commit: d372650e27df2987b357dea9a06b20972910452a Author: bauen1 <j2468h <AT> gmail <DOT> com> AuthorDate: Sat Feb 8 15:16:14 2020 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 15 07:32:05 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d372650e
init: split init_create_pid_files interface Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/system/init.if | 24 +++++++++++++++++++++--- policy/modules/system/systemd.te | 3 ++- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 03538310..b1b6ca2d 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1400,7 +1400,7 @@ interface(`init_manage_pid_symlinks', ` ###################################### ## <summary> -## Create and write files in the /run/systemd directory. +## Create files in the /run/systemd directory. ## </summary> ## <param name="domain"> ## <summary> @@ -1408,12 +1408,30 @@ interface(`init_manage_pid_symlinks', ` ## </summary> ## </param> # -interface(`init_create_write_pid_files', ` +interface(`init_create_pid_files', ` gen_require(` type init_runtime_t; ') - allow $1 init_runtime_t:file { create_file_perms write }; + allow $1 init_runtime_t:file create_file_perms; +') + +###################################### +## <summary> +## Write files in the /run/systemd directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_write_pid_files', ` + gen_require(` + type init_runtime_t; + ') + + allow $1 init_runtime_t:file write_file_perms; ') ###################################### diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f0412af3..3edbc98e 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -283,10 +283,11 @@ files_search_pids(systemd_fstab_generator_t) fstools_exec(systemd_fstab_generator_t) -init_create_write_pid_files(systemd_fstab_generator_t) +init_create_pid_files(systemd_fstab_generator_t) init_manage_pid_dirs(systemd_fstab_generator_t) init_manage_pid_symlinks(systemd_fstab_generator_t) init_search_pids(systemd_fstab_generator_t) +init_write_pid_files(systemd_fstab_generator_t) kernel_read_kernel_sysctls(systemd_fstab_generator_t)