From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1528449661.3263ab0206a19727bff6ea79d5c129e2fdc1bfdb.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/init.te policy/modules/system/systemd.fc policy/modules/system/systemd.if policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 3263ab0206a19727bff6ea79d5c129e2fdc1bfdb
X-VCS-Branch: master
Date: Fri, 8 Jun 2018 10:07:26 +0000 (UTC)

commit:     3263ab0206a19727bff6ea79d5c129e2fdc1bfdb
Author:     Dave Sugar tresys com>
AuthorDate: Thu Jun 7 19:19:41 2018 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Fri Jun 8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3263ab02

policy for systemd-update-done

systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar tresys.com> policy/modules/system/init.te | 1 + policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.if | 21 +++++++++++++++++++++ policy/modules/system/systemd.te | 22 ++++++++++++++++++++++ 4 files changed, 45 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 7afc33d0..d38b6e39 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -407,6 +407,7 @@ ifdef(`init_systemd',` # lvm2-activation-generator checks file labels seutil_read_file_contexts(init_t) + systemd_getattr_updated_runtime(init_t) systemd_manage_passwd_runtime_symlinks(init_t) systemd_use_passwd_agent(init_t) systemd_list_tmpfiles_conf(init_t) diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 0f8c193d..5d4857e4 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -23,6 +23,7 @@ /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) /usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) +/usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0) /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) # Systemd unit files diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index b053242a..fd501c52 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
@@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',` read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) ') +####################################### +## +## Allow domain to getattr on .updated file (generated by systemd-update-done +## +## +## +## domain allowed access +## +## +# +interface(`systemd_getattr_updated_runtime',` + gen_require(` + type systemd_update_run_t; + ') + + getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t) +') + + + + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index cf2c3296..15fe6e1b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) type systemd_tmpfiles_conf_t; files_config_file(systemd_tmpfiles_conf_t) +type systemd_update_done_t; +type systemd_update_done_exec_t; +init_system_domain(systemd_update_done_t, systemd_update_done_exec_t) + +type systemd_update_run_t; +files_type(systemd_update_run_t) + # # Unit file types # @@ -1006,3 +1013,18 @@ optional_policy(` xserver_relabel_console_pipes(systemd_tmpfiles_t) xserver_setattr_console_pipes(systemd_tmpfiles_t) ') + +######################################### +# +# Update Done local policy +# + +allow systemd_update_done_t systemd_update_run_t:file manage_file_perms; + +dev_write_kmsg(systemd_update_done_t) + +files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated") +files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated") + +kernel_read_system_state(systemd_update_done_t) +
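Review bot: the systemd.fc hunk labels only the executable; nothing labels the timestamp files themselves, so after a relabel (setfiles/restorecon) /etc/.updated and /var/.updated fall back to etc_t and var_t, the manage_file_perms rule on systemd_update_run_t no longer matches them, and the next run of the service hits the same "Permission denied" quoted in the commit message when it tries to rewrite them. Add file-context entries next to the new exec line, e.g. `/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` and `/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)`, so the type transition and the on-disk labeling agree.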
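Review bot: in the systemd.if hunk the summary line of the new systemd_getattr_updated_runtime interface is missing its closing parenthesis ("(generated by systemd-update-done" should read "(generated by systemd-update-done)"), and the hunk appends several empty `+` lines after the closing `')`, which leaves trailing blank lines at the end of systemd.if; drop them so the file ends at the interface's `')`.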
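Review bot: in the first systemd.te hunk (@@ -173) the new type is named systemd_update_run_t and the interface that exposes it is called systemd_getattr_updated_runtime, but the objects it labels are /etc/.updated and /var/.updated, created via files_etc_filetrans and files_var_filetrans, not anything under /run; the _run_t / _runtime naming in this file is otherwise used for /run content (systemd_resolved_var_run_t). Consider naming the type and interface after what the file is (a timestamp owned by systemd-update-done) so readers do not assume it is tmpfs-backed runtime state, and keep the type and interface names consistent with each other either way.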
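Review bot: the local policy in the second systemd.te hunk (@@ -1006) covers exactly the two denials quoted in the commit message (creating the timestamp files through files_etc_filetrans/files_var_filetrans with manage_file_perms on systemd_update_run_t), but systemd-update-done also stats /usr to obtain the mtime it copies onto those files, and nothing here grants getattr on the /usr directory to systemd_update_done_t; please confirm a boot with this policy leaves no remaining AVC denials for the service before merging. The hunk also ends with a lone `+` line, adding a trailing blank line to systemd.te; remove it.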