commit: cf829adf39247b5153927e02f14b7eecc090283b
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Dec 10 21:24:25 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:05:25 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf829adf
systemd: add policy for systemd-pcrphase
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/system/systemd.fc | 1 +
policy/modules/system/systemd.te | 26 ++++++++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 87c1e0b9c..f4b5fa049 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -38,6 +38,7 @@
/usr/lib/systemd/systemd-modules-load --
gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
/usr/lib/systemd/systemd-networkd --
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-network-generator --
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-pcrphase --
gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
/usr/lib/systemd/systemd-pstore --
gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
/usr/lib/systemd/systemd-resolved --
gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-rfkill --
gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d02407d53..b796b669e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -219,6 +219,10 @@ files_runtime_file(systemd_nspawn_runtime_t)
type systemd_nspawn_tmp_t;
files_tmp_file(systemd_nspawn_tmp_t)
+type systemd_pcrphase_t;
+type systemd_pcrphase_exec_t;
+init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
+
type systemd_pstore_t;
type systemd_pstore_exec_t;
init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
@@ -1387,6 +1391,28 @@ optional_policy(`
plymouthd_stream_connect(systemd_passwd_agent_t)
')
+#########################################
+#
+# systemd-pcrphase local policy
+#
+
+allow systemd_pcrphase_t self:capability dac_override;
+dontaudit systemd_pcrphase_t self:capability net_admin;
+
+dev_rw_tpm(systemd_pcrphase_t)
+dev_write_kmsg(systemd_pcrphase_t)
+
+fs_read_efivarfs_files(systemd_pcrphase_t)
+fs_getattr_cgroup(systemd_pcrphase_t)
+fs_search_cgroup_dirs(systemd_pcrphase_t)
+
+kernel_dontaudit_getattr_proc(systemd_pcrphase_t)
+kernel_read_kernel_sysctls(systemd_pcrphase_t)
+kernel_read_system_state(systemd_pcrphase_t)
+
+init_read_state(systemd_pcrphase_t)
+
+logging_send_syslog_msg(systemd_pcrphase_t)
#########################################
#
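Review bot: The `allow systemd_pcrphase_t self:capability dac_override;` line grants a capability that bypasses every DAC file-permission check, and nothing in the hunk records which access in systemd-pcrphase needs it. If the denial behind it was a read or directory search on a root-inaccessible path, the narrower `dac_read_search` is normally enough and the line should become `allow systemd_pcrphase_t self:capability dac_read_search;`; if a write is genuinely required, a comment naming the path would let the next reviewer verify it, e.g. `# dac_override: needed for <PATH-FROM-AUDIT-DENIAL, placeholder>`. The following `dontaudit systemd_pcrphase_t self:capability net_admin;` would likewise benefit from a one-line comment on where the denial originates, since a silent dontaudit on a privileged capability is hard to revisit later. The trailing context lines belong to the section header of the next (systemd-pstore) block; the new policy block itself is complete within the hunk.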