commit: cea191481ead6fd006f9dc695f491a7651b24f56
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec 6 17:06:04 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:26 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cea19148
Add private type for systemd logind inhibit files and pipes
policy/modules/system/systemd.fc | 2 +-
policy/modules/system/systemd.if | 20 ++++++++++++++++++++
policy/modules/system/systemd.te | 9 ++++++++-
3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 392b00b9..73da3de4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -49,7 +49,7 @@
/run/systemd/sessions(/.*)?
gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/run/systemd/users(/.*)?
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/inhibit(/.*)?
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/inhibit(/.*)?
gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
/run/systemd/nspawn(/.*)?
gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)?
gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/systemd/netif(/.*)?
gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8f914837..d875098a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -138,6 +138,26 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
allow systemd_logind_t $1:process signal;
')
+######################################
+## <summary>
+## Write inherited logind inhibit pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_inhibit_pipes',`
+ gen_require(`
+ type systemd_logind_inhibit_var_run_t;
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
+')
+
########################################
## <summary>
## Send and receive messages from
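Review bot: The new interface's `<summary>` says only "Write inherited logind inhibit pipes.", which does not tell a reader what these pipes are or how the interface differs from `systemd_write_inherited_logind_sessions_pipes` directly above it, whose body (visible at the top of the hunk) additionally grants `allow systemd_logind_t $1:process signal;`. Presumably the omission is deliberate because an inhibit-pipe holder does not need to be signalled by logind, but the hunk does not say so; suggest a summary such as `## Use and write logind inhibit pipe fds that a domain inherits from systemd-logind (no process signal permission, unlike the sessions pipes interface).` together with a one-line comment above the `fd use` rule explaining that `use` on systemd_logind_t's fds is required because the fifo is inherited rather than opened by $1. The hunk also adds no read/search interface for the new `systemd_logind_inhibit_var_run_t`, so any domain that previously reached /run/systemd/inhibit through an interface granting access to `systemd_logind_var_run_t` will now be denied; this is worth confirming against existing callers of the logind pid interfaces, which are outside the hunk.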
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5051b87c..9a65b8f6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -101,6 +101,9 @@ type systemd_logind_var_run_t;
files_pid_file(systemd_logind_var_run_t)
init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+type systemd_logind_inhibit_var_run_t;
+files_pid_file(systemd_logind_inhibit_var_run_t)
+
type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
@@ -364,7 +367,11 @@ init_var_lib_filetrans(systemd_logind_t,
systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t,
systemd_logind_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t,
systemd_logind_var_run_t)
allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
-init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t,
systemd_logind_inhibit_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t,
systemd_logind_inhibit_var_run_t)
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t,
systemd_logind_inhibit_var_run_t)
+init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir,
"inhibit")
allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
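Review bot: The relabelled directory gets a full manage set for systemd_logind_t only (the three `*_pattern` calls and the `init_pid_filetrans` moved onto the new type), but nothing in this commit grants any other domain even `dir search` or `file read` on `systemd_logind_inhibit_var_run_t`, whereas before the change those files carried `systemd_logind_var_run_t` and inherited whatever access other interfaces already hand out on that type. If a non-logind domain needs to list or read the inhibit files (as opposed to holding an inherited pipe fd, which the new .if interface covers), it will now hit a denial that did not exist before; a companion `systemd_read_logind_inhibit_pids`-style interface, or a short comment on the `type` declaration in the earlier hunk stating that the type is intentionally private to systemd_logind_t, would make the intent clear. The preceding hunk that declares the type is the natural place for that comment; the `init_pid_filetrans` line at the end of this hunk is wrapped across two lines in this rendering but is a single statement in the file.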