commit: 75852c7f3ca62154b160b706219d74142e0272c8 Author: bauen1 <j2468h <AT> gmail <DOT> com> AuthorDate: Sat Feb 1 21:06:04 2020 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 15 07:32:05 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75852c7f
init: add interfaces for managing /run/systemd Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/system/init.if | 55 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 260cdf7b..03538310 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1380,6 +1380,61 @@ interface(`init_list_pids',`
 files_search_pids($1)
 ')
 
+######################################
+## <summary>
+## Create symbolic links in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_pid_symlinks', `
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ allow $1 init_runtime_t:lnk_file create_lnk_file_perms;
+')
+
+######################################
+## <summary>
+## Create and write files in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_create_write_pid_files', `
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ allow $1 init_runtime_t:file { create_file_perms write };
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## directories in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_pid_dirs', `
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ manage_dirs_pattern($1, init_runtime_t, init_runtime_t)
+')
+
 ########################################
 ## <summary>
 ## Create files in an init PID directory.
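Review bot: `init_manage_pid_symlinks` is named as a manage interface but grants only `create_lnk_file_perms`, and its summary says "Create symbolic links", so the name, the summary and the permission set disagree; either rename it to `init_create_pid_symlinks` or extend the summary to state that only creation, not deletion or renaming, is granted. The raw `allow` rules in the first two interfaces also differ in style from `init_manage_pid_dirs` in the same hunk, which uses `manage_dirs_pattern`; the pattern forms `create_lnk_files_pattern($1, init_runtime_t, init_runtime_t)` and `create_files_pattern($1, init_runtime_t, init_runtime_t)` followed by `write_files_pattern($1, init_runtime_t, init_runtime_t)` would be consistent and would also carry the directory permissions a caller needs to actually add an entry, which the bare lnk_file/file rules do not. All three summaries say "the /run/systemd directory", but each rule is on `init_runtime_t` as a whole; if that type labels more than /run/systemd, the summaries understate the grant, and a reader auditing callers should treat them as covering every file of that type.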