commit:     8f51e189a7c8f8680f84fc11841257c19ab9fa51
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Sep 27 13:20:52 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:52 2023 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f51e189

small systemd patches (#708)

* Some small systemd patches

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* removed the init_var_run_t:service rules, as there are already interfaces and a
type for it

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

---------

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/locallogin.te |  3 ++-
 policy/modules/system/systemd.if    | 12 +++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index f40f15c1c..4dc9981bc 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -131,7 +131,8 @@ auth_domtrans_pam_console(local_login_t)
 auth_read_pam_motd_dynamic(local_login_t)
 auth_read_shadow_history(local_login_t)
 
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
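Review bot: Replacing `init_dontaudit_use_fds` with `init_use_fds` turns a silenced denial into a grant of `fd use` on every descriptor local_login_t inherits from init, and the new comment on the line above records only the symptom ("takes ages to login"), not which descriptor is inherited or why the denial stalls the login. Since this series is described as systemd patches, the stall presumably comes from a descriptor the systemd init passes to the login process; if that is confirmed, the allow can be limited to systemd builds with the old dontaudit kept otherwise, so the widening does not reach init systems that never triggered it. In either case the comment should name what is inherited and the observed effect so the grant can be re-evaluated later. The surrounding local_login_t rules continue outside this hunk.
```selinux
ifdef(`init_systemd',`
	# without fd use on descriptors inherited from init (systemd), login stalls for a long time
	init_use_fds(local_login_t)
',`
	init_dontaudit_use_fds(local_login_t)
')
```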

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 77a59c662..64455eed5 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
 ##     The user domain for the role.
 ##     </summary>
 ## </param>
-## <param name="pty_type">
-##     <summary>
-##     The type for the user pty
-##     </summary>
-## </param>
 #
 template(`systemd_role_template',`
        gen_require(`
@@ -34,6 +29,7 @@ template(`systemd_role_template',`
                type systemd_user_runtime_t, systemd_user_runtime_notify_t;
                type systemd_user_unit_t;
                type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
+               type systemd_machined_t;
        ')
 
        #################################
@@ -153,6 +149,12 @@ template(`systemd_role_template',`
        allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
        allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 
+       # for "machinectl shell"
+       allow $1_systemd_t systemd_machined_t:fd use;
+       allow $3 systemd_machined_t:fd use;
+       allow $3 systemd_machined_t:dbus send_msg;
+       allow systemd_machined_t $3:dbus send_msg;
+
        allow $3 systemd_user_runtime_notify_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
 
        allow $3 systemd_user_unit_t:service { reload start status stop };
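Review bot: The four `allow` rules under `# for "machinectl shell"` are unconditional, so every role instantiated through systemd_role_template — unprivileged user roles included, if the template is used for them — gains `fd use` on systemd_machined_t and a two-way `dbus send_msg` channel with it, a privileged daemon whose shell feature spawns processes in machines or on the host. Access control then rests entirely on machined's own polkit decisions rather than on the policy; wrapping these rules in a `tunable_policy` block keyed on a new boolean declared in systemd.te (default off) would let systems that never use `machinectl shell` keep the narrower policy. The comment should also say what the grants are for beyond the command name, e.g. `# "machinectl shell": the user domain and its systemd instance use the fds machined hands to the spawned shell, and the user domain exchanges D-Bus messages with machined`. The template body continues outside this hunk on both sides.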
