commit:     33b0d446f0d55311b674932b135b7ce0fe4e7b8b
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu May 26 12:43:10 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33b0d446

Add policy for systemd-resolved

Initial policy for systemd-resolved, tested with systemd 230 on Debian

 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index a0b5f0b..a987681 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -17,6 +17,7 @@
 /usr/lib/systemd/systemd-localed       --      
gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind                --      
gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined      --      
gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-resolved      --      
gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions --      
gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
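Review bot: The new entry labels only `/usr/lib/systemd/systemd-resolved`, yet the commit message says this was tested on Debian, where systemd's helper binaries are installed under /lib/systemd/; presumably that path is covered by the `/lib /usr/lib` substitution in file_contexts.subs_dist rather than by a second entry here, which is worth confirming on the test system with `matchpathcon /lib/systemd/systemd-resolved`. The same applies to every other /usr/lib/systemd entry in this file, so no change is needed if the substitution is in place. The second hunk's `/var/run/systemd/resolve(/.*)?` entry pairs with the `dir` transition added in systemd.te, so the directory carries the same label whether it is created at runtime or relabeled from the file contexts.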
@@ -33,6 +34,7 @@
 /var/run/\.nologin[^/]*        --      
gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /var/run/nologin       --      
gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
+/var/run/systemd/resolve(/.*)?  
gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /var/run/systemd/seats(/.*)?   
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/sessions(/.*)?        
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/users(/.*)?   
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0bed23c..e42f3ca 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -80,6 +80,13 @@ type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_resolved_t;
+type systemd_resolved_exec_t;
+init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+
+type systemd_resolved_var_run_t;
+files_pid_file(systemd_resolved_var_run_t)
+
 type systemd_run_t;
 type systemd_run_exec_t;
 init_daemon_domain(systemd_run_t, systemd_run_exec_t)
@@ -244,6 +251,39 @@ optional_policy(`
 
 #########################################
 #
+# Resolved local policy
+#
+
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
+
+allow systemd_resolved_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, 
systemd_resolved_var_run_t)
+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, 
systemd_resolved_var_run_t)
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+
+kernel_read_crypto_sysctls(systemd_resolved_t)
+kernel_read_kernel_sysctls(systemd_resolved_t)
+kernel_read_system_state(systemd_resolved_t)
+
+corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
+
+auth_use_nsswitch(systemd_resolved_t)
+
+seutil_read_file_contexts(systemd_resolved_t)
+
+systemd_log_parse_environment(systemd_resolved_t)
+
+optional_policy(`
+       dbus_system_bus_client(systemd_resolved_t)
+')
+
+#########################################
+#
 # Sessions local policy
 #
 
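Review bot: The transition `init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)` is unnamed, so any directory the domain creates directly under the init pid directory gets systemd_resolved_var_run_t, not only the `resolve` directory that the .fc hunk labels; if init_pid_filetrans in this tree accepts the optional filename argument, `init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir, "resolve")` pins it to that name and keeps the runtime label in step with the file context. Separately, `allow systemd_resolved_t self:tcp_socket { accept listen };` extends socket permissions that this hunk never grants; presumably the base tcp/udp `create_socket_perms` arrive through `auth_use_nsswitch` and its name-resolution interface, and a one-line comment saying so would spare the next reader from hunting for the missing rule. The capability line would also benefit from a why-comment, for instance `# presumably needed to chown the runtime dir and drop to an unprivileged user — confirm against the daemon`, since nothing in the hunk explains why a resolver needs chown/setuid/setgid/setpcap.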
