From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 086881382C5 for ; Sun, 7 Feb 2021 03:20:51 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D2020E08C3; Sun, 7 Feb 2021 03:20:48 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id B6093E08C8 for ; Sun, 7 Feb 2021 03:20:48 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4BCA8343862 for ; Sun, 7 Feb 2021 03:20:47 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id D356F4C9 for ; Sun, 7 Feb 2021 03:20:44 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1612646109.e3ac68ac44916a79cd8c09711c4e689533834275.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/systemd.if policy/modules/system/systemd.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: e3ac68ac44916a79cd8c09711c4e689533834275 X-VCS-Branch: master Date: Sun, 7 Feb 2021 03:20:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 0f7da423-b432-4251-806f-7b8b7a665e5f X-Archives-Hash: 426896af09a476a254f6a5ee2acd5ee8 commit: e3ac68ac44916a79cd8c09711c4e689533834275 Author: Chris PeBenito ieee org> AuthorDate: Tue Feb 2 18:50:45 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3ac68ac systemd: Move lines. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/system/systemd.if | 1 + policy/modules/system/systemd.te | 17 +++++++++-------- 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 642d58e2..d7d0eb3d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -78,6 +78,7 @@ template(`systemd_role_template',`
 dbus_system_bus_client($1_systemd_t)
 selinux_use_status_page($1_systemd_t)
+ seutil_read_file_contexts($1_systemd_t)
 seutil_search_default_contexts($1_systemd_t)
 ')
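Review bot: The added `seutil_read_file_contexts($1_systemd_t)` in the systemd.if hunk is a new permission grant, not a move, yet the commit message says only "Move lines." and nothing in the hunk records which operation of the per-role systemd instance needed to read the file_contexts database. Policy grants without a recorded reason are hard to audit later, so this line would be better in its own commit with the denial it fixes described, or at minimum carry a comment above it such as `# read file_contexts for <operation that required it>`. The rest of systemd_role_template lies outside the hunk, so it is not visible here whether a related grant already exists elsewhere in the template. The remaining hunks in systemd.te are pure reorderings of existing lines and raise nothing on their own.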
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 39c37ac1..9ef509dc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -151,13 +151,13 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_machined_runtime_t alias systemd_machined_var_run_t;
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
-type systemd_machined_devpts_t;
-term_login_pty(systemd_machined_devpts_t)
-
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
@@ -562,9 +562,6 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
-# for /run/systemd/userdb/io.systemd.Machine
-allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
-
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -574,6 +571,9 @@ manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
 init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
@@ -730,6 +730,9 @@ allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
 allow systemd_machined_t self:process setfscreate;
 allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
@@ -761,8 +764,6 @@ logging_send_syslog_msg(systemd_machined_t)
 seutil_search_default_contexts(systemd_machined_t)
-term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
-allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
 term_getattr_pty_fs(systemd_machined_t)
 optional_policy(`