commit:     34b81b634f7a8bdc59fe7ffa6d6453a9c07d001f
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 02:56:31 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34b81b63

systemd_homed_runtime_work_dir_t: new type for systemd-homed workdir

As systemd-homed's workdir is an internal one, and external domains may
be (reasonably) expected to connect to systemd_homed_runtime_t in the
future, let's create a new domain for systemd-homed's internal work to
differentiate between the two.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 68fcedbe3..ce48c7d09 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -112,6 +112,7 @@ HOME_ROOT/(.+)\.home        --      
gen_context(system_u:object_r:systemd_homed_storage_t,s0
 /run/systemd/ask-password(/.*)?        
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?  
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)?         
gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
+/run/systemd/user-home-mount   -d      
gen_context(system_u:object_r:systemd_homed_runtime_work_dir_t,s0)
 /run/systemd/network(/.*)?  
gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
 /run/systemd/notify            -s      
gen_context(system_u:object_r:systemd_runtime_notify_t,s0)
 /run/systemd/resolve(/.*)?  
gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
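Review bot: The new `/run/systemd/user-home-mount -d` entry only takes effect on a relabel; when the directory is created at runtime under /run/systemd, its label comes from the creator's file transitions, and the systemd.te hunk at @@ -736 shows the existing unnamed `init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)`, so a directory created by systemd_homework_t would presumably end up as systemd_homed_runtime_t rather than the new type. With the `mounton` permission now moved to systemd_homed_runtime_work_dir_t only, that would turn a previously allowed mount into a denial. A named transition alongside the existing one should fix it: `init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_work_dir_t, dir, "user-home-mount")`. If the directory is in fact created by another domain (e.g. systemd-homed itself) the same transition is needed for that domain instead; which process creates it is not visible in this diff.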

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index dca7f098d..b8a52c7c8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -129,6 +129,10 @@ role system_r types systemd_homework_t;
 type systemd_homed_runtime_t;
 files_runtime_file(systemd_homed_runtime_t)
 
+type systemd_homed_runtime_work_dir_t;
+files_runtime_file(systemd_homed_runtime_work_dir_t)
+files_mountpoint(systemd_homed_runtime_work_dir_t)
+
 type systemd_homed_storage_t;
 files_type(systemd_homed_storage_t)
 
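Review bot: The new type declaration has no comment saying what it labels, unlike the fc entry and the mounton rule which both name the path, and `systemd_homed_runtime_work_dir_t` is not self-explanatory next to `systemd_homed_runtime_t`. A one-line comment above the declaration would tie the three together: `# /run/systemd/user-home-mount, internal mount point used by systemd-homework`. The enclosing block of homed type declarations continues outside the hunk.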
@@ -736,7 +740,7 @@ init_runtime_filetrans(systemd_homework_t, 
systemd_homed_runtime_t, dir)
 files_read_etc_runtime(systemd_homework_t)
 
 # mount on /run/systemd/user-home-mount
-allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
+allow systemd_homework_t systemd_homed_runtime_work_dir_t:dir mounton;
 
 allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
 files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
