commit: 7a1d866be3985d9cb2c6e30bfd301411e4db9223 Author: Dominick Grift <dac.override <AT> gmail <DOT> com> AuthorDate: Thu Mar 31 07:40:42 2016 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Fri May 13 05:07:33 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a1d866b
systemd: Add support for --log-target https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target= see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22 v2: Add comment about dontaudit rule Signed-off-by: Dominick Grift <dac.override <AT> gmail.com> policy/modules/system/systemd.if | 19 +++++++++++++++++ policy/modules/system/systemd.te | 44 +++++++++++++++++++++++++++------------- 2 files changed, 49 insertions(+), 14 deletions(-) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 3cd6670..705cbaa 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -2,6 +2,25 @@ ###################################### ## <summary> +## Make the specified type usable as an +## log parse environment type. +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a log parse environment type. +## </summary> +## </param> +# +interface(`systemd_log_parse_environment',` + gen_require(` + attribute systemd_log_parse_env_type; + ') + + typeattribute $1 systemd_log_parse_env_type; +') + +###################################### +## <summary> ## Read systemd_login PID files. ## </summary> ## <param name="domain"> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 60a75fa..6d40952 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3) ## </desc> gen_tunable(systemd_tmpfiles_manage_all, false) +attribute systemd_log_parse_env_type; + type systemd_activate_t; type systemd_activate_exec_t; init_system_domain(systemd_activate_t, systemd_activate_exec_t) 
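Review bot: The doc block for `systemd_log_parse_environment` in systemd.if does not say what access a caller receives, so a module author outside systemd.te cannot judge what they grant by calling it. Going by the rules attached to `systemd_log_parse_env_type` in systemd.te, a member picks up `logging_send_syslog_msg`, `dev_write_kmsg`, `term_use_console`, `kernel_read_system_state`, `init_read_state` and a dontaudit on `net_admin`. I would add a `<desc>` paragraph to the interface listing those. The summary also reads "an log parse environment type"; it should be `## Make the specified type usable as a` followed by `## log parse environment type.`.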
@@ -113,16 +115,33 @@ init_unit_file(power_unit_t) ###################################### # +# systemd log parse enviroment +# + +# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function) +dontaudit systemd_log_parse_env_type self:capability net_admin; + +kernel_read_system_state(systemd_log_parse_env_type) + +dev_write_kmsg(systemd_log_parse_env_type) + +term_use_console(systemd_log_parse_env_type) + +init_read_state(systemd_log_parse_env_type) + +logging_send_syslog_msg(systemd_log_parse_env_type) + +###################################### +# # Cgroups local policy # kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) +kernel_dgram_send(systemd_cgroups_t) init_stream_connect(systemd_cgroups_t) -logging_send_syslog_msg(systemd_cgroups_t) - -kernel_dgram_send(systemd_cgroups_t) +systemd_log_parse_environment(systemd_cgroups_t) ####################################### # @@ -133,10 +152,10 @@ kernel_read_kernel_sysctls(systemd_locale_t) files_read_etc_files(systemd_locale_t) -logging_send_syslog_msg(systemd_locale_t) - seutil_read_file_contexts(systemd_locale_t) +systemd_log_parse_environment(systemd_locale_t) + optional_policy(` dbus_connect_system_bus(systemd_locale_t) dbus_system_bus_client(systemd_locale_t) @@ -151,10 +170,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t) files_read_etc_files(systemd_hostnamed_t) -logging_send_syslog_msg(systemd_hostnamed_t) - seutil_read_file_contexts(systemd_hostnamed_t) +systemd_log_parse_environment(systemd_hostnamed_t) + optional_policy(` dbus_system_bus_client(systemd_hostnamed_t) dbus_connect_system_bus(systemd_hostnamed_t) 
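Review bot: The rule `dontaudit systemd_log_parse_env_type self:capability net_admin;` silences every `net_admin` denial for all member domains, not only the `SO_SNDBUFFORCE` setsockopt named in the comment, so an unexpected use of that capability by any of them leaves no AVC record. The comment should say so, e.g. `# Note: hides all net_admin denials for these domains; rebuild with semodule -DB to see them.` The attribute also widens the converted domains: cgroups here, locale and hostnamed in the next two hunks, and logind, sessions and tmpfiles further down. Of this set, most of them previously had only `logging_send_syslog_msg`, and they now also get `dev_write_kmsg` and `term_use_console`; that looks intended for the kmsg and console log targets, but each rule deserves a one-line comment saying which log target needs it. The section header also misspells "enviroment".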
@@ -207,13 +226,10 @@ init_start_all_units(systemd_logind_t) init_stop_all_units(systemd_logind_t) init_service_status(systemd_logind_t) init_service_start(systemd_logind_t) -# This is for reading /proc/1/cgroup -init_read_state(systemd_logind_t) locallogin_read_state(systemd_logind_t) -logging_send_syslog_msg(systemd_logind_t) - +systemd_log_parse_environment(systemd_logind_t) systemd_start_power_units(systemd_logind_t) udev_read_db(systemd_logind_t) @@ -234,7 +250,7 @@ optional_policy(` allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms; files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file) -logging_send_syslog_msg(systemd_sessions_t) +systemd_log_parse_environment(systemd_sessions_t) ######################################### # @@ -260,10 +276,10 @@ auth_manage_login_records(systemd_tmpfiles_t) auth_relabel_login_records(systemd_tmpfiles_t) auth_setattr_login_records(systemd_tmpfiles_t) -logging_send_syslog_msg(systemd_tmpfiles_t) - seutil_read_file_contexts(systemd_tmpfiles_t) +systemd_log_parse_environment(systemd_tmpfiles_t) + tunable_policy(`systemd_tmpfiles_manage_all',` # systemd-tmpfiles can be configured to manage anything. # have a last-resort option for users to do this.
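Review bot: The rationale comment `# This is for reading /proc/1/cgroup` is deleted together with `init_read_state(systemd_logind_t)` in the logind hunk, while the replacement rule `init_read_state(systemd_log_parse_env_type)` in the log parse environment block carries no explanation. Since that access now applies to every domain with the attribute, the reason should sit next to the attribute rule, e.g. `# Read /proc/1/cgroup` above the `init_read_state` line. It is not visible from the diff whether logind's read of init state served log-target parsing or something else. If it was something else, keeping the logind-specific rule and its comment would document that need on its own.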
