The following patch reorders systemd.te to have all the module policy sections
in alphabetical order and to add policy for coredump, hostnamed, machined,
notify, and passwd_agent. It also adds some interfaces needed by the added
policy.
Index: refpolicy-2.20170224/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170224/policy/modules/system/systemd.te
@@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
######################################
#
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
-######################################
-#
# Backlight local policy
#
@@ -226,6 +208,55 @@ init_stream_connect(systemd_cgroups_t)
systemd_log_parse_environment(systemd_cgroups_t)
+######################################
+#
+# coredump local policy
+#
+
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
+
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
+
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+dev_write_kmsg(systemd_coredump_t)
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+fs_getattr_xattr_fs(systemd_coredump_t)
+logging_send_syslog_msg(systemd_coredump_t)
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pid_dirs(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+selinux_getattr_fs(systemd_coredump_t)
+seutil_search_default_contexts(systemd_coredump_t)
+
+
+#######################################
+#
+# Hostnamed policy
+#
+
+kernel_read_kernel_sysctls(systemd_hostnamed_t)
+
+files_read_etc_files(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+systemd_log_parse_environment(systemd_hostnamed_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
#######################################
#
# locale local policy
@@ -244,23 +275,23 @@ optional_policy(`
dbus_system_bus_client(systemd_locale_t)
')
-#######################################
+######################################
#
-# Hostnamed policy
+# systemd log parse enviroment
#
-kernel_read_kernel_sysctls(systemd_hostnamed_t)
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
-files_read_etc_files(systemd_hostnamed_t)
+kernel_read_system_state(systemd_log_parse_env_type)
-seutil_read_file_contexts(systemd_hostnamed_t)
+dev_write_kmsg(systemd_log_parse_env_type)
-systemd_log_parse_environment(systemd_hostnamed_t)
+term_use_console(systemd_log_parse_env_type)
-optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
- dbus_connect_system_bus(systemd_hostnamed_t)
-')
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
#########################################
#
@@ -325,6 +356,66 @@ optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
')
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+logging_send_syslog_msg(systemd_machined_t)
+
+read_initrc_files(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+seutil_search_default_contexts(systemd_machined_t)
+start_stop_init_var_run_service(systemd_machined_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_machined_t)
+ dbus_system_bus_client(systemd_machined_t)
+')
+
+optional_policy(`
+ init_dbus_chat(systemd_machined_t)
+ init_dbus_send_script(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+auth_use_nsswitch(systemd_notify_t)
+domain_use_interactive_fds(systemd_notify_t)
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+fs_getattr_cgroup_files(systemd_notify_t)
+init_rw_stream_sockets(systemd_notify_t)
+miscfiles_read_localization(systemd_notify_t)
+
########################################
#
# Nspawn local policy
@@ -332,6 +423,57 @@ optional_policy(`
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+files_read_etc_files(systemd_passwd_agent_t)
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+logging_send_syslog_msg(systemd_passwd_agent_t)
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ getty_use_fds(systemd_passwd_agent_t)
+')
#########################################
#
Index: refpolicy-2.20170224/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/init.if
+++ refpolicy-2.20170224/policy/modules/system/init.if
@@ -593,6 +593,25 @@ interface(`init_daemon_run_dir',`
########################################
## <summary>
+## Read initrc_t files for /proc/pid/cgroup etc
+## </summary>
+## <param name="domain">
+## <summary>
+## domain
+## </summary>
+## </param>
+#
+interface(`read_initrc_files',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:dir search;
+ allow $1 initrc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
@@ -733,6 +752,26 @@ interface(`init_stream_connect',`
allow $1 init_t:unix_stream_socket getattr;
')
+#######################################
+## <summary>
+## Start and stop a service file under /run/systemd/system
+## Should we have a different type for this?
