commit: 09a4816dac1fb5111b3b67b71bdf7942b2c02c42
Author: Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Wed Jan 5 17:02:06 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 7 02:09:50 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09a4816d
systemd: Updates for generators and kmod-static-nodes.service.
Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/logging.te | 1 +
policy/modules/system/modutils.fc | 1 +
policy/modules/system/systemd.te | 5 ++++-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 451155d3..6cc5c16c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -549,6 +549,7 @@ ifdef(`init_systemd',`
init_dgram_send(syslogd_t)
init_read_runtime_pipes(syslogd_t)
init_read_runtime_symlinks(syslogd_t)
+ init_read_runtime_files(syslogd_t)
init_read_state(syslogd_t)
# needed for systemd-initrd case when syslog socket is unlabelled
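Review bot: The added `init_read_runtime_files(syslogd_t)` carries no comment on which init runtime file syslogd needs, while the neighbouring rule documents its reason and the commit title only names generators and kmod-static-nodes.service. It is also broader than the adjacent `init_read_runtime_pipes`/`init_read_runtime_symlinks` calls, since it presumably grants read on every init_runtime_t file, so the rationale is worth recording for later audit: `# syslogd reads <INIT-RUNTIME-FILE: take from the AVC denial> under /run`. The same undocumented widening appears in the systemd.te hunk at `init_read_runtime_files(systemd_tmpfiles_t)`; one comment at each site would do.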
diff --git a/policy/modules/system/modutils.fc
b/policy/modules/system/modutils.fc
index cfcfb715..88b30551 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -10,6 +10,7 @@ ifdef(`distro_gentoo',`
/run/modules-load\.d/.*\.conf --
gen_context(system_u:object_r:modules_conf_t,s0)
')
+/run/tmpfiles\.d/static-nodes\.conf --
gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
/run/tmpfiles\.d/kmod\.conf --
gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
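Review bot: The new file-context entry for `/run/tmpfiles\.d/static-nodes\.conf` only takes effect on a relabel (setfiles/restorecon); the file itself is written at boot by kmod-static-nodes.service, so its runtime label comes from whatever file transition kmod_t has into /run/tmpfiles.d, which this commit does not touch. If modutils.te only has a name-specific transition for `kmod.conf` (cannot be confirmed from this hunk), the new file would land as the directory's default type and the fc entry would be inert until the next relabel; a matching `systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file, "static-nodes.conf")` or an equivalent name-agnostic transition should accompany it. Note that the entry is placed outside the `ifdef(\`distro_gentoo\',` block closed at `')` above it, which is presumably intended since the service is upstream systemd.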
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7ccfbaf2..68fb96ec 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -510,7 +510,7 @@ systemd_log_parse_environment(systemd_generator_t)
term_use_unallocated_ttys(systemd_generator_t)
-udev_search_runtime(systemd_generator_t)
+udev_read_runtime_files(systemd_generator_t)
ifdef(`distro_gentoo',`
corecmd_shell_entry_type(systemd_generator_t)
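Review bot: Replacing `udev_search_runtime` with `udev_read_runtime_files` widens systemd_generator_t from directory search to reading every file under the udev runtime directory, and systemd_generator_t is a single type shared by all generators, so the grant applies to each of them. The hunk gives no comment on which generator reads udev state, which makes the wider access hard to re-justify later; suggest `# <GENERATOR: name from the denial> reads udev runtime state` above the new line. If udev_read_runtime_files does not itself include search on the udev runtime directory (it presumably does via the read_files pattern, but check udev.if), the removed search rule would still be needed.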
@@ -1469,6 +1469,8 @@ files_runtime_filetrans(systemd_sessions_t,
systemd_sessions_runtime_t, file)
fs_getattr_all_fs(systemd_sessions_t)
fs_search_cgroup_dirs(systemd_sessions_t)
+fs_search_tmpfs(systemd_sessions_t)
+fs_search_ramfs(systemd_sessions_t)
kernel_read_kernel_sysctls(systemd_sessions_t)
kernel_dontaudit_getattr_proc(systemd_sessions_t)
@@ -1627,6 +1629,7 @@ init_read_state(systemd_tmpfiles_t)
init_relabel_utmp(systemd_tmpfiles_t)
init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+init_read_runtime_files(systemd_tmpfiles_t)
logging_manage_generic_logs(systemd_tmpfiles_t)
logging_manage_generic_log_dirs(systemd_tmpfiles_t)