[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

Jason Zaman Thu, 11 Nov 2021 13:27:51 -0800

commit:     aeb656ea428466c9609468be4ac76243e84f73f1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:53:34 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aeb656ea


policykit, systemd: allow policykit to watch systemd logins and sessions

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/policykit.te |  2 ++
 policy/modules/system/systemd.if     | 38 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index 721534a0..a76f8697 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -137,9 +137,11 @@ optional_policy(`
 
        # for /run/systemd/seats/seat*
        systemd_read_logind_sessions_files(policykit_t)
+       systemd_watch_logind_sessions_dirs(policykit_t)
 
        # for /run/systemd/users/*
        systemd_read_logind_runtime_files(policykit_t)
+       systemd_watch_logind_runtime_dirs(policykit_t)
 ')
 
 ########################################

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a493f7dc..38adf050 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -763,6 +763,25 @@ interface(`systemd_write_logind_pid_pipes',`
        systemd_write_logind_runtime_pipes($1)
 ')
 
+######################################
+## <summary>
+##   Watch systemd-logind runtime dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dirs',`
+       gen_require(`
+               type systemd_logind_runtime_t;
+       ')
+
+       files_search_runtime($1)
+       allow $1 systemd_logind_runtime_t:dir watch;
+')
+
 ######################################
 ## <summary>
 ##   Read systemd-logind runtime files.
@@ -841,6 +860,25 @@ interface(`systemd_use_logind_fds',`
        allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##      Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dirs',`
+       gen_require(`
+               type systemd_sessions_runtime_t;
+       ')
+
+       init_search_run($1)
+       allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
 ######################################
 ## <summary>
 ##      Read logind sessions files.

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

Reply via email to