commit: f3249bbaff9ae98c9b741ad362fd4ed8e9b7deba
Author: bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Thu Jun 4 15:45:35 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3249bba
authlogin: connect to userdb
Signed-off-by: bauen1 <j2468h <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/authlogin.te | 4 ++++
policy/modules/system/init.if | 19 +++++++++++++++++++
policy/modules/system/systemd.if | 21 +++++++++++++++++++++
3 files changed, 44 insertions(+)
diff --git a/policy/modules/system/authlogin.te
b/policy/modules/system/authlogin.te
index d6931831..7692abb6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -426,6 +426,10 @@ files_read_etc_files(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
+ifdef(`init_systemd', `
+ systemd_stream_connect_userdb(nsswitch_domain)
+')
+
tunable_policy(`authlogin_nsswitch_use_ldap',`
miscfiles_read_generic_certs(nsswitch_domain)
sysnet_use_ldap(nsswitch_domain)
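Review bot: The added `systemd_stream_connect_userdb(nsswitch_domain)` is granted to every member of the nsswitch_domain attribute unconditionally, and the interface it calls (see systemd.if in this commit) ends in `connectto` on init_t unix stream sockets, which SELinux checks against the peer socket's label rather than the socket file; so any init_t-owned stream socket whose sock_file the domain can otherwise write also becomes connectable, not only the userdb one. That is likely acceptable for name-service lookups, but the reason should be recorded next to the rule, e.g. a comment above the ifdef: `# nss-systemd resolves dynamic users through the userdb socket under /run/systemd/userdb`. If only some nsswitch_domain members need dynamic-user resolution, consider gating this behind a tunable like the ldap block that follows.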
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ff8f7db7..540cd0c7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -923,6 +923,25 @@ interface(`init_stream_connect',`
allow $1 init_t:unix_stream_socket getattr;
')
+########################################
+## <summary>
+## Connect to init with a unix socket.
+## Without any additional permissions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_unix_stream_socket_connectto',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket connectto;
+')
+
########################################
## <summary>
## Inherit and use file descriptors from init.
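Review bot: The new interface's summary "Without any additional permissions." is a sentence fragment and does not say which permissions are deliberately left out, so a caller cannot tell from the XML that sock_file access must be granted separately; suggest `## Connect to a unix stream socket owned by init. No sock_file or directory permissions are granted; the caller must allow those on the socket file's type.` The name init_unix_stream_socket_connectto also breaks with the `init_stream_connect` naming of the interface directly above, which this one is a narrower sibling of; something like `init_stream_connectto` would read consistently, though the current name is descriptive. Separately, the new block is inserted directly after the previous interface's `')` without the blank line refpolicy keeps between interfaces (L35/L36 here and L65/L66 in systemd.if).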
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 895437e7..c8f33d51 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -462,6 +462,27 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
manage_sock_files_pattern($1, systemd_userdb_runtime_t,
systemd_userdb_runtime_t)
')
+########################################
+## <summary>
+## Connect to /run/systemd/userdb/io.systemd.DynamicUser .
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_stream_connect_userdb', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ init_search_runtime($1)
+ allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
+ allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+ init_unix_stream_socket_connectto($1)
+')
+
########################################
## <summary>
## Allow reading /run/systemd/machines
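Review bot: The summary names a single socket, /run/systemd/userdb/io.systemd.DynamicUser, but the allow rules are on the type systemd_userdb_runtime_t, so every sock_file carrying that label in the directory (any other userdb service socket labelled the same way) is writable and connectable by the caller; the documentation should describe the type, not one file, e.g. `## Connect to the userdb sockets under /run/systemd/userdb (type systemd_userdb_runtime_t), such as io.systemd.DynamicUser.` The directory rule grants `list_dir_perms` rather than `search_dir_perms`; if that is because clients enumerate the directory to discover services, a short comment saying so would justify the wider permission, otherwise search would suffice. As noted on init.if, the connectto granted through init_unix_stream_socket_connectto applies to all init_t stream sockets, which the caller of this interface should be aware of.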