commit: ef96877e219bdf1be92dee4f4f7b1897073218f8
Author: bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Thu Jun 4 08:30:19 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef96877e
systemd: private type for /run/systemd/userdb
Signed-off-by: bauen1 <j2468h <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/init.te | 3 +++
policy/modules/system/systemd.fc | 1 +
policy/modules/system/systemd.if | 56 ++++++++++++++++++++++++++++++++++++++++
policy/modules/system/systemd.te | 3 +++
4 files changed, 63 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9f9b78b0..e2cca47e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -469,6 +469,9 @@ ifdef(`init_systemd',`
systemd_list_tmpfiles_conf(init_t)
systemd_relabelto_tmpfiles_conf_dirs(init_t)
systemd_relabelto_tmpfiles_conf_files(init_t)
+ systemd_manage_userdb_runtime_sock_files(init_t)
+ systemd_manage_userdb_runtime_dirs(init_t)
+ systemd_filetrans_userdb_runtime_dirs(init_t)
systemd_relabelto_journal_dirs(init_t)
systemd_relabelto_journal_files(init_t)
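Review bot: init_t receives manage and filetrans rules for the new type here but no relabelto, while the neighbouring lines grant `systemd_relabelto_tmpfiles_conf_dirs` and `systemd_relabelto_journal_dirs` for comparable types. The named transition only takes effect when init itself creates `userdb`. If the directory already exists under /run with another label when the policy is loaded (for example, created from an initramfs, which is an assumption not visible in this diff), relabelling it to systemd_userdb_runtime_t would presumably be denied. Consider adding a relabelto interface for the new type, wrapping `allow $1 systemd_userdb_runtime_t:dir relabelto;`, and calling it next to the three added lines. The enclosing `ifdef` block starts and ends outside this hunk.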
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 34637068..a998f42b 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -70,6 +70,7 @@
/run/systemd/seats(/.*)?
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/systemd/sessions(/.*)?
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/systemd/users(/.*)?
gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
+/run/systemd/userdb(/.*)?
gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
/run/systemd/inhibit(/.*)?
gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
/run/systemd/nspawn(/.*)?
gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
/run/systemd/machines(/.*)?
gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 262c26d1..895437e7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -426,6 +426,42 @@ interface(`systemd_signull_logind',`
allow $1 systemd_logind_t:process signull;
')
+########################################
+## <summary>
+## Manage systemd userdb runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_userdb_runtime_dirs', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ manage_dirs_pattern($1, systemd_userdb_runtime_t,
systemd_userdb_runtime_t)
+')
+
+########################################
+## <summary>
+## Manage socket files under /run/systemd/userdb .
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_userdb_runtime_sock_files', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ manage_sock_files_pattern($1, systemd_userdb_runtime_t,
systemd_userdb_runtime_t)
+')
+
########################################
## <summary>
## Allow reading /run/systemd/machines
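Review bot: Both new interfaces are manage-level, and the commit adds no narrower interface for domains that only need to connect to the sockets under /run/systemd/userdb. Once the directory carries a private type, a client that previously reached these sockets through its access to the init runtime type would presumably be denied. The only way to restore that access, `systemd_manage_userdb_runtime_sock_files`, also grants create and unlink, which would let a client replace a lookup socket. A connect-only interface built around `allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;`, plus search on the directory and connectto on whichever domain listens, would keep clients at least privilege. Separately, the summary text `Manage socket files under /run/systemd/userdb .` has a stray space before the period.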
@@ -528,6 +564,26 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
init_runtime_filetrans($1, systemd_passwd_runtime_t, dir,
"ask-password")
')
+########################################
+## <summary>
+## Transition to systemd_userdb_runtime_t when
+## creating the userdb directory inside an init runtime
+## directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_filetrans_userdb_runtime_dirs', `
+ gen_require(`
+ type systemd_userdb_runtime_t;
+ ')
+
+ init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+')
+
######################################
## <summary>
## Allow to domain to create systemd-passwd symlink
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b6e508eb..dfc259df 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -249,6 +249,9 @@ init_system_domain(systemd_user_runtime_dir_t,
systemd_user_runtime_dir_exec_t)
type systemd_user_tmpfs_t;
userdom_user_tmpfs_file(systemd_user_tmpfs_t)
+type systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdb_runtime_t)
+
#
# Unit file types
#