2017-02-28 09:45:14

by Russell Coker

Subject: [refpolicy] [PATCH] systemd cgroups, hostnamed, and logind patches

This is the next in my set of systemd patches.


Description: systemd-cgroups, hostnamed, and logind policy
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-28

Index: refpolicy-2.20170227/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170227/policy/modules/system/systemd.te
@@ -197,15 +197,26 @@ fs_register_binary_executable_type(syste
# Cgroups local policy
#

+allow systemd_cgroups_t self:capability net_admin;
+
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
kernel_dgram_send(systemd_cgroups_t)

-selinux_getattr_fs(systemd_cgroups_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_cgroups_t)
+
+# for /proc/1/environ
+init_read_state(systemd_cgroups_t)
+

# write to /run/systemd/cgroups-agent
init_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)

+selinux_get_fs_mount(systemd_cgroups_t)
+selinux_getattr_fs(systemd_cgroups_t)
+seutil_read_config(systemd_cgroups_t)
+
systemd_log_parse_environment(systemd_cgroups_t)

######################################
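Review bot: `allow systemd_cgroups_t self:capability net_admin;` is granted with no comment saying why a cgroup release agent needs to configure networking, while the other additions in this hunk each carry a one-line reason. If the denial comes only from a libsystemd probe at startup rather than a functional need, the refpolicy convention is `dontaudit systemd_cgroups_t self:capability net_admin;` rather than an allow; if it is needed, add a comment in the same style as the /proc/cmdline and /proc/1/environ ones, e.g. `# net_admin: <reason>`. There is also a doubled blank line after init_read_state.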
@@ -253,15 +264,18 @@ seutil_search_default_contexts(systemd_c

kernel_read_kernel_sysctls(systemd_hostnamed_t)

+dev_read_sysfs(systemd_hostnamed_t)
files_read_etc_files(systemd_hostnamed_t)
-
seutil_read_file_contexts(systemd_hostnamed_t)
-
systemd_log_parse_environment(systemd_hostnamed_t)

optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_system_bus_client(systemd_hostnamed_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(systemd_hostnamed_t)
')

#######################################
@@ -305,62 +319,119 @@ logging_send_syslog_msg(systemd_log_pars
# Logind local policy
#

-allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
-allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;

-allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
-init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
-
+allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-files_search_pids(systemd_logind_t)
+allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;

+domain_obj_id_change_exemption(systemd_logind_t)
kernel_read_kernel_sysctls(systemd_logind_t)

auth_manage_faillog(systemd_logind_t)
-
-dev_rw_sysfs(systemd_logind_t)
-dev_rw_input_dev(systemd_logind_t)
dev_getattr_dri_dev(systemd_logind_t)
-dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_kvm_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
+dev_manage_wireless(systemd_logind_t)
+dev_read_urand(systemd_logind_t)
+dev_rw_dri(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
-
files_read_etc_files(systemd_logind_t)
+files_search_pids(systemd_logind_t)

-fs_read_efivarfs_files(systemd_logind_t)
-
+fs_getattr_cgroup(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
+fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
+fs_mount_tmpfs(systemd_logind_t)
+fs_read_cgroup_files(systemd_logind_t)
+fs_read_efivarfs_files(systemd_logind_t)
+fs_relabelfrom_tmpfs_dir(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)

-storage_getattr_removable_dev(systemd_logind_t)
-storage_setattr_removable_dev(systemd_logind_t)
-storage_getattr_scsi_generic_dev(systemd_logind_t)
-storage_setattr_scsi_generic_dev(systemd_logind_t)
-
-term_use_unallocated_ttys(systemd_logind_t)
-
+init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
+init_get_system_status(systemd_logind_t)
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
+init_service_start(systemd_logind_t)
+init_service_status(systemd_logind_t)
init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
-init_service_status(systemd_logind_t)
-init_service_start(systemd_logind_t)
-
+init_start_system(systemd_logind_t)
+init_stop_system(systemd_logind_t)
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
locallogin_read_state(systemd_logind_t)

-systemd_log_parse_environment(systemd_logind_t)
+selinux_get_enforce_mode(systemd_logind_t)
+selinux_get_fs_mount(systemd_logind_t)
+seutil_read_config(systemd_logind_t)
+seutil_read_default_contexts(systemd_logind_t)
+seutil_read_file_contexts(systemd_logind_t)
+storage_getattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)
+systemd_log_parse_environment(systemd_logind_t)
+
+term_setattr_unallocated_ttys(systemd_logind_t)
+term_use_unallocated_ttys(systemd_logind_t)

+udev_list_pids(systemd_logind_t)
udev_read_db(systemd_logind_t)
udev_read_pid_files(systemd_logind_t)

+userdom_manage_tmp_role(system_r, systemd_logind_t)
+userdom_manage_tmpfs_role(system_r, systemd_logind_t)
+userdom_manage_user_runtime_dirs(systemd_logind_t)
+userdom_manage_user_runtime_root_dirs(systemd_logind_t)
+userdom_mounton_user_runtime_dirs(systemd_logind_t)
+userdom_read_all_users_state(systemd_logind_t)
+userdom_relabel_user_tmpfs_files(systemd_logind_t)
+userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+userdom_setattr_user_ttys(systemd_logind_t)
+userdom_unlink_user_runtime_files(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)

optional_policy(`
- dbus_system_bus_client(systemd_logind_t)
dbus_connect_system_bus(systemd_logind_t)
+ dbus_system_bus_client(systemd_logind_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(systemd_logind_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+ read_xserver_files(systemd_logind_t)
+ relabelto_setattr_xconsole_pipes(systemd_tmpfiles_t)
+ xserver_dbus_chat(systemd_logind_t)
+ xserver_dbus_chat_xdm(systemd_logind_t)
+ xserver_read_xdm_state(systemd_logind_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(systemd_logind_t)
')

#########################################
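Review bot: `relabelto_setattr_xconsole_pipes(systemd_tmpfiles_t)` sits inside the logind block but grants access to systemd_tmpfiles_t, so it will be missed by anyone auditing what tmpfiles can do and should move next to the tmpfiles rules. `sys_admin` is added to logind's self:capability without a comment; it is a very broad capability (mount, setns, many ioctls), presumably needed here for the fs_mount_tmpfs/fs_unmount_tmpfs of per-user runtime directories, and that reason should be written down, e.g. `# sys_admin: mount/umount per-user /run/user tmpfs`. `unconfined_dbus_send(systemd_logind_t)` likewise deserves a one-line justification, since it lets logind message an unconfined domain regardless of any other dbus rules.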
Index: refpolicy-2.20170227/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170227/policy/modules/kernel/devices.if
@@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',`

########################################
## <summary>
+## manage the wireless device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
+########################################
+## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
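Review bot: `manage_chr_files_pattern($1, device_t, wireless_device_t)` grants create, unlink, rename and link on device nodes, far more than the existing dev_rw_wireless directly above it. The only caller in this patch is logind, which presumably touches these nodes to apply uaccess ACLs; if so, setattr/getattr on wireless_device_t:chr_file is all it needs, and a `dev_setattr_wireless_dev` interface matching the dev_setattr_dri_dev/dev_setattr_kvm_dev calls used elsewhere in the patch would be the tighter fit. If full manage access really is required, the summary should say what creates and removes the nodes.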
Index: refpolicy-2.20170227/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170227/policy/modules/kernel/filesystem.if
@@ -4069,6 +4069,24 @@ interface(`fs_relabelfrom_tmpfs',`

########################################
## <summary>
+## Relabel from tmpfs_t dir
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_dir',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
## Get the attributes of tmpfs directories.
## </summary>
## <param name="domain">
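Review bot: The doc block uses `<param name="type">` although the argument is a domain and every other interface in this patch documents it as `<param name="domain">`; change the line to `## <param name="domain">` so the generated interface documentation stays consistent. The rule itself follows the fs_relabelfrom_tmpfs pattern just above it.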
Index: refpolicy-2.20170227/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/udev.if
+++ refpolicy-2.20170227/policy/modules/system/udev.if
@@ -282,6 +282,25 @@ interface(`udev_search_pids',`

########################################
## <summary>
+## list udev pid content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_list_pids',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 udev_var_run_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## udev pid directories
## </summary>
Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170227/policy/modules/system/userdomain.if
@@ -2824,6 +2824,26 @@ interface(`userdom_read_user_tmpfs_files

########################################
## <summary>
+## relabel to/from user tmpfs files type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom };
+ allow $1 user_tmpfs_t:file { relabelto relabelfrom };
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
## Search users runtime directories.
## </summary>
## <param name="domain">
@@ -2938,6 +2958,42 @@ interface(`userdom_relabelto_user_runtim
')

########################################
+## <summary>
+## Relabel from user runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelfrom_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
+## unlink user runtime files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_unlink_user_runtime_files',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:file unlink;
+')
+
+########################################
## <summary>
## Create objects in the pid directory
## with an automatic type transition to
Index: refpolicy-2.20170227/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170227/policy/modules/services/xserver.if
@@ -682,6 +682,24 @@ interface(`xserver_setattr_console_pipes

########################################
## <summary>
+## Label the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`relabelto_setattr_xconsole_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto setattr };
+')
+
+########################################
+## <summary>
## Read and write the X windows console named pipe.
## </summary>
## <param name="domain">
@@ -1331,6 +1349,25 @@ interface(`xserver_kill',`

########################################
## <summary>
+## Allow reading xserver_t files to get cgroup and sessionid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`read_xserver_files',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:dir search;
+ allow $1 xserver_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read and write X server Sys V Shared
## memory segments.
## </summary>
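Review bot: The summary says this is for reading cgroup and sessionid, but `allow $1 xserver_t:file read_file_perms;` covers every file labelled xserver_t, which for a domain type presumably means all of the X server's /proc/PID entries (environ, maps, cmdline and so on), not just those two. The summary should state that scope, e.g. `## Read the X server process state (/proc/PID entries).`, so whoever grants it knows what is exposed, and the logind call site would benefit from a comment saying which entries logind actually reads.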
@@ -1426,6 +1463,25 @@ interface(`xserver_read_tmp_files',`
')

########################################
+## <summary>
+## talk to xserver_t by dbus
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_dbus_chat',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:dbus send_msg;
+ allow xserver_t $1:dbus send_msg;
+')
+
+########################################
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
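Review bot: The gen_require block lists only `type xserver_t;`; the other *_dbus_chat interfaces in refpolicy (networkmanager_dbus_chat, policykit_dbus_chat as called in this patch) also require `class dbus send_msg;` so the interface fails cleanly when the dbus class is not defined rather than at the allow rules. Add `class dbus send_msg;` to the gen_require. The interface that follows this one starts outside the hunk.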


2017-03-04 12:06:27

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd cgroups, hostnamed, and logind patches

On 02/28/17 04:45, Russell Coker via refpolicy wrote:
> This is the next in my set of systemd patches.
>
>
> Description: systemd-cgroups, hostnamed, and logind policy
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-28
>
> Index: refpolicy-2.20170227/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170227/policy/modules/system/systemd.te
> @@ -197,15 +197,26 @@ fs_register_binary_executable_type(syste
> # Cgroups local policy
> #
>
> +allow systemd_cgroups_t self:capability net_admin;
> +
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> kernel_dgram_send(systemd_cgroups_t)
>
> -selinux_getattr_fs(systemd_cgroups_t)
> +# for /proc/cmdline
> +kernel_read_system_state(systemd_cgroups_t)
> +
> +# for /proc/1/environ
> +init_read_state(systemd_cgroups_t)
> +
>
> # write to /run/systemd/cgroups-agent
> init_dgram_send(systemd_cgroups_t)
> init_stream_connect(systemd_cgroups_t)
>
> +selinux_get_fs_mount(systemd_cgroups_t)
> +selinux_getattr_fs(systemd_cgroups_t)
> +seutil_read_config(systemd_cgroups_t)
> +
> systemd_log_parse_environment(systemd_cgroups_t)

In the future, please don't rearrange lines; make a separate patch for
rearranging. It's difficult to keep track of whether lines are
added/removed or merely moved (particularly in later hunks).


> ######################################
> @@ -253,15 +264,18 @@ seutil_search_default_contexts(systemd_c
>
> kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> +dev_read_sysfs(systemd_hostnamed_t)
> files_read_etc_files(systemd_hostnamed_t)
> -
> seutil_read_file_contexts(systemd_hostnamed_t)
> -
> systemd_log_parse_environment(systemd_hostnamed_t)
>
> optional_policy(`
> - dbus_system_bus_client(systemd_hostnamed_t)
> dbus_connect_system_bus(systemd_hostnamed_t)
> + dbus_system_bus_client(systemd_hostnamed_t)
> +')
> +
> +optional_policy(`
> + networkmanager_dbus_chat(systemd_hostnamed_t)
> ')
>
> #######################################
> @@ -305,62 +319,119 @@ logging_send_syslog_msg(systemd_log_pars
> # Logind local policy
> #
>
> -allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
> -allow systemd_logind_t self:process getcap;
> +allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
> +allow systemd_logind_t self:process { getcap setfscreate };
> allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
>
> -allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
> -init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> -
> +allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
> +allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
> +allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
> manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
> manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
> -files_search_pids(systemd_logind_t)
> +allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
>
> +domain_obj_id_change_exemption(systemd_logind_t)

These two lines are out of place.

> kernel_read_kernel_sysctls(systemd_logind_t)
>
> auth_manage_faillog(systemd_logind_t)
> -
> -dev_rw_sysfs(systemd_logind_t)
> -dev_rw_input_dev(systemd_logind_t)
> dev_getattr_dri_dev(systemd_logind_t)
> -dev_setattr_dri_dev(systemd_logind_t)
> +dev_getattr_kvm_dev(systemd_logind_t)
> dev_getattr_sound_dev(systemd_logind_t)
> +dev_manage_wireless(systemd_logind_t)
> +dev_read_urand(systemd_logind_t)
> +dev_rw_dri(systemd_logind_t)
> +dev_rw_input_dev(systemd_logind_t)
> +dev_rw_sysfs(systemd_logind_t)
> +dev_setattr_dri_dev(systemd_logind_t)
> +dev_setattr_kvm_dev(systemd_logind_t)
> dev_setattr_sound_dev(systemd_logind_t)
> -
> files_read_etc_files(systemd_logind_t)
> +files_search_pids(systemd_logind_t)
>
> -fs_read_efivarfs_files(systemd_logind_t)
> -
> +fs_getattr_cgroup(systemd_logind_t)
> fs_getattr_tmpfs(systemd_logind_t)
> +fs_getattr_tmpfs_dirs(systemd_logind_t)
> +fs_list_tmpfs(systemd_logind_t)
> +fs_mount_tmpfs(systemd_logind_t)
> +fs_read_cgroup_files(systemd_logind_t)
> +fs_read_efivarfs_files(systemd_logind_t)
> +fs_relabelfrom_tmpfs_dir(systemd_logind_t)
> +fs_unmount_tmpfs(systemd_logind_t)
>
> -storage_getattr_removable_dev(systemd_logind_t)
> -storage_setattr_removable_dev(systemd_logind_t)
> -storage_getattr_scsi_generic_dev(systemd_logind_t)
> -storage_setattr_scsi_generic_dev(systemd_logind_t)
> -
> -term_use_unallocated_ttys(systemd_logind_t)
> -
> +init_dbus_send_script(systemd_logind_t)
> init_get_all_units_status(systemd_logind_t)
> +init_get_system_status(systemd_logind_t)
> +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")

This line goes with the systemd_logind_var_run_t above.

> +init_service_start(systemd_logind_t)
> +init_service_status(systemd_logind_t)
> init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> -init_service_status(systemd_logind_t)
> -init_service_start(systemd_logind_t)
> -
> +init_start_system(systemd_logind_t)
> +init_stop_system(systemd_logind_t)
> +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)

This line goes with the systemd_logind_var_lib_t above

> locallogin_read_state(systemd_logind_t)
>
> -systemd_log_parse_environment(systemd_logind_t)
> +selinux_get_enforce_mode(systemd_logind_t)
> +selinux_get_fs_mount(systemd_logind_t)
> +seutil_read_config(systemd_logind_t)
> +seutil_read_default_contexts(systemd_logind_t)
> +seutil_read_file_contexts(systemd_logind_t)
> +storage_getattr_removable_dev(systemd_logind_t)
> +storage_getattr_scsi_generic_dev(systemd_logind_t)
> +storage_setattr_removable_dev(systemd_logind_t)
> +storage_setattr_scsi_generic_dev(systemd_logind_t)
> systemd_start_power_units(systemd_logind_t)
> +systemd_log_parse_environment(systemd_logind_t)

Could use some empty lines. Also some of the SELinux-related ones might
be better served by seutil_libselinux_linked().

> +term_setattr_unallocated_ttys(systemd_logind_t)
> +term_use_unallocated_ttys(systemd_logind_t)
>
> +udev_list_pids(systemd_logind_t)
> udev_read_db(systemd_logind_t)
> udev_read_pid_files(systemd_logind_t)
>
> +userdom_manage_tmp_role(system_r, systemd_logind_t)
> +userdom_manage_tmpfs_role(system_r, systemd_logind_t)

These two really weren't intended to be used in this way. They're for
building roles.


> +userdom_manage_user_runtime_dirs(systemd_logind_t)
> +userdom_manage_user_runtime_root_dirs(systemd_logind_t)
> +userdom_mounton_user_runtime_dirs(systemd_logind_t)
> +userdom_read_all_users_state(systemd_logind_t)
> +userdom_relabel_user_tmpfs_files(systemd_logind_t)
> +userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
> +userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> +userdom_setattr_user_ttys(systemd_logind_t)
> +userdom_unlink_user_runtime_files(systemd_logind_t)
> userdom_use_user_ttys(systemd_logind_t)
>
> optional_policy(`
> - dbus_system_bus_client(systemd_logind_t)
> dbus_connect_system_bus(systemd_logind_t)
> + dbus_system_bus_client(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + networkmanager_dbus_chat(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_chat_power(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + policykit_dbus_chat(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + read_xserver_files(systemd_logind_t)
> + relabelto_setattr_xconsole_pipes(systemd_tmpfiles_t)
> + xserver_dbus_chat(systemd_logind_t)
> + xserver_dbus_chat_xdm(systemd_logind_t)
> + xserver_read_xdm_state(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + unconfined_dbus_send(systemd_logind_t)
> ')
>
> #########################################
> Index: refpolicy-2.20170227/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170227/policy/modules/kernel/devices.if
> @@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',`
>
> ########################################
> ## <summary>
> +## manage the wireless device.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_manage_wireless',`
> + gen_require(`
> + type device_t, wireless_device_t;
> + ')
> +
> + manage_chr_files_pattern($1, device_t, wireless_device_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read and write Xen devices.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170227/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170227/policy/modules/kernel/filesystem.if
> @@ -4069,6 +4069,24 @@ interface(`fs_relabelfrom_tmpfs',`
>
> ########################################
> ## <summary>
> +## Relabel from tmpfs_t dir
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabelfrom_tmpfs_dir',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:dir relabelfrom;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of tmpfs directories.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170227/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170227/policy/modules/system/udev.if
> @@ -282,6 +282,25 @@ interface(`udev_search_pids',`
>
> ########################################
> ## <summary>
> +## list udev pid content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_list_pids',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 udev_var_run_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## udev pid directories
> ## </summary>
> Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170227/policy/modules/system/userdomain.if
> @@ -2824,6 +2824,26 @@ interface(`userdom_read_user_tmpfs_files
>
> ########################################
> ## <summary>
> +## relabel to/from user tmpfs files type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_relabel_user_tmpfs_files',`

I'd rather have this split into _files and _dirs.

> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom };
> + allow $1 user_tmpfs_t:file { relabelto relabelfrom };
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Search users runtime directories.
> ## </summary>
> ## <param name="domain">
> @@ -2938,6 +2958,42 @@ interface(`userdom_relabelto_user_runtim
> ')
>
> ########################################
> +## <summary>
> +## Relabel from user runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_relabelfrom_user_runtime_dirs',`
> + gen_require(`
> + type user_runtime_t;
> + ')
> +
> + allow $1 user_runtime_t:dir relabelfrom;
> +')
> +
> +########################################
> +## <summary>
> +## unlink user runtime files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_unlink_user_runtime_files',`

"delete" rather than "unlink" in the interface name. Also, what about
user_runtime_t dir access?

> + gen_require(`
> + type user_runtime_t;
> + ')
> +
> + allow $1 user_runtime_t:file unlink;
> +')
> +
> +########################################
> ## <summary>
> ## Create objects in the pid directory
> ## with an automatic type transition to
> Index: refpolicy-2.20170227/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170227/policy/modules/services/xserver.if
> @@ -682,6 +682,24 @@ interface(`xserver_setattr_console_pipes
>
> ########################################
> ## <summary>
> +## Label the X windows console named pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`relabelto_setattr_xconsole_pipes',`

Needs a proper name (xserver_*). Since there is relabel access, it
would be "relabel" rather than "relabelto". I'd also prefer to split
out at least the setattr perm to a separate interface.


> + gen_require(`
> + type xconsole_device_t;
> + ')
> +
> + allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto setattr };
> +')
> +
> +########################################
> +## <summary>
> ## Read and write the X windows console named pipe.
> ## </summary>
> ## <param name="domain">
> @@ -1331,6 +1349,25 @@ interface(`xserver_kill',`
>
> ########################################
> ## <summary>
> +## Allow reading xserver_t files to get cgroup and sessionid
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`read_xserver_files',`

xserver_read_state()

> + gen_require(`
> + type xserver_t;
> + ')
> +
> + allow $1 xserver_t:dir search;
> + allow $1 xserver_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read and write X server Sys V Shared
> ## memory segments.
> ## </summary>
> @@ -1426,6 +1463,25 @@ interface(`xserver_read_tmp_files',`
> ')
>
> ########################################
> +## <summary>
> +## talk to xserver_t by dbus
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_dbus_chat',`
> + gen_require(`
> + type xserver_t;
> + ')
> +
> + allow $1 xserver_t:dbus send_msg;
> + allow xserver_t $1:dbus send_msg;
> +')
> +
> +########################################
> ## <summary>
> ## Interface to provide X object permissions on a given X server to
> ## an X client domain. Gives the domain permission to read the
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito