemprocess;
+role system_r types daemon;
+
+#ifdef(`enable_mls',`
+# mls_rangetrans_target(systemprocess)
+#')
+
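Review bot: The section headed `Rules applied to all daemons` also carries unconditional init_t rules, and `storage_raw_rw_fixed_disk(init_t)` in particular grants raw read/write on fixed disks to PID 1 outside any `ifdef(`init_systemd')` and without a comment; raw block access is broad enough that it should be gated on systemd and annotated with the feature it serves, e.g. `# <feature>: needs raw disk access because <reason>` until known. `allow init_t var_run_t:dir relabelto;`, `auth_rw_login_records(init_t)`, `allow init_t daemon:process siginh;` and the init_t optional_policy blocks belong with the other init_t rules rather than under the daemon heading. The commented-out `#ifdef(`enable_mls'` block at the end should either be removed or explained, since dead policy text tends to get copied forward. The `')` closing the `init_daemons_use_tty` else-branch appears indented unlike the other closers, though whitespace in this mail rendering is unreliable.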
Index: refpolicy-2.20170221/policy/modules/system/logging.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/logging.fc
+++ refpolicy-2.20170221/policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)

/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
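Review bot: The new `/var/run/systemd/journal/stdout` entry spells the runtime directory differently from the `/run/systemd/...` entries systemd.fc adds in this same patch; unless a file-context equivalence rule maps one prefix to the other on every target distribution, the two spellings should agree so the socket is actually labelled. Giving the journal's stdout socket devlog_t at mls_systemhigh mirrors the `/dev/log` line above it, which looks intentional.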
@@ -80,3 +81,10 @@ ifdef(`distro_redhat',`
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)

/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
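Review bot: The zimbra, Symantec and centreon log-directory contexts have nothing to do with systemd and make a patch described as "Make systemd work" harder to review and to bisect later; they belong in a separate change with their own justification. Only the `systemd-kmsg-syslogd` line belongs in this hunk, and it would read better with a short comment saying which systemd builds still ship that binary, since it is not in the file-context list for the other systemd helpers.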
Index: refpolicy-2.20170221/policy/modules/system/miscfiles.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/miscfiles.te
+++ refpolicy-2.20170221/policy/modules/system/miscfiles.te
@@ -40,6 +40,9 @@ files_type(locale_t)
#
type man_t alias catman_t;
files_type(man_t)
+optional_policy(`
+ systemd_tmpfilesd_managed(man_t, dir)
+')

type man_cache_t;
files_type(man_cache_t)
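Review bot: `systemd_tmpfilesd_managed(man_t, dir)` hands systemd_tmpfiles_t create/setattr/relabel on man_t directories unconditionally, outside the `systemd_tmpfiles_manage_all` tunable that systemd.te already declares for this kind of access. A why-comment naming the tmpfiles.d entry that needs it, e.g. `# tmpfiles.d creates and relabels man page dirs of this type`, would let a reviewer judge whether an unconditional grant is warranted or whether the tunable should cover it.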
Index: refpolicy-2.20170221/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170221/policy/modules/system/logging.te
@@ -94,6 +94,9 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')

+ifdef(`init_systemd', `
+')
+
########################################
#
# Auditctl local policy
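Review bot: The ifdef block for init_systemd added just before the Auditctl section is empty, so it contributes nothing and will make the next reader suspect that a rule was lost in a rebase. Either drop the three added lines or move the systemd-only syslogd rules that this patch adds further down in the file into it.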
@@ -396,6 +399,9 @@ allow syslogd_t syslog_conf_t:file read_
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
+
+seutil_read_config(syslogd_t)

# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
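Review bot: `init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")` and `seutil_read_config(syslogd_t)` are added unconditionally and without a comment, although the "dev-log" name appears to be the journal's socket under the init pid directory, which only exists on systemd systems. Consider moving the filetrans into the init_systemd block later in this file and giving seutil_read_config a one-line reason stating which component reads the SELinux configuration, so the grant can be revisited rather than inherited.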
@@ -405,6 +411,9 @@ files_search_spool(syslogd_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };

+# for systemd but can not be conditional
+files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+
# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
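Review bot: The comment `# for systemd but can not be conditional` says the rule cannot be conditional but not why, and the next reader will try to wrap it in the init_systemd block anyway. The rule also labels a directory named "log" created under the pid directory as syslogd_tmp_t, which looks like it would make /run/log — the parent of the /var/run/log/journal path that systemd.fc in this patch labels systemd_journal_t — temp data; if that is intended, the comment should state both the constraint and the expected parent type, e.g. `# /run/log is created by syslogd before journald; a name-based filetrans cannot sit under ifdef here because ...`.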
@@ -416,6 +425,7 @@ files_search_var_lib(syslogd_t)
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;

kernel_read_system_state(syslogd_t)
kernel_read_network_state(syslogd_t)
@@ -503,19 +513,31 @@ userdom_dontaudit_use_unpriv_user_fds(sy
userdom_dontaudit_search_user_home_dirs(syslogd_t)

ifdef(`init_systemd',`
- # systemd-journald permissions
-
- allow syslogd_t self:capability { chown setgid setuid };
+ # for systemd-journal
+ allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+ allow syslogd_t self:capability2 audit_read;
+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+ allow syslogd_t init_var_run_t:file { read write create open };
+ allow syslogd_t var_run_t:dir create;

- kernel_use_fds(syslogd_t)
kernel_getattr_dgram_sockets(syslogd_t)
- kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_read_ring_buffer(syslogd_t)
kernel_rw_stream_sockets(syslogd_t)
+ kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_use_fds(syslogd_t)

+ dev_read_kmsg(syslogd_t)
+ dev_read_urand(syslogd_t)
+ dev_write_kmsg(syslogd_t)
+ domain_read_all_domains_state(syslogd_t)
+ init_create_pid_dirs(syslogd_t)
init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+ init_delete_pid_files(syslogd_t)
init_dgram_send(syslogd_t)
-
+ init_read_pid_pipes(syslogd_t)
+ init_read_state(syslogd_t)
+ systemd_manage_journal_files(syslogd_t)
udev_read_pid_files(syslogd_t)
')
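Review bot: `allow syslogd_t init_var_run_t:file { read write create open };` and `allow syslogd_t var_run_t:dir create;` are raw rules on types owned by the init and files modules; refpolicy's convention is to reach those types only through the owning module's interfaces, as the neighbouring `init_create_pid_dirs`/`init_delete_pid_files` calls do, so these two should become interface calls or get new interfaces. The new `sys_ptrace` capability together with `domain_read_all_domains_state(syslogd_t)` lets syslogd_t read the state of every domain on the system, a large widening that deserves a comment naming the journald feature that needs it (presumably reading loggers' /proc entries for message metadata) so it can be narrowed later. Mixing the re-sort of existing lines with the new rules also hides which lines are actually new; a separate reorder commit would make this hunk reviewable.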

Index: refpolicy-2.20170221/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170221/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`

########################################
## <summary>
+## Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
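Review bot: The summary `Allow full relabeling (to and from) of all device files.` overstates what `relabel_files_pattern($1, device_t, device_t)` grants: that pattern covers only the `file` class plus directory search, not the chr_file or blk_file device nodes that the existing dev_relabel_all_dev_nodes above is for. Suggest `## Relabel regular files in the device directory (device_t); device nodes are covered by dev_relabel_all_dev_nodes.` so callers do not pick this interface expecting node relabeling.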
@@ -4225,6 +4244,24 @@ interface(`dev_relabel_all_sysfs',`
')

########################################
+## <summary>
+## Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
## <summary>
## Read and write the TPM device.
## </summary>
Index: refpolicy-2.20170221/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170221/policy/modules/system/logging.if
@@ -822,6 +822,24 @@ interface(`logging_append_all_logs',`

########################################
## <summary>
+## Append to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_append_all_inherited_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
+## <summary>
## Read all log files.
## </summary>
## <param name="domain">
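Review bot: The summary `Append to all log files.` is identical to the one on the logging_append_all_logs interface this hunk is inserted after, so the two cannot be told apart in generated documentation. The allow rule deliberately omits `open` and grants no directory search, meaning it only works on already-inherited descriptors; say so: `## Append to inherited file descriptors of all log files (no open or directory search).`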
Index: refpolicy-2.20170221/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170221/policy/modules/system/userdomain.if
@@ -1111,6 +1111,10 @@ template(`userdom_unpriv_user_template',
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1_t)
+ ')
')

#######################################
@@ -3231,6 +3235,35 @@ interface(`userdom_use_user_ptys',`

########################################
## <summary>
+## Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write inherited user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
## Read and write a user TTYs and PTYs.
## </summary>
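Review bot: The summary `Read and write a inherited user TTYs and PTYs.` has a grammar slip, and the `<desc>` block was copied from the non-inherited variant: it promises the domain can "interact with the user via the terminal", but `rw_inherited_term_perms` omits open, so only descriptors passed in from a parent work. Suggest `## Read and write inherited user TTYs and PTYs.` and a desc sentence such as `The terminal must already be open and inherited from the caller; this does not allow opening user terminals.`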
## <desc>
@@ -3835,3 +3868,41 @@ interface(`userdom_dbus_send_all_users',

allow $1 userdomain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_stream',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
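Review bot: The summary of userdom_dontaudit_rw_stream misspells "unserdomain", and the interface name drops the `_sockets` suffix that the parallel unconfined_dontaudit_rw_stream_sockets in this same patch uses. Renaming it `userdom_dontaudit_rw_stream_sockets` and writing `## Do not audit attempts to read and write userdomain unix stream sockets.` keeps the two consistent; the systemprocess caller in init.te would need the same rename.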
Index: refpolicy-2.20170221/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20170221/policy/modules/system/authlogin.if
@@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)

+ userdom_search_user_runtime($1)
+ userdom_read_user_tmpfs_files($1)
+
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
+
+ optional_policy(`
+ systemd_read_logind_state($1)
+ systemd_write_inherited_logind_sessions_pipes($1)
+ systemd_use_passwd_agent_fds($1)
+ ')
')

########################################
Index: refpolicy-2.20170221/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/kernel/terminal.if
+++ refpolicy-2.20170221/policy/modules/kernel/terminal.if
@@ -500,6 +500,24 @@ interface(`term_list_ptys',`

########################################
## <summary>
+## Relabel the /dev/pts directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_ptys_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
Index: refpolicy-2.20170221/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/lvm.if
+++ refpolicy-2.20170221/policy/modules/system/lvm.if
@@ -187,3 +187,21 @@ interface(`lvm_admin',`
files_search_tmp($1)
admin_pattern($1, lvm_tmp_t)
')
+
+########################################
+## <summary>
+## Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_rw_inherited_runtime_pipes',`
+ gen_require(`
+ type lvm_var_run_t;
+ ')
+
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
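Review bot: The summary `Read and write a lvm unnamed pipe.` contradicts the rule, which targets `lvm_var_run_t:fifo_file` — named pipes under lvm's runtime directory, on inherited descriptors only. Suggest `## Read and write inherited lvm runtime named pipes (fifo files).` so the name, summary and rule agree.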
Index: refpolicy-2.20170221/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170221/policy/modules/kernel/files.if
@@ -6529,6 +6529,25 @@ interface(`files_dontaudit_ioctl_all_pid

########################################
## <summary>
+## manage all pidfile directories
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+########################################
+## <summary>
## Read all process ID files.
## </summary>
## <param name="domain">
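Review bot: `manage_dirs_pattern($1,pidfile,pidfile)` omits the spaces after commas used everywhere else in this file; write `manage_dirs_pattern($1, pidfile, pidfile)`. Because the attribute covers every pid-file type, the summary should also warn that this is a sweeping grant meant for init-like domains rather than ordinary daemons, e.g. `## Create, read, write, and delete all pid file directories in /var/run. Intended for init and similar system managers only.`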
@@ -6551,6 +6570,42 @@ interface(`files_read_all_pids',`

########################################
## <summary>
+## Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Relable all pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
## Delete all process IDs.
## </summary>
## <param name="domain">
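Review bot: files_exec_generic_pid_files allows executing files labelled var_run_t, a location that is writable at runtime, in the caller's own domain; that is unusual enough that the summary should say so and callers should justify it, e.g. `## Execute generic files in /var/run in the caller domain. /var/run is writable at runtime; use only where a domain must run generated scripts from it.` The summary of files_relabel_all_pid_files in the same hunk also misspells "Relable".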
@@ -6898,3 +6953,76 @@ interface(`files_unconfined',`

typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## Create all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Create all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
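Review bot: The hunk ends with an added blank line after the files_delete_all_spool_sockets closing `')`, leaving a trailing empty line at end of file that the other .if files in this patch do not have. The four new summaries also lack the terminating period the neighbouring summaries in this file use, e.g. `## Create all pid sockets.`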
Index: refpolicy-2.20170221/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170221/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
')

files_search_pids($1)
- read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+ allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+ allow $1 systemd_logind_var_run_t:file read_file_perms;
')

######################################
@@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
allow $1 systemd_logind_t:fd use;
')

+######################################
+## <summary>
+## Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_t, systemd_sessions_var_run_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_sessions_var_run_t:fifo_file write;
+ allow systemd_logind_t $1:process signal;
+')
+
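Review bot: systemd_write_inherited_logind_sessions_pipes also contains `allow systemd_logind_t $1:process signal;`, a rule in the opposite direction that lets logind signal the caller; nothing in the name or summary conveys that, and a caller adding this interface for pipe access will not expect it. Either split the signal rule into its own interface or document it, e.g. `## Write inherited logind sessions pipes and allow logind to signal the domain.`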
########################################
## <summary>
## Send and receive messages from
@@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
')

+#######################################
+## <summary>
+## Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+## type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfilesd_managed',`
+ gen_require(`
+ type systemd_tmpfiles_t;
+ ')
+
+ allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
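Review bot: systemd_tmpfilesd_managed grants systemd_tmpfiles_t `setattr relabelfrom relabelto create` on whatever type is passed, unconditionally and independently of the systemd_tmpfiles_manage_all tunable that systemd.te declares; the summary should state that this is unconditional so callers know they are widening the tmpfiles domain in every build, e.g. `## Allow systemd_tmpfiles_t to create, setattr and relabel objects of the given type (unconditional; not gated by systemd_tmpfiles_manage_all).` The banner line above this summary is one `#` short of the width used by the other interface headers in the file, and the name says "tmpfilesd" while the domain is systemd_tmpfiles_t.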
########################################
## <summary>
## Allow process to relabel to systemd_kmod_conf_t.
@@ -136,6 +180,82 @@ interface(`systemd_relabelto_kmod_files'
')

########################################
+## <summary>
+## allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that owns the fds
+## </summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent_fds',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ ')
+
+ allow systemd_passwd_agent_t $1:fd use;
+')
+
+########################################
+## <summary>
+## Transition to systemd_passwd_var_run_t when creating dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_runtime_dirs',`
+ gen_require(`
+ type systemd_passwd_var_run_t;
+ ')
+
+ init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+ init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+## manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ manage_dirs_pattern($1, systemdunit, systemdunit)
+ manage_files_pattern($1, systemdunit, systemdunit)
+ manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+## Allow domain to create/manage systemd_journal_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_journal_files',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+ manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
## <summary>
## Allow systemd_logind_t to read process state for cgroup file
## </summary>
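Review bot: systemd_manage_journal_files requires `type systemd_logind_t;` but its body uses systemd_journal_t, so the gen_require should read `type systemd_journal_t;`; as written it only works when called from within systemd.te, and the call logging.te makes for syslogd_t in this patch would presumably fail in a modular build because the required type is never pulled in. systemd_use_passwd_agent_fds grants systemd_passwd_agent_t use of the caller's fds, the reverse of the usual `$1 ...:fd use` direction; the param summary says so, but the interface summary should make it explicit as well.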
Index: refpolicy-2.20170221/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170221/policy/modules/system/systemd.te
@@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)

+## <desc>
+## <p>
+## Allow systemd-nspawn to create a labelled namespace with the same types
+## as parent environment
+## </p>
+## </desc>
+gen_tunable(systemd_nspawn_labeled_namespace, false)
+
attribute systemd_log_parse_env_type;

type systemd_activate_t;
@@ -45,6 +53,13 @@ domain_type(systemd_cgroups_t)
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
role system_r types systemd_cgroups_t;

+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
+type systemd_journal_t;
+files_type(systemd_journal_t)
+
type systemd_cgroups_var_run_t;
files_pid_file(systemd_cgroups_var_run_t)
init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
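Review bot: systemd_notify_t is declared with init_daemon_domain but no rules for it appear anywhere in this patch, so the new domain can only do what init_daemon_domain itself grants; and systemd-notify is, as far as I know, a helper a service runs to send a readiness notification rather than a daemon started by init, which makes init_daemon_domain a questionable entry-point choice worth a comment. systemd_journal_t is declared here between the notify and cgroups types, while its `logging_log_file` attribute call is placed much later in the file; keep the declaration and its attribute together.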
@@ -57,6 +72,9 @@ type systemd_coredump_t;
type systemd_coredump_exec_t;
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)

+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
type systemd_detect_virt_t;
type systemd_detect_virt_exec_t;
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
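Review bot: systemd_coredump_var_lib_t is declared here and labelled in systemd.fc, but no rule in this patch lets systemd_coredump_t (or anything else) manage files of that type, so /var/lib/systemd/coredump becomes unwritable by the coredump handler once the label applies. Presumably a `manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)` plus an init_var_lib_filetrans was intended; if it is in a part of the patch I cannot see, a pointer in the description would help.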
@@ -85,9 +103,18 @@ type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)

+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+kernel_unconfined(systemd_nspawn_t)
+
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)

type systemd_resolved_t;
type systemd_resolved_exec_t;
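Review bot: `kernel_unconfined(systemd_nspawn_t)` makes the nspawn domain kernel-unconfined unconditionally, the single largest grant in this patch, while the systemd_nspawn_labeled_namespace tunable added at the top of the file is not referenced by any tunable_policy block I can see. Since kernel_unconfined assigns an attribute, it cannot be placed under a boolean, which presumably is why it is unconditional; a comment stating that and which operations nspawn actually needs from the unconfined set would let the grant be narrowed later, and the tunable either needs a consumer or should go. `init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)` has no name argument, so every directory nspawn creates under the init pid dir gets this type; passing `"nspawn"` matches the /run/systemd/nspawn context in systemd.fc.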
@@ -108,6 +135,9 @@ type systemd_passwd_agent_t;
type systemd_passwd_agent_exec_t;
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)

+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
type systemd_sessions_t;
type systemd_sessions_exec_t;
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -122,6 +152,12 @@ type systemd_kmod_conf_t;
files_config_file(systemd_kmod_conf_t)
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)

+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+logging_log_file(systemd_journal_t)
+
#
# Unit file types
#
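Review bot: The tmpfiles rules for systemd_journal_t are unconditional although the file already declares systemd_tmpfiles_manage_all to gate this class of access, and they re-state by hand the relabel/create permissions that the new systemd_tmpfilesd_managed interface encapsulates; calling `systemd_tmpfilesd_managed(systemd_journal_t, dir)` and `systemd_tmpfilesd_managed(systemd_journal_t, file)` next to the manage patterns would keep the two in step. `logging_log_file(systemd_journal_t)` is an attribute assignment and belongs with the type declaration earlier in the file, not in the tmpfiles rules section.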
@@ -140,29 +176,28 @@ dontaudit systemd_log_parse_env_type sel
kernel_read_system_state(systemd_log_parse_env_type)

dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
init_read_state(systemd_log_parse_env_type)
-
logging_send_syslog_msg(systemd_log_parse_env_type)
+term_use_console(systemd_log_parse_env_type)

######################################
#
# Backlight local policy
#

+allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
+
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
-init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
-
systemd_log_parse_environment(systemd_backlight_t)

# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
dev_rw_sysfs(systemd_backlight_t)
-
+# for udev.conf
files_read_etc_files(systemd_backlight_t)

+init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
+# for /run/udev/data/+backlight*
udev_read_pid_files(systemd_backlight_t)

#######################################
@@ -308,7 +343,6 @@ init_pid_filetrans(systemd_resolved_t, s

kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
-kernel_read_system_state(systemd_resolved_t)

corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
Index: refpolicy-2.20170221/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20170221/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
/usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)

/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
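Review bot: The new `/usr/bin/systemd-notify` line is placed after systemd-tty-ask-password-agent, breaking the alphabetical order the surrounding /usr/bin entries keep; move it above the systemd-stdio-bridge entry. Ordering aside, the context matches the systemd_notify_exec_t type declared in systemd.te.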
@@ -32,15 +33,21 @@
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)

/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
+/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
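Review bot: `/var/run/log/journal(/.*)?` uses the /var/run spelling while every other runtime entry in this file uses /run; on a system where only the /run path is matched, the journal's volatile storage would be left unlabelled. Relabelling /run/systemd/seats and /run/systemd/sessions from systemd_logind_var_run_t to systemd_sessions_var_run_t also silently changes what systemd_read_logind_pids (modified earlier in this patch) covers, so any domain that reads those two directories through it loses access; the description should call this out.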
Index: refpolicy-2.20170221/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170221/policy/modules/system/unconfined.if
@@ -587,3 +587,22 @@ interface(`unconfined_dbus_connect',`

allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
Index: refpolicy-2.20170221/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170221/policy/modules/contrib/cron.if
@@ -891,3 +891,22 @@ interface(`cron_admin',`
files_search_spool($1)
admin_pattern($1, cron_spool_type)
')
+
+########################################
+## <summary>
+## Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
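Review bot: The summary of cron_manage_system_spool is wrong: it reads "Search the directory containing user cron tables." but the body grants manage_files_pattern on cron_system_spool_t, i.e. create/write/delete of system crontab files, and only searches the spool parent. A reader grepping interface docs would badly underestimate what this grants. Replace the summary with `## Create, read, write, and delete system cron table files (cron_system_spool_t).` and keep the "Domain allowed access." parameter text.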


2017-02-21 08:30:26

by Russell Coker

Subject: [refpolicy] [PATCH] first systemd patch - NOW hopefully good enough

On Tue, 21 Feb 2017 06:17:58 PM Russell Coker via refpolicy wrote:
> I've done all the things pebenito asked, hopefully this is good enough now.

Typo in the subject before...

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-02-24 01:03:51

by Chris PeBenito

Subject: [refpolicy] [PATCH] first systemd patch - not hopefully good enough

On 02/21/17 02:17, Russell Coker via refpolicy wrote:
> I've done all the things pebenito asked, hopefully this is good enough now.

Merged. I made some changes:

* moved some lines around
* the term_relabel_ptys_dirs() you added is a dupe of
term_relabel_pty_dirs(), which I fixed.
* I removed the initrc_t range transitions in init_ranged_domain()
* I removed init init_t domtrans pattern since it should be redundant
due to the init_domain() above it. I also removed the unix stream
socket rule as there is a socket activation interface below meant to
fill that purpose (and explicitly called by socket activated domains).
* There was a big block of additions at the end of init.te which I
cleaned out, though most of it was dropped as I'm still concerned about
applying all those rules to all daemons.
* I removed several calls to nonexistant interfaces



> Description: Make systemd work
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-21
>
> Index: refpolicy-2.20170221/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170221/policy/modules/system/udev.if
> @@ -282,6 +282,26 @@ interface(`udev_manage_pid_dirs',`
>
> ########################################
> ## <summary>
> +## Allow process to relabelto udev database
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_relabelto_db',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 udev_var_run_t:file relabelto_file_perms;
> + allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read udev pid files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170221/policy/modules/kernel/devices.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/kernel/devices.te
> +++ refpolicy-2.20170221/policy/modules/kernel/devices.te
> @@ -21,6 +21,9 @@ files_mountpoint(device_t)
> files_associate_tmp(device_t)
> fs_xattr_type(device_t)
> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> +optional_policy(`
> + systemd_tmpfilesd_managed(device_t, fifo_file)
> +')
>
> #
> # Type for /dev/agpgart
> Index: refpolicy-2.20170221/policy/modules/kernel/files.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/kernel/files.te
> +++ refpolicy-2.20170221/policy/modules/kernel/files.te
> @@ -174,6 +174,10 @@ type var_run_t;
> files_pid_file(var_run_t)
> files_mountpoint(var_run_t)
>
> +optional_policy(`
> + systemd_tmpfilesd_managed(var_run_t, lnk_file)
> +')
> +
> #
> # var_spool_t is the type of /var/spool
> #
> Index: refpolicy-2.20170221/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20170221/policy/modules/system/authlogin.te
> @@ -30,6 +30,9 @@ role system_r types chkpwd_t;
>
> type faillog_t;
> logging_log_file(faillog_t)
> +optional_policy(`
> + systemd_tmpfilesd_managed(faillog_t, file)
> +')
>
> type lastlog_t;
> logging_log_file(lastlog_t)
> @@ -81,6 +84,9 @@ application_domain(utempter_t, utempter_
> #
> type var_auth_t;
> files_type(var_auth_t)
> +optional_policy(`
> + systemd_tmpfilesd_managed(var_auth_t, dir)
> +')
>
> type wtmp_t;
> logging_log_file(wtmp_t)
> Index: refpolicy-2.20170221/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170221/policy/modules/system/init.fc
> @@ -57,6 +57,8 @@ ifdef(`distro_gentoo', `
> /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
> /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> /run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
>
> ifdef(`distro_debian',`
> Index: refpolicy-2.20170221/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170221/policy/modules/system/init.if
> @@ -164,10 +164,12 @@ interface(`init_ranged_domain',`
>
> ifdef(`enable_mcs',`
> range_transition init_t $2:process $3;
> + range_transition initrc_t $2:process $3;
> ')
>
> ifdef(`enable_mls',`
> range_transition init_t $2:process $3;
> + range_transition initrc_t $2:process $3;
> mls_rangetrans_target($1)
> ')
> ')
> @@ -210,8 +212,10 @@ interface(`init_ranged_domain',`
> interface(`init_daemon_domain',`
> gen_require(`
> type initrc_t;
> + type init_t;
> role system_r;
> attribute daemon;
> + attribute initrc_transition_domain;
> ')
>
> typeattribute $1 daemon;
> @@ -240,6 +244,10 @@ interface(`init_daemon_domain',`
> init_domain($1, $2)
> # this may be because of late labelling
> kernel_dgram_send($1)
> +
> + domtrans_pattern(init_t, $2, $1)
> + allow init_t $1:unix_stream_socket create_stream_socket_perms;
> + allow $1 init_t:unix_dgram_socket sendto;
> ')
>
> optional_policy(`
> @@ -400,8 +408,10 @@ interface(`init_system_domain',`
> gen_require(`
> type initrc_t;
> role system_r;
> + attribute systemprocess;
> ')
>
> + typeattribute $1 systemprocess;
> application_domain($1, $2)
>
> role system_r types $1;
> @@ -477,6 +487,24 @@ interface(`init_ranged_system_domain',`
> ')
> ')
>
> +######################################
> +## <summary>
> +## Allow domain dyntransition to init_t domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dyntrans',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + dyntrans_pattern($1, init_t)
> +')
> +
> ########################################
> ## <summary>
> ## Mark the file type as a daemon pid file, allowing initrc_t
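Review bot: init_dyntrans carries no warning although dyntrans_pattern($1, init_t) lets the caller setcon() into the PID 1 domain without executing any entry-point file, which is effectively a grant of everything init_t can do. The interface summary should say so and name the intended callers, e.g. `## Allow domain to dynamically transition to init_t. This grants the caller full init privileges with no entrypoint check; only for domains already as trusted as init (systemd re-exec paths).` Nothing in the visible hunks shows a caller, so it is not clear what need this addresses.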
> @@ -675,6 +703,7 @@ interface(`init_stream_connect',`
>
> stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
> files_search_pids($1)
> + allow $1 init_t:unix_stream_socket getattr;
> ')
>
> ########################################
> @@ -1192,23 +1221,23 @@ interface(`init_write_initctl',`
> #
> interface(`init_telinit',`
> gen_require(`
> - type initctl_t;
> + type initctl_t, init_t;
> ')
>
> + corecmd_exec_bin($1)
> +
> dev_list_all_dev_nodes($1)
> allow $1 initctl_t:fifo_file rw_fifo_file_perms;
>
> init_exec($1)
>
> - tunable_policy(`init_upstart',`
> - gen_require(`
> - type init_t;
> - ')
> -
> - # upstart uses a datagram socket instead of initctl pipe
> - allow $1 self:unix_dgram_socket create_socket_perms;
> - allow $1 init_t:unix_dgram_socket sendto;
> - ')
> + ps_process_pattern($1, init_t)
> + allow $1 init_t:process signal;
> + # upstart uses a datagram socket instead of initctl pipe
> + allow $1 self:unix_dgram_socket create_socket_perms;
> + allow $1 init_t:unix_dgram_socket sendto;
> + #576913
> + allow $1 init_t:unix_stream_socket connectto;
> ')
>
> ########################################
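Review bot: Adding `corecmd_exec_bin($1)` to init_telinit gives every caller execute on all bin_t binaries, which is far broader than sending a runlevel change; if this is because telinit is a symlink into /bin on systemd, say so in a comment and consider whether init_exec() already covers the real target. The bare `#576913` comment cites a bug number with no tracker name, so it is not actionable; spell out which tracker (presumably a distribution bugzilla) and what the connectto is for. Dropping the init_upstart tunable also leaves the "upstart uses a datagram socket" comment describing rules that are now unconditional; reword it to mention systemd.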
> @@ -1217,7 +1246,7 @@ interface(`init_telinit',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -1332,6 +1361,36 @@ interface(`init_domtrans_script',`
>
> ########################################
> ## <summary>
> +## Execute labelled init scripts with an automatic domain transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`init_domtrans_labelled_script',`
> + gen_require(`
> + type initrc_t;
> + attribute init_script_file_type;
> + attribute initrc_transition_domain;
> + ')
> + typeattribute $1 initrc_transition_domain;
> +
> + files_list_etc($1)
> + domtrans_pattern($1, init_script_file_type, initrc_t)
> +
> + ifdef(`enable_mcs',`
> + range_transition $1 init_script_file_type:process s0;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
> + ')
> +')
> +
> +########################################
> +## <summary>
> ## Execute a init script in a specified domain.
> ## </summary>
> ## <desc>
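Review bot: init_domtrans_labelled_script uses the spelling "labelled" while the existing sibling a few lines below is init_labeled_script_domtrans, so the two names will be hard to tell apart and hard to grep; refpolicy consistently uses "labeled". The new interface also overlaps the sibling (both add initrc_transition_domain and domtrans to initrc_t), differing only in the file-type argument and the range_transition lines. Consider naming it init_domtrans_labeled_script, or documenting in its desc why the range transitions are needed here and not in the sibling.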
> @@ -1402,8 +1461,10 @@ interface(`init_manage_script_service',`
> interface(`init_labeled_script_domtrans',`
> gen_require(`
> type initrc_t;
> + attribute initrc_transition_domain;
> ')
>
> + typeattribute $1 initrc_transition_domain;
> domtrans_pattern($1, $2, initrc_t)
> files_search_etc($1)
> ')
> @@ -1536,9 +1597,10 @@ interface(`init_run_daemon',`
> interface(`init_startstop_all_script_services',`
> gen_require(`
> attribute init_script_file_type;
> + class service { start status stop reload };
> ')
>
> - allow $1 init_script_file_type:service { start status stop };
> + allow $1 init_script_file_type:service { start status stop reload };
> ')
>
> ########################################
> @@ -1746,12 +1808,7 @@ interface(`init_read_script_state',`
> ')
>
> kernel_search_proc($1)
> - read_files_pattern($1, initrc_t, initrc_t)
> - read_lnk_files_pattern($1, initrc_t, initrc_t)
> - list_dirs_pattern($1, initrc_t, initrc_t)
> -
> - # should move this to separate interface
> - allow $1 initrc_t:process getattr;
> + ps_process_pattern($1, initrc_t)
> ')
>
> ########################################
> @@ -2335,7 +2392,7 @@ interface(`init_dontaudit_rw_utmp',`
> type initrc_var_run_t;
> ')
>
> - dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
> + dontaudit $1 initrc_var_run_t:file rw_file_perms;
> ')
>
> ########################################
> @@ -2376,6 +2433,44 @@ interface(`init_pid_filetrans_utmp',`
> files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
> ')
>
> +#######################################
> +## <summary>
> +## Create a directory in the /run/systemd directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_create_pid_dirs',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:dir list_dir_perms;
> + create_dirs_pattern($1, init_var_run_t, init_var_run_t)
> +')
> +
> +########################################
> +## <summary>
> +## Rename and unlink init_var_run_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain
> +## </summary>
> +## </param>
> +#
> +interface(`init_delete_pid_files',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + delete_files_pattern($1, init_var_run_t, init_var_run_t)
> + rename_files_pattern($1, init_var_run_t, init_var_run_t)
> +')
> +
> ########################################
> ## <summary>
> ## Allow the specified domain to connect to daemon with a tcp socket
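Review bot: init_create_pid_dirs grants list/create on init_var_run_t but never adds `files_search_pids($1)`, so a caller without other /run access cannot reach /run/systemd to create anything; init_stream_connect in this same file pairs its rule with files_search_pids and this should too. init_delete_pid_files has the same gap for rename/unlink. The parameter summary of init_delete_pid_files is just "domain"; use the conventional `## Domain allowed access.` so the generated docs read consistently.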
> @@ -2550,6 +2645,43 @@ interface(`init_start_all_units',`
> allow $1 systemdunit:service start;
> ')
>
> +#######################################
> +## <summary>
> +## Allow the specified domain to write to
> +## init sock file.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_write_pid_socket',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:sock_file write;
> +')
> +
> +########################################
> +## <summary>
> +## Read init unnamed pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_pid_pipes',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
> +')
> +
> ########################################
> ## <summary>
> ## Stop all systemd units.
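Review bot: init_write_pid_socket allows only `init_var_run_t:sock_file write`, with no search on the init_var_run_t directory and no `files_search_pids($1)`, so on its own it cannot open /run/systemd/notify; add `files_search_pids($1)` and `allow $1 init_var_run_t:dir search_dir_perms;` as init_stream_connect does. It would also help to say in the summary that this is the sd_notify socket, since that is what the later `init_write_pid_socket(daemon)` call is for. init_read_pid_pipes likewise lacks the search permissions.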
> Index: refpolicy-2.20170221/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170221/policy/modules/system/init.te
> @@ -16,13 +16,22 @@ gen_require(`
> ## </desc>
> gen_tunable(init_upstart, false)
>
> +## <desc>
> +## <p>
> +## Allow all daemons the ability to read/write terminals
> +## </p>
> +## </desc>
> +gen_tunable(init_daemons_use_tty, false)
> +
> attribute init_script_domain_type;
> attribute init_script_file_type;
> attribute init_run_all_scripts_domain;
> attribute systemdunit;
> +attribute initrc_transition_domain;
>
> # Mark process types as daemons
> attribute daemon;
> +attribute systemprocess;
>
> # Mark file type as a daemon pid file
> attribute daemonpidfile;
> @@ -33,7 +42,7 @@ attribute daemonrundir;
> #
> # init_t is the domain of the init process.
> #
> -type init_t;
> +type init_t, initrc_transition_domain;
> type init_exec_t;
> domain_type(init_t)
> domain_entry_file(init_t, init_exec_t)
> @@ -66,6 +75,7 @@ type initrc_exec_t, init_script_file_typ
> domain_type(initrc_t)
> domain_entry_file(initrc_t, initrc_exec_t)
> init_named_socket_activation(initrc_t, init_var_run_t)
> +allow init_run_all_scripts_domain systemdunit:service { status start stop };
> role system_r types initrc_t;
> # should be part of the true block
> # of the below init_upstart tunable
> @@ -110,6 +120,7 @@ ifdef(`enable_mls',`
>
> # Use capabilities. old rule:
> allow init_t self:capability ~sys_module;
> +allow init_t self:capability2 { wake_alarm block_suspend };
> # is ~sys_module really needed? observed:
> # sys_boot
> # sys_tty_config
> @@ -128,6 +139,9 @@ allow init_t initrc_t:unix_stream_socket
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
>
> +# for systemd to manage service file symlinks
> +allow init_t init_var_run_t:file manage_lnk_file_perms;
> +
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
>
> @@ -147,6 +161,7 @@ dev_rw_generic_chr_files(init_t)
>
> domain_getpgid_all_domains(init_t)
> domain_kill_all_domains(init_t)
> +domain_getattr_all_domains(init_t)
> domain_signal_all_domains(init_t)
> domain_signull_all_domains(init_t)
> domain_sigstop_all_domains(init_t)
> @@ -199,6 +214,12 @@ ifdef(`init_systemd',`
> # handle instances where an old labeled init script is encountered.
> typeattribute init_t init_run_all_scripts_domain;
>
> + allow init_t systemprocess:process { dyntransition siginh };
> + allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
> + allow init_t systemprocess:unix_dgram_socket create_socket_perms;
> + allow systemprocess init_t:unix_dgram_socket sendto;
> + allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
> +
> allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
> allow init_t self:capability2 { audit_read block_suspend };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
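Review bot: The five systemprocess rules have no why-comment, and `allow init_t systemprocess:process { dyntransition siginh }` in particular lets PID 1 setcon() into every systemprocess domain without an entrypoint; systemd normally uses setexeccon plus exec for services, so it is not obvious what code path needs dyntransition. If a specific systemd operation triggers it, name it in a comment above the block, e.g. `# systemd dyntransitions when <operation>; siginh for inherited signal state`; otherwise drop dyntransition and keep siginh.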
> @@ -206,6 +227,13 @@ ifdef(`init_systemd',`
> allow init_t self:netlink_selinux_socket create_socket_perms;
> allow init_t self:unix_dgram_socket lock;
>
> + allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> + allow init_t daemon:unix_dgram_socket create_socket_perms;
> + allow init_t daemon:tcp_socket create_stream_socket_perms;
> + allow init_t daemon:udp_socket create_socket_perms;
> + allow daemon init_t:unix_dgram_socket sendto;
> +
> + allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
> manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
> manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
> manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
> @@ -269,6 +297,9 @@ ifdef(`init_systemd',`
> # for network namespaces
> fs_read_nsfs_files(init_t)
>
> + # need write to /var/run/systemd/notify
> + init_write_pid_socket(daemon)
> +
> # systemd_socket_activated policy
> mls_socket_write_all_levels(init_t)
>
> @@ -355,6 +386,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + udev_read_db(init_t)
> + udev_relabelto_db(init_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(init_t)
> ')
>
> @@ -403,11 +439,14 @@ manage_fifo_files_pattern(initrc_t, init
> allow initrc_t initrc_var_run_t:file manage_file_perms;
> files_pid_filetrans(initrc_t, initrc_var_run_t, file)
>
> +allow initrc_t daemon:process siginh;
> +
> can_exec(initrc_t, initrc_tmp_t)
> manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
> manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
> manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
> files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
> +allow initrc_t initrc_tmp_t:dir relabelfrom;
>
> manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
> manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
> @@ -450,6 +489,7 @@ corenet_sendrecv_all_client_packets(init
>
> dev_read_rand(initrc_t)
> dev_read_urand(initrc_t)
> +dev_dontaudit_read_kmsg(initrc_t)
> dev_write_kmsg(initrc_t)
> dev_write_rand(initrc_t)
> dev_write_urand(initrc_t)
> @@ -460,8 +500,10 @@ dev_write_framebuffer(initrc_t)
> dev_read_realtime_clock(initrc_t)
> dev_read_sound_mixer(initrc_t)
> dev_write_sound_mixer(initrc_t)
> +dev_setattr_generic_dirs(initrc_t)
> dev_setattr_all_chr_files(initrc_t)
> dev_rw_lvm_control(initrc_t)
> +dev_rw_generic_chr_files(initrc_t)
> dev_delete_lvm_control_dev(initrc_t)
> dev_manage_generic_symlinks(initrc_t)
> dev_manage_generic_files(initrc_t)
> @@ -469,17 +511,16 @@ dev_manage_generic_files(initrc_t)
> dev_delete_generic_symlinks(initrc_t)
> dev_getattr_all_blk_files(initrc_t)
> dev_getattr_all_chr_files(initrc_t)
> -# Early devtmpfs
> -dev_rw_generic_chr_files(initrc_t)
> +dev_rw_xserver_misc(initrc_t)
>
> domain_kill_all_domains(initrc_t)
> domain_signal_all_domains(initrc_t)
> domain_signull_all_domains(initrc_t)
> domain_sigstop_all_domains(initrc_t)
> +domain_sigstop_all_domains(initrc_t)
> domain_sigchld_all_domains(initrc_t)
> domain_read_all_domains_state(initrc_t)
> domain_getattr_all_domains(initrc_t)
> -domain_dontaudit_ptrace_all_domains(initrc_t)
> domain_getsession_all_domains(initrc_t)
> domain_use_interactive_fds(initrc_t)
> # for lsof which is used by alsa shutdown:
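Review bot: `domain_sigstop_all_domains(initrc_t)` is added directly below an identical existing line, so the new line is a pure duplicate and should be removed. The same hunk also silently drops `domain_dontaudit_ptrace_all_domains(initrc_t)` with no replacement or explanation; if ptrace denials are now expected to be audited, a one-line comment saying why would save the next reader from restoring it.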
> @@ -487,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets
> domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
> domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
> domain_dontaudit_getattr_all_pipes(initrc_t)
> +domain_obj_id_change_exemption(initrc_t)
>
> files_getattr_all_dirs(initrc_t)
> files_getattr_all_files(initrc_t)
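Review bot: `domain_obj_id_change_exemption(initrc_t)` exempts initrc_t from the constraints on changing the SELinux user identity of objects it relabels, a power normally limited to unconfined and labeling-tool domains, and it is added without any comment. Please add a why-comment naming the init script or relabel that needs it, e.g. `# <script> relabels files owned by a different SELinux user`, so this exemption can be revisited when that need goes away.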
> @@ -494,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
> files_getattr_all_pipes(initrc_t)
> files_getattr_all_sockets(initrc_t)
> files_purge_tmp(initrc_t)
> -files_delete_all_locks(initrc_t)
> +files_manage_all_locks(initrc_t)
> +files_manage_boot_files(initrc_t)
> files_read_all_pids(initrc_t)
> +files_delete_root_files(initrc_t)
> files_delete_all_pids(initrc_t)
> files_delete_all_pid_dirs(initrc_t)
> files_read_etc_files(initrc_t)
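Review bot: This hunk widens initrc_t from deleting locks to managing all lock types, adds management of boot files, and adds `files_delete_root_files(initrc_t)` (unlinking files directly under /), none of which carry a comment saying which init script needs them. Each of these is the kind of grant later reviewers will want to prune, so a short why-comment per line is warranted; for the boot files case in particular, if this is only a systemd unit writing to /boot, a narrower interface or a systemd_tmpfilesd_managed() call may be enough.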
> @@ -509,8 +553,12 @@ files_manage_generic_spool(initrc_t)
> # cjp: not sure why these are here; should use mount policy
> files_list_default(initrc_t)
> files_mounton_default(initrc_t)
> +files_manage_mnt_dirs(initrc_t)
> +files_manage_mnt_files(initrc_t)
>
> -fs_write_cgroup_files(initrc_t)
> +fs_delete_cgroup_dirs(initrc_t)
> +fs_list_cgroup_dirs(initrc_t)
> +fs_rw_cgroup_files(initrc_t)
> fs_list_inotifyfs(initrc_t)
> fs_register_binary_executable_type(initrc_t)
> # rhgb-console writes to ramfs
> @@ -520,9 +568,13 @@ fs_mount_all_fs(initrc_t)
> fs_unmount_all_fs(initrc_t)
> fs_remount_all_fs(initrc_t)
> fs_getattr_all_fs(initrc_t)
> +fs_search_all(initrc_t)
> +fs_getattr_nfsd_files(initrc_t)
>
> # initrc_t needs to do a pidof which requires ptrace
> mcs_ptrace_all(initrc_t)
> +mcs_file_read_all(initrc_t)
> +mcs_file_write_all(initrc_t)
> mcs_killall(initrc_t)
> mcs_process_set_categories(initrc_t)
>
> @@ -532,6 +584,7 @@ mls_process_read_all_levels(initrc_t)
> mls_process_write_all_levels(initrc_t)
> mls_rangetrans_source(initrc_t)
> mls_fd_share_all_levels(initrc_t)
> +mls_socket_write_to_clearance(initrc_t)
>
> selinux_get_enforce_mode(initrc_t)
>
> @@ -550,6 +603,11 @@ auth_delete_pam_pid(initrc_t)
> auth_delete_pam_console_data(initrc_t)
> auth_use_nsswitch(initrc_t)
>
> +init_get_system_status(initrc_t)
> +init_stream_connect(initrc_t)
> +init_start_all_units(initrc_t)
> +init_stop_all_units(initrc_t)
> +
> libs_rw_ld_so_cache(initrc_t)
> libs_exec_lib_files(initrc_t)
> libs_exec_ld_so(initrc_t)
> @@ -563,7 +621,7 @@ logging_read_audit_config(initrc_t)
>
> miscfiles_read_localization(initrc_t)
> # slapd needs to read cert files from its initscript
> -miscfiles_read_generic_certs(initrc_t)
> +miscfiles_manage_generic_cert_files(initrc_t)
>
> seutil_read_config(initrc_t)
>
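Review bot: Switching `miscfiles_read_generic_certs(initrc_t)` to `miscfiles_manage_generic_cert_files(initrc_t)` lets every init script create, overwrite and delete system certificates, while the comment above it still only justifies reading them for slapd. If some script regenerates certificates, update the comment to name it; otherwise keep the read interface, since write access to cert_t from the shared initrc_t domain is a trust-store integrity risk.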
> @@ -571,7 +629,7 @@ userdom_read_user_home_content_files(ini
> # Allow access to the sysadm TTYs. Note that this will give access to the
> # TTYs to any process in the initrc_t domain. Therefore, daemons and such
> # started from init should be placed in their own domain.
> -userdom_use_user_terminals(initrc_t)
> +userdom_use_inherited_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> kernel_getattr_core_if(initrc_t)
> @@ -643,6 +701,10 @@ ifdef(`distro_gentoo',`
> sysnet_setattr_config(initrc_t)
>
> optional_policy(`
> + abrt_manage_pid_files(initrc_t)
> + ')
> +
> + optional_policy(`
> alsa_read_lib(initrc_t)
> ')
>
> @@ -663,7 +725,7 @@ ifdef(`distro_redhat',`
>
> # Red Hat systems seem to have a stray
> # fd open from the initrd
> - kernel_dontaudit_use_fds(initrc_t)
> + kernel_use_fds(initrc_t)
> files_dontaudit_read_root_files(initrc_t)
>
> # These seem to be from the initrd
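Review bot: Changing `kernel_dontaudit_use_fds(initrc_t)` to `kernel_use_fds(initrc_t)` contradicts the comment directly above it, which describes the inherited descriptor as a stray to be silenced rather than used. If initrc_t genuinely needs to use kernel-held fds now (for example to reach a descriptor passed through from the initrd on systemd), update the comment to say so; if the goal was only to quiet a denial, the dontaudit form was already correct.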
> @@ -698,6 +760,7 @@ ifdef(`distro_redhat',`
> miscfiles_rw_localization(initrc_t)
> miscfiles_setattr_localization(initrc_t)
> miscfiles_relabel_localization(initrc_t)
> + miscfiles_filetrans_named_content(initrc_t)
>
> miscfiles_read_fonts(initrc_t)
> miscfiles_read_hwdata(initrc_t)
> @@ -707,8 +770,35 @@ ifdef(`distro_redhat',`
> ')
>
> optional_policy(`
> + abrt_manage_pid_files(initrc_t)
> + ')
> +
> + optional_policy(`
> bind_manage_config_dirs(initrc_t)
> + bind_manage_config(initrc_t)
> bind_write_config(initrc_t)
> + bind_setattr_zone_dirs(initrc_t)
> + ')
> +
> + optional_policy(`
> + devicekit_append_inherited_log_files(initrc_t)
> + ')
> +
> + optional_policy(`
> + dirsrvadmin_read_config(initrc_t)
> + dirsrv_manage_var_run(initrc_t)
> + ')
> +
> + optional_policy(`
> + gnome_manage_gconf_config(initrc_t)
> + ')
> +
> + optional_policy(`
> + ldap_read_db_files(initrc_t)
> + ')
> +
> + optional_policy(`
> + pulseaudio_stream_connect(initrc_t)
> ')
>
> optional_policy(`
> @@ -716,14 +806,27 @@ ifdef(`distro_redhat',`
> rpc_write_exports(initrc_t)
> rpc_manage_nfs_state_data(initrc_t)
> ')
> + optional_policy(`
> + rpcbind_stream_connect(initrc_t)
> + ')
>
> optional_policy(`
> sysnet_rw_dhcp_config(initrc_t)
> sysnet_manage_config(initrc_t)
> + sysnet_manage_dhcpc_state(initrc_t)
> + sysnet_relabelfrom_dhcpc_state(initrc_t)
> + sysnet_relabelfrom_net_conf(initrc_t)
> + sysnet_relabelto_net_conf(initrc_t)
> + sysnet_filetrans_named_content(initrc_t)
> + ')
> +
> + optional_policy(`
> + wdmd_manage_pid_files(initrc_t)
> ')
>
> optional_policy(`
> xserver_delete_log(initrc_t)
> + xserver_manage_user_fonts_dir(initrc_t)
> ')
> ')
>
> @@ -735,6 +838,20 @@ ifdef(`distro_suse',`
> ')
>
> ifdef(`init_systemd',`
> + allow init_t self:system { status reboot halt reload };
> +
> + allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> + allow init_t self:process { setsockcreate setfscreate setrlimit };
> + allow init_t self:process { getcap setcap };
> + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> + allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + # Until systemd is fixed
> + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> + allow init_t self:udp_socket create_socket_perms;
> + allow init_t self:netlink_route_socket create_netlink_socket_perms;
> + allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> + allow initrc_t init_t:system { status reboot halt reload };
> + allow init_t self:capability2 audit_read;
> manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> files_lock_filetrans(initrc_t, initrc_lock_t, file)
>
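Review bot: Several of the new init_t self rules here duplicate lines already present in the init_systemd block of this file: setsockcreate/setfscreate/setrlimit/getcap/setcap are in the existing `allow init_t self:process {...}` rule, audit_read is already in `allow init_t self:capability2 { audit_read block_suspend }`, and the netlink_kobject_uevent_socket rule already exists; drop the repeats. The line `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }` gives every daemon read, write and setopt on every socket class init_t owns, which also subsumes the narrower unix_stream_socket rule added earlier in this patch. The "Until systemd is fixed" comment should cite the actual systemd issue so the rule can be removed when it is.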
> @@ -746,11 +863,25 @@ ifdef(`init_systemd',`
> files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
>
> create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
> + allow initrc_t systemd_unit_t:service reload;
>
> manage_files_pattern(initrc_t, systemdunit, systemdunit)
> manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
> + allow initrc_t systemdunit:service reload;
> + allow initrc_t init_script_file_type:service { stop start status reload };
>
> kernel_dgram_send(initrc_t)
> + kernel_list_unlabeled(init_t)
> + kernel_read_network_state(init_t)
> + kernel_rw_kernel_sysctl(init_t)
> + kernel_rw_net_sysctls(init_t)
> + kernel_read_all_sysctls(init_t)
> + kernel_read_software_raid_state(init_t)
> + kernel_unmount_debugfs(init_t)
> + kernel_setsched(init_t)
> +
> + auth_relabel_login_records(init_t)
> + auth_relabel_pam_console_data_dirs(init_t)
>
> # run systemd misc initializations
> # in the initrc_t domain, as would be
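Review bot: `allow initrc_t init_script_file_type:service { stop start status reload };` is exactly what init_startstop_all_script_services grants after this patch adds reload to it, so calling that interface (or dropping this line) avoids two places to maintain. Likewise, if systemd_unit_t carries the systemdunit attribute, `allow initrc_t systemd_unit_t:service reload;` is subsumed by the systemdunit reload rule four lines below. The block of kernel_*(init_t) and auth_relabel_*(init_t) calls is inserted in the middle of initrc_t rules; moving them next to the other init_t rules in this ifdef keeps the file scannable by domain.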
> @@ -760,34 +891,90 @@ ifdef(`init_systemd',`
> corecmd_bin_domtrans(init_t, initrc_t)
> corecmd_shell_domtrans(init_t, initrc_t)
>
> - files_read_boot_files(initrc_t)
> + dev_write_kmsg(init_t)
> + dev_write_urand(init_t)
> + dev_rw_lvm_control(init_t)
> + dev_rw_autofs(init_t)
> + dev_manage_generic_symlinks(init_t)
> + dev_manage_generic_dirs(init_t)
> + dev_manage_generic_files(init_t)
> + dev_manage_null_service(initrc_t)
> + dev_read_generic_chr_files(init_t)
> + dev_relabel_generic_dev_dirs(init_t)
> + dev_relabel_all_dev_nodes(init_t)
> + dev_relabel_all_dev_files(init_t)
> + dev_manage_sysfs_dirs(init_t)
> + dev_relabel_sysfs_dirs(init_t)
> + # systemd writes to /dev/watchdog on shutdown
> + dev_write_watchdog(init_t)
> +
> # Allow initrc_t to check /etc/fstab "service." It appears that
> # systemd is conflating files and services.
> + files_create_all_pid_pipes(init_t)
> + files_create_all_pid_sockets(init_t)
> + files_create_all_spool_sockets(init_t)
> + files_create_lock_dirs(init_t)
> + files_delete_all_pids(init_t)
> + files_delete_all_spool_sockets(init_t)
> + files_exec_generic_pid_files(init_t)
> files_get_etc_unit_status(initrc_t)
> + files_list_locks(init_t)
> + files_list_spool(init_t)
> + files_list_var(init_t)
> + files_manage_all_pid_dirs(init_t)
> + files_manage_generic_tmp_dirs(init_t)
> + files_manage_urandom_seed(init_t)
> + files_mounton_all_mountpoints(init_t)
> + files_read_boot_files(initrc_t)
> + files_relabel_all_lock_dirs(init_t)
> + files_relabel_all_pid_dirs(init_t)
> + files_relabel_all_pid_files(init_t)
> + files_search_all(init_t)
> files_setattr_pid_dirs(initrc_t)
> + files_unmount_all_file_type_fs(init_t)
>
> - selinux_set_enforce_mode(initrc_t)
> + fs_getattr_all_fs(init_t)
> + fs_list_auto_mountpoints(init_t)
> + fs_manage_cgroup_dirs(init_t)
> + fs_manage_cgroup_files(init_t)
> + fs_manage_hugetlbfs_dirs(init_t)
> + fs_manage_tmpfs_dirs(init_t)
> + fs_mount_all_fs(init_t)
> + fs_remount_all_fs(init_t)
> + fs_unmount_all_fs(init_t)
> + fs_search_cgroup_dirs(daemon)
>
> - init_stream_connect(initrc_t)
> + init_get_all_units_status(initrc_t)
> init_manage_var_lib_files(initrc_t)
> + init_read_script_state(init_t)
> init_rw_stream_sockets(initrc_t)
> - init_get_all_units_status(initrc_t)
> init_stop_all_units(initrc_t)
> + init_stream_connect(initrc_t)
>
> # Create /etc/audit.rules.prev after firstboot remediation
> logging_manage_audit_config(initrc_t)
>
> + selinux_compute_create_context(init_t)
> + selinux_set_enforce_mode(initrc_t)
> + selinux_unmount_fs(init_t)
> + selinux_validate_context(init_t)
> # lvm2-activation-generator checks file labels
> seutil_read_file_contexts(initrc_t)
> + seutil_read_file_contexts(init_t)
>
> + storage_getattr_removable_dev(init_t)
> + systemd_manage_all_units(init_t)
> systemd_start_power_units(initrc_t)
>
> + term_relabel_ptys_dirs(init_t)
> +
> optional_policy(`
> # create /var/lock/lvm/
> lvm_create_lock_dirs(initrc_t)
> ')
> ')
>
> +
> optional_policy(`
> amavis_search_lib(initrc_t)
> amavis_setattr_pid_files(initrc_t)
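Review bot: The comment "Allow initrc_t to check /etc/fstab service" now sits above a run of init_t files_* rules instead of the `files_get_etc_unit_status(initrc_t)` line it describes, so it reads as explaining the wrong rules; move it back to directly above that call. `fs_search_cgroup_dirs(daemon)` is a rule for every daemon domain placed among init_t fs rules inside the init_systemd block; it belongs in the "Rules applied to all daemons" section this patch adds at the end of the file. `dev_relabel_all_dev_nodes(init_t)` and `dev_relabel_all_dev_files(init_t)` are broad relabel grants that would benefit from a one-line note on which systemd operation (tmpfiles, early boot relabel) needs them.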
> @@ -800,6 +987,8 @@ optional_policy(`
> optional_policy(`
> apache_read_config(initrc_t)
> apache_list_modules(initrc_t)
> + # webmin seems to cause this.
> + apache_search_sys_content(daemon)
> ')
>
> optional_policy(`
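Review bot: `apache_search_sys_content(daemon)` grants every daemon domain search over httpd_sys_content_t on the strength of "webmin seems to cause this", which is a fix in the wrong place: the rule belongs in webmin's own domain policy, or, if webmin runs in initrc_t, as `apache_search_sys_content(initrc_t)`. Applying it to the daemon attribute means an unrelated service gains web-content directory access as a side effect of one package.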
> @@ -821,6 +1010,7 @@ optional_policy(`
>
> optional_policy(`
> cgroup_stream_connect_cgred(initrc_t)
> + domain_setpriority_all_domains(initrc_t)
> ')
>
> optional_policy(`
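Review bot: `domain_setpriority_all_domains(initrc_t)` is placed inside the optional_policy block whose only other call is cgroup_stream_connect_cgred, so it is silently gated on the cgroup module being present even though domain_* interfaces come from the kernel layer and always exist. Unless the priority changes are really specific to cgred, move this line out next to the other unconditional domain_*(initrc_t) rules, or add a comment explaining the coupling.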
> @@ -837,6 +1027,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cron_read_pipes(initrc_t)
> + # managing /etc/cron.d/mailman content
> + cron_manage_system_spool(initrc_t)
> +')
> +
> +optional_policy(`
> dev_getattr_printer_dev(initrc_t)
>
> cups_read_log(initrc_t)
> @@ -853,9 +1049,13 @@ optional_policy(`
> dbus_connect_system_bus(initrc_t)
> dbus_system_bus_client(initrc_t)
> dbus_read_config(initrc_t)
> + dbus_manage_lib_files(initrc_t)
> +
> + init_dbus_chat(initrc_t)
>
> optional_policy(`
> consolekit_dbus_chat(initrc_t)
> + consolekit_manage_log(initrc_t)
> ')
>
> optional_policy(`
> @@ -897,6 +1097,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_read_module_config(initrc_t)
> + modutils_domtrans_insmod(initrc_t)
> +')
> +
> +optional_policy(`
> inn_exec_config(initrc_t)
> ')
>
> @@ -937,6 +1142,7 @@ optional_policy(`
> lpd_list_spool(initrc_t)
>
> lpd_read_config(initrc_t)
> + lpd_manage_spool(init_t)
> ')
>
> optional_policy(`
> @@ -960,6 +1166,7 @@ optional_policy(`
>
> optional_policy(`
> mta_read_config(initrc_t)
> + mta_write_config(initrc_t)
> mta_dontaudit_read_spool_symlinks(initrc_t)
> ')
>
> @@ -982,6 +1189,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + plymouthd_stream_connect(initrc_t)
> +')
> +
> +optional_policy(`
> postgresql_manage_db(initrc_t)
> postgresql_read_config(initrc_t)
> ')
> @@ -994,6 +1205,7 @@ optional_policy(`
> puppet_rw_tmp(initrc_t)
> ')
>
> +
> optional_policy(`
> quota_manage_flags(initrc_t)
> ')
> @@ -1024,8 +1236,6 @@ optional_policy(`
> # bash tries ioctl for some reason
> files_dontaudit_ioctl_all_pids(initrc_t)
>
> - # why is this needed:
> - rpm_manage_db(initrc_t)
> ')
>
> optional_policy(`
> @@ -1043,10 +1253,12 @@ optional_policy(`
> squid_manage_logs(initrc_t)
> ')
>
> +ifdef(`enabled_mls',`
> optional_policy(`
> # allow init scripts to su
> su_restricted_domain_template(initrc, initrc_t, system_r)
> ')
> +')
>
> optional_policy(`
> ssh_dontaudit_read_server_keys(initrc_t)
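Review bot: The new `ifdef(`enabled_mls',` guard will never be true, because the build symbol used everywhere else in this patch (the logging.te hunk and the commented block at the end of init.te) is `enable_mls`; as written, su_restricted_domain_template(initrc, initrc_t, system_r) is silently dropped from every build. Change it to `ifdef(`enable_mls',`` and, since restricting the su template to MLS builds is a behaviour change rather than a guard, add a comment saying why non-MLS builds no longer get it.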
> @@ -1062,7 +1274,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - udev_rw_db(initrc_t)
> udev_manage_pid_files(initrc_t)
> udev_manage_pid_dirs(initrc_t)
> udev_manage_rules_files(initrc_t)
> @@ -1079,6 +1290,10 @@ optional_policy(`
>
> optional_policy(`
> unconfined_domain(initrc_t)
> + domain_role_change_exemption(initrc_t)
> + mcs_file_read_all(initrc_t)
> + mcs_file_write_all(initrc_t)
> + mcs_killall(initrc_t)
>
> ifdef(`distro_redhat',`
> # system-config-services causes avc messages that should be dontaudited
> @@ -1088,6 +1303,15 @@ optional_policy(`
> optional_policy(`
> mono_domtrans(initrc_t)
> ')
> +
> + optional_policy(`
> + rtkit_scheduled(initrc_t)
> + ')
> +')
> +
> +optional_policy(`
> + rpm_read_db(initrc_t)
> + rpm_delete_db(initrc_t)
> ')
>
> optional_policy(`
> @@ -1113,3 +1337,152 @@ optional_policy(`
> optional_policy(`
> zebra_read_config(initrc_t)
> ')
> +
> +########################################
> +#
> +# Rules applied to all daemons
> +#
> +
> +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
> +allow daemon initrc_transition_domain:fd use;
> +
> +domain_dontaudit_use_interactive_fds(daemon)
> +init_rw_script_stream_sockets(daemon)
> +init_rw_stream_sockets(daemon)
> +logging_append_all_inherited_logs(daemon)
> +userdom_dontaudit_rw_stream(daemon)
> +
> +tunable_policy(`init_daemons_use_tty',`
> + term_use_unallocated_ttys(daemon)
> + term_use_generic_ptys(daemon)
> + term_use_all_ttys(daemon)
> + term_use_all_ptys(daemon)
> +',`
> + term_dontaudit_use_unallocated_ttys(daemon)
> + term_dontaudit_use_generic_ptys(daemon)
> + term_dontaudit_use_all_ttys(daemon)
> + term_dontaudit_use_all_ptys(daemon)
> + ')
> +
> +optional_policy(`
> + unconfined_dontaudit_rw_pipes(daemon)
> + unconfined_dontaudit_rw_stream_sockets(daemon)
> +')
> +
> +optional_policy(`
> + userdom_dontaudit_read_user_tmp_files(daemon)
> + userdom_dontaudit_write_user_tmp_files(daemon)
> +')
> +
> +optional_policy(`
> + # sudo service restart causes this
> + unconfined_signull(daemon)
> +')
> +
> +optional_policy(`
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_dontaudit_rw_nfs_files(daemon)
> + ')
> + tunable_policy(`use_samba_home_dirs',`
> + fs_dontaudit_rw_cifs_files(daemon)
> + ')
> +')
> +
> +optional_policy(`
> + abrt_stream_connect(daemon)
> +')
> +
> +optional_policy(`
> + fail2ban_read_lib_files(daemon)
> +')
> +
> +allow init_t var_run_t:dir relabelto;
> +
> +storage_raw_rw_fixed_disk(init_t)
> +
> +optional_policy(`
> + modutils_domtrans_insmod(init_t)
> +')
> +
> +optional_policy(`
> + postfix_list_spool(init_t)
> + mta_read_aliases(init_t)
> +')
> +
> +auth_use_nsswitch(init_t)
> +auth_rw_login_records(init_t)
> +
> +optional_policy(`
> + systemd_passwd_runtime_dirs(init_t)
> +')
> +
> +optional_policy(`
> + lvm_rw_inherited_runtime_pipes(init_t)
> +')
> +
> +# daemons started from init will
> +# inherit fds from init for the console
> +init_dontaudit_use_fds(daemon)
> +term_dontaudit_use_console(daemon)
> +# init script ptys are the stdin/out/err
> +# when using run_init
> +init_use_script_ptys(daemon)
> +
> +allow init_t daemon:process siginh;
> +
> +optional_policy(`
> + nscd_socket_use(daemon)
> +')
> +
> +optional_policy(`
> + puppet_rw_tmp(daemon)
> +')
> +
> +allow initrc_t systemprocess:process siginh;
> +allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
> +allow systemprocess initrc_transition_domain:fd use;
> +
> +dontaudit systemprocess init_t:unix_stream_socket getattr;
> +
> +userdom_dontaudit_search_user_home_dirs(systemprocess)
> +userdom_dontaudit_rw_stream(systemprocess)
> +userdom_dontaudit_write_user_tmp_files(systemprocess)
> +
> +tunable_policy(`init_daemons_use_tty',`
> + term_use_all_ttys(systemprocess)
> + term_use_all_ptys(systemprocess)
> +',`
> + term_dontaudit_use_all_ttys(systemprocess)
> + term_dontaudit_use_all_ptys(systemprocess)
> +')
> +
> +# these apps are often redirect output to random log files
> +logging_append_all_inherited_logs(systemprocess)
> +
> +optional_policy(`
> + abrt_stream_connect(systemprocess)
> +')
> +
> +optional_policy(`
> + cron_rw_pipes(systemprocess)
> +')
> +
> +optional_policy(`
> + puppet_rw_tmp(systemprocess)
> +')
> +
> +optional_policy(`
> + unconfined_dontaudit_rw_pipes(systemprocess)
> + unconfined_dontaudit_rw_stream_sockets(systemprocess)
> + userdom_dontaudit_read_user_tmp_files(systemprocess)
> +')
> +
> +init_rw_script_stream_sockets(systemprocess)
> +
> +role system_r types systemprocess;
> +role system_r types daemon;
> +
> +#ifdef(`enable_mls',`
> +# mls_rangetrans_target(systemprocess)
> +#')
> +
> Index: refpolicy-2.20170221/policy/modules/system/logging.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/logging.fc
> +++ refpolicy-2.20170221/policy/modules/system/logging.fc
> @@ -1,4 +1,5 @@
> /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
> +/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>
> /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> @@ -80,3 +81,10 @@ ifdef(`distro_redhat',`
> /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
>
> /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> +
> +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> +
> +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
> +
> +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
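Review bot: The `/opt/zimbra/log`, `/opt/Symantec/scspagent/IDS/system` and `/usr/local/centreon/log` entries are unrelated to systemd support and should go into their own patch so the systemd change can be reviewed and bisected on its own. The `systemd-kmsg-syslogd` entry may also be stale — I believe that binary was removed from systemd some time ago — so it is worth confirming against the systemd version this patch targets before labelling it syslogd_exec_t.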
> Index: refpolicy-2.20170221/policy/modules/system/miscfiles.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/miscfiles.te
> +++ refpolicy-2.20170221/policy/modules/system/miscfiles.te
> @@ -40,6 +40,9 @@ files_type(locale_t)
> #
> type man_t alias catman_t;
> files_type(man_t)
> +optional_policy(`
> + systemd_tmpfilesd_managed(man_t, dir)
> +')
>
> type man_cache_t;
> files_type(man_cache_t)
> Index: refpolicy-2.20170221/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170221/policy/modules/system/logging.te
> @@ -94,6 +94,9 @@ ifdef(`enable_mls',`
> init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
> ')
>
> +ifdef(`init_systemd', `
> +')
> +
> ########################################
> #
> # Auditctl local policy
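Review bot: The added `ifdef(`init_systemd', `')` block is empty and has no effect. Drop it, or if it is a placeholder for rules still to come, leave a comment inside it naming them so the next reader does not assume the guard was left unfinished by mistake.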
> @@ -396,6 +399,9 @@ allow syslogd_t syslog_conf_t:file read_
> # Create and bind to /dev/log or /var/run/log.
> allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
> files_pid_filetrans(syslogd_t, devlog_t, sock_file)
> +init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
> +
> +seutil_read_config(syslogd_t)
>
> # create/append log files.
> manage_files_pattern(syslogd_t, var_log_t, var_log_t)
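Review bot: `init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")` creates the socket as devlog_t, but the only journal socket this patch labels in logging.fc is `/var/run/systemd/journal/stdout`; unless `dev-log` is covered by a file context elsewhere, a relabel would reset it to the parent directory's type and the filetrans and the fc would disagree. I would add a matching fc line for the `dev-log` socket next to the `stdout` entry, or confirm one already exists. `seutil_read_config(syslogd_t)` is also added without explanation; reading the SELinux configuration is not an obvious syslog need, so a comment such as `# <why journald reads the SELinux config>` with the real reason filled in would help.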
> @@ -405,6 +411,9 @@ files_search_spool(syslogd_t)
> # Allow access for syslog-ng
> allow syslogd_t var_log_t:dir { create setattr };
>
> +# for systemd but can not be conditional
> +files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
> +
> # manage temporary files
> manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
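Review bot: The comment `# for systemd but can not be conditional` does not say what cannot be conditional or why, leaving the reader to guess between tunable_policy and ifdef(`init_systemd'). If the constraint is that filename transitions cannot live inside a boolean on the targeted policy version, say so: `# /run/log is created by journald under systemd; filetrans rules cannot go inside tunable_policy, so this is unconditional`, or move the rule under `ifdef(`init_systemd',`` if a build-time guard is acceptable. Note also that this labels /run/log as syslogd_tmp_t while systemd.fc labels /var/run/log/journal as systemd_journal_t; I cannot see a filetrans from syslogd_tmp_t to systemd_journal_t for `journal` (or an fc entry for /run/log) in the patch, so please confirm the two agree.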
> @@ -416,6 +425,7 @@ files_search_var_lib(syslogd_t)
> # manage pid file
> manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
> +allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
>
> kernel_read_system_state(syslogd_t)
> kernel_read_network_state(syslogd_t)
> @@ -503,19 +513,31 @@ userdom_dontaudit_use_unpriv_user_fds(sy
> userdom_dontaudit_search_user_home_dirs(syslogd_t)
>
> ifdef(`init_systemd',`
> - # systemd-journald permissions
> -
> - allow syslogd_t self:capability { chown setgid setuid };
> + # for systemd-journal
> + allow syslogd_t self:netlink_audit_socket connected_socket_perms;
> + allow syslogd_t self:capability2 audit_read;
> + allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
> allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
> + allow syslogd_t init_var_run_t:file { read write create open };
> + allow syslogd_t var_run_t:dir create;
>
> - kernel_use_fds(syslogd_t)
> kernel_getattr_dgram_sockets(syslogd_t)
> - kernel_rw_unix_dgram_sockets(syslogd_t)
> + kernel_read_ring_buffer(syslogd_t)
> kernel_rw_stream_sockets(syslogd_t)
> + kernel_rw_unix_dgram_sockets(syslogd_t)
> + kernel_use_fds(syslogd_t)
>
> + dev_read_kmsg(syslogd_t)
> + dev_read_urand(syslogd_t)
> + dev_write_kmsg(syslogd_t)
> + domain_read_all_domains_state(syslogd_t)
> + init_create_pid_dirs(syslogd_t)
> init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
> + init_delete_pid_files(syslogd_t)
> init_dgram_send(syslogd_t)
> -
> + init_read_pid_pipes(syslogd_t)
> + init_read_state(syslogd_t)
> + systemd_manage_journal_files(syslogd_t)
> udev_read_pid_files(syslogd_t)
> ')
>
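Review bot: `allow syslogd_t self:netlink_audit_socket connected_socket_perms;` and the kept `allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };` overlap; merge them into a single rule so the effective permission set is readable. Adding `sys_ptrace` to syslogd_t's capabilities together with domain_read_all_domains_state lets the journal read every process's state — presumably for the per-message metadata journald records — and that deserves a comment, since sys_ptrace is among the first capabilities a reviewer looks for. `allow syslogd_t init_var_run_t:file { read write create open };` and `allow syslogd_t var_run_t:dir create;` name other modules' types directly rather than going through init.if/files.if interfaces like the init_* calls just below them; whether init_var_run_t is the intended label for what journald creates under /run/systemd is not visible here and is worth a comment too.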
> Index: refpolicy-2.20170221/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170221/policy/modules/kernel/devices.if
> @@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
>
> ########################################
> ## <summary>
> +## Allow full relabeling (to and from) of all device files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`dev_relabel_all_dev_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + relabel_files_pattern($1, device_t, device_t)
> +')
> +
> +########################################
> +## <summary>
> ## List all of the device nodes in a device directory.
> ## </summary>
> ## <param name="domain">
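Review bot: The summary `Allow full relabeling (to and from) of all device files.` overstates what dev_relabel_all_dev_files grants: `relabel_files_pattern($1, device_t, device_t)` covers `file` class objects labelled device_t (plus search on device_t directories), not device nodes of every device type — that is what the neighbouring dev_relabel_all_dev_nodes does. Suggest `## Relabel regular files labelled device_t under /dev (to and from).` so callers do not pick this interface expecting chr_file/blk_file coverage.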
> @@ -4225,6 +4244,24 @@ interface(`dev_relabel_all_sysfs',`
> ')
>
> ########################################
> +## <summary>
> +## Relabel hardware state directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_relabel_sysfs_dirs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + relabel_dirs_pattern($1, sysfs_t, sysfs_t)
> +')
> +
> +########################################
> ## <summary>
> ## Read and write the TPM device.
> ## </summary>
> Index: refpolicy-2.20170221/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170221/policy/modules/system/logging.if
> @@ -822,6 +822,24 @@ interface(`logging_append_all_logs',`
>
> ########################################
> ## <summary>
> +## Append to all log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_append_all_inherited_logs',`
> + gen_require(`
> + attribute logfile;
> + ')
> +
> + allow $1 logfile:file { getattr append ioctl lock };
> +')
> +
> +########################################
> +## <summary>
> ## Read all log files.
> ## </summary>
> ## <param name="domain">
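Review bot: logging_append_all_inherited_logs carries the same summary as the logging_append_all_logs interface directly above it (`Append to all log files.`), so the two read as duplicates in the generated documentation. Since the body grants only `{ getattr append ioctl lock }` on logfile:file with no directory search, the summary should say that: `## Append to all log files through an already-open (inherited) file descriptor.`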
> Index: refpolicy-2.20170221/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170221/policy/modules/system/userdomain.if
> @@ -1111,6 +1111,10 @@ template(`userdom_unpriv_user_template',
> optional_policy(`
> setroubleshoot_stream_connect($1_t)
> ')
> +
> + optional_policy(`
> + systemd_dbus_chat_logind($1_t)
> + ')
> ')
>
> #######################################
> @@ -3231,6 +3235,35 @@ interface(`userdom_use_user_ptys',`
>
> ########################################
> ## <summary>
> +## Read and write a inherited user TTYs and PTYs.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read and write inherited user
> +## TTYs and PTYs. This will allow the domain to
> +## interact with the user via the terminal. Typically
> +## all interactive applications will require this
> +## access.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`userdom_use_inherited_user_terminals',`
> + gen_require(`
> + type user_tty_device_t, user_devpts_t;
> + ')
> +
> + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
> + allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read and write a user TTYs and PTYs.
> ## </summary>
> ## <desc>
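Review bot: The summary `Read and write a inherited user TTYs and PTYs.` has a grammar slip; `## Read and write inherited user TTYs and PTYs.` reads correctly. The desc paragraph saying the domain can `interact with the user via the terminal` and that `all interactive applications will require this access` looks copied from the non-inherited interface below and does not fit rw_inherited_term_perms, which to my knowledge omits open; I would shorten it to `Allow the domain to read and write user TTYs and PTYs it inherited as open file descriptors; it cannot open them itself.`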
> @@ -3835,3 +3868,41 @@ interface(`userdom_dbus_send_all_users',
>
> allow $1 userdomain:dbus send_msg;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to write users
> +## temporary files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_dontaudit_write_user_tmp_files',`
> + gen_require(`
> + type user_tmp_t;
> + ')
> +
> + dontaudit $1 user_tmp_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and write
> +## unserdomain stream.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_dontaudit_rw_stream',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
> +')
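Review bot: The summary of userdom_dontaudit_rw_stream has a typo, `unserdomain stream`; `## Do not audit attempts to read and write userdomain unix stream sockets.` fixes it and names the object class. The interface name also breaks with the convention this same patch uses for unconfined_dontaudit_rw_stream_sockets; `userdom_dontaudit_rw_stream_sockets` would match, with the two callers in init.te (daemon and systemprocess) updated accordingly.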
> Index: refpolicy-2.20170221/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20170221/policy/modules/system/authlogin.if
> @@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',`
> seutil_read_config($1)
> seutil_read_default_contexts($1)
>
> + userdom_search_user_runtime($1)
> + userdom_read_user_tmpfs_files($1)
> +
> tunable_policy(`allow_polyinstantiation',`
> files_polyinstantiate_all($1)
> ')
> +
> + optional_policy(`
> + systemd_read_logind_state($1)
> + systemd_write_inherited_logind_sessions_pipes($1)
> + systemd_use_passwd_agent_fds($1)
> + ')
> ')
>
> ########################################
> Index: refpolicy-2.20170221/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/kernel/terminal.if
> +++ refpolicy-2.20170221/policy/modules/kernel/terminal.if
> @@ -500,6 +500,24 @@ interface(`term_list_ptys',`
>
> ########################################
> ## <summary>
> +## Relabel the /dev/pts directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`term_relabel_ptys_dirs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir relabel_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to read the
> ## /dev/pts directory.
> ## </summary>
> Index: refpolicy-2.20170221/policy/modules/system/lvm.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/lvm.if
> +++ refpolicy-2.20170221/policy/modules/system/lvm.if
> @@ -187,3 +187,21 @@ interface(`lvm_admin',`
> files_search_tmp($1)
> admin_pattern($1, lvm_tmp_t)
> ')
> +
> +########################################
> +## <summary>
> +## Read and write a lvm unnamed pipe.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lvm_rw_inherited_runtime_pipes',`
> + gen_require(`
> + type lvm_var_run_t;
> + ')
> +
> + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
> +')
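Review bot: The summary `Read and write a lvm unnamed pipe.` does not match the rule: `allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;` is a named pipe (fifo_file) in lvm's runtime directory, whereas an unnamed pipe inherited from an lvm process would carry the process type. Suggest `## Read and write inherited lvm runtime named pipes.`, which also lines up with the interface name lvm_rw_inherited_runtime_pipes.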
> Index: refpolicy-2.20170221/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170221/policy/modules/kernel/files.if
> @@ -6529,6 +6529,25 @@ interface(`files_dontaudit_ioctl_all_pid
>
> ########################################
> ## <summary>
> +## manage all pidfile directories
> +## in the /var/run directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_manage_all_pid_dirs',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + manage_dirs_pattern($1,pidfile,pidfile)
> +')
> +
> +########################################
> +## <summary>
> ## Read all process ID files.
> ## </summary>
> ## <param name="domain">
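Review bot: `manage_dirs_pattern($1,pidfile,pidfile)` omits the spaces after commas that every other pattern call in this patch uses (for example `relabel_files_pattern($1, pidfile, pidfile)` in the next hunk); write `manage_dirs_pattern($1, pidfile, pidfile)`. The summary should also start with a capital like its neighbours: `## Manage all pid file directories in /var/run.`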
> @@ -6551,6 +6570,42 @@ interface(`files_read_all_pids',`
>
> ########################################
> ## <summary>
> +## Execute generic programs in /var/run in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_generic_pid_files',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + exec_files_pattern($1, var_run_t, var_run_t)
> +')
> +
> +########################################
> +## <summary>
> +## Relable all pid files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_relabel_all_pid_files',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + relabel_files_pattern($1, pidfile, pidfile)
> +')
> +
> +########################################
> +## <summary>
> ## Delete all process IDs.
> ## </summary>
> ## <param name="domain">
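Review bot: `## Relable all pid files` is misspelled; `## Relabel all pid files.` files_exec_generic_pid_files lets a domain execute files under /var/run, which is unusual enough that the interface summary should say which caller needs it (none is visible in this part of the patch), and the caller should carry a comment justifying it, since executables in a runtime directory sit outside the normal exec_t labelling scheme.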
> @@ -6898,3 +6953,76 @@ interface(`files_unconfined',`
>
> typeattribute $1 files_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Create all pid sockets
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_all_pid_sockets',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + allow $1 pidfile:sock_file create_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create all pid named pipes
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_all_pid_pipes',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + allow $1 pidfile:fifo_file create_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create all spool sockets
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_all_spool_sockets',`
> + gen_require(`
> + attribute spoolfile;
> + ')
> +
> + allow $1 spoolfile:sock_file create_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Delete all spool sockets
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_all_spool_sockets',`
> + gen_require(`
> + attribute spoolfile;
> + ')
> +
> + allow $1 spoolfile:sock_file delete_sock_file_perms;
> +')
> +
> Index: refpolicy-2.20170221/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170221/policy/modules/system/systemd.if
> @@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
> ')
>
> files_search_pids($1)
> - read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
> + allow $1 systemd_logind_var_run_t:dir list_dir_perms;
> + allow $1 systemd_logind_var_run_t:file read_file_perms;
> ')
>
> ######################################
> @@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
> allow $1 systemd_logind_t:fd use;
> ')
>
> +######################################
> +## <summary>
> +## Write inherited logind sessions pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_write_inherited_logind_sessions_pipes',`
> + gen_require(`
> + type systemd_logind_t, systemd_sessions_var_run_t;
> + ')
> +
> + allow $1 systemd_logind_t:fd use;
> + allow $1 systemd_sessions_var_run_t:fifo_file write;
> + allow systemd_logind_t $1:process signal;
> +')
> +
> ########################################
> ## <summary>
> ## Send and receive messages from
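Review bot: systemd_write_inherited_logind_sessions_pipes also grants `allow systemd_logind_t $1:process signal;`, i.e. it gives logind the right to signal the caller, but neither the summary nor the param description mentions that reverse rule. Add it to the summary, e.g. `## Write inherited logind session pipes, and allow logind to signal the domain.`, or split the signal rule into its own interface so callers know what they are accepting.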
> @@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
> write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
> ')
>
> +#######################################
> +## <summary>
> +## Allow systemd_tmpfiles_t to manage filesystem objects
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## type of object to manage
> +## </summary>
> +## </param>
> +## <param name="class">
> +## <summary>
> +## object class to manage
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_tmpfilesd_managed',`
> + gen_require(`
> + type systemd_tmpfiles_t;
> + ')
> +
> + allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> +')
> +
> ########################################
> ## <summary>
> ## Allow process to relabel to systemd_kmod_conf_t.
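Review bot: systemd_tmpfilesd_managed grants `relabelfrom relabelto` on the caller-supplied class along with create and setattr, which is more than "manage" suggests, and as used from miscfiles.te in this patch it lets systemd_tmpfiles_t relabel those objects unconditionally, independent of the systemd_tmpfiles_manage_all tunable declared in systemd.te. The summary should spell that out: `## Allow systemd_tmpfiles_t to create, setattr and relabel objects of the given type and class.` The name says `tmpfilesd` while the domain is systemd_tmpfiles_t; matching the two would make the interface easier to find.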
> @@ -136,6 +180,82 @@ interface(`systemd_relabelto_kmod_files'
> ')
>
> ########################################
> +## <summary>
> +## allow systemd_passwd_agent to inherit fds
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that owns the fds
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_use_passwd_agent_fds',`
> + gen_require(`
> + type systemd_passwd_agent_t;
> + ')
> +
> + allow systemd_passwd_agent_t $1:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Transition to systemd_passwd_var_run_t when creating dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_passwd_runtime_dirs',`
> + gen_require(`
> + type systemd_passwd_var_run_t;
> + ')
> +
> + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
> + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
> +')
> +
> +########################################
> +## <summary>
> +## manage systemd unit dirs and the files in them
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_manage_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + ')
> +
> + manage_dirs_pattern($1, systemdunit, systemdunit)
> + manage_files_pattern($1, systemdunit, systemdunit)
> + manage_lnk_files_pattern($1, systemdunit, systemdunit)
> +')
> +
> +########################################
> +## <summary>
> +## Allow domain to create/manage systemd_journal_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_manage_journal_files',`
> + gen_require(`
> + type systemd_logind_t;
> + ')
> +
> + manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> + manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
> +')
> +
> +########################################
> ## <summary>
> ## Allow systemd_logind_t to read process state for cgroup file
> ## </summary>
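Review bot: systemd_manage_journal_files requires the wrong type: its gen_require lists `type systemd_logind_t;` while the body only uses systemd_journal_t, so the interface pulls in a type it never touches and would fail in a modular build where systemd_journal_t is not otherwise visible. Change the block to `type systemd_journal_t;`.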
> Index: refpolicy-2.20170221/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170221/policy/modules/system/systemd.te
> @@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
> ## </desc>
> gen_tunable(systemd_tmpfiles_manage_all, false)
>
> +## <desc>
> +## <p>
> +## Allow systemd-nspawn to create a labelled namespace with the same types
> +## as parent environment
> +## </p>
> +## </desc>
> +gen_tunable(systemd_nspawn_labeled_namespace, false)
> +
> attribute systemd_log_parse_env_type;
>
> type systemd_activate_t;
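Review bot: The new tunable `systemd_nspawn_labeled_namespace` is declared but no `tunable_policy(`systemd_nspawn_labeled_namespace',` block appears anywhere in this patch, so as far as I can see it has no effect, while the nspawn hunk later in the file grants kernel_unconfined(systemd_nspawn_t) unconditionally. If the rules it is meant to gate are still to come, say so in the desc; otherwise drop the declaration until it is used.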
> @@ -45,6 +53,13 @@ domain_type(systemd_cgroups_t)
> domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
> role system_r types systemd_cgroups_t;
>
> +type systemd_notify_t;
> +type systemd_notify_exec_t;
> +init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
> +
> +type systemd_journal_t;
> +files_type(systemd_journal_t)
> +
> type systemd_cgroups_var_run_t;
> files_pid_file(systemd_cgroups_var_run_t)
> init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
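Review bot: `init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)` treats systemd-notify as a daemon started by init, but it is a short-lived helper that services run to send readiness and status messages, and the other helpers nearby in this file (systemd_coredump_t, systemd_passwd_agent_t) use init_system_domain. I may be missing a deliberate choice, so either a comment explaining the daemon domain or a switch to init_system_domain plus the domain transitions the callers need would help. `systemd_journal_t` is declared here with files_type and later receives logging_log_file in the tmpfiles hunk; keeping both is redundant, and the logging one belongs with the declaration.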
> @@ -57,6 +72,9 @@ type systemd_coredump_t;
> type systemd_coredump_exec_t;
> init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
>
> +type systemd_coredump_var_lib_t;
> +files_type(systemd_coredump_var_lib_t)
> +
> type systemd_detect_virt_t;
> type systemd_detect_virt_exec_t;
> init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
> @@ -85,9 +103,18 @@ type systemd_machined_t;
> type systemd_machined_exec_t;
> init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
>
> +type systemd_machined_var_run_t;
> +files_pid_file(systemd_machined_var_run_t)
> +init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
> +
> type systemd_nspawn_t;
> type systemd_nspawn_exec_t;
> init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
> +kernel_unconfined(systemd_nspawn_t)
> +
> +type systemd_nspawn_var_run_t;
> +files_pid_file(systemd_nspawn_var_run_t)
> +init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>
> type systemd_resolved_t;
> type systemd_resolved_exec_t;
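Review bot: `kernel_unconfined(systemd_nspawn_t)` is added unconditionally, giving the nspawn domain unrestricted access to kernel objects; since the same patch declares a `systemd_nspawn_labeled_namespace` tunable, I would expect this inside a tunable_policy for it, or at least a comment naming the operation that needs unconfined kernel access. `init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)` has no filename, so every directory nspawn creates under init's runtime dir becomes systemd_nspawn_var_run_t while the fc only claims /run/systemd/nspawn; `init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir, "nspawn")` matches the fc entry.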
> @@ -108,6 +135,9 @@ type systemd_passwd_agent_t;
> type systemd_passwd_agent_exec_t;
> init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
>
> +type systemd_passwd_var_run_t;
> +files_pid_file(systemd_passwd_var_run_t)
> +
> type systemd_sessions_t;
> type systemd_sessions_exec_t;
> init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
> @@ -122,6 +152,12 @@ type systemd_kmod_conf_t;
> files_config_file(systemd_kmod_conf_t)
> init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
>
> +manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> +manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> +allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
> +allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
> +logging_log_file(systemd_journal_t)
> +
> #
> # Unit file types
> #
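Review bot: The two raw relabel rules can use the existing patterns — `relabel_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)` and `relabel_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)` — to match the manage_*_pattern lines above them. `logging_log_file(systemd_journal_t)` belongs with the type declaration earlier in the file, next to the `files_type(systemd_journal_t)` it likely makes redundant, rather than in the tmpfiles section. These grants are also unconditional while the file declares systemd_tmpfiles_manage_all; if journal handling is meant to work with that tunable off, a one-line comment saying so would stop someone wrapping it later.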
> @@ -140,29 +176,28 @@ dontaudit systemd_log_parse_env_type sel
> kernel_read_system_state(systemd_log_parse_env_type)
>
> dev_write_kmsg(systemd_log_parse_env_type)
> -
> -term_use_console(systemd_log_parse_env_type)
> -
> init_read_state(systemd_log_parse_env_type)
> -
> logging_send_syslog_msg(systemd_log_parse_env_type)
> +term_use_console(systemd_log_parse_env_type)
>
> ######################################
> #
> # Backlight local policy
> #
>
> +allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
> +
> allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
> -init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
> manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
> -
> systemd_log_parse_environment(systemd_backlight_t)
>
> # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
> dev_rw_sysfs(systemd_backlight_t)
> -
> +# for udev.conf
> files_read_etc_files(systemd_backlight_t)
>
> +init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
> +# for /run/udev/data/+backlight*
> udev_read_pid_files(systemd_backlight_t)
>
> #######################################
> @@ -308,7 +343,6 @@ init_pid_filetrans(systemd_resolved_t, s
>
> kernel_read_crypto_sysctls(systemd_resolved_t)
> kernel_read_kernel_sysctls(systemd_resolved_t)
> -kernel_read_system_state(systemd_resolved_t)
>
> corenet_tcp_bind_generic_node(systemd_resolved_t)
> corenet_tcp_bind_llmnr_port(systemd_resolved_t)
> Index: refpolicy-2.20170221/policy/modules/system/systemd.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/systemd.fc
> +++ refpolicy-2.20170221/policy/modules/system/systemd.fc
> @@ -7,6 +7,7 @@
> /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
> /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
> /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> +/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>
> /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
> /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
> @@ -32,15 +33,21 @@
> /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
>
> /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
> +/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
> /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
>
> /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
>
> /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
> -/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> -/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> +/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> +/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
> /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> +/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
> +/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
> /run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
> +
> +/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
> +/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
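Review bot: Relabelling /run/systemd/seats and /run/systemd/sessions from systemd_logind_var_run_t to systemd_sessions_var_run_t changes which type logind must manage, and I cannot see a rule in this patch giving systemd_logind_t manage access on systemd_sessions_var_run_t (systemd_write_inherited_logind_sessions_pipes only covers callers writing fifo_files there), so please confirm logind keeps that access. The new journal entry uses `/var/run/log/journal` while every other runtime path in this file uses `/run/`; unless this tree relies on a subs_dist mapping, `/run/log/journal(/.*)?` is the consistent form.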
> Index: refpolicy-2.20170221/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170221/policy/modules/system/unconfined.if
> @@ -587,3 +587,22 @@ interface(`unconfined_dbus_connect',`
>
> allow $1 unconfined_t:dbus acquire_svc;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and write
> +## unconfined domain stream.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`unconfined_dontaudit_rw_stream_sockets',`
> + gen_require(`
> + type unconfined_t;
> + ')
> +
> + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
> +')
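Review bot: The summary on `unconfined_dontaudit_rw_stream_sockets` is narrower than the rule it documents: it says "read and write", but the body uses `rw_socket_perms`, which in refpolicy's permission sets covers more than `{ read write }` (getattr/setattr and the socket-option permissions as well, assuming the macro is unchanged), and "unconfined domain stream" reads like a truncated "stream sockets". Suggest `## Do not audit attempts to read and write unconfined domain unix stream sockets.`, and if only read/write is actually being silenced, `dontaudit $1 unconfined_t:unix_stream_socket { read write };`. Because a dontaudit removes the denial from the audit log, the narrower permission set keeps any unexpected attribute or option access on the unconfined socket visible.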
> Index: refpolicy-2.20170221/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170221/policy/modules/contrib/cron.if
> @@ -891,3 +891,22 @@ interface(`cron_admin',`
> files_search_spool($1)
> admin_pattern($1, cron_spool_type)
> ')
> +
> +########################################
> +## <summary>
> +## Search the directory containing user cron tables.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cron_manage_system_spool',`
> + gen_require(`
> + type cron_system_spool_t;
> + ')
> +
> + files_search_spool($1)
> + manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
> +')
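Review bot: The summary on `cron_manage_system_spool` describes a different interface — "Search the directory containing user cron tables." — while the body grants `manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)`, so the generated interface documentation would misstate what is being allowed. The summary should read `## Create, read, write, and delete files in the system cron spool.`. It may also be worth noting in the summary that only file permissions (plus search on the spool directory via `files_search_spool`) are granted; management of `cron_system_spool_t` directories is not, which is fine if that is the intent.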


--
Chris PeBenito

2017-02-24 16:46:24

by Jason Zaman

Subject: [refpolicy] [PATCH] first systemd patch - NOW hopefully good enough

On Tue, Feb 21, 2017 at 07:30:26PM +1100, Russell Coker via refpolicy wrote:
> On Tue, 21 Feb 2017 06:17:58 PM Russell Coker via refpolicy wrote:
> > I've done all the things pebenito asked, hopefully this is good enough now.

Hey Russell,

A gentoo user just replied to the bug about systemd support.
https://bugs.gentoo.org/528674#c13

I pointed him to this mailing list since it probably makes more sense if
you both combine your stuff together.

his patches are here: https://github.com/KrissN/hardened-refpolicy

-- Jason

2017-02-25 02:58:56

by Russell Coker

Subject: [refpolicy] [PATCH] first systemd patch - NOW hopefully good enough

On Sat, 25 Feb 2017 03:46:24 AM Jason Zaman via refpolicy wrote:
> On Tue, Feb 21, 2017 at 07:30:26PM +1100, Russell Coker via refpolicy wrote:
> > On Tue, 21 Feb 2017 06:17:58 PM Russell Coker via refpolicy wrote:
> > > I've done all the things pebenito asked, hopefully this is good enough
> > > now.
>
> Hey Russell,
>
> A gentoo user just replied to the bug about systemd support.
> https://bugs.gentoo.org/528674#c13
>
> I pointed him to this mailing list since it probably makes more sense if
> you both combine your stuff together.
>
> his patches are here: https://github.com/KrissN/hardened-refpolicy

The upstream refpolicy will work with systemd very soon. So there shouldn't
be any need for changes other than possibly some Gentoo-specific things.

Probably the best thing to do would be to wait until more of my patches are
accepted upstream.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/