commit: 6e80ac7a0685e7dedaae81a7d3bb206fe4b9f997 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Fri Jun 8 00:17:15 2018 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Fri Jun 8 09:22:56 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e80ac7a
systemd: Move lines. policy/modules/system/systemd.fc | 4 ++-- policy/modules/system/systemd.if | 41 ++++++++++++++++++---------------------- policy/modules/system/systemd.te | 6 +++--- 3 files changed, 23 insertions(+), 28 deletions(-) diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index df1a4b2e..277c7fc4 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -1,3 +1,5 @@ +/etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0) + /usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) /usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) /usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) @@ -39,8 +41,6 @@ /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0) -/etc/udev/hwdb.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0) - /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 75bbeead..34685088 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -19,6 +19,24 @@ interface(`systemd_log_parse_environment',` typeattribute $1 systemd_log_parse_env_type; ') +####################################### +## <summary> +## Allow domain to read udev hwdb file +## </summary> +## <param name="domain"> +## <summary> +## domain allowed access +## </summary> +## </param> +# +interface(`systemd_read_hwdb',` + gen_require(` + type systemd_hwdb_t; + ') + + read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t) +') + ###################################### ## <summary> ## Read systemd_login PID files. @@ -770,26 +788,3 @@ interface(`systemd_getattr_updated_runtime',` getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t) ') - - -####################################### -## <summary> -## Allow domain to read udev hwdb file -## </summary> -## <param name="domain"> -## <summary> -## domain allowed access -## </summary> -## </param> -# -interface(`systemd_read_hwdb',` - gen_require(` - type systemd_hwdb_t; - ') - - read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t) -') - - - - diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index c324d3bf..1cf5fb95 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -335,14 +335,14 @@ optional_policy(` # allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto }; - files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file) -files_search_pids(systemd_hw_t) -init_read_state(systemd_hw_t) +files_search_pids(systemd_hw_t) selinux_get_fs_mount(systemd_hw_t) +init_read_state(systemd_hw_t) + seutil_read_config(systemd_hw_t) seutil_read_file_contexts(systemd_hw_t)