commit:     75852c7f3ca62154b160b706219d74142e0272c8
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  1 21:06:04 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75852c7f

init: add interfaces for managing /run/systemd

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if | 55 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 260cdf7b..03538310 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1380,6 +1380,61 @@ interface(`init_list_pids',`
        files_search_pids($1)
 ')
 
+######################################
+## <summary>
+##  Create symbolic links in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_manage_pid_symlinks', `
+       gen_require(`
+               type init_runtime_t;
+       ')
+
+       allow $1 init_runtime_t:lnk_file create_lnk_file_perms;
+')
+
+######################################
+## <summary>
+##  Create and write files in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_create_write_pid_files', `
+       gen_require(`
+               type init_runtime_t;
+       ')
+
+       allow $1 init_runtime_t:file { create_file_perms write };
+')
+
+######################################
+## <summary>
+##  Create, read, write, and delete
+##  directories in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_manage_pid_dirs', `
+       gen_require(`
+               type init_runtime_t;
+       ')
+
+       manage_dirs_pattern($1, init_runtime_t, init_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##     Create files in an init PID directory.
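Review bot: `init_manage_pid_symlinks` and `init_create_write_pid_files` use bare `allow` rules on `init_runtime_t:lnk_file` and `init_runtime_t:file`, so a caller receives no `add_name`/`write` permission on the containing `init_runtime_t` directory and cannot actually create the link or file unless some other interface grants it; `init_manage_pid_dirs` avoids this by using `manage_dirs_pattern`. Writing the first two as `create_lnk_files_pattern($1, init_runtime_t, init_runtime_t)` and `create_files_pattern($1, init_runtime_t, init_runtime_t)` plus `write_files_pattern($1, init_runtime_t, init_runtime_t)` would make them self-contained and consistent with the third and with refpolicy convention. Adding `files_search_pids($1)` to each, as `init_list_pids` just above the hunk does, would also cover traversal of the /run parent. Separately, the name `init_manage_pid_symlinks` overstates the grant, which is only `create_lnk_file_perms` and whose summary says "Create"; either the name should say create or the body should grant `manage_lnk_file_perms` with the summary updated to match.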