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`start_stop_init_var_run_service',`
+ gen_require(`
+ type init_var_run_t;
+ class service { start status stop };
+ ')
+
+ allow $1 init_var_run_t:service { start status stop };
+')
+
########################################
## <summary>
## Inherit and use file descriptors from init.
@@ -1101,6 +1140,24 @@ interface(`init_manage_var_lib_files',`
')
########################################
+## <summary>
+## list /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
+########################################
## <summary>
## Create files in /var/lib/systemd
## with an automatic type transition.
Index: refpolicy-2.20170224/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170224/policy/modules/kernel/filesystem.if
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
########################################
## <summary>
+## Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Read cgroup files.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170224/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170224/policy/modules/kernel/devices.if
@@ -481,6 +481,24 @@ interface(`dev_getattr_generic_blk_files
########################################
## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Dontaudit getattr on generic block devices.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170224/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/lvm.if
+++ refpolicy-2.20170224/policy/modules/system/lvm.if
@@ -205,3 +205,21 @@ interface(`lvm_admin',`
files_search_tmp($1)
admin_pattern($1, lvm_tmp_t)
')
+
+########################################
+## <summary>
+## Send lvm a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')
On 02/24/17 05:45, Russell Coker via refpolicy wrote:
> The following patch reorders systemd.te to have all the module policy sections
> in alphabetical order and to add policy for coredump, hostnamed, machined,
> notify, and passwd_agent. It also adds some interfaces needed by the added
> policy.
I merged this, though moved some stuff and renamed an interface. I
dropped one piece, the one with init_var_run_t service status. I
believe these are transient units, and I think they should probably have
a new type (you asked the question in a comment in the patch)
> Index: refpolicy-2.20170224/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170224/policy/modules/system/systemd.te
> @@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
>
> ######################################
> #
> -# systemd log parse enviroment
> -#
> -
> -# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> -dontaudit systemd_log_parse_env_type self:capability net_admin;
> -
> -kernel_read_system_state(systemd_log_parse_env_type)
> -
> -dev_write_kmsg(systemd_log_parse_env_type)
> -
> -term_use_console(systemd_log_parse_env_type)
> -
> -init_read_state(systemd_log_parse_env_type)
> -
> -logging_send_syslog_msg(systemd_log_parse_env_type)
> -
> -######################################
> -#
> # Backlight local policy
> #
>
> @@ -226,6 +208,55 @@ init_stream_connect(systemd_cgroups_t)
>
> systemd_log_parse_environment(systemd_cgroups_t)
>
> +######################################
> +#
> +# coredump local policy
> +#
> +
> +allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> +allow systemd_coredump_t self:capability { setgid setuid setpcap };
> +allow systemd_coredump_t self:process { getcap setcap setfscreate };
> +
> +manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
> +
> +kernel_read_kernel_sysctls(systemd_coredump_t)
> +kernel_read_system_state(systemd_coredump_t)
> +kernel_rw_pipes(systemd_coredump_t)
> +kernel_use_fds(systemd_coredump_t)
> +
> +corecmd_exec_bin(systemd_coredump_t)
> +corecmd_read_all_executables(systemd_coredump_t)
> +dev_write_kmsg(systemd_coredump_t)
> +files_read_etc_files(systemd_coredump_t)
> +files_search_var_lib(systemd_coredump_t)
> +fs_getattr_xattr_fs(systemd_coredump_t)
> +logging_send_syslog_msg(systemd_coredump_t)
> +init_list_var_lib_dirs(systemd_coredump_t)
> +init_read_state(systemd_coredump_t)
> +init_search_pid_dirs(systemd_coredump_t)
> +init_write_pid_socket(systemd_coredump_t)
> +selinux_getattr_fs(systemd_coredump_t)
> +seutil_search_default_contexts(systemd_coredump_t)
> +
> +
> +#######################################
> +#
> +# Hostnamed policy
> +#
> +
