commit:     3263ab0206a19727bff6ea79d5c129e2fdc1bfdb
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Jun  7 19:19:41 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3263ab02

policy for systemd-update-done

systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file 
/etc/.updated: Permission denied
Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file 
/var/.updated: Permission denied
Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process 
exited, code=exited, status=1/FAILURE
Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered 
failed state.
Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.te    |  1 +
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te | 22 ++++++++++++++++++++++
 4 files changed, 45 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7afc33d0..d38b6e39 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -407,6 +407,7 @@ ifdef(`init_systemd',`
        # lvm2-activation-generator checks file labels
        seutil_read_file_contexts(init_t)
 
+       systemd_getattr_updated_runtime(init_t)
        systemd_manage_passwd_runtime_symlinks(init_t)
        systemd_use_passwd_agent(init_t)
        systemd_list_tmpfiles_conf(init_t)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 0f8c193d..5d4857e4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -23,6 +23,7 @@
 /usr/lib/systemd/systemd-machined      --      
gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 /usr/lib/systemd/systemd-networkd      --      
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved      --      
gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
+/usr/lib/systemd/systemd-update-done   --      
gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions --      
gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
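Review bot: The hunk labels the systemd-update-done executable but adds no file context for the two files it creates, /etc/.updated and /var/.updated, which only receive systemd_update_run_t through the filetrans rules in the systemd.te hunk of this same commit. After a full relabel (restorecon, or a relabel at boot) they would presumably revert to the /etc and /var defaults, and systemd_update_done_t, which this commit only allows to manage systemd_update_run_t files, would hit the same permission denied the commit message shows. Adding `/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` and `/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` keeps the label stable across relabels.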

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b053242a..fd501c52 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',`
        read_files_pattern($1, systemd_resolved_var_run_t, 
systemd_resolved_var_run_t)
 ')
 
+#######################################
+## <summary>
+##  Allow domain to getattr on .updated file (generated by systemd-update-done
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_getattr_updated_runtime',`
+       gen_require(`
+               type systemd_update_run_t;
+       ')
+
+       getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+')
+
+
+
+
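Review bot: The summary of the new interface is missing its closing parenthesis, and the hunk appends four empty lines after the final `')`, so systemd.if no longer ends directly after its last interface. Change the summary to `##  Allow domain to getattr on .updated file (generated by systemd-update-done)` and drop the trailing blank lines. The interface is named `systemd_getattr_updated_runtime` while the type it requires is `systemd_update_run_t`; it is worth aligning the two names, or stating in the summary that the files live in /etc and /var rather than /run, before other callers pick the name up.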

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf2c3296..15fe6e1b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, 
systemd_tmpfiles_exec_t)
 type systemd_tmpfiles_conf_t;
 files_config_file(systemd_tmpfiles_conf_t)
 
+type systemd_update_done_t;
+type systemd_update_done_exec_t;
+init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
+
+type systemd_update_run_t;
+files_type(systemd_update_run_t)
+
 #
 # Unit file types
 #
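Review bot: `systemd_update_run_t` is declared with only `files_type` and no comment, and its `_run_t` suffix suggests a /run file, although the filetrans rules later in this commit place it on /etc/.updated and /var/.updated, which persist across boots. A one-line comment above the declaration would stop the next reader from treating it as runtime data, for example `# timestamp files /etc/.updated and /var/.updated written by systemd-update-done`.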
@@ -1006,3 +1013,18 @@ optional_policy(`
        xserver_relabel_console_pipes(systemd_tmpfiles_t)
        xserver_setattr_console_pipes(systemd_tmpfiles_t)
 ')
+
+#########################################
+#
+# Update Done local policy
+#
+
+allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+
+dev_write_kmsg(systemd_update_done_t)
+
+files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, 
".updated")
+files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, 
".updated")
+
+kernel_read_system_state(systemd_update_done_t)
+
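Review bot: The new local policy lets systemd_update_done_t create and manage the two timestamp files but grants nothing beyond kernel state and kmsg for obtaining the timestamp it writes; the commit message only shows the create failures, so a later denial is plausible. If systemd-update-done also stats /usr to derive the value it stamps, `files_search_usr(systemd_update_done_t)` would cover the directory getattr — confirm against an audit log from an actual run rather than adding it speculatively. The hunk also ends with an added empty line, leaving a trailing blank line at the end of systemd.te.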
