commit:     f3249bbaff9ae98c9b741ad362fd4ed8e9b7deba
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Thu Jun  4 15:45:35 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3249bba

authlogin: connect to userdb

Signed-off-by: bauen1 <j2468h <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te |  4 ++++
 policy/modules/system/init.if      | 19 +++++++++++++++++++
 policy/modules/system/systemd.if   | 21 +++++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index d6931831..7692abb6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -426,6 +426,10 @@ files_read_etc_files(nsswitch_domain)
 
 sysnet_dns_name_resolve(nsswitch_domain)
 
+ifdef(`init_systemd', `
+       systemd_stream_connect_userdb(nsswitch_domain)
+')
+
 tunable_policy(`authlogin_nsswitch_use_ldap',`
        miscfiles_read_generic_certs(nsswitch_domain)
        sysnet_use_ldap(nsswitch_domain)
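Review bot: The new `systemd_stream_connect_userdb(nsswitch_domain)` call has no comment saying why every nsswitch_domain needs to reach PID 1's sockets, and the attribute is broad, so the reason should be recorded next to the call. Presumably nss-systemd resolves DynamicUser= accounts through the varlink sockets under /run/systemd/userdb, but that is inferred rather than visible here. Note also that the interface grants `connectto` on any `init_t:unix_stream_socket`, so a domain carrying this attribute that already had write access to some other init-served sock_file type gains a new connect path; the scoping comes only from the sock_file types each domain can write. Suggested comment above the call: `# nss-systemd (userdb client) needs the varlink sockets in /run/systemd/userdb, which are listened on by init_t`.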

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ff8f7db7..540cd0c7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -923,6 +923,25 @@ interface(`init_stream_connect',`
        allow $1 init_t:unix_stream_socket getattr;
 ')
 
+########################################
+## <summary>
+##     Connect to init with a unix socket.
+##  Without any additional permissions.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_unix_stream_socket_connectto',`
+       gen_require(`
+               type init_t;
+       ')
+
+       allow $1 init_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##     Inherit and use file descriptors from init.
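Review bot: The summary for `init_unix_stream_socket_connectto` ("Without any additional permissions") does not say what actually bounds this grant: `connectto` on `init_t:unix_stream_socket` is type-wide, so it allows connecting to any stream socket listened on by init, and the caller must separately grant write on the specific sock_file type to limit it to one socket. The second summary line is also indented with two spaces where the rest of the file uses a tab. Suggested summary: `## Connect to a unix stream socket owned by init (connectto only). The caller must also grant write access on the specific sock_file type, which is what restricts this to one socket; compare init_stream_connect, which adds getattr.`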

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 895437e7..c8f33d51 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -462,6 +462,27 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
        manage_sock_files_pattern($1, systemd_userdb_runtime_t, 
systemd_userdb_runtime_t)
 ')
 
+########################################
+## <summary>
+##  Connect to /run/systemd/userdb/io.systemd.DynamicUser .
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_stream_connect_userdb', `
+       gen_require(`
+               type systemd_userdb_runtime_t;
+       ')
+
+       init_search_runtime($1)
+       allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
+       allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+       init_unix_stream_socket_connectto($1)
+')
+
 ########################################
 ## <summary>
 ##     Allow reading /run/systemd/machines
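Review bot: The summary of `systemd_stream_connect_userdb` names only `/run/systemd/userdb/io.systemd.DynamicUser`, but the body grants `list_dir_perms` on the directory and `write_sock_file_perms` on every sock_file labeled `systemd_userdb_runtime_t`, so the documentation understates the access. Whether a connect succeeds then depends on which domain holds the listening socket: the interface only allows `connectto` towards `init_t`, so a socket bound by some other daemon domain would presumably still be denied — worth confirming against the actual socket labels on a running system. Suggested summary: `## Connect to the userdb varlink sockets in /run/systemd/userdb (all sock_files labeled systemd_userdb_runtime_t; the listening socket must be owned by init_t).`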