> +kernel_read_kernel_sysctls(systemd_hostnamed_t)
> +
> +files_read_etc_files(systemd_hostnamed_t)
> +
> +seutil_read_file_contexts(systemd_hostnamed_t)
> +
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_hostnamed_t)
> + dbus_connect_system_bus(systemd_hostnamed_t)
> +')
> +
> #######################################
> #
> # locale local policy
> @@ -244,23 +275,23 @@ optional_policy(`
> dbus_system_bus_client(systemd_locale_t)
> ')
>
> -#######################################
> +######################################
> #
> -# Hostnamed policy
> +# systemd log parse enviroment
> #
>
> -kernel_read_kernel_sysctls(systemd_hostnamed_t)
> +# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
>
> -files_read_etc_files(systemd_hostnamed_t)
> +kernel_read_system_state(systemd_log_parse_env_type)
>
> -seutil_read_file_contexts(systemd_hostnamed_t)
> +dev_write_kmsg(systemd_log_parse_env_type)
>
> -systemd_log_parse_environment(systemd_hostnamed_t)
> +term_use_console(systemd_log_parse_env_type)
>
> -optional_policy(`
> - dbus_system_bus_client(systemd_hostnamed_t)
> - dbus_connect_system_bus(systemd_hostnamed_t)
> -')
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
>
> #########################################
> #
> @@ -325,6 +356,66 @@ optional_policy(`
> dbus_connect_system_bus(systemd_logind_t)
> ')
>
> +#########################################
> +#
> +# machined local policy
> +#
> +
> +allow systemd_machined_t self:capability sys_ptrace;
> +allow systemd_machined_t self:process setfscreate;
> +allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
> +
> +manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
> +allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
> +
> +kernel_read_kernel_sysctls(systemd_machined_t)
> +kernel_read_system_state(systemd_machined_t)
> +
> +files_read_etc_files(systemd_machined_t)
> +fs_getattr_cgroup(systemd_machined_t)
> +fs_getattr_tmpfs(systemd_machined_t)
> +init_get_system_status(systemd_machined_t)
> +init_read_state(systemd_machined_t)
> +init_service_start(systemd_machined_t)
> +init_service_status(systemd_machined_t)
> +init_start_system(systemd_machined_t)
> +init_stop_system(systemd_machined_t)
> +logging_send_syslog_msg(systemd_machined_t)
> +
> +read_initrc_files(systemd_machined_t)
> +
> +selinux_getattr_fs(systemd_machined_t)
> +seutil_search_default_contexts(systemd_machined_t)
> +start_stop_init_var_run_service(systemd_machined_t)
> +
> +optional_policy(`
> + dbus_connect_system_bus(systemd_machined_t)
> + dbus_system_bus_client(systemd_machined_t)
> +')
> +
> +optional_policy(`
> + init_dbus_chat(systemd_machined_t)
> + init_dbus_send_script(systemd_machined_t)
> +')
> +
> +########################################
> +#
> +# systemd_notify local policy
> +#
> +allow systemd_notify_t self:capability chown;
> +allow systemd_notify_t self:process { fork setfscreate setsockcreate };
> +
> +allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
> +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
> +
> +auth_use_nsswitch(systemd_notify_t)
> +domain_use_interactive_fds(systemd_notify_t)
> +files_read_etc_files(systemd_notify_t)
> +files_read_usr_files(systemd_notify_t)
> +fs_getattr_cgroup_files(systemd_notify_t)
> +init_rw_stream_sockets(systemd_notify_t)
> +miscfiles_read_localization(systemd_notify_t)
> +
> ########################################
> #
> # Nspawn local policy
> @@ -332,6 +423,57 @@ optional_policy(`
>
> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>
> +#######################################
> +#
> +# systemd_passwd_agent_t local policy
> +#
> +
> +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
> +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
> +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
> +
> +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +
> +kernel_read_system_state(systemd_passwd_agent_t)
> +kernel_stream_connect(systemd_passwd_agent_t)
> +
> +auth_use_nsswitch(systemd_passwd_agent_t)
> +dev_create_generic_dirs(systemd_passwd_agent_t)
> +dev_read_generic_files(systemd_passwd_agent_t)
> +dev_write_generic_sock_files(systemd_passwd_agent_t)
> +dev_write_kmsg(systemd_passwd_agent_t)
> +files_read_etc_files(systemd_passwd_agent_t)
> +fs_getattr_xattr_fs(systemd_passwd_agent_t)
> +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
