On Saturday, 6 February 2021 06:44:21 AEDT Chris PeBenito wrote: > > +interface(`systemd_watch_logind_runtime_dir',` > > systemd_watch_logind_runtime_dirs (plural) Done. > > +interface(`systemd_watch_logind_sessions_dir',` > > systemd_watch_logind_sessions_dirs (plural) Done. > > +interface(`systemd_watch_machines_dir',` > > systemd_watch_machines_dirs (plural) Done. > > - domtrans_pattern($1, systemd_passwd_agent_exec_t, > > systemd_passwd_agent_t) > > + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, > > systemd_passwd_agent_t) > domtrans_pattern() is the standard pattern. This change has no effect. OK, I'll remove that. > > -allow systemd_coredump_t self:capability { dac_override dac_read_search > > setgid setuid setpcap sys_ptrace }; +allow systemd_coredump_t > > self:unix_stream_socket connectto; > > +allow systemd_coredump_t self:capability { dac_override dac_read_search > > setgid setuid setpcap net_admin sys_ptrace }; > net_admin? That doesn't seem necessary for core dumping. That's one of the systemd programs that wanted netadmin to set socket buffers. I'll dontaudit it. > > @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump > > > > seutil_search_default_contexts(systemd_coredump_t) > > > > +allow systemd_generator_t self:fifo_file rw_file_perms; > > +allow systemd_generator_t self:process setfscreate; > The systemd_generator_t rules need to move to proper places. Done. > > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_ > > > > kernel_read_kernel_sysctls(systemd_logind_t) > > > > +auth_read_shadow(systemd_logind_t) > > If this is necessary, it seems Debian specific. I'll try removing it. > > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t) > > > > term_search_ptys(systemd_nspawn_t) > > term_setattr_generic_ptys(systemd_nspawn_t) > > term_use_ptmx(systemd_nspawn_t) > > > > +term_use_generic_ptys(systemd_nspawn_t) > > Perhaps this should have a pty type? OK. 
> > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se > > > > # systemd-user-runtime-dir local policy > > # > > > > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin > > dac_read_search dac_override }; +allow systemd_user_runtime_dir_t > > self:capability { chown dac_override dac_read_search dac_override fowner > > sys_admin mknod }; > sys_admin and mknod? What is sys_admin used for; also, I don't see any > rules for creating devices. That's because of something that I hadn't included in that patch. It has to unlink device nodes labelled user_tmp_t. I just sent another patch for this.
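Review bot: in the systemd_user_runtime_dir_t capability hunk, dac_override is listed twice in the new set (`{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`), so one copy should be dropped. More importantly, the justification given in the reply (it has to unlink device nodes labelled user_tmp_t) does not call for CAP_MKNOD: mknod only governs creating special files with mknod(2), while removing one needs unlink on the chr_file/blk_file class against user_tmp_t plus remove_name on the directory (fowner, already in the set, covers sticky directories). Unless an actual mknod() denial is observed, mknod should come out of this rule, and the question of what sys_admin is used for is still open.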
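Review bot: on the `+auth_read_shadow(systemd_logind_t)` hunk, this grants the session manager read access to the shadow password hashes, which is a large privilege for a domain that does not authenticate users itself. If removing it, as the reply proposes, turns out to break something only on Debian, the refpolicy convention is to keep it inside an `ifdef(`distro_debian',`...')` block with a comment naming what needs it, rather than granting it unconditionally for every distribution.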