commit:     e3ac68ac44916a79cd8c09711c4e689533834275
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb  2 18:50:45 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3ac68ac

systemd: Move lines.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if |  1 +
 policy/modules/system/systemd.te | 17 +++++++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 642d58e2..d7d0eb3d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -78,6 +78,7 @@ template(`systemd_role_template',`
        dbus_system_bus_client($1_systemd_t)
 
        selinux_use_status_page($1_systemd_t)
+
        seutil_read_file_contexts($1_systemd_t)
        seutil_search_default_contexts($1_systemd_t)
 ')

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 39c37ac1..9ef509dc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -151,13 +151,13 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_machined_runtime_t alias systemd_machined_var_run_t;
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
-type systemd_machined_devpts_t;
-term_login_pty(systemd_machined_devpts_t)
-
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
@@ -562,9 +562,6 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
-# for /run/systemd/userdb/io.systemd.Machine
-allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
-
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, 
systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, 
systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -574,6 +571,9 @@ manage_files_pattern(systemd_logind_t, 
systemd_logind_inhibit_runtime_t, systemd
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, 
systemd_logind_inhibit_runtime_t)
 init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, 
dir, "inhibit")
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file 
manage_fifo_file_perms;
@@ -730,6 +730,9 @@ allow systemd_machined_t self:capability { setgid 
sys_chroot sys_ptrace };
 allow systemd_machined_t self:process setfscreate;
 allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms 
connect };
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, 
systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file 
manage_lnk_file_perms;
 
@@ -761,8 +764,6 @@ logging_send_syslog_msg(systemd_machined_t)
 
 seutil_search_default_contexts(systemd_machined_t)
 
-term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
-allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
 term_getattr_pty_fs(systemd_machined_t)
 
 optional_policy(`
