Here's the latest version of this patch with the previous issues addressed. Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx> Index: refpolicy-2.20210908/policy/modules/system/systemd.if =================================================================== --- refpolicy-2.20210908.orig/policy/modules/system/systemd.if +++ refpolicy-2.20210908/policy/modules/system/systemd.if @@ -102,6 +102,8 @@ template(`systemd_role_template',` seutil_search_default_contexts($1_systemd_t) seutil_read_file_contexts($1_systemd_t) + userdom_search_user_home_dirs($1_systemd_t) + # for machinectl shell term_user_pty($1_systemd_t, user_devpts_t) allow $1_systemd_t user_devpts_t:chr_file rw_file_perms; @@ -169,6 +171,10 @@ template(`systemd_role_template',` systemd_watch_passwd_runtime_dirs($3) optional_policy(` + dirmngr_tmp_dir_search($1_systemd_t) + ') + + optional_policy(` xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd") xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd") xdg_read_config_files($1_systemd_t) @@ -791,6 +797,24 @@ interface(`systemd_write_logind_runtime_ ###################################### ## <summary> +## Watch systemd-logind runtime dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_watch_logind_runtime_dirs',` + gen_require(` + type systemd_logind_runtime_t; + ') + + allow $1 systemd_logind_runtime_t:dir watch; +') + +###################################### +## <summary> ## Use inherited systemd ## logind file descriptors. ## </summary> 
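Review bot: The new `userdom_search_user_home_dirs($1_systemd_t)` line in the @@ -102 hunk of systemd.if carries no comment, while the neighbouring `# for machinectl shell` comment added in the same hunk documents the pre-existing `term_user_pty` line; a one-line note naming the path under the home directory that the per-user systemd instance searches would make the grant reviewable, e.g. `# for <home path that needs it — confirm> before it`. In the @@ -791 hunk the new summary `## Watch systemd-logind runtime dirs` lacks the trailing period used by the neighbouring summaries (`## logind file descriptors.`). Both the role template and the interface file continue outside these hunks.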
@@ -851,6 +875,24 @@ interface(`systemd_write_inherited_login ###################################### ## <summary> +## Watch logind sessions dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_watch_logind_sessions_dirs',` + gen_require(` + type systemd_sessions_runtime_t; + ') + + allow $1 systemd_sessions_runtime_t:dir watch; +') + +###################################### +## <summary> ## Write inherited logind inhibit pipes. ## </summary> ## <param name="domain"> @@ -1023,6 +1065,24 @@ interface(`systemd_connect_machined',` ######################################## ## <summary> +## Allow watching /run/systemd/machines +## </summary> +## <param name="domain"> +## <summary> +## Domain that can watch the machines files +## </summary> +## </param> +# +interface(`systemd_watch_machines_dirs',` + gen_require(` + type systemd_machined_runtime_t; + ') + + allow $1 systemd_machined_runtime_t:dir watch; +') + +######################################## +## <summary> ## Send and receive messages from ## systemd hostnamed over dbus. ## </summary> 
@@ -1911,3 +1971,45 @@ interface(`systemd_use_inherited_machine allow $1 systemd_machined_t:fd use; allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; ') + +######################################## +## <summary> +## run systemd-nspawn in systemd_nspawn_t domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role of the object to create. +## </summary> +## </param> +# +interface(`systemd_run_nspawn', ` + gen_require(` + type systemd_nspawn_t, systemd_nspawn_exec_t; + ') + + role $2 types systemd_nspawn_t; + domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t) +') + +######################################## +## <summary> +## send datagrams to systemd_nspawn_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_dgram_nspawn', ` + gen_require(` + type systemd_nspawn_t, systemd_nspawn_var_run_t; + ') + + dgram_send_pattern($1, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t, systemd_nspawn_t) +') Index: refpolicy-2.20210908/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20210908.orig/policy/modules/system/systemd.te +++ refpolicy-2.20210908/policy/modules/system/systemd.te @@ -142,6 +142,7 @@ type systemd_logind_t; type systemd_logind_exec_t; init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t) +init_stream_connect(systemd_logind_t) type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t; files_runtime_file(systemd_logind_inhibit_runtime_t) 
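Review bot: `systemd_dgram_nspawn` refers to the alias `systemd_nspawn_var_run_t` rather than the primary type; systemd.te in this same patch declares `type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;` and the @@ -1105 hunk switches `systemd_passwd_var_run_t` to `systemd_passwd_runtime_t`, so the new interface should use `type systemd_nspawn_t, systemd_nspawn_runtime_t;` and `dgram_send_pattern($1, systemd_nspawn_runtime_t, systemd_nspawn_runtime_t, systemd_nspawn_t)`. Both new interfaces also open as `interface(`systemd_run_nspawn', `` with a space after the comma, unlike every other interface in the file (`interface(`systemd_watch_logind_runtime_dirs',`` in the @@ -791 hunk). The role parameter summary `The role of the object to create.` in `systemd_run_nspawn` looks copied from a filetrans interface; it should read `Role allowed access.`.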
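Review bot: `init_stream_connect(systemd_logind_t)` is added twice by this patch: here in the @@ -142 hunk, inside the type-declaration block right after `init_named_socket_activation`, and again in the @@ -682 hunk of the logind local policy section (with the `# for /run/systemd/transient/*` comment). The declaration block otherwise holds only `type` lines and the `init_daemon_domain`/`init_named_socket_activation` setup, so the copy here should be dropped and the one in the local policy section kept.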
@@ -191,6 +192,9 @@ type systemd_nspawn_exec_t; init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) mcs_killall(systemd_nspawn_t) +type systemd_nspawn_devpts_t; +term_login_pty(systemd_nspawn_devpts_t) + type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t; files_runtime_file(systemd_nspawn_runtime_t) @@ -281,10 +285,13 @@ files_type(systemd_update_run_t) type systemd_conf_home_t; init_unit_file(systemd_conf_home_t) -xdg_config_content(systemd_conf_home_t) type systemd_data_home_t; -xdg_data_content(systemd_data_home_t) + +optional_policy(` + xdg_config_content(systemd_conf_home_t) + xdg_data_content(systemd_data_home_t) +') type systemd_user_runtime_notify_t; userdom_user_runtime_content(systemd_user_runtime_notify_t) @@ -327,6 +334,8 @@ allow systemd_backlight_t systemd_backli init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) +kernel_read_kernel_sysctls(systemd_backlight_t) + systemd_log_parse_environment(systemd_backlight_t) # Allow systemd-backlight to write to /sys/class/backlight/*/brightness 
@@ -392,28 +401,37 @@ ifdef(`enable_mls',` # allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt }; +allow systemd_coredump_t self:unix_stream_socket connectto; allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace }; +dontaudit systemd_coredump_t self:capability net_admin; allow systemd_coredump_t self:process { getcap setcap setfscreate }; +allow systemd_coredump_t self:cap_userns sys_ptrace; manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t) allow systemd_coredump_t systemd_coredump_var_lib_t:file map; kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t) +kernel_read_crypto_sysctls(systemd_coredump_t) kernel_read_kernel_sysctls(systemd_coredump_t) kernel_read_system_state(systemd_coredump_t) kernel_rw_pipes(systemd_coredump_t) kernel_use_fds(systemd_coredump_t) corecmd_exec_bin(systemd_coredump_t) -corecmd_read_all_executables(systemd_coredump_t) +corecmd_mmap_all_executables(systemd_coredump_t) dev_write_kmsg(systemd_coredump_t) +domain_read_all_domains_state(systemd_coredump_t) + files_getattr_all_mountpoints(systemd_coredump_t) files_read_etc_files(systemd_coredump_t) files_search_var_lib(systemd_coredump_t) +fs_getattr_cgroup(systemd_coredump_t) +fs_getattr_tmpfs(systemd_coredump_t) fs_getattr_xattr_fs(systemd_coredump_t) +fs_search_cgroup_dirs(systemd_coredump_t) fs_search_tmpfs(systemd_coredump_t) selinux_getattr_fs(systemd_coredump_t) @@ -427,6 +445,7 @@ logging_send_syslog_msg(systemd_coredump seutil_search_default_contexts(systemd_coredump_t) + ####################################### # # Systemd generator local policy 
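Review bot: `domain_read_all_domains_state(systemd_coredump_t)` is a broad grant (process state of every domain on the system) added without a comment, unlike the smaller additions around it; if it is there so the helper can read the crashing process's /proc entries regardless of that process's domain, say so, e.g. `# read /proc/<pid> of the crashing process, whatever its domain`. The same applies to the new `self:cap_userns sys_ptrace` and the `dontaudit ... net_admin` lines, which would benefit from a word on what triggers them. The following @@ -427 hunk adds only a blank line after `seutil_search_default_contexts` and could be dropped to keep the patch to functional changes.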
@@ -436,26 +455,44 @@ allow systemd_generator_t self:fifo_file allow systemd_generator_t self:capability dac_override; allow systemd_generator_t self:process setfscreate; +allow systemd_generator_t self:tcp_socket create; +allow systemd_generator_t self:udp_socket create; +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read }; + allow systemd_generator_t systemd_unit_t:file getattr; +kernel_dontaudit_getattr_proc(systemd_generator_t) +kernel_read_kernel_sysctls(systemd_generator_t) +kernel_read_network_state(systemd_generator_t) +kernel_read_system_state(systemd_generator_t) +kernel_search_network_sysctl(systemd_generator_t) +kernel_use_fds(systemd_generator_t) + +corecmd_exec_bin(systemd_generator_t) corecmd_exec_shell(systemd_generator_t) -corecmd_getattr_bin_files(systemd_generator_t) dev_read_sysfs(systemd_generator_t) +dev_read_urand(systemd_generator_t) dev_write_kmsg(systemd_generator_t) dev_write_sysfs_dirs(systemd_generator_t) -files_read_etc_files(systemd_generator_t) +application_exec(systemd_generator_t) +domain_read_all_entry_files(systemd_generator_t) +files_exec_etc_files(systemd_generator_t) files_search_runtime(systemd_generator_t) files_list_boot(systemd_generator_t) files_read_boot_files(systemd_generator_t) files_read_config_files(systemd_generator_t) files_search_all_mountpoints(systemd_generator_t) files_list_usr(systemd_generator_t) +files_getattr_usr_files(systemd_generator_t) -fs_list_efivars(systemd_generator_t) fs_getattr_cgroup(systemd_generator_t) +fs_getattr_tmpfs(systemd_generator_t) fs_getattr_xattr_fs(systemd_generator_t) +fs_list_efivars(systemd_generator_t) +fs_rw_tmpfs_files(systemd_generator_t) +fs_search_nfs(systemd_generator_t) init_create_runtime_files(systemd_generator_t) init_read_all_script_files(systemd_generator_t) 
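Review bot: The hand-written permission set `allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };` should use the policy's permission macros as the neighbouring lines do; refpolicy's `r_netlink_socket_perms` covers the create/read/bind/getattr/write set plus `nlmsg_read`, so `allow systemd_generator_t self:netlink_route_socket r_netlink_socket_perms;` would be the conventional form (confirm the macro matches the observed denials). The new `self:tcp_socket create`, `self:udp_socket create`, `application_exec`, `domain_read_all_entry_files` and `fs_search_nfs` grants are each unexplained, whereas the openvpn and postfix blocks added in the @@ -495 hunk do name the generator that needs them; a `# for <generator name>` comment on each would keep that standard. The generator section continues past this hunk.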
@@ -472,10 +509,10 @@ init_list_unit_dirs(systemd_generator_t) init_read_generic_units_symlinks(systemd_generator_t) init_read_script_files(systemd_generator_t) -kernel_use_fds(systemd_generator_t) -kernel_read_system_state(systemd_generator_t) -kernel_read_kernel_sysctls(systemd_generator_t) -kernel_dontaudit_getattr_proc(systemd_generator_t) +miscfiles_read_localization(systemd_generator_t) + +selinux_getattr_fs(systemd_generator_t) +seutil_search_default_contexts(systemd_generator_t) storage_raw_read_fixed_disk(systemd_generator_t) @@ -487,6 +524,8 @@ ifdef(`distro_gentoo',` corecmd_shell_entry_type(systemd_generator_t) ') +udev_search_runtime(systemd_generator_t) + optional_policy(` fstools_exec(systemd_generator_t) ') @@ -495,7 +534,21 @@ optional_policy(` lvm_exec(systemd_generator_t) lvm_map_config(systemd_generator_t) lvm_read_config(systemd_generator_t) - miscfiles_read_localization(systemd_generator_t) +') + +optional_policy(` + # for /lib/systemd/system-generators/openvpn-generator + openvpn_read_config(systemd_generator_t) +') + +optional_policy(` + # it runs postconf + # maybe /lib/systemd/system-generators/postfix-instance-generator + postfix_read_config(systemd_generator_t) +') + +optional_policy(` + tmpreaper_exec(systemd_generator_t) ') ####################################### @@ -531,6 +584,10 @@ optional_policy(` networkmanager_dbus_chat(systemd_hostnamed_t) ') +optional_policy(` + unconfined_dbus_send(systemd_hostnamed_t) +') + ######################################### # # hw local policy @@ -599,6 +656,7 @@ logging_send_syslog_msg(systemd_log_pars # allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config }; +allow systemd_logind_t self:lockdown integrity; allow systemd_logind_t self:process { getcap setfscreate }; allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; allow systemd_logind_t self:unix_dgram_socket create_socket_perms; 
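Review bot: `allow systemd_logind_t self:lockdown integrity;` in the @@ -599 hunk grants a kernel lockdown exemption with no comment on which logind operation needs it; since it sits next to the `sys_admin`/`sys_tty_config` capability line, a short `# lockdown integrity for <operation observed — confirm>` would let the next reader judge whether the grant is still required. In the @@ -531 hunk, `unconfined_dbus_send(systemd_hostnamed_t)` likewise lacks the `# for ...` style comment the rest of the patch uses. The @@ -472 hunk only moves the `kernel_*` calls that the @@ -436 hunk re-adds in sorted order and is otherwise a no-op.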
@@ -646,11 +704,13 @@ dev_setattr_video_dev(systemd_logind_t) domain_obj_id_change_exemption(systemd_logind_t) +files_search_boot(systemd_logind_t) files_search_runtime(systemd_logind_t) fs_getattr_cgroup(systemd_logind_t) fs_getattr_tmpfs(systemd_logind_t) fs_getattr_tmpfs_dirs(systemd_logind_t) +fs_getattr_xattr_fs(systemd_logind_t) fs_list_tmpfs(systemd_logind_t) fs_mount_tmpfs(systemd_logind_t) fs_read_cgroup_files(systemd_logind_t) @@ -682,6 +742,7 @@ init_start_all_units(systemd_logind_t) init_stop_all_units(systemd_logind_t) init_start_system(systemd_logind_t) init_stop_system(systemd_logind_t) +init_stream_connect(systemd_logind_t) # for /run/systemd/transient/* init_restart_units(systemd_logind_t) @@ -748,6 +809,11 @@ optional_policy(` ') optional_policy(` + dpkg_dbus_chat(systemd_logind_t) + dpkg_read_state(systemd_logind_t) +') + +optional_policy(` devicekit_dbus_chat_disk(systemd_logind_t) devicekit_dbus_chat_power(systemd_logind_t) ') @@ -790,6 +856,9 @@ allow systemd_machined_t systemd_machine manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t) allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms; +allow systemd_machined_t systemd_userdb_runtime_t:dir manage_dir_perms; +allow systemd_machined_t systemd_userdb_runtime_t:sock_file { create unlink }; + kernel_read_kernel_sysctls(systemd_machined_t) kernel_read_system_state(systemd_machined_t) @@ -908,6 +977,10 @@ sysnet_read_config(systemd_networkd_t) systemd_log_parse_environment(systemd_networkd_t) optional_policy(` + bluetooth_dbus_chat(systemd_hostnamed_t) +') + +optional_policy(` dbus_system_bus_client(systemd_networkd_t) dbus_connect_system_bus(systemd_networkd_t) dbus_watch_system_bus_runtime_dirs(systemd_networkd_t) 
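Review bot: The @@ -908 hunk adds `bluetooth_dbus_chat(systemd_hostnamed_t)` inside the networkd local policy section (the surrounding context is `sysnet_read_config(systemd_networkd_t)` and `dbus_system_bus_client(systemd_networkd_t)`), so either the domain is wrong and it should be `bluetooth_dbus_chat(systemd_networkd_t)`, or the block belongs in the hostnamed section next to the `unconfined_dbus_send(systemd_hostnamed_t)` block added by the @@ -531 hunk. In the @@ -790 hunk, `allow systemd_machined_t systemd_userdb_runtime_t:dir manage_dir_perms;` is a full manage grant on another service's runtime directory type; if only creating and removing the socket is needed, a narrower set with a comment naming the socket path would be preferable.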
@@ -948,8 +1021,8 @@ miscfiles_read_localization(systemd_noti # Nspawn local policy # -allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill }; -allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot }; +allow systemd_nspawn_t self:process { signal getsched setsched getcap setcap setfscreate setrlimit sigkill }; +allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot audit_control }; allow systemd_nspawn_t self:capability2 wake_alarm; allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms; @@ -974,14 +1047,29 @@ allow systemd_nspawn_t systemd_nspawn_tm # for /run/systemd/nspawn/incoming in chroot allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton; +term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t) +allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms; + +kernel_getattr_core_if(systemd_nspawn_t) +kernel_getattr_proc(systemd_nspawn_t) +kernel_getattr_unlabeled_dirs(systemd_nspawn_t) + kernel_mount_proc(systemd_nspawn_t) kernel_mounton_sysctl_dirs(systemd_nspawn_t) kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) kernel_mounton_message_if(systemd_nspawn_t) kernel_mounton_proc(systemd_nspawn_t) +kernel_mounton_sysctl_files(systemd_nspawn_t) +kernel_mounton_unlabeled_dirs(systemd_nspawn_t) + +kernel_read_irq_sysctls(systemd_nspawn_t) +kernel_read_network_state(systemd_nspawn_t) kernel_read_kernel_sysctls(systemd_nspawn_t) +kernel_read_sysctl(systemd_nspawn_t) kernel_read_system_state(systemd_nspawn_t) kernel_remount_proc(systemd_nspawn_t) +kernel_request_load_module(systemd_nspawn_t) +kernel_search_network_sysctl(systemd_nspawn_t) corecmd_exec_shell(systemd_nspawn_t) corecmd_search_bin(systemd_nspawn_t) 
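Review bot: The @@ -948 hunk adds `audit_control` to the nspawn capability set and the @@ -974 hunk adds `kernel_request_load_module(systemd_nspawn_t)`, both without a comment; the first lets the container manager reconfigure the kernel audit subsystem and the second lets it trigger module autoloading, so each should state which nspawn operation was observed to need it (`# audit_control for <observed operation — confirm>`). `term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t)` is immediately followed by `allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms;`, which overlaps the access the pattern already grants; if create/unlink on the devpts node are actually required, a comment saying so would help, otherwise the extra allow can go. The nspawn section continues outside these hunks.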
@@ -998,6 +1086,7 @@ dev_read_sysfs(systemd_nspawn_t) dev_read_rand(systemd_nspawn_t) dev_read_urand(systemd_nspawn_t) +files_getattr_default_dirs(systemd_nspawn_t) files_getattr_tmp_dirs(systemd_nspawn_t) files_manage_etc_files(systemd_nspawn_t) files_manage_mnt_dirs(systemd_nspawn_t) @@ -1009,11 +1098,17 @@ files_setattr_runtime_dirs(systemd_nspaw fs_getattr_cgroup(systemd_nspawn_t) fs_getattr_tmpfs(systemd_nspawn_t) +fs_getattr_xattr_fs(systemd_nspawn_t) +fs_manage_cgroup_dirs(systemd_nspawn_t) +fs_manage_cgroup_files(systemd_nspawn_t) +fs_manage_tmpfs_blk_files(systemd_nspawn_t) fs_manage_tmpfs_chr_files(systemd_nspawn_t) +fs_mount_cgroup(systemd_nspawn_t) fs_mount_tmpfs(systemd_nspawn_t) +fs_mounton_cgroup(systemd_nspawn_t) +fs_read_nsfs_files(systemd_nspawn_t) fs_remount_tmpfs(systemd_nspawn_t) fs_remount_xattr_fs(systemd_nspawn_t) -fs_read_cgroup_files(systemd_nspawn_t) term_getattr_generic_ptys(systemd_nspawn_t) term_getattr_pty_fs(systemd_nspawn_t) @@ -1021,6 +1116,7 @@ term_mount_devpts(systemd_nspawn_t) term_search_ptys(systemd_nspawn_t) term_setattr_generic_ptys(systemd_nspawn_t) term_use_ptmx(systemd_nspawn_t) +term_use_generic_ptys(systemd_nspawn_t) init_domtrans_script(systemd_nspawn_t) init_getrlimit(systemd_nspawn_t) @@ -1031,8 +1127,12 @@ init_write_runtime_socket(systemd_nspawn init_spec_domtrans_script(systemd_nspawn_t) miscfiles_manage_localization(systemd_nspawn_t) +mount_exec(systemd_nspawn_t) + udev_read_runtime_files(systemd_nspawn_t) +sysnet_exec_ifconfig(systemd_nspawn_t) + # for writing inside chroot sysnet_manage_config(systemd_nspawn_t) 
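Review bot: The @@ -1009 hunk adds `fs_manage_cgroup_dirs`, `fs_manage_cgroup_files`, `fs_mount_cgroup` and `fs_mounton_cgroup` for `systemd_nspawn_t` unconditionally, but the @@ -1055 hunk (next line) shows `fs_manage_cgroup_dirs(systemd_nspawn_t)`, `fs_mount_cgroup(systemd_nspawn_t)` and `fs_mounton_cgroup(systemd_nspawn_t)` already present inside the `systemd_nspawn_labeled_namespace` tunable block; once the unconditional copies land, the tunable-gated ones are dead and should be removed from that block, or the new lines should be dropped if the access is only meant for the labeled-namespace case. The removal of `fs_read_cgroup_files` here is subsumed by the new manage grant, which is fine, but the widening from read to manage deserves a one-line comment.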
@@ -1055,11 +1155,13 @@ tunable_policy(`systemd_nspawn_labeled_n allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file) allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms; + fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file) fs_getattr_cgroup(systemd_nspawn_t) fs_manage_cgroup_dirs(systemd_nspawn_t) fs_manage_tmpfs_dirs(systemd_nspawn_t) fs_manage_tmpfs_files(systemd_nspawn_t) + fs_manage_tmpfs_sockets(systemd_nspawn_t) fs_manage_tmpfs_symlinks(systemd_nspawn_t) fs_mount_cgroup(systemd_nspawn_t) fs_mounton_cgroup(systemd_nspawn_t) @@ -1077,8 +1179,11 @@ tunable_policy(`systemd_nspawn_labeled_n init_domtrans(systemd_nspawn_t) + logging_manage_runtime_sockets(systemd_nspawn_t) + logging_relabelto_devlog_sock_files(systemd_nspawn_t) logging_search_logs(systemd_nspawn_t) + seutil_exec_setfiles(systemd_nspawn_t) seutil_search_default_contexts(systemd_nspawn_t) ') @@ -1105,7 +1210,7 @@ allow systemd_passwd_agent_t self:capabi allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; -allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch; +allow systemd_passwd_agent_t systemd_passwd_runtime_t:{ dir file } watch; manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t) manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t) manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t) 
@@ -1115,6 +1220,7 @@ init_runtime_filetrans(systemd_passwd_ag can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) kernel_read_system_state(systemd_passwd_agent_t) +kernel_search_fs_sysctls(systemd_passwd_agent_t) kernel_stream_connect(systemd_passwd_agent_t) dev_create_generic_dirs(systemd_passwd_agent_t) @@ -1141,6 +1247,7 @@ init_create_runtime_dirs(systemd_passwd_ init_read_runtime_pipes(systemd_passwd_agent_t) init_read_state(systemd_passwd_agent_t) init_read_utmp(systemd_passwd_agent_t) +init_use_script_ptys(systemd_passwd_agent_t) init_stream_connect(systemd_passwd_agent_t) logging_send_syslog_msg(systemd_passwd_agent_t) @@ -1420,6 +1527,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t) fs_getattr_xattr_fs(systemd_tmpfiles_t) fs_list_tmpfs(systemd_tmpfiles_t) fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t) +fs_search_auto_mountpoints(systemd_tmpfiles_t) selinux_get_fs_mount(systemd_tmpfiles_t) selinux_use_status_page(systemd_tmpfiles_t) @@ -1491,6 +1599,11 @@ tunable_policy(`systemd_tmpfilesd_factor ') optional_policy(` + colord_read_lib_files(systemd_tmpfiles_t) + colord_relabel_lib(systemd_tmpfiles_t) +') + +optional_policy(` dbus_manage_lib_files(systemd_tmpfiles_t) dbus_read_lib_files(systemd_tmpfiles_t) dbus_relabel_lib_dirs(systemd_tmpfiles_t) 
@@ -1611,13 +1724,15 @@ seutil_libselinux_linked(systemd_user_se # systemd-user-runtime-dir local policy # -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override }; +allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override mknod }; allow systemd_user_runtime_dir_t self:process setfscreate; domain_obj_id_change_exemption(systemd_user_runtime_dir_t) allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms; allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms; +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink; +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink; files_read_etc_files(systemd_user_runtime_dir_t) @@ -1650,8 +1765,13 @@ userdom_delete_all_user_runtime_chr_file userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t) userdom_manage_user_tmp_files(systemd_user_runtime_dir_t) +userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t) + userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t) +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t) userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t) +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t) +userdom_list_user_tmp(systemd_user_runtime_dir_t) userdom_search_user_runtime_root(systemd_user_runtime_dir_t) userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir) userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t) 
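Review bot: `mknod` is added to the `systemd_user_runtime_dir_t` capability set in the @@ -1611 hunk, yet every other rule this patch adds for that domain is about deleting things (`sock_file unlink`, `userdom_unlink_user_tmp_devices`, `userdom_delete_user_tmp_*`); CAP_MKNOD is not needed for unlinking, so either a device-node create rule is missing or the capability was granted on a misread denial. A comment naming the operation that needs it, or dropping the capability, would resolve the ambiguity. The @@ -1650 hunk's `userdom_unlink_user_tmp_devices` matches the new userdomain.if interface, so that part is consistent.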
@@ -1661,3 +1781,15 @@ userdom_relabelto_user_runtime_dirs(syst optional_policy(` dbus_system_bus_client(systemd_user_runtime_dir_t) ') + +optional_policy(` + dirmngr_unlink_tmp_sock(systemd_user_runtime_dir_t) +') + +optional_policy(` + gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t) +') + +optional_policy(` + userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t) +') Index: refpolicy-2.20210908/policy/modules/admin/dpkg.if =================================================================== --- refpolicy-2.20210908.orig/policy/modules/admin/dpkg.if +++ refpolicy-2.20210908/policy/modules/admin/dpkg.if @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms; ') + +######################################## +## <summary> +## send dbus messages to dpkg_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dpkg_dbus_chat',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:dbus send_msg; +') + +######################################## +## <summary> +## read dpkg_t process state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dpkg_read_state',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:dir search; + allow $1 dpkg_t:file read_file_perms; +') Index: refpolicy-2.20210908/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20210908.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20210908/policy/modules/roles/sysadm.te 
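Review bot: In the @@ -1661 hunk, `userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)` is wrapped in `optional_policy(`...')` although userdomain is a base module and every other `userdom_*` call in this section (see the @@ -1650 hunk) is unconditional; move it up next to `userdom_delete_user_tmp_named_sockets` without the wrapper, and confirm the interface actually exists in userdomain.if since this patch does not add it. In the dpkg.if hunk, `dpkg_read_state` spells out `allow $1 dpkg_t:dir search;` and `allow $1 dpkg_t:file read_file_perms;`; the conventional form for reading another domain's /proc state is `read_files_pattern($1, dpkg_t, dpkg_t)`, and the summaries `send dbus messages to dpkg_t` / `read dpkg_t process state` should be capitalised like the rest of the file.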
@@ -99,6 +99,10 @@ ifdef(`init_systemd',` # LookupDynamicUserByUID on org.freedesktop.systemd1. init_dbus_chat(sysadm_t) + systemd_run_nspawn(sysadm_t, sysadm_r) + systemd_run_passwd_agent(sysadm_t, sysadm_r) + + # Allow sysadm to get the status of and set properties of other users, # sessions, and seats on the system. systemd_dbus_chat_logind(sysadm_t) Index: refpolicy-2.20210908/policy/modules/services/networkmanager.te =================================================================== --- refpolicy-2.20210908.orig/policy/modules/services/networkmanager.te +++ refpolicy-2.20210908/policy/modules/services/networkmanager.te @@ -332,6 +332,9 @@ optional_policy(` optional_policy(` systemd_read_logind_runtime_files(NetworkManager_t) systemd_read_logind_sessions_files(NetworkManager_t) + systemd_watch_logind_runtime_dirs(NetworkManager_t) + systemd_watch_logind_sessions_dirs(NetworkManager_t) + systemd_watch_machines_dirs(NetworkManager_t) systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t) ') Index: refpolicy-2.20210908/policy/modules/services/policykit.te =================================================================== --- refpolicy-2.20210908.orig/policy/modules/services/policykit.te +++ refpolicy-2.20210908/policy/modules/services/policykit.te 
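Review bot: The sysadm.te hunk adds two blank lines after `systemd_run_passwd_agent(sysadm_t, sysadm_r)`, leaving a double blank before the `# Allow sysadm to get the status` comment; one is enough. `systemd_run_passwd_agent` is not added by this patch, so its existence in systemd.if should be confirmed before the role hunk is merged.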
@@ -134,12 +134,15 @@ optional_policy(` optional_policy(` # for /run/systemd/machines systemd_read_machines(policykit_t) + systemd_watch_machines_dirs(policykit_t) # for /run/systemd/seats/seat* systemd_read_logind_sessions_files(policykit_t) + systemd_watch_logind_sessions_dirs(policykit_t) # for /run/systemd/users/* systemd_read_logind_runtime_files(policykit_t) + systemd_watch_logind_runtime_dirs(policykit_t) ') ######################################## Index: refpolicy-2.20210908/policy/modules/services/devicekit.te =================================================================== --- refpolicy-2.20210908.orig/policy/modules/services/devicekit.te +++ refpolicy-2.20210908/policy/modules/services/devicekit.te @@ -195,6 +195,12 @@ optional_policy(` ') optional_policy(` + systemd_read_logind_sessions_files(devicekit_disk_t) + systemd_use_logind_fds(devicekit_disk_t) + systemd_write_inherited_logind_inhibit_pipes(devicekit_disk_t) +') + +optional_policy(` udev_domtrans_udevadm(devicekit_disk_t) udev_read_runtime_files(devicekit_disk_t) ') Index: refpolicy-2.20210908/policy/modules/services/ssh.te =================================================================== --- refpolicy-2.20210908.orig/policy/modules/services/ssh.te +++ refpolicy-2.20210908/policy/modules/services/ssh.te @@ -270,6 +270,7 @@ ifdef(`init_systemd',` auth_use_pam_systemd(sshd_t) init_dbus_chat(sshd_t) init_rw_stream_sockets(sshd_t) + systemd_dgram_nspawn(sshd_t) systemd_write_inherited_logind_sessions_pipes(sshd_t) ') Index: refpolicy-2.20210908/policy/modules/apps/gpg.if =================================================================== --- refpolicy-2.20210908.orig/policy/modules/apps/gpg.if +++ refpolicy-2.20210908/policy/modules/apps/gpg.if 
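Review bot: `systemd_dgram_nspawn(sshd_t)` in the ssh.te hunk has no comment explaining which datagram path from sshd to the nspawn socket this covers, and it is not obvious whether this is the host sshd or an sshd running inside a container whose sockets carry `systemd_nspawn_runtime_t`; a `# for <socket path — confirm>` line next to it would answer that. The policykit and devicekit additions are straightforward watch/read grants and need nothing further.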
@@ -274,6 +274,24 @@ interface(`gpg_agent_tmp_filetrans',` ######################################## ## <summary> +## unlink gpg_agent_tmp_t sock_file +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_agent_tmp_unlink_sock',` + gen_require(` + type gpg_agent_tmp_t; + ') + + allow $1 gpg_agent_tmp_t:sock_file unlink; +') + +######################################## +## <summary> ## filetrans in gpg_runtime_t dirs ## </summary> ## <param name="domain"> Index: refpolicy-2.20210908/policy/modules/services/dirmngr.if =================================================================== --- refpolicy-2.20210908.orig/policy/modules/services/dirmngr.if +++ refpolicy-2.20210908/policy/modules/services/dirmngr.if @@ -34,6 +34,24 @@ interface(`dirmngr_role',` allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ') +############################################################ +## <summary> +## unlink dirmngr_tmp_t sock_file +## </summary> +## <param name="domain"> +## <summary> +## domain allowed access +## </summary> +## </param> +# +interface(`dirmngr_unlink_tmp_sock',` + gen_require(` + type dirmngr_tmp_t; + ') + + allow $1 dirmngr_tmp_t:sock_file unlink; +') + ######################################## ## <summary> ## Execute dirmngr in the dirmngr domain. 
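Review bot: The new `dirmngr_unlink_tmp_sock` block in dirmngr.if uses a 60-character `####...` separator and the lowercase summary `domain allowed access`, whereas the adjacent interfaces (and the `gpg_agent_tmp_unlink_sock` block in the same patch) use the 40-character separator and `Domain allowed access.`; align the header and punctuation. The two interfaces also name the same operation differently, `gpg_agent_tmp_unlink_sock` versus `dirmngr_unlink_tmp_sock`; refpolicy's verb-object convention favours the latter form, so `gpg_agent_unlink_tmp_sock` would be consistent.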
@@ -95,6 +113,24 @@ interface(`dirmngr_stream_connect',` ') ######################################## +## <summary> +## Search dirmngr_tmp_t dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dirmngr_tmp_dir_search',` + gen_require(` + type dirmngr_tmp_t; + ') + + allow $1 dirmngr_tmp_t:dir search_dir_perms; +') + +######################################## ## <summary> ## All of the rules required to ## administrate an dirmngr environment. Index: refpolicy-2.20210908/policy/modules/system/logging.te =================================================================== --- refpolicy-2.20210908.orig/policy/modules/system/logging.te +++ refpolicy-2.20210908/policy/modules/system/logging.te @@ -555,6 +555,7 @@ ifdef(`init_systemd',` logging_send_syslog_msg(syslogd_t) systemd_manage_journal_files(syslogd_t) + systemd_search_user_runtime(syslogd_t) udev_read_runtime_files(syslogd_t) Index: refpolicy-2.20210908/policy/modules/services/colord.if =================================================================== --- refpolicy-2.20210908.orig/policy/modules/services/colord.if +++ refpolicy-2.20210908/policy/modules/services/colord.if 
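Review bot: `dirmngr_tmp_dir_search` breaks the verb-first naming used by its neighbours (`dirmngr_stream_connect`, and `dirmngr_unlink_tmp_sock` added by this same patch); `dirmngr_search_tmp_dirs` would match. If `dirmngr_tmp_t` directories live under /tmp, the caller also needs search on the parent, which sibling search interfaces normally include with `files_search_tmp($1)` before the `allow` — confirm against where dirmngr creates them. The logging.te hunk calls `systemd_search_user_runtime(syslogd_t)`, which this patch does not define, so its existence in systemd.if should be checked.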
@@ -58,3 +58,22 @@ interface(`colord_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) ') + +###################################### +## <summary> +## relabel colord lib files and dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`colord_relabel_lib',` + gen_require(` + type colord_var_lib_t; + ') + + allow $1 colord_var_lib_t:dir { list_dir_perms relabelfrom relabelto }; + allow $1 colord_var_lib_t:file { relabelfrom relabelto }; +') Index: refpolicy-2.20210908/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20210908.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20210908/policy/modules/system/userdomain.if @@ -4539,6 +4539,25 @@ interface(`userdom_dontaudit_write_user_ ######################################## ## <summary> +## Delete user_tmp_t device nodes (probably should not have been +## created in the first place) +## </summary> +## <param name="domain"> +## <summary> +## Domain to allow deleting +## </summary> +## </param> +# +interface(`userdom_unlink_user_tmp_devices',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:{ chr_file blk_file } unlink; +') + +######################################## +## <summary> ## Do not audit attempts to use user ttys. ## </summary> ## <param name="domain">
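Review bot: `colord_relabel_lib` writes out `allow $1 colord_var_lib_t:dir { list_dir_perms relabelfrom relabelto };` and `allow $1 colord_var_lib_t:file { relabelfrom relabelto };`; the conventional form is `relabel_dirs_pattern($1, colord_var_lib_t, colord_var_lib_t)` and `relabel_files_pattern($1, colord_var_lib_t, colord_var_lib_t)`, preceded by `files_search_var_lib($1)` as `colord_read_lib_files` just above does. In the userdomain.if hunk the parameter summary `Domain to allow deleting` should follow the file's `Domain allowed access.` wording.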