On 1/4/19 2:51 AM, Russell Coker wrote:
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
Index: refpolicy-2.20180701/policy/modules/admin/sudo.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/sudo.if
+++ refpolicy-2.20180701/policy/modules/admin/sudo.if
@@ -154,6 +154,9 @@ template(`sudo_role_template',`
optional_policy(`
dbus_system_bus_client($1_sudo_t)
+ ifdef(`init_systemd',`
+ init_dbus_chat($1_sudo_t)
+ ')
')
optional_policy(`
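Review bot: The added `init_dbus_chat($1_sudo_t)` sits inside sudo_role_template, so every role's sudo domain gains D-Bus message exchange with init, and nothing in the hunk says which operation needs it. A comment above the ifdef naming the trigger (presumably a PAM session step talking to systemd; confirm from the denial that prompted it) would let a later auditor judge whether the grant is still required. The enclosing template starts and ends outside the hunk.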
Index: refpolicy-2.20180701/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20180701/policy/modules/services/dbus.if
@@ -318,6 +318,25 @@ interface(`dbus_read_lib_files',`
########################################
## <summary>
+## Relabel system dbus lib directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_relabel_lib_dirs',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 system_dbusd_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## system dbus lib files.
## </summary>
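Review bot: The allow rule in dbus_relabel_lib_dirs spells out `{ relabelfrom relabelto }` where refpolicy's permission set `relabel_dir_perms` would normally be used. That set also carries getattr, which a relabeling tool typically needs in order to read the current label before changing it. Suggest `allow $1 system_dbusd_var_lib_t:dir relabel_dir_perms;`. Relabel rights on a daemon's state directory change which policy applies to it, so a one-line comment naming the intended caller would also help a later audit.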
Index: refpolicy-2.20180701/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/init.if
+++ refpolicy-2.20180701/policy/modules/system/init.if
@@ -1134,6 +1134,25 @@ interface(`init_dbus_chat',`
########################################
## <summary>
+## read/follow symlinks under /var/lib/systemd/
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_var_lib_links',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir list_dir_perms;
+ allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## List /var/lib/systemd/ dir
## </summary>
## <param name="domain">
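Review bot: init_read_var_lib_links grants `list_dir_perms` on init_var_lib_t directories although its name and summary only promise reading symlinks, and the interface that follows it in the file already covers listing. Search on the directory is enough to follow a link, so the body could be `read_lnk_files_pattern($1, init_var_lib_t, init_var_lib_t)`. The ntp.te caller in this patch already has init_list_var_lib_dirs(ntpd_t), so nothing is lost there.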
@@ -1304,23 +1323,13 @@ interface(`init_pid_filetrans',`
## </param>
#
interface(`init_getattr_initctl',`
- ifdef(`init_systemd',`
- # stat /run/systemd/initctl/fifo
- gen_require(`
- type init_var_run_t;
- ')
-
- allow $1 init_var_run_t:fifo_file getattr;
- allow $1 init_var_run_t:dir list_dir_perms;
- ',`
- gen_require(`
- type initctl_t;
- ')
-
- dev_list_all_dev_nodes($1)
- files_search_pids($1)
- allow $1 initctl_t:fifo_file getattr;
+ gen_require(`
+ type initctl_t;
')
+
+ files_search_pids($1)
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file getattr;
')
########################################
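Review bot: With the init_systemd branch removed, init_getattr_initctl no longer grants anything on init_var_run_t, yet the deleted comment says the fifo lives at /run/systemd/initctl/fifo. Unless the fifo is labeled initctl_t and callers get search on the /run/systemd directory from elsewhere (neither is visible in this patch), callers on systemd hosts would be denied on the path walk or on the getattr itself. If the relabel is intended, keep a comment such as `# on systemd the fifo is /run/systemd/initctl/fifo, labeled initctl_t` and add `init_search_run($1)` under an init_systemd guard so the interface stays self-contained. Granting search instead of the old `list_dir_perms` would also be the tighter choice.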
@@ -1859,6 +1868,25 @@ interface(`init_ptrace',`
########################################
## <summary>
+## get init process stats
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_getattr',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process getattr;
+')
+
+########################################
+## <summary>
## Write an init script unnamed pipe.
## </summary>
## <param name="domain">
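Review bot: The summary `get init process stats` does not describe the rule, which grants `process getattr` on init_t; suggest `## Get the attributes of the init process.` so it cannot be confused with init_getattr_initctl, which is about a fifo. The `<rolecap/>` tag looks carried over from init_ptrace above and is probably not meant for a plain getattr interface (confirm). The same documentation drift appears in later hunks. The summaries of init_read_var_lib_links and init_read_unit_links start lowercase and lack a full stop. init_getrlimit and systemd_list_netif use `Source domain` and `domain permitted the access` where the file's convention is `Domain allowed access.`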
@@ -2822,6 +2850,25 @@ interface(`init_search_units',`
fs_search_tmpfs($1)
')
+######################################
+## <summary>
+## read systemd unit lnk files (usually under /run/systemd/units/)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_unit_links',`
+ gen_require(`
+ type init_var_run_t, systemd_unit_t;
+ ')
+
+ search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+ allow $1 init_var_run_t:lnk_file read_lnk_file_perms;
+')
+
########################################
## <summary>
## Get status of generic systemd units.
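Review bot: The lnk_file rule in init_read_unit_links is written against init_var_run_t, so the interface lets the caller read every symlink carrying that type, not only the invocation links under /run/systemd/units/ that the summary mentions. If those links cannot get a type of their own, the summary should say so, for example `## Read init runtime symlinks, including the systemd unit invocation links.` The interface also relies on the caller already having search on /run; adding `files_search_pids($1)` would make it self-contained, as init_getattr_initctl does.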
@@ -3030,3 +3077,21 @@ interface(`init_admin',`
init_stop_system($1)
init_telinit($1)
')
+
+########################################
+## <summary>
+## Allow getting init_t rlimit
+## </summary>
+## <param name="domain">
+## <summary>
+## Source domain
+## </summary>
+## </param>
+#
+interface(`init_getrlimit',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process getrlimit;
+')
Index: refpolicy-2.20180701/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20180701/policy/modules/system/systemd.if
@@ -307,6 +307,8 @@ interface(`systemd_use_passwd_agent',`
manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
allow systemd_passwd_agent_t $1:process signull;
+ allow systemd_passwd_agent_t $1:dir search;
+ allow systemd_passwd_agent_t $1:file read_file_perms;
I'd rather see something like ps_process_pattern().
Otherwise merged.
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')
@@ -828,3 +830,22 @@ interface(`systemd_getattr_updated_runti
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
+
+#######################################
+## <summary>
+## Allow domain to list dirs under /run/systemd/netif
+## </summary>
+## <param name="domain">
+## <summary>
+## domain permitted the access
+## </summary>
+## </param>
+#
+interface(`systemd_list_netif',`
+ gen_require(`
+ type systemd_networkd_var_run_t;
+ ')
+
+ init_list_pids($1)
+ allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
+')
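Review bot: systemd_list_netif calls `init_list_pids($1)`, so the ntp.te hunk that swaps init_list_pids(ntpd_t) for systemd_list_netif(ntpd_t) adds access for ntpd_t instead of narrowing it. To reach /run/systemd/netif the caller only has to traverse the parent directory, so `init_search_run($1)` (already used for systemd_nspawn_t in systemd.te) looks sufficient here. Confirm against what init_list_pids grants beyond search before switching.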
Index: refpolicy-2.20180701/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20180701/policy/modules/services/ntp.te
@@ -142,6 +142,8 @@ ifdef(`init_systemd',`
dbus_connect_system_bus(ntpd_t)
init_dbus_chat(ntpd_t)
init_get_system_status(ntpd_t)
+ # for /var/lib/systemd/timesync
+ init_read_var_lib_links(ntpd_t)
allow ntpd_t self:capability { fowner setpcap };
init_read_state(ntpd_t)
init_reload(ntpd_t)
@@ -150,7 +152,7 @@ ifdef(`init_systemd',`
init_list_var_lib_dirs(ntpd_t)
# for /run/systemd/netif/links
- init_list_pids(ntpd_t)
+ systemd_list_netif(ntpd_t)
optional_policy(`
unconfined_dbus_send(ntpd_t)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -736,6 +736,7 @@ term_setattr_generic_ptys(systemd_nspawn
term_use_ptmx(systemd_nspawn_t)
init_domtrans_script(systemd_nspawn_t)
+init_getrlimit(systemd_nspawn_t)
init_kill_scripts(systemd_nspawn_t)
init_read_state(systemd_nspawn_t)
init_search_run(systemd_nspawn_t)
@@ -1027,6 +1028,7 @@ tunable_policy(`systemd_tmpfiles_manage_
optional_policy(`
dbus_read_lib_files(systemd_tmpfiles_t)
+ dbus_relabel_lib_dirs(systemd_tmpfiles_t)
')
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180701/policy/modules/system/logging.te
@@ -541,15 +541,19 @@ ifdef(`init_systemd',`
dev_read_urand(syslogd_t)
dev_write_kmsg(syslogd_t)
+ domain_getattr_all_domains(syslogd_t)
domain_read_all_domains_state(syslogd_t)
init_create_pid_dirs(syslogd_t)
init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+ init_getattr(syslogd_t)
init_rename_pid_files(syslogd_t)
init_delete_pid_files(syslogd_t)
init_dgram_send(syslogd_t)
init_read_pid_pipes(syslogd_t)
init_read_state(syslogd_t)
+ # for /run/systemd/units/invocation:* links
+ init_read_unit_links(syslogd_t)
systemd_manage_journal_files(syslogd_t)
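Review bot: `domain_getattr_all_domains(syslogd_t)` gives the logging daemon process getattr on every domain, and unlike the unit-links line below it has no comment saying what needs it. If init_t carries the domain attribute (it normally does, but that is not visible here), the added `init_getattr(syslogd_t)` is already implied by this line and can be dropped. Suggest a comment above the new rule once the reason is confirmed, along the lines of `# journald queries attributes of the logging process`.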
--
Chris PeBenito