commit: 89bbf2c9c184032df64ca304036fe8eb11d1f433 Author: bauen1 <j2468h <AT> gmail <DOT> com> AuthorDate: Thu Dec 19 21:26:41 2019 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 15 07:32:05 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89bbf2c9
systemd: add policy for systemd-fstab-generator
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.fc | 1 +
policy/modules/system/systemd.te | 25 +++++++++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 4a873052..518ca925 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -16,6 +16,7 @@
 /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 # Systemd generators
+/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ca2b49e3..4d906e5c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -61,6 +61,10 @@ init_unit_file(systemd_binfmt_unit_t)
 type systemd_conf_t;
 files_config_file(systemd_conf_t)
 
+type systemd_fstab_generator_t;
+type systemd_fstab_generator_exec_t;
+init_system_domain(systemd_fstab_generator_t, systemd_fstab_generator_exec_t)
+
 type systemd_gpt_generator_t;
 type systemd_gpt_generator_exec_t;
 init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
@@ -267,6 +271,27 @@ files_read_etc_files(systemd_binfmt_t)
 
 fs_register_binary_executable_type(systemd_binfmt_t)
 
+#######################################
+#
+# fstab generator local policy
+#
+
+corecmd_search_bin(systemd_fstab_generator_t)
+
+files_read_etc_files(systemd_fstab_generator_t)
+files_search_pids(systemd_fstab_generator_t)
+
+fstools_exec(systemd_fstab_generator_t)
+
+init_create_write_pid_files(systemd_fstab_generator_t)
+init_manage_pid_dirs(systemd_fstab_generator_t)
+init_manage_pid_symlinks(systemd_fstab_generator_t)
+init_search_pids(systemd_fstab_generator_t)
+
+kernel_read_kernel_sysctls(systemd_fstab_generator_t)
+
+systemd_log_parse_environment(systemd_fstab_generator_t)
+
 #######################################
 #
 # GPT auto generator local policy
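Review bot: The `fstools_exec(systemd_fstab_generator_t)` line in the new fstab generator section grants the domain execute access to the fstools executable type, but nothing else in the hunk shows which tool the generator runs, so the rule reads as an unexplained widening of a domain that otherwise only reads configuration and writes runtime files; a one-line comment above it stating the reason (for example `# needed for: <what the generator executes, to be confirmed>`) would let a later maintainer tell a required rule from leftover allow-rule output. The four `init_*pid*` interfaces likewise give the generator manage rights over every init runtime directory and symlink rather than only the generator output directories it has to write; if the generated-unit directories are separately typed, a narrower interface would limit what a misbehaving generator can alter in the rest of the init runtime tree. Both points are hedged, since the interface bodies and the GPT generator section this block should mirror lie outside the hunk.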