> +init_create_pid_dirs(systemd_passwd_agent_t)
> +init_read_pid_pipes(systemd_passwd_agent_t)
> +init_read_state(systemd_passwd_agent_t)
> +init_read_utmp(systemd_passwd_agent_t)
> +init_stream_connect(systemd_passwd_agent_t)
> +logging_send_syslog_msg(systemd_passwd_agent_t)
> +miscfiles_read_localization(systemd_passwd_agent_t)
> +
> +selinux_get_enforce_mode(systemd_passwd_agent_t)
> +selinux_getattr_fs(systemd_passwd_agent_t)
> +seutil_search_default_contexts(systemd_passwd_agent_t)
> +
> +term_read_console(systemd_passwd_agent_t)
> +userdom_use_user_ptys(systemd_passwd_agent_t)
> +
> +optional_policy(`
> + lvm_signull(systemd_passwd_agent_t)
> +')
> +
> +optional_policy(`
> + plymouthd_stream_connect(systemd_passwd_agent_t)
> +')
> +
> +optional_policy(`
> + getty_use_fds(systemd_passwd_agent_t)
> +')
>
> #########################################
> #
> Index: refpolicy-2.20170224/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170224/policy/modules/system/init.if
> @@ -593,6 +593,25 @@ interface(`init_daemon_run_dir',`
>
> ########################################
> ## <summary>
> +## Read initrc_t files for /proc/pid/cgroup etc
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain
> +## </summary>
> +## </param>
> +#
> +interface(`read_initrc_files',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:dir search;
> + allow $1 initrc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Execute init (/sbin/init) with a domain transition.
> ## </summary>
> ## <param name="domain">
> @@ -733,6 +752,26 @@ interface(`init_stream_connect',`
> allow $1 init_t:unix_stream_socket getattr;
> ')
>
> +#######################################
> +## <summary>
> +## Start and stop a service file under /run/systemd/system
> +## Should we have a different type for this?
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`start_stop_init_var_run_service',`
> + gen_require(`
> + type init_var_run_t;
> + class service { start status stop };
> + ')
> +
> + allow $1 init_var_run_t:service { start status stop };
> +')
> +
> ########################################
> ## <summary>
> ## Inherit and use file descriptors from init.
> @@ -1101,6 +1140,24 @@ interface(`init_manage_var_lib_files',`
> ')
>
> ########################################
> +## <summary>
> +## list /var/lib/systemd/ dir
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_list_var_lib_dirs',`
> + gen_require(`
> + type init_var_lib_t;
> + ')
> +
> + allow $1 init_var_lib_t:dir list_dir_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Create files in /var/lib/systemd
> ## with an automatic type transition.
> Index: refpolicy-2.20170224/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170224/policy/modules/kernel/filesystem.if
> @@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
>
> ########################################
> ## <summary>
> +## Get attributes of cgroup files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_getattr_cgroup_files',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + getattr_files_pattern($1, cgroup_t, cgroup_t)
> + fs_search_tmpfs($1)
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Read cgroup files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170224/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170224/policy/modules/kernel/devices.if
> @@ -481,6 +481,24 @@ interface(`dev_getattr_generic_blk_files
>
> ########################################
> ## <summary>
> +## write generic sock files in /dev.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_write_generic_sock_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + write_sock_files_pattern($1, device_t, device_t)
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit getattr on generic block devices.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170224/policy/modules/system/lvm.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/lvm.if
> +++ refpolicy-2.20170224/policy/modules/system/lvm.if
> @@ -205,3 +205,21 @@ interface(`lvm_admin',`
> files_search_tmp($1)
> admin_pattern($1, lvm_tmp_t)
> ')
> +
> +########################################
> +## <summary>
> +## Send lvm a null signal.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lvm_signull',`
> + gen_require(`
> + type lvm_t;
> + ')
> +
> + allow $1 lvm_t:process signull;
> +')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito