commit:     d372650e27df2987b357dea9a06b20972910452a
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  8 15:16:14 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d372650e

init: split init_create_pid_files interface

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if    | 24 +++++++++++++++++++++---
 policy/modules/system/systemd.te |  3 ++-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 03538310..b1b6ca2d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1400,7 +1400,7 @@ interface(`init_manage_pid_symlinks', `
 
 ######################################
 ## <summary>
-##  Create and write files in the /run/systemd directory.
+##  Create files in the /run/systemd directory.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
@@ -1408,12 +1408,30 @@ interface(`init_manage_pid_symlinks', `
 ##  </summary>
 ## </param>
 #
-interface(`init_create_write_pid_files', `
+interface(`init_create_pid_files', `
        gen_require(`
                type init_runtime_t;
        ')
 
-       allow $1 init_runtime_t:file { create_file_perms write };
+       allow $1 init_runtime_t:file create_file_perms;
+')
+
+######################################
+## <summary>
+##  Write files in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_files', `
+       gen_require(`
+               type init_runtime_t;
+       ')
+
+       allow $1 init_runtime_t:file write_file_perms;
 ')
 
 ######################################
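Review bot: The old interface name `init_create_write_pid_files` disappears from init.if entirely (lines 34–35), so any out-of-tree module that still calls it will fail to build rather than get a warning; refpolicy's usual practice when splitting or renaming an interface is to leave the old name behind as a deprecated wrapper that calls the new interfaces and emits a `refpolicywarn`. The wrapper also keeps the old name discoverable in the generated interface documentation. Note too that the commit title says "split init_create_pid_files interface" while the interface being split is `init_create_write_pid_files`. A deprecated stub along the following lines, placed after `init_write_pid_files`, would preserve compatibility:

```m4
########################################
## <summary>
##	Create and write files in the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_create_write_pid_files', `
	refpolicywarn(`$0($*) has been deprecated, please use init_create_pid_files() and init_write_pid_files() instead.')
	init_create_pid_files($1)
	init_write_pid_files($1)
')
```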

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f0412af3..3edbc98e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -283,10 +283,11 @@ files_search_pids(systemd_fstab_generator_t)
 
 fstools_exec(systemd_fstab_generator_t)
 
-init_create_write_pid_files(systemd_fstab_generator_t)
+init_create_pid_files(systemd_fstab_generator_t)
 init_manage_pid_dirs(systemd_fstab_generator_t)
 init_manage_pid_symlinks(systemd_fstab_generator_t)
 init_search_pids(systemd_fstab_generator_t)
+init_write_pid_files(systemd_fstab_generator_t)
 
 kernel_read_kernel_sysctls(systemd_fstab_generator_t)
 
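Review bot: The replacement of `init_create_write_pid_files` with the pair `init_create_pid_files` plus `init_write_pid_files` (lines 73 and 77) is not quite a pure split of the old permission set: the old rule granted `{ create_file_perms write }`, which does not include `append`, whereas `write_file_perms` (with its usual refpolicy definition `{ open getattr write append lock ioctl }`) does, so systemd_fstab_generator_t now also gains `append` on init_runtime_t files. For a generator that writes unit files under /run/systemd this is most likely harmless, but since the commit message presents the change as a plain interface split, it would be worth stating the widening explicitly, or using `init_create_pid_files` together with a narrower rule if `append` is not wanted. The caller's other rules are unchanged and remain in alphabetical order.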
