commit:     ef14bcd0189098ada222dd638183eb44073de691
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Oct 12 21:42:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef14bcd0

init: Clean up line placement in init_systemd blocks.

No rule changes.

 policy/modules/system/init.te | 196 ++++++++++++++++++++++--------------------
 1 file changed, 102 insertions(+), 94 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 90291d34..75da7a62 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -216,11 +216,23 @@ ifdef(`init_systemd',`
        # handle instances where an old labeled init script is encountered.
        typeattribute init_t init_run_all_scripts_domain;
 
+       allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+       allow init_t self:process { setsockcreate setfscreate setrlimit };
+       allow init_t self:process { getcap setcap getsched setsched };
+       allow init_t self:unix_stream_socket { create_stream_socket_perms 
connectto };
+       allow init_t self:netlink_audit_socket { nlmsg_relay 
create_socket_perms };
+       allow init_t self:netlink_selinux_socket create_socket_perms;
+       allow init_t self:system { status reboot halt reload };
+       # Until systemd is fixed
+       allow init_t self:udp_socket create_socket_perms;
+       allow init_t self:netlink_route_socket create_netlink_socket_perms;
+       allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+       allow init_t self:capability2 audit_read;
+
        # for /run/systemd/inaccessible/{chr,blk}
        allow init_t init_var_run_t:blk_file { create getattr };
        allow init_t init_var_run_t:chr_file { create getattr };
 
-
        allow init_t systemprocess:process { dyntransition siginh };
        allow init_t systemprocess:unix_stream_socket 
create_stream_socket_perms;
        allow init_t systemprocess:unix_dgram_socket create_socket_perms;
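Review bot: The `# Until systemd is fixed` comment placed above `allow init_t self:udp_socket create_socket_perms;` no longer says which of the rules below it are the workaround: in the old block it headed the `allow daemon init_t:socket_class_set` rule, which this commit moves into its own `ifdef(`init_systemd',` block at the end of the file under a second copy of the same comment. A reader cannot tell whether the udp_socket, netlink_route_socket and initrc_t unix_dgram_socket rules are all temporary or only some of them, nor when they can be dropped. Suggest replacing both copies with a comment that names the systemd behaviour being worked around and the upstream report if one exists, e.g. `# Workaround for <systemd issue placeholder>; remove once fixed upstream`. The enclosing ifdef block starts and ends outside this hunk.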
@@ -257,18 +269,47 @@ ifdef(`init_systemd',`
 
        kernel_dyntrans_to(init_t)
        kernel_read_network_state(init_t)
-       kernel_read_kernel_sysctls(init_t)
-       kernel_read_vm_sysctls(init_t)
        kernel_dgram_send(init_t)
        kernel_stream_connect(init_t)
        kernel_getattr_proc(init_t)
        kernel_read_fs_sysctls(init_t)
+       kernel_list_unlabeled(init_t)
+       kernel_load_module(init_t)
+       kernel_rw_kernel_sysctl(init_t)
+       kernel_rw_net_sysctls(init_t)
+       kernel_read_all_sysctls(init_t)
+       kernel_read_software_raid_state(init_t)
+       kernel_unmount_debugfs(init_t)
+       kernel_setsched(init_t)
+       kernel_rw_unix_sysctls(init_t)
+
+       # run systemd misc initializations
+       # in the initrc_t domain, as would be
+       # done in traditional sysvinit/upstart.
+       corecmd_bin_domtrans(init_t, initrc_t)
+       corecmd_shell_domtrans(init_t, initrc_t)
 
-       dev_create_generic_dirs(init_t)
        dev_manage_input_dev(init_t)
        dev_relabel_all_sysfs(init_t)
        dev_relabel_generic_symlinks(init_t)
        dev_read_urand(init_t)
+       dev_write_kmsg(init_t)
+       dev_write_urand(init_t)
+       dev_rw_lvm_control(init_t)
+       dev_rw_autofs(init_t)
+       dev_manage_generic_symlinks(init_t)
+       dev_manage_generic_dirs(init_t)
+       dev_manage_generic_files(init_t)
+       dev_manage_null_service(initrc_t)
+       dev_read_generic_chr_files(init_t)
+       dev_relabel_generic_dev_dirs(init_t)
+       dev_relabel_all_dev_nodes(init_t)
+       dev_relabel_all_dev_files(init_t)
+       dev_manage_sysfs_dirs(init_t)
+       dev_relabel_sysfs_dirs(init_t)
+       dev_read_usbfs(initrc_t)
+       # systemd writes to /dev/watchdog on shutdown
+       dev_write_watchdog(init_t)
 
        domain_read_all_domains_state(init_t)
 
@@ -283,21 +324,47 @@ ifdef(`init_systemd',`
        files_relabelto_etc_runtime_files(init_t)
        files_read_all_locks(init_t)
        files_search_kernel_modules(init_t)
+       files_create_all_pid_pipes(init_t)
+       files_create_all_pid_sockets(init_t)
+       files_create_all_spool_sockets(init_t)
+       files_create_lock_dirs(init_t)
+       files_delete_all_pids(init_t)
+       files_delete_all_spool_sockets(init_t)
+       files_exec_generic_pid_files(init_t)
+       files_list_locks(init_t)
+       files_list_spool(init_t)
+       files_manage_all_pid_dirs(init_t)
+       files_manage_generic_tmp_dirs(init_t)
+       files_manage_urandom_seed(init_t)
+       files_mounton_all_mountpoints(init_t)
+       files_read_boot_files(initrc_t)
+       files_relabel_all_lock_dirs(init_t)
+       files_relabel_all_pid_dirs(init_t)
+       files_relabel_all_pid_files(init_t)
+       files_search_all(init_t)
+       files_unmount_all_file_type_fs(init_t)
        # for privatetmp functions
        files_mounton_tmp(init_t)
        # for ProtectSystem
        files_mounton_etc_dirs(init_t)
 
        fs_relabel_cgroup_dirs(init_t)
-       fs_rw_cgroup_files(init_t)
        fs_list_auto_mountpoints(init_t)
        fs_mount_autofs(init_t)
        fs_manage_hugetlbfs_dirs(init_t)
        fs_getattr_tmpfs(init_t)
        fs_read_tmpfs_files(init_t)
-       fs_read_cgroup_files(init_t)
        fs_relabel_pstore_dirs(init_t)
        fs_dontaudit_getattr_xattr_fs(init_t)
+       fs_create_cgroup_links(init_t)
+       fs_getattr_all_fs(init_t)
+       fs_manage_cgroup_dirs(init_t)
+       fs_manage_cgroup_files(init_t)
+       fs_manage_tmpfs_dirs(init_t)
+       fs_mount_all_fs(init_t)
+       fs_remount_all_fs(init_t)
+       fs_relabelfrom_tmpfs_symlinks(init_t)
+       fs_unmount_all_fs(init_t)
        # for privatetmp functions
        fs_relabel_tmpfs_dirs(init_t)
        fs_relabel_tmpfs_files(init_t)
@@ -308,20 +375,32 @@ ifdef(`init_systemd',`
        # for network namespaces
        fs_read_nsfs_files(init_t)
 
-       # need write to /var/run/systemd/notify
-       init_write_pid_socket(daemon)
+       init_read_script_state(init_t)
 
        # systemd_socket_activated policy
        mls_socket_write_all_levels(init_t)
 
+       selinux_unmount_fs(init_t)
+       selinux_validate_context(init_t)
        selinux_compute_create_context(init_t)
        selinux_compute_access_vector(init_t)
 
+       storage_getattr_removable_dev(init_t)
+
+       term_relabel_pty_dirs(init_t)
+
+       auth_manage_var_auth(init_t)
+       auth_relabel_login_records(init_t)
+       auth_relabel_pam_console_data_dirs(init_t)
+
        logging_manage_pid_sockets(init_t)
        logging_send_audit_msgs(init_t)
        logging_relabelto_devlog_sock_files(init_t)
        logging_relabel_generic_log_dirs(init_t)
 
+       # lvm2-activation-generator checks file labels
+       seutil_read_file_contexts(init_t)
+
        systemd_manage_passwd_runtime_symlinks(init_t)
        systemd_use_passwd_agent(init_t)
        systemd_list_tmpfiles_conf(init_t)
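Review bot: `term_relabel_pty_dirs(init_t)` is inserted between `storage_getattr_removable_dev(init_t)` and the auth_ calls, while the block's existing `term_create_devpts_dirs(init_t)` sits further down after the systemd_ calls, so the term_ interface calls end up in two places. Since this commit is about line placement, the two lines should be adjacent in whichever of the positions follows the block's module grouping. The enclosing ifdef block starts and ends outside this hunk.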
@@ -329,6 +408,7 @@ ifdef(`init_systemd',`
        systemd_relabelto_tmpfiles_conf_files(init_t)
        systemd_relabelto_journal_dirs(init_t)
        systemd_relabelto_journal_files(init_t)
+       systemd_manage_all_units(init_t)
 
        term_create_devpts_dirs(init_t)
 
@@ -853,21 +933,8 @@ ifdef(`enabled_mls',`
 ')
 
 ifdef(`init_systemd',`
-       allow init_t self:system { status reboot halt reload };
-
-       allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-       allow init_t self:process { setsockcreate setfscreate setrlimit };
-       allow init_t self:process { getcap setcap getsched setsched };
-       allow init_t self:unix_stream_socket { create_stream_socket_perms 
connectto };
-       allow init_t self:netlink_audit_socket { nlmsg_relay 
create_socket_perms };
-       allow init_t self:netlink_selinux_socket create_socket_perms;
-       # Until systemd is fixed
-       allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt 
write };
-       allow init_t self:udp_socket create_socket_perms;
-       allow init_t self:netlink_route_socket create_netlink_socket_perms;
-       allow init_t initrc_t:unix_dgram_socket create_socket_perms;
        allow initrc_t init_t:system { start status reboot halt reload };
-       allow init_t self:capability2 audit_read;
+
        manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
        files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
@@ -890,106 +957,37 @@ ifdef(`init_systemd',`
        allow initrc_t init_script_file_type:service { stop start status reload 
};
 
        kernel_dgram_send(initrc_t)
-       kernel_list_unlabeled(init_t)
-       kernel_load_module(init_t)
-       kernel_rw_kernel_sysctl(init_t)
-       kernel_rw_net_sysctls(init_t)
-       kernel_read_all_sysctls(init_t)
-       kernel_read_software_raid_state(init_t)
-       kernel_unmount_debugfs(init_t)
-       kernel_setsched(init_t)
-       kernel_rw_unix_sysctls(init_t)
-
-       auth_manage_var_auth(init_t)
-       auth_relabel_login_records(init_t)
-       auth_relabel_pam_console_data_dirs(init_t)
 
        # run systemd misc initializations
        # in the initrc_t domain, as would be
        # done in traditional sysvinit/upstart.
        corecmd_bin_entry_type(initrc_t)
-       corecmd_bin_domtrans(init_t, initrc_t)
-       corecmd_shell_domtrans(init_t, initrc_t)
 
        dev_create_generic_dirs(initrc_t)
-       dev_write_kmsg(init_t)
-       dev_write_urand(init_t)
-       dev_rw_lvm_control(init_t)
-       dev_rw_autofs(init_t)
-       dev_manage_generic_symlinks(init_t)
-       dev_manage_generic_dirs(init_t)
-       dev_manage_generic_files(init_t)
-       dev_manage_null_service(initrc_t)
-       dev_read_generic_chr_files(init_t)
-       dev_relabel_generic_dev_dirs(init_t)
-       dev_relabel_all_dev_nodes(init_t)
-       dev_relabel_all_dev_files(init_t)
-       dev_manage_sysfs_dirs(init_t)
-       dev_relabel_sysfs_dirs(init_t)
-       dev_read_usbfs(initrc_t)
-       # systemd writes to /dev/watchdog on shutdown
-       dev_write_watchdog(init_t)
 
        # Allow initrc_t to check /etc/fstab "service." It appears that
        # systemd is conflating files and services.
-       files_create_all_pid_pipes(init_t)
-       files_create_all_pid_sockets(init_t)
-       files_create_all_spool_sockets(init_t)
-       files_create_lock_dirs(init_t)
-       files_create_pid_dirs(initrc_t)
-       files_delete_all_pids(init_t)
-       files_delete_all_spool_sockets(init_t)
-       files_exec_generic_pid_files(init_t)
        files_get_etc_unit_status(initrc_t)
-       files_list_locks(init_t)
-       files_list_spool(init_t)
-       files_manage_all_pid_dirs(init_t)
-       files_manage_generic_tmp_dirs(init_t)
-       files_manage_urandom_seed(init_t)
-       files_mounton_all_mountpoints(init_t)
-       files_read_boot_files(initrc_t)
-       files_relabel_all_lock_dirs(init_t)
-       files_relabel_all_pid_dirs(init_t)
-       files_relabel_all_pid_files(init_t)
-       files_search_all(init_t)
+       files_create_pid_dirs(initrc_t)
        files_setattr_pid_dirs(initrc_t)
-       files_unmount_all_file_type_fs(init_t)
-
-       fs_create_cgroup_links(init_t)
-       fs_getattr_all_fs(init_t)
-       fs_manage_cgroup_dirs(init_t)
-       fs_manage_cgroup_files(init_t)
-       fs_manage_tmpfs_dirs(init_t)
-       fs_mount_all_fs(init_t)
-       fs_remount_all_fs(init_t)
-       fs_relabelfrom_tmpfs_symlinks(init_t)
-       fs_unmount_all_fs(init_t)
-       fs_search_cgroup_dirs(daemon)
 
        # for logsave in strict configuration
        fstools_write_log(initrc_t)
 
+       selinux_set_enforce_mode(initrc_t)
+
        init_get_all_units_status(initrc_t)
        init_manage_var_lib_files(initrc_t)
-       init_read_script_state(init_t)
        init_rw_stream_sockets(initrc_t)
 
        # Create /etc/audit.rules.prev after firstboot remediation
        logging_manage_audit_config(initrc_t)
 
-       selinux_set_enforce_mode(initrc_t)
-       selinux_unmount_fs(init_t)
-       selinux_validate_context(init_t)
        # lvm2-activation-generator checks file labels
        seutil_read_file_contexts(initrc_t)
-       seutil_read_file_contexts(init_t)
 
-       storage_getattr_removable_dev(init_t)
-       systemd_manage_all_units(init_t)
        systemd_start_power_units(initrc_t)
 
-       term_relabel_pty_dirs(init_t)
-
        optional_policy(`
                # create /var/lock/lvm/
                lvm_create_lock_dirs(initrc_t)
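Review bot: The three-line comment `# run systemd misc initializations / # in the initrc_t domain, as would be / # done in traditional sysvinit/upstart.` is left above `corecmd_bin_entry_type(initrc_t)` although the two `corecmd_*_domtrans(init_t, initrc_t)` calls it explained are moved out of this block and carry a copy of the comment at their new location. On its own `corecmd_bin_entry_type(initrc_t)` only marks bin types as entry points for initrc_t, so the remaining comment overstates what the line does; consider shortening it to one line such as `# entry points for the init-time helpers run as initrc_t`, or dropping it here since the copy above the domtrans calls keeps the explanation. The enclosing ifdef block starts before this hunk.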
@@ -1416,6 +1414,16 @@ init_dontaudit_use_fds(daemon)
 # when using run_init
 init_use_script_ptys(daemon)
 
+ifdef(`init_systemd',`
+       # Until systemd is fixed
+       allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt 
write };
+
+       fs_search_cgroup_dirs(daemon)
+
+       # need write to /var/run/systemd/notify
+       init_write_pid_socket(daemon)
+')
+
 tunable_policy(`init_daemons_use_tty',`
        term_use_unallocated_ttys(daemon)
        term_use_generic_ptys(daemon)
