commit: 9f360ceda6290fc51e9f537d59574810e5a876b6
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Aug 17 17:53:26 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:49 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f360ced
systemd: Add interface for systemctl exec.
Adds necessary baseline permissions for the command.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.if | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 62545021..f48cc541 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2388,6 +2388,37 @@ interface(`systemd_read_resolved_runtime',`
read_files_pattern($1, systemd_resolved_runtime_t,
systemd_resolved_runtime_t)
')
+########################################
+## <summary>
+## Execute the systemctl program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_exec_systemctl',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ dontaudit $1 self:capability { net_admin sys_resource };
+ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ # the command is a regular bin
+ corecmd_exec_bin($1)
+
+ domtrans_pattern($1, systemd_passwd_agent_exec_t,
systemd_passwd_agent_t)
+ allow $1 systemd_passwd_agent_t:process signal;
+
+ init_read_state($1)
+ init_stream_connect($1)
+ init_telinit($1)
+ init_dbus_chat($1)
+')
+
#######################################
## <summary>
## Allow domain to getattr on .updated file (generated by systemd-update-done
