From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1696606252.8f51e189a7c8f8680f84fc11841257c19ab9fa51.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/locallogin.te policy/modules/system/systemd.if
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 8f51e189a7c8f8680f84fc11841257c19ab9fa51
X-VCS-Branch: master
Date: Fri, 6 Oct 2023 16:44:33 +0000 (UTC)

commit:     8f51e189a7c8f8680f84fc11841257c19ab9fa51
Author:     Russell Coker coker com au>
AuthorDate: Wed Sep 27 13:20:52 2023 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Fri Oct 6 15:30:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f51e189

small systemd patches (#708)

* Some small systemd patches

Signed-off-by: Russell Coker coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker coker.com.au>

* removed the init_var_run_t:service stuff as there's already interfaces and a type for it

Signed-off-by: Russell Coker coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker coker.com.au>

---------

Signed-off-by: Russell Coker coker.com.au>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/system/locallogin.te |  3 ++-
 policy/modules/system/systemd.if    | 12 +++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index f40f15c1c..4dc9981bc 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -131,7 +131,8 @@ auth_domtrans_pam_console(local_login_t) auth_read_pam_motd_dynamic(local_login_t) auth_read_shadow_history(local_login_t) -init_dontaudit_use_fds(local_login_t) +# if local_login_t can not inherit fd from init it takes ages to login +init_use_fds(local_login_t) miscfiles_read_localization(local_login_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 77a59c662..64455eed5 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -19,11 +19,6 @@ ## The user domain for the role. ## ## -## -## -## The type for the user pty -## -## # template(`systemd_role_template',` gen_require(` @@ -34,6 +29,7 @@ template(`systemd_role_template',` type systemd_user_runtime_t, systemd_user_runtime_notify_t; type systemd_user_unit_t; type systemd_user_runtime_unit_t, systemd_user_transient_unit_t; + type systemd_machined_t; ') ################################# @@ -153,6 +149,12 @@ template(`systemd_role_template',` allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + # for "machinectl shell" + allow $1_systemd_t systemd_machined_t:fd use; + allow $3 systemd_machined_t:fd use; + allow $3 systemd_machined_t:dbus send_msg; + allow systemd_machined_t $3:dbus send_msg; + allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; allow $3 systemd_user_unit_t:service { reload start status stop };
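Review bot: the locallogin.te hunk turns a deliberate `init_dontaudit_use_fds(local_login_t)` into a full `init_use_fds(local_login_t)`, and the one-line comment `# if local_login_t can not inherit fd from init it takes ages to login` records the symptom but not the cause, so a later reader cannot tell whether allowing use of every descriptor inherited from init is the minimal fix or whether the right fix is for init to close that descriptor before the login transition. Please expand the comment with what was observed (which inherited descriptor, and what login was blocking on until the timeout), and note that the denial had been hidden by the old dontaudit: a silently denied fd that stalls login for a long time is exactly the case a dontaudit should not be masking.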
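Review bot: the first systemd.if hunk removes the parameter documentation block that reads `The type for the user pty`, which the commit message identifies as the stale reference to user_devpts_t; since only the documentation is removed, please confirm that the systemd_role_template body has no remaining reference to a fourth positional argument and that no caller still passes one, otherwise the interface documentation and the callers will now disagree in the opposite direction.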
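Review bot: the `# for "machinectl shell"` rules are added inside systemd_role_template itself, so every user domain generated from the template, not only the administrative roles, gets bidirectional `dbus send_msg` with systemd_machined_t plus `fd use` on machined's descriptors, and `machinectl shell` starts a shell (by default as root) through machined. Suggest moving these four allow rules into a separate interface, or behind a tunable, that only the privileged role templates call, and adding a comment to `allow $1_systemd_t systemd_machined_t:fd use;` explaining why the per-user systemd instance, and not just the user shell `$3`, needs machined's descriptors. The comment names the feature but the hunk grants nothing on the terminal machined hands back to the shell; either say where that access comes from or cover it here, otherwise the dbus side will work while the shell's terminal is still denied.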