commit:     3225e34cc39a06b44cc0871b984791eeaf9bb970
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Tue Dec 27 13:45:21 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3225e34c

systemd: add systemd-binfmt policy

This systemd service registers binary formats for executables in
/proc/sys/fs/binfmt_misc.

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>

 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 673bb68..d66feda 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -29,6 +29,7 @@
 /usr/lib/systemd/system/[^/]*sleep.*   --      
gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.* --      
gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.*    --      
gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
+/usr/lib/systemd/system/systemd-binfmt.*       --      
gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?       
gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?  
gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
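Review bot: The new entry `/usr/lib/systemd/system/systemd-binfmt.*` labels the unit only under the merged-/usr path; on systems where units live in /lib/systemd/system the label depends on a /lib to /usr/lib substitution (file_contexts.subs_dist), which is presumably present in this tree but worth confirming, since an unmatched unit file would not receive systemd_binfmt_unit_t. The pattern itself is consistent with the neighbouring systemd-backlight.* entry.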

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c50e93a..cf22ba8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -36,6 +36,9 @@ type systemd_binfmt_t;
 type systemd_binfmt_exec_t;
 init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
 
+type systemd_binfmt_unit_t;
+init_unit_file(systemd_binfmt_unit_t)
+
 type systemd_cgroups_t;
 type systemd_cgroups_exec_t;
 domain_type(systemd_cgroups_t)
@@ -162,6 +165,18 @@ files_read_etc_files(systemd_backlight_t)
 
 udev_read_pid_files(systemd_backlight_t)
 
+#######################################
+#
+# Binfmt local policy
+#
+
+systemd_log_parse_environment(systemd_binfmt_t)
+
+# Allow to read /etc/binfmt.d/ files
+files_read_etc_files(systemd_binfmt_t)
+
+fs_register_binary_executable_type(systemd_binfmt_t)
+
 ######################################
 #
 # Cgroups local policy
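Review bot: `fs_register_binary_executable_type(systemd_binfmt_t)` grants write access to the binfmt_misc registration interface, which alters how the kernel executes matching binaries system-wide, so the comment `# Allow to read /etc/binfmt.d/ files` understates what the preceding rule allows: files_read_etc_files() covers all of etc_t, not only /etc/binfmt.d/. I would reword it to `# Read /etc/binfmt.d/*.conf (files_read_etc_files covers all etc_t; binfmt registration below is system-wide)`. systemd-binfmt also consults /usr/lib/binfmt.d and /run/binfmt.d drop-ins per binfmt.d(5); the /usr side is presumably covered by init_system_domain(), but reading /run/binfmt.d may need a runtime-files read interface, so confirm in permissive mode before enforcing. Registration also requires searching /proc/sys/fs to reach the binfmt_misc mount; if fs_register_binary_executable_type() does not already include the sysctl directory search, kernel_search_fs_sysctls(systemd_binfmt_t) would be needed.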
