commit: fef16712de5ef8682ec086c0679fb60cc3b85389
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec 7 15:35:24 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:38 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fef16712
init, sysadm: allow sysadm to manage systemd runtime units
On systemd 252, mount units generated from /etc/fstab result in services
labeled init_runtime_t. Allow sysadm to manage these services.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/roles/sysadm.te | 6 +++++
policy/modules/system/init.if | 57 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 002987387..eccfd5171 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -82,6 +82,12 @@ ifndef(`enable_mls',`
')
ifdef(`init_systemd',`
+ # Allow managing runtime units, for example mount units generated
+ # from /etc/fstab.
+ init_get_runtime_units_status(sysadm_t)
+ init_start_runtime_units(sysadm_t)
+ init_stop_runtime_units(sysadm_t)
+
# Allow sysadm to resolve the username of dynamic users by calling
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
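Review bot: The added comment says "managing runtime units", but the three calls under it grant only status, start and stop, and they apply to every service object labeled init_runtime_t, not just mount units generated from /etc/fstab. That label is presumably shared by other units systemd loads from its runtime directory, so the comment should state the real scope for anyone auditing what sysadm_t can control. Suggested wording: `# Allow status/start/stop of all units labeled init_runtime_t,` followed by `# such as mount units generated from /etc/fstab.` The init_systemd ifdef block continues past the end of the hunk.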
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1186e6d2c..a091a6bef 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3516,6 +3516,63 @@ interface(`init_reload_generic_units',`
allow $1 systemd_unit_t:service reload;
')
+########################################
+## <summary>
+## Get the status of runtime systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_runtime_units_status',`
+ gen_require(`
+ type init_runtime_t;
+ class service status;
+ ')
+
+ allow $1 init_runtime_t:service status;
+')
+
+########################################
+## <summary>
+## Start runtime systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_start_runtime_units',`
+ gen_require(`
+ type init_runtime_t;
+ class service start;
+ ')
+
+ allow $1 init_runtime_t:service start;
+')
+
+########################################
+## <summary>
+## Stop runtime systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stop_runtime_units',`
+ gen_require(`
+ type init_runtime_t;
+ class service stop;
+ ')
+
+ allow $1 init_runtime_t:service stop;
+')
+
########################################
## <summary>
## Get status of transient systemd units.
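Review bot: The summaries of init_get_runtime_units_status, init_start_runtime_units and init_stop_runtime_units never say which units count as "runtime", while the neighbouring generic and transient interface families differ only in the type they act on. Naming the type in each summary lets a future caller judge how much control it hands out, e.g. `## Get the status of systemd units labeled init_runtime_t (runtime units).`, and likewise for start and stop. Any domain passed to these interfaces gains the permission over every service carrying that label, so a one-sentence `<desc>` on the start and stop interfaces stating this would help keep later callers least-privileged.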