commit:     fed60e165b4309f27a9014718bb74973f5b9905d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Mar 13 23:22:59 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 21:38:23 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fed60e16

various: systemd user fixes and additional support

This finishes up a lot of the work originally started on systemd --user
support including interacting with user units, communicating with the
user's systemd instance, and reading the system journal.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 config/file_contexts.subs_dist      |   1 +
 policy/modules/roles/auditadm.te    |   4 +
 policy/modules/roles/dbadm.te       |   4 +
 policy/modules/roles/guest.te       |   4 +
 policy/modules/roles/logadm.te      |   4 +
 policy/modules/roles/secadm.te      |   4 +
 policy/modules/roles/webadm.te      |   4 +
 policy/modules/services/dbus.if     |   6 +
 policy/modules/system/init.if       |  37 +++
 policy/modules/system/init.te       |   4 +
 policy/modules/system/logging.te    |   6 +
 policy/modules/system/mount.if      |  54 ++++
 policy/modules/system/systemd.fc    |  12 +
 policy/modules/system/systemd.if    | 550 ++++++++++++++++++++++++++++++++++--
 policy/modules/system/systemd.te    |  33 ++-
 policy/modules/system/userdomain.if |  50 +++-
 16 files changed, 750 insertions(+), 27 deletions(-)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index b7e008f1..d33240c5 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -16,6 +16,7 @@
 /sbin /usr/sbin
 /etc/init.d /etc/rc.d/init.d
 /etc/systemd/system /usr/lib/systemd/system
+/etc/systemd/user /usr/lib/systemd/user
 /lib/systemd /usr/lib/systemd
 /run/lock /var/lock
 /usr/lib32 /usr/lib

diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index f2ef8fea..641cdb44 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -39,6 +39,10 @@ optional_policy(`
        dmesg_exec(auditadm_t)
 ')
 
+optional_policy(`
+       dbus_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
 optional_policy(`
        screen_role_template(auditadm, auditadm_r, auditadm_t)
 ')

diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index b60c464f..426aec20 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -53,6 +53,10 @@ tunable_policy(`dbadm_read_user_files',`
        userdom_read_user_tmp_files(dbadm_t)
 ')
 
+optional_policy(`
+       dbus_role_template(dbadm, dbadm_r, dbadm_t)
+')
+
 optional_policy(`
        mysql_admin(dbadm_t, dbadm_r)
 ')

diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
index 19cdbe1d..59b413cc 100644
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@@ -20,4 +20,8 @@ optional_policy(`
        apache_role(guest_r, guest_t)
 ')
 
+optional_policy(`
+       dbus_role_template(guest, guest_r, guest_t)
+')
+
 #gen_user(guest_u, user, guest_r, s0, s0)
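Review bot: Instantiating `dbus_role_template` for the guest role is a privilege increase that the hunk does not explain: besides the per-role session bus, the template already grants the user domain `send_msg acquire_svc` on the system bus (`system_dbusd_t`) and, under its `optional_policy`, now also wires in a systemd user daemon domain for the bus. guest_t is the deliberately restricted role, so if this is intended a one-line comment above the block, e.g. `# session bus for systemd --user; note this also opens the system bus to guest_t`, would record the trade-off, and if not the block could be gated behind a tunable. The rest of guest.te is outside this hunk.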

diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
index b524c0b5..1d091045 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
@@ -17,3 +17,7 @@ userdom_base_user_template(logadm)
 allow logadm_t self:capability { dac_override dac_read_search kill sys_nice 
sys_ptrace };
 
 logging_admin(logadm_t, logadm_r)
+
+optional_policy(`
+       dbus_role_template(logadm, logadm_r, logadm_t)
+')

diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 57a09953..4b07f0bb 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -47,6 +47,10 @@ optional_policy(`
        auditadm_role_change(secadm_r)
 ')
 
+optional_policy(`
+       dbus_role_template(secadm, secadm_r, secadm_t)
+')
+
 optional_policy(`
        dmesg_exec(secadm_t)
 ')

diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 2a6cae77..962b5281 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -55,3 +55,7 @@ tunable_policy(`webadm_read_user_files',`
        userdom_read_user_home_content_files(webadm_t)
        userdom_read_user_tmp_files(webadm_t)
 ')
+
+optional_policy(`
+       dbus_role_template(webadm, webadm_r, webadm_t)
+')

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 540147c7..f1b74511 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -63,6 +63,7 @@ template(`dbus_role_template',`
                attribute session_bus_type;
                type system_dbusd_t, dbusd_exec_t;
                type session_dbusd_tmp_t, session_dbusd_home_t;
+               type session_dbusd_runtime_t;
        ')
 
        ##############################
@@ -86,10 +87,13 @@ template(`dbus_role_template',`
        allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
        allow $3 $1_dbusd_t:fd use;
 
+       dontaudit $1_dbusd_t self:process getcap;
+
        allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
        allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { 
manage_dir_perms relabel_dir_perms };
        allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { 
manage_file_perms relabel_file_perms };
+       allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
        userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
 
        domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
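Review bot: The new `allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };` lets the user domain itself create, delete and relabel the session bus socket file, yet later in this patch that socket type is handed to the user's systemd instance for socket activation (`systemd_user_unix_stream_activated_socket`), so it is unclear which path needs the user shell rather than the bus daemon or the systemd instance to do this. `relabel_sock_file_perms` in particular looks broader than a session needs; if it is only for recovery/cleanup when no `systemd --user` instance owns the socket, say so in a comment such as `# user may recreate/relabel the bus socket when no systemd --user instance manages it`, otherwise consider dropping the relabel half. `dbus_role_template` starts above this hunk and continues below it.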
@@ -116,6 +120,8 @@ template(`dbus_role_template',`
 
        optional_policy(`
                systemd_read_logind_runtime_files($1_dbusd_t)
+               systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
+               systemd_user_unix_stream_activated_socket($1_dbusd_t, 
session_dbusd_runtime_t)
        ')
 ')
 
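Review bot: `systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)` requires `$1_systemd_t` (see its `gen_require` in systemd.if in this same patch), so `dbus_role_template` now silently depends on the role having also gone through `systemd_role_template`; for a role where that type does not exist the unmet require presumably drops this whole optional block, taking the pre-existing `systemd_read_logind_runtime_files` rule with it. A comment stating the dependency, e.g. `# requires $1_systemd_t, i.e. systemd_role_template must have been applied to this role`, or moving the two new calls into their own `optional_policy` block would keep the logind rule independent of that. `dbus_role_template` begins above this hunk.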

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index eca82d64..0bff4b80 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3357,6 +3357,24 @@ interface(`init_list_unit_dirs',`
        init_search_units($1)
 ')
 
+########################################
+## <summary>
+##     Read systemd unit files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_read_generic_units_files',`
+       gen_require(`
+               type systemd_unit_t;
+       ')
+
+       allow $1 systemd_unit_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Read systemd unit links
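Review bot: `init_read_generic_units_files` grants only `systemd_unit_t:file read_file_perms` with no directory search, so a caller that has not separately used `init_list_unit_dirs`/`init_search_units` still cannot open a unit by path when the unit directories carry the same type. The other read interfaces added in this patch (`mount_read_runtime_files`, `systemd_read_user_runtime_units`) use `read_files_pattern`, which includes the search; for consistency the body could be `read_files_pattern($1, systemd_unit_t, systemd_unit_t)`, or the summary should state that callers must pair it with a search interface.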
@@ -3567,6 +3585,25 @@ interface(`init_manage_all_unit_files',`
        manage_lnk_files_pattern($1, systemdunit, systemdunit)
 ')
 
+#########################################
+## <summary>
+##     Associate the specified domain to be a domain whose
+##     keyring init should be allowed to link.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain whose keyring init should be allowed to link.
+##     </summary>
+## </param>
+#
+interface(`init_linkable_keyring',`
+       gen_require(`
+               attribute init_linkable_keyring_type;
+       ')
+
+       typeattribute $1 init_linkable_keyring_type;
+')
+
 ########################################
 ## <summary>
 ##      Allow unconfined access to send instructions to init
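Review bot: The summary and parameter text of `init_linkable_keyring` read awkwardly ("to be a domain whose keyring init should be allowed to link") and do not say what permission results; since the matching rule in init.te is `allow init_t init_linkable_keyring_type:key link`, a clearer summary would be `Mark the domain's keyrings as linkable by init (init_t gets key:link on them)` with the parameter described as `Domain whose keyrings init may link`. The `#` header line of this interface also appears one character longer than the surrounding ones, a nit in an otherwise uniform file.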

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1a7c2c96..4c322455 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -35,6 +35,7 @@ attribute init_path_unit_loc_type;
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
+attribute init_linkable_keyring_type;
 attribute systemdunit;
 attribute initrc_transition_domain;
 
@@ -149,6 +150,9 @@ can_exec(init_t, init_exec_t)
 
 allow init_t initrc_t:unix_stream_socket connectto;
 
+# Mostly for systemd. Allow init to link to various keyrings
+allow init_t init_linkable_keyring_type:key link;
+
 # For /var/run/shutdown.pid.
 allow init_t init_runtime_t:file manage_file_perms;
 files_runtime_filetrans(init_t, init_runtime_t, file)
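Review bot: The comment `# Mostly for systemd. Allow init to link to various keyrings` does not say which keyrings or why; the attribute is populated only through `init_linkable_keyring`, and the sole caller in this patch is the per-role `$1_systemd_t` user instance. A comment such as `# PID 1 links keys into the keyrings of domains marked init_linkable_keyring_type (currently the systemd --user instances)` would tell the next reader what the attribute is for and when to extend it.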

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b14a1940..e6e44374 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -548,6 +548,12 @@ ifdef(`init_systemd',`
        systemd_manage_journal_files(syslogd_t)
 
        udev_read_runtime_files(syslogd_t)
+
+       # journald traverses /run/user/UID (which is mode 0700) to read 
symlinks in /run/user/UID/systemd/units/
+       allow syslogd_t self:capability dac_read_search;
+       userdom_search_user_runtime_root(syslogd_t)
+       userdom_search_user_runtime(syslogd_t)
+       systemd_read_user_runtime_lnk_files(syslogd_t)
 ')
 
 ifdef(`distro_gentoo',`
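Review bot: `allow syslogd_t self:capability dac_read_search;` is not path-scoped, so it lets journald bypass DAC read/search checks on every file its SELinux rules already reach, not only `/run/user/UID`; the comment names the trigger but not that trade-off. If journald degrades gracefully when it cannot resolve the user unit (presumably it just omits that field), a `dontaudit` of the capability together with the two search interfaces would be the least-privilege choice; otherwise extend the comment, e.g. `# NOTE: dac_read_search is system-wide, bounded only by syslogd_t's file rules`. The `ifdef(`init_systemd'` block begins above this hunk.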

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4a8377f9..c75922d9 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -222,6 +222,42 @@ interface(`mount_watch_runtime_dirs',`
        allow $1 mount_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+##     Watch mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files',`
+       gen_require(`
+               type mount_runtime_t;
+       ')
+
+       allow $1 mount_runtime_t:file watch;
+')
+
+########################################
+## <summary>
+##     Watch reads on mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_reads_runtime_files',`
+       gen_require(`
+               type mount_runtime_t;
+       ')
+
+       allow $1 mount_runtime_t:file watch_reads;
+')
+
 ########################################
 ## <summary>
 ##     Getattr on mount_runtime_t files
@@ -240,6 +276,24 @@ interface(`mount_getattr_runtime_files',`
        allow $1 mount_runtime_t:file getattr;
 ')
 
+########################################
+## <summary>
+##     Read mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_read_runtime_files',`
+       gen_require(`
+               type mount_runtime_t;
+       ')
+
+       read_files_pattern($1, mount_runtime_t, mount_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##     Read and write mount runtime files.

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 8dcae1a9..7de7e677 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -42,6 +42,11 @@
 /usr/lib/systemd/systemd-user-sessions --      
gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
+HOME_DIR/\.config/systemd(/.*)?                
gen_context(system_u:object_r:systemd_conf_home_t,s0)
+HOME_DIR/\.local/share/systemd(/.*)?           
gen_context(system_u:object_r:systemd_data_home_t,s0)
+
+/usr/lib/systemd/user(/.*)?            
gen_context(system_u:object_r:systemd_user_unit_t,s0)
+
 /usr/lib/systemd/system/[^/]*halt.*    --      
gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*hibernate.* --    
gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*power.*   --      
gen_context(system_u:object_r:power_unit_t,s0)
@@ -68,6 +73,13 @@
 /run/\.nologin[^/]*    --      
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/nologin   --      
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 
+/run/user/%{USERID}/systemd    -d      
gen_context(system_u:object_r:systemd_user_runtime_t,s0)
+/run/user/%{USERID}/systemd/generator(/.*)?            
gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/generator\.early(/.*)?             
gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/generator\.late(/.*)?              
gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/transient(/.*)?            
gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+/run/user/%{USERID}/systemd/user(/.*)?         
gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
+
 /run/systemd/ask-password(/.*)?        
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?  
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/resolve(/.*)?  
gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
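Review bot: `/run/user/%{USERID}/systemd -d` labels only the directory itself, so on a relabel anything directly under it that is not one of the five listed subtrees (e.g. the `units/` symlink directory that journald reads per the logging.te hunk, or the sockets the instance creates there) falls back to whatever matches `/run/user/%{USERID}` generally, while at runtime those objects inherit `systemd_user_runtime_t` from the parent unless a type transition says otherwise. Unless a separate spec for those paths exists elsewhere, `/run/user/%{USERID}/systemd(/.*)?` would make `restorecon` agree with the runtime labels; the more specific generator/transient/user entries still win by longest match.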

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 6a66a2d7..38a026fd 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -28,8 +28,11 @@
 template(`systemd_role_template',`
        gen_require(`
                attribute systemd_user_session_type, systemd_log_parse_env_type;
-               type systemd_user_runtime_t, systemd_user_runtime_notify_t;
+               attribute systemd_user_activated_sock_file_type, 
systemd_user_unix_stream_activated_socket_type;
                type systemd_run_exec_t, systemd_analyze_exec_t;
+               type systemd_conf_home_t, systemd_data_home_t;
+               type systemd_user_runtime_t, systemd_user_runtime_notify_t;
+               type systemd_user_unit_t, systemd_user_runtime_unit_t;
        ')
 
        #################################
@@ -47,39 +50,534 @@ template(`systemd_role_template',`
        # Local policy
        #
 
-       allow $3 systemd_user_runtime_t:dir { manage_dir_perms 
relabel_dir_perms };
-       allow $3 systemd_user_runtime_t:file { manage_file_perms 
relabel_file_perms };
-       allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-       allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
-       allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-
-       allow $3 systemd_user_runtime_notify_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
-
        # This domain is per-role because of the below transitions.
        # See the systemd --user section of systemd.te for the
        # remainder of the rules.
-       allow $1_systemd_t $3:process { setsched rlimitinh };
+       allow $1_systemd_t self:process { getsched signal };
+       allow $1_systemd_t self:netlink_kobject_uevent_socket 
create_socket_perms;
+       allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+       allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
        corecmd_shell_domtrans($1_systemd_t, $3)
        corecmd_bin_domtrans($1_systemd_t, $3)
-       allow $1_systemd_t self:process signal;
+
+       # systemctl --user rules
+       allow $1_systemd_t 
systemd_user_unix_stream_activated_socket_type:unix_stream_socket { 
create_socket_perms listen };
+       allow $1_systemd_t systemd_user_activated_sock_file_type:dir 
manage_dir_perms;
+       allow $1_systemd_t systemd_user_activated_sock_file_type:sock_file 
manage_sock_file_perms;
+
+       allow $1_systemd_t systemd_user_runtime_t:blk_file 
manage_blk_file_perms;
+       allow $1_systemd_t systemd_user_runtime_t:chr_file 
manage_chr_file_perms;
+       allow $1_systemd_t systemd_user_runtime_t:dir manage_dir_perms;
+       allow $1_systemd_t systemd_user_runtime_t:file manage_file_perms;
+       allow $1_systemd_t systemd_user_runtime_t:fifo_file 
manage_fifo_file_perms;
+       allow $1_systemd_t systemd_user_runtime_t:lnk_file 
manage_lnk_file_perms;
+       allow $1_systemd_t systemd_user_runtime_t:sock_file 
manage_sock_file_perms;
+
+       allow $1_systemd_t systemd_user_runtime_unit_t:dir manage_dir_perms;
+       allow $1_systemd_t systemd_user_runtime_unit_t:file manage_file_perms;
+       allow $1_systemd_t systemd_user_runtime_unit_t:lnk_file 
manage_lnk_file_perms;
+
+       allow $1_systemd_t $3:dir search_dir_perms;
+       allow $1_systemd_t $3:file read_file_perms;
+       allow $1_systemd_t $3:lnk_file read_lnk_file_perms;
+
+       filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, 
systemd_user_runtime_unit_t, dir, "generator.early")
+       filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, 
systemd_user_runtime_unit_t, dir, "generator.late")
+       filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, 
systemd_user_runtime_unit_t, dir, "transient")
+       filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, 
systemd_user_runtime_unit_t, dir, "user")
+
+       dev_read_urand($1_systemd_t)
 
        files_search_home($1_systemd_t)
 
+       fs_manage_cgroup_files($1_systemd_t)
+       fs_watch_cgroup_files($1_systemd_t)
+
+       kernel_dontaudit_getattr_proc($1_systemd_t)
+
+       selinux_use_status_page($1_systemd_t)
+
+       init_linkable_keyring($1_systemd_t)
+       init_list_unit_dirs($1_systemd_t)
+       init_read_generic_units_files($1_systemd_t)
+
+       miscfiles_watch_localization($1_systemd_t)
+
+       mount_read_runtime_files($1_systemd_t)
+       mount_watch_runtime_files($1_systemd_t)
+       mount_watch_reads_runtime_files($1_systemd_t)
+
+       seutil_search_default_contexts($1_systemd_t)
+       seutil_read_file_contexts($1_systemd_t)
+
+       systemd_manage_conf_home_content($1_systemd_t)
+       systemd_manage_data_home_content($1_systemd_t)
+
+       systemd_search_user_runtime_unit_dirs($1_systemd_t)
+
+       systemd_search_user_runtime_unit_dirs($1_systemd_t)
+       systemd_read_user_unit_files($1_systemd_t)
+
+       dbus_system_bus_client($1_systemd_t)
+       dbus_spec_session_bus_client($1, $1_systemd_t)
+
+       # userdomain rules
+       allow $3 $1_systemd_t:process signal;
+       allow $3 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
        # Allow using file descriptors for user environment generators
        allow $3 $1_systemd_t:fd use;
        allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
-
-       # systemctl --user
        stream_connect_pattern($3, systemd_user_runtime_t, 
systemd_user_runtime_t, $1_systemd_t)
 
+       allow $3 $1_systemd_t:system { disable enable reload start stop status 
};
+
+       allow $3 systemd_user_runtime_t:dir { manage_dir_perms 
relabel_dir_perms };
+       allow $3 systemd_user_runtime_t:file { manage_file_perms 
relabel_file_perms };
+       allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
+       allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
+       allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
+
+       allow $3 systemd_user_runtime_notify_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
+
+       allow $3 systemd_user_unit_t:service { reload start status stop };
+       allow $3 systemd_conf_home_t:service { reload start status stop };
+
        can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
-       dbus_system_bus_client($1_systemd_t)
+       init_dbus_chat($3)
 
-       selinux_use_status_page($1_systemd_t)
+       systemd_list_journal_dirs($3)
+       systemd_read_journal_files($3)
 
-       seutil_read_file_contexts($1_systemd_t)
-       seutil_search_default_contexts($1_systemd_t)
+       systemd_manage_conf_home_content($3)
+       systemd_relabel_conf_home_content($3)
+
+       systemd_manage_data_home_content($3)
+       systemd_relabel_data_home_content($3)
+
+       systemd_read_user_unit_files($3)
+       systemd_list_user_runtime_unit_dirs($3)
+       systemd_read_user_runtime_units($3)
+
+       systemd_reload_user_runtime_units($3)
+       systemd_start_user_runtime_units($3)
+       systemd_status_user_runtime_units($3)
+       systemd_stop_user_runtime_units($3)
+
+       optional_policy(`
+               xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, 
"systemd")
+               xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, 
"systemd")
+               xdg_read_config_files($1_systemd_t)
+               xdg_read_data_files($1_systemd_t)
+       ')
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to be started as a daemon by the
+##   specified systemd user instance.
+## </summary>
+## <param name="prefix">
+##   <summary>
+##     Prefix for the user domain.
+##   </summary>
+## </param>
+## <param name="entry_point">
+##   <summary>
+##     Entry point file type for the domain.
+##   </summary>
+## </param>
+## <param name="domain">
+##   <summary>
+##     Domain to allow the systemd user domain to run.
+##   </summary>
+## </param>
+#
+template(`systemd_user_daemon_domain',`
+       gen_require(`
+               type $1_systemd_t;
+       ')
+
+       domtrans_pattern($1_systemd_t, $2, $3)
+
+       allow $1_systemd_t $3:process signal_perms;
+       allow $3 $1_systemd_t:unix_stream_socket rw_socket_perms;
+')
+
+######################################
+## <summary>
+##   Associate the specified file type to be a type whose sock files
+##   can be managed by systemd user instances for socket activation.
+## </summary>
+## <param name="file_type">
+##   <summary>
+##     File type to be associated.
+##   </summary>
+## </param>
+#
+interface(`systemd_user_activated_sock_file',`
+       gen_require(`
+               attribute systemd_user_activated_sock_file_type;
+       ')
+
+       typeattribute $1 systemd_user_activated_sock_file_type;
+')
+
+######################################
+## <summary>
+##   Associate the specified domain to be a domain whose unix stream
+##   sockets and sock files can be managed by systemd user instances
+##   for socket activation.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain to be associated.
+##   </summary>
+## </param>
+## <param name="sock_file_type">
+##   <summary>
+##     File type of the domain's sock files to be associated.
+##   </summary>
+## </param>
+#
+interface(`systemd_user_unix_stream_activated_socket',`
+       gen_require(`
+               attribute systemd_user_unix_stream_activated_socket_type;
+       ')
+
+       typeattribute $1 systemd_user_unix_stream_activated_socket_type;
+       systemd_user_activated_sock_file($2)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to search systemd config home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_search_conf_home_content',`
+       gen_require(`
+               type systemd_conf_home_t;
+       ')
+
+       search_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to manage systemd config home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_manage_conf_home_content',`
+       gen_require(`
+               type systemd_conf_home_t;
+       ')
+
+       manage_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+       manage_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+       manage_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to relabel systemd config home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_relabel_conf_home_content',`
+       gen_require(`
+               type systemd_conf_home_t;
+       ')
+
+       relabel_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+       relabel_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+       relabel_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to search systemd data home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_search_data_home_content',`
+       gen_require(`
+               type systemd_data_home_t;
+       ')
+
+       search_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to manage systemd data home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_manage_data_home_content',`
+       gen_require(`
+               type systemd_data_home_t;
+       ')
+
+       allow $1 systemd_data_home_t:dir manage_dir_perms;
+       allow $1 systemd_data_home_t:file manage_file_perms;
+       allow $1 systemd_data_home_t:lnk_file manage_lnk_file_perms;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to relabel systemd data home
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_relabel_data_home_content',`
+       gen_require(`
+               type systemd_data_home_t;
+       ')
+
+       relabel_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
+       relabel_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
+       relabel_lnk_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to search systemd user runtime
+##   content.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_search_user_runtime',`
+       gen_require(`
+               type systemd_user_runtime_t;
+       ')
+
+       search_dirs_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to read systemd user runtime files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_user_runtime_files',`
+       gen_require(`
+               type systemd_user_runtime_t;
+       ')
+
+       read_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to read systemd user runtime lnk files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_user_runtime_lnk_files',`
+       gen_require(`
+               type systemd_user_runtime_t;
+       ')
+
+       read_lnk_files_pattern($1, systemd_user_runtime_t, 
systemd_user_runtime_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to read system-wide systemd
+##   user unit files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_user_unit_files',`
+       gen_require(`
+               type systemd_user_unit_t;
+       ')
+
+       allow $1 systemd_user_unit_t:dir list_dir_perms;
+       allow $1 systemd_user_unit_t:file read_file_perms;
+       allow $1 systemd_user_unit_t:lnk_file read_lnk_file_perms;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to read systemd user runtime unit files.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_read_user_runtime_units',`
+       gen_require(`
+               type systemd_user_runtime_unit_t;
+       ')
+
+       read_files_pattern($1, systemd_user_runtime_unit_t, 
systemd_user_runtime_unit_t)
+       read_lnk_files_pattern($1, systemd_user_runtime_unit_t, 
systemd_user_runtime_unit_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to search systemd user runtime unit
+##   directories.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_search_user_runtime_unit_dirs',`
+       gen_require(`
+               type systemd_user_runtime_unit_t;
+       ')
+
+       search_dirs_pattern($1, systemd_user_runtime_unit_t, 
systemd_user_runtime_unit_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to list the contents of systemd
+##   user runtime unit directories.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_list_user_runtime_unit_dirs',`
+       gen_require(`
+               type systemd_user_runtime_unit_t;
+       ')
+
+       list_dirs_pattern($1, systemd_user_runtime_unit_t, 
systemd_user_runtime_unit_t)
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to get the status of systemd user runtime 
units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_status_user_runtime_units',`
+       gen_require(`
+               type systemd_user_runtime_unit_t;
+               class service status;
+       ')
+
+       allow $1 systemd_user_runtime_unit_t:service status;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to start systemd user runtime units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_start_user_runtime_units',`
+       gen_require(`
+               type systemd_user_runtime_unit_t;
+               class service start;
+       ')
+
+       allow $1 systemd_user_runtime_unit_t:service start;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to stop systemd user runtime units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_stop_user_runtime_units',`
+       gen_require(`
+               type systemd_user_runtime_unit_t;
+               class service stop;
+       ')
+
+       allow $1 systemd_user_runtime_unit_t:service stop;
+')
+
+######################################
+## <summary>
+##   Allow the specified domain to reload systemd user runtime units.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_reload_user_runtime_units',`
+       gen_require(`
+               type systemd_user_runtime_unit_t;
+               class service reload;
+       ')
+
+       allow $1 systemd_user_runtime_unit_t:service reload;
 ')
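Review bot: `systemd_list_journal_dirs($3)` and `systemd_read_journal_files($3)` give every user domain that goes through this template unconditional SELinux read access to the system journal (`systemd_journal_t`), so for a non-admin role the only remaining barrier is the DAC group on the journal files; consider gating those two calls behind a boolean or leaving them to the admin roles. Two smaller points in the user-instance section: `systemd_search_user_runtime_unit_dirs($1_systemd_t)` is listed twice, and `manage_blk_file_perms`/`manage_chr_file_perms` on `systemd_user_runtime_t` are unexplained — presumably the device nodes systemd creates for its `inaccessible/` sandboxing paths, which deserves a comment such as `# device nodes under $XDG_RUNTIME_DIR/systemd/inaccessible`. The four `filetrans_pattern(systemd_user_session_type, ...)` rules key on the attribute rather than `$1_systemd_t`, so they are re-emitted identically for every role, and the comment at the top of this section says such shared rules belong in systemd.te. The template begins in the previous hunk.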
 
 ######################################
@@ -680,6 +1178,24 @@ interface(`systemd_manage_all_units',`
        init_manage_all_unit_files($1)
 ')
 
+########################################
+## <summary>
+##      Allow domain to list the contents of systemd_journal_t dirs
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_list_journal_dirs',`
+       gen_require(`
+               type systemd_journal_t;
+       ')
+
+       list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
 ########################################
 ## <summary>
 ##      Allow domain to read systemd_journal_t files

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2e08efd1..66672243 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -56,6 +56,8 @@ gen_tunable(systemd_tmpfilesd_factory, false)
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
+attribute systemd_user_activated_sock_file_type;
+attribute systemd_user_unix_stream_activated_socket_type;
 
 attribute_role systemd_sysusers_roles;
 
@@ -277,6 +279,13 @@ init_system_domain(systemd_update_done_t, 
systemd_update_done_exec_t)
 type systemd_update_run_t;
 files_type(systemd_update_run_t)
 
+type systemd_conf_home_t;
+init_unit_file(systemd_conf_home_t)
+xdg_config_content(systemd_conf_home_t)
+
+type systemd_data_home_t;
+xdg_data_content(systemd_data_home_t)
+
 type systemd_user_runtime_notify_t;
 userdom_user_runtime_content(systemd_user_runtime_notify_t)
 
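Review bot: `systemd_data_home_t` is declared with only `xdg_data_content()`, while `systemd_conf_home_t` directly above it also gets `init_unit_file()`. If the data-home type labels a directory that systemd --user also searches for unit files (the systemd.fc change is outside this hunk), the `init_*_unit_files` interfaces will not cover it and callers would need separate rules. If the asymmetry is intended, a comment such as `# intentionally not init_unit_file(): <reason>` on the type line would keep a later reader from "fixing" it.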
@@ -293,6 +302,13 @@ userdom_user_tmpfs_file(systemd_user_tmpfs_t)
 type systemd_userdb_runtime_t;
 files_runtime_file(systemd_userdb_runtime_t)
 
+type systemd_user_unit_t;
+init_unit_file(systemd_user_unit_t)
+
+type systemd_user_runtime_unit_t;
+init_unit_file(systemd_user_runtime_unit_t)
+userdom_user_runtime_content(systemd_user_runtime_unit_t)
+
 #
 # Unit file types
 #
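Review bot: The new `systemd_user_unit_t` and `systemd_user_runtime_unit_t` declarations are both marked `init_unit_file()` but are inserted just above the `# Unit file types` section header that follows them. Moving the two blocks under that header keeps the file's grouping meaningful for the next person searching for unit types.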
@@ -1529,6 +1545,9 @@ allow systemd_user_runtime_dir_t self:process setfscreate;
 
 domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
 
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
+
 files_read_etc_files(systemd_user_runtime_dir_t)
 
 fs_mount_tmpfs(systemd_user_runtime_dir_t)
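Review bot: The two added rules use raw `allow ... manage_dir_perms` / `manage_file_perms` where the rest of this domain's block, and the userdomain.if changes in the same commit, use the pattern macros. For consistency the pair could be written as `manage_dirs_pattern(systemd_user_runtime_dir_t, systemd_user_runtime_t, systemd_user_runtime_t)` and `manage_files_pattern(systemd_user_runtime_dir_t, systemd_user_runtime_t, systemd_user_runtime_t)`. A short comment saying why this domain needs full manage rather than only delete on its own runtime type would also help, since every other grant added for it here is delete-only.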
@@ -1547,6 +1566,18 @@ systemd_dbus_chat_logind(systemd_user_runtime_dir_t)
 seutil_read_file_contexts(systemd_user_runtime_dir_t)
 seutil_libselinux_linked(systemd_user_runtime_dir_t)
 
+userdom_list_all_user_runtime(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_dirs(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_files(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_symlinks(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_blk_files(systemd_user_runtime_dir_t)
+userdom_delete_all_user_runtime_chr_files(systemd_user_runtime_dir_t)
+
+userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
+
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, 
dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
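Review bot: `userdom_manage_user_tmp_dirs` and `userdom_manage_user_tmp_files` give systemd_user_runtime_dir_t create and write access to user tmp content, which is broader than the delete-only `userdom_delete_all_user_runtime_*` grants used for the runtime directory in the same hunk. If the requirement is only cleanup of leftover tmp content, a delete-only interface (if userdomain.if provides one) would be the least-privilege choice; if creation is genuinely required, a comment above the two lines stating the reason (e.g. `# creates <what> in user tmp during <when>`) would justify the wider grant.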
@@ -1554,5 +1585,5 @@ 
userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
 
 optional_policy(`
-    dbus_system_bus_client(systemd_user_runtime_dir_t)
+       dbus_system_bus_client(systemd_user_runtime_dir_t)
 ')

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index e14bdc01..48e549e8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3564,7 +3564,7 @@ interface(`userdom_delete_all_user_runtime_dirs',`
                attribute user_runtime_content_type;
        ')
 
-       allow $1 user_runtime_content_type:dir { delete_dir_perms 
del_entry_dir_perms list_dir_perms };
+       delete_dirs_pattern($1, user_runtime_content_type, 
user_runtime_content_type)
 ')
 
 ########################################
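Review bot: If `delete_dirs_pattern` expands the way refpolicy's misc_patterns define it (rw_dir_perms on the container type plus delete_dir_perms on the directory type), this replacement grants more than the removed explicit `{ delete_dir_perms del_entry_dir_perms list_dir_perms }` did, since rw_dir_perms includes add_name and write; worth confirming against this tree's pattern definition. The interface body is complete in this hunk. If the widening is acceptable, a sentence in the interface description noting that the container directories become writable would keep the documented contract accurate.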
@@ -3582,8 +3582,7 @@ interface(`userdom_delete_all_user_runtime_files',`
                attribute user_runtime_content_type;
        ')
 
-       allow $1 user_runtime_content_type:dir list_dir_perms;
-       allow $1 user_runtime_content_type:file delete_file_perms;
+       delete_files_pattern($1, user_runtime_content_type, 
user_runtime_content_type)
 ')
 
 ########################################
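Review bot: Dropping `allow $1 user_runtime_content_type:dir list_dir_perms;` in favour of `delete_files_pattern` changes what callers receive on the directory: they gain remove_name/write (needed for unlink, so the change is correct in itself) but lose open/read, assuming the pattern expands to del_entry_dir_perms as in refpolicy. Any existing caller that relied on these interfaces to also list the directory now needs `userdom_list_all_user_runtime($1)` — the commit does exactly that for systemd_user_runtime_dir_t in systemd.te, but other callers are not visible here. The same applies to the symlink, named-pipe and named-socket hunks that follow. Noting the dropped list permission in the interface description would help downstream policy authors.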
@@ -3601,8 +3600,7 @@ interface(`userdom_delete_all_user_runtime_symlinks',`
                attribute user_runtime_content_type;
        ')
 
-       allow $1 user_runtime_content_type:dir list_dir_perms;
-       allow $1 user_runtime_content_type:lnk_file delete_lnk_file_perms;
+       delete_lnk_files_pattern($1, user_runtime_content_type, 
user_runtime_content_type)
 ')
 
 ########################################
@@ -3620,8 +3618,7 @@ interface(`userdom_delete_all_user_runtime_named_pipes',`
                attribute user_runtime_content_type;
        ')
 
-       allow $1 user_runtime_content_type:dir list_dir_perms;
-       allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+       delete_fifo_files_pattern($1, user_runtime_content_type, 
user_runtime_content_type)
 ')
 
 ########################################
@@ -3639,8 +3636,43 @@ 
interface(`userdom_delete_all_user_runtime_named_sockets',`
                attribute user_runtime_content_type;
        ')
 
-       allow $1 user_runtime_content_type:dir list_dir_perms;
-       allow $1 user_runtime_content_type:sock_file delete_sock_file_perms;
+       delete_sock_files_pattern($1, user_runtime_content_type, 
user_runtime_content_type)
+')
+
+########################################
+## <summary>
+##     delete user runtime blk files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_blk_files',`
+       gen_require(`
+               attribute user_runtime_content_type;
+       ')
+
+       delete_blk_files_pattern($1, user_runtime_content_type, 
user_runtime_content_type)
+')
+
+########################################
+## <summary>
+##     delete user runtime chr files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_chr_files',`
+       gen_require(`
+               attribute user_runtime_content_type;
+       ')
+
+       delete_chr_files_pattern($1, user_runtime_content_type, 
user_runtime_content_type)
 ')
 
 ########################################
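Review bot: The summaries of the two new interfaces, `delete user runtime blk files` and `delete user runtime chr files`, are terser and lower-cased compared with the "Domain allowed access." style used in the rest of the file. Suggested replacements: `##	Delete all block device files in user runtime directories.` and `##	Delete all character device files in user runtime directories.`. Both interface bodies are complete in this hunk.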
