1529 lines
48 KiB
Text
1529 lines
48 KiB
Text
|
policy_module(systemd, 1.0.0)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Declarations
|
||
|
#
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow systemd-socket-proxyd to bind any port instead of one labelled
|
||
|
## with systemd_socket_proxyd_port_t.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(systemd_socket_proxyd_bind_any, false)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow systemd-socket-proxyd to connect to any port instead of
|
||
|
## labelled ones.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(systemd_socket_proxyd_connect_any, false)
|
||
|
|
||
|
attribute systemd_unit_file_type;
|
||
|
attribute systemd_domain;
|
||
|
attribute systemctl_domain;
|
||
|
attribute systemd_mount_directory;
|
||
|
attribute systemd_private_tmp_type;
|
||
|
|
||
|
attribute systemd_read_efivarfs_type;
|
||
|
fs_read_efivarfs_files(systemd_read_efivarfs_type)
|
||
|
read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)
|
||
|
|
||
|
systemd_domain_template(systemd_logger)
|
||
|
systemd_domain_template(systemd_logind)
|
||
|
|
||
|
# /run/systemd/sessions
|
||
|
type systemd_logind_sessions_t;
|
||
|
files_pid_file(systemd_logind_sessions_t)
|
||
|
|
||
|
type systemd_logind_var_lib_t;
|
||
|
files_type(systemd_logind_var_lib_t)
|
||
|
systemd_mount_dir(systemd_logind_var_lib_t)
|
||
|
|
||
|
# /run/systemd/{seats, users}
|
||
|
type systemd_logind_var_run_t;
|
||
|
files_pid_file(systemd_logind_var_run_t)
|
||
|
|
||
|
type systemd_logind_inhibit_var_run_t;
|
||
|
files_pid_file(systemd_logind_inhibit_var_run_t)
|
||
|
|
||
|
type systemd_home_t;
|
||
|
userdom_user_home_content(systemd_home_t)
|
||
|
|
||
|
type random_seed_t;
|
||
|
files_security_file(random_seed_t)
|
||
|
files_mountpoint(random_seed_t)
|
||
|
|
||
|
systemd_domain_template(systemd_coredump)
|
||
|
|
||
|
type systemd_coredump_tmpfs_t;
|
||
|
files_tmpfs_file(systemd_coredump_tmpfs_t)
|
||
|
|
||
|
type systemd_coredump_var_lib_t;
|
||
|
files_type(systemd_coredump_var_lib_t)
|
||
|
|
||
|
systemd_domain_template(systemd_hwdb)
|
||
|
|
||
|
type systemd_hwdb_unit_file_t;
|
||
|
systemd_unit_file(systemd_hwdb_unit_file_t)
|
||
|
|
||
|
systemd_domain_template(systemd_networkd)
|
||
|
init_nnp_daemon_domain(systemd_networkd_t)
|
||
|
|
||
|
type systemd_networkd_unit_file_t;
|
||
|
systemd_unit_file(systemd_networkd_unit_file_t)
|
||
|
|
||
|
type systemd_networkd_var_run_t;
|
||
|
files_pid_file(systemd_networkd_var_run_t)
|
||
|
files_mountpoint(systemd_networkd_var_run_t)
|
||
|
|
||
|
systemd_domain_template(systemd_initctl)
|
||
|
|
||
|
systemd_domain_template(systemd_bootchart)
|
||
|
|
||
|
type systemd_bootchart_unit_file_t;
|
||
|
systemd_unit_file(systemd_bootchart_unit_file_t)
|
||
|
|
||
|
type systemd_bootchart_var_run_t;
|
||
|
files_pid_file(systemd_bootchart_var_run_t)
|
||
|
|
||
|
type systemd_bootchart_tmpfs_t;
|
||
|
files_tmpfs_file(systemd_bootchart_tmpfs_t)
|
||
|
|
||
|
systemd_domain_template(systemd_journal_upload)
|
||
|
|
||
|
type systemd_journal_upload_var_lib_t;
|
||
|
files_type(systemd_journal_upload_var_lib_t);
|
||
|
|
||
|
systemd_domain_template(systemd_resolved)
|
||
|
init_nnp_daemon_domain(systemd_resolved_t)
|
||
|
|
||
|
type systemd_resolved_var_run_t;
|
||
|
files_pid_file(systemd_resolved_var_run_t)
|
||
|
files_mountpoint(systemd_resolved_var_run_t)
|
||
|
|
||
|
type systemd_resolved_unit_file_t;
|
||
|
systemd_unit_file(systemd_resolved_unit_file_t)
|
||
|
|
||
|
systemd_domain_template(systemd_modules_load)
|
||
|
|
||
|
type systemd_modules_load_unit_file_t;
|
||
|
systemd_unit_file(systemd_modules_load_unit_file_t)
|
||
|
|
||
|
# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
|
||
|
# systemd components
|
||
|
|
||
|
systemd_domain_template(systemd_passwd_agent)
|
||
|
|
||
|
type systemd_passwd_var_run_t alias systemd_device_t;
|
||
|
files_pid_file(systemd_passwd_var_run_t)
|
||
|
|
||
|
# domain for systemd-tmpfiles component
|
||
|
systemd_domain_template(systemd_tmpfiles)
|
||
|
systemd_domain_template(systemd_notify)
|
||
|
|
||
|
# type for systemd unit files
|
||
|
type systemd_unit_file_t;
|
||
|
systemd_unit_file(systemd_unit_file_t)
|
||
|
|
||
|
type systemd_runtime_unit_file_t;
|
||
|
systemd_unit_file(systemd_runtime_unit_file_t)
|
||
|
|
||
|
type power_unit_file_t;
|
||
|
systemd_unit_file(power_unit_file_t)
|
||
|
|
||
|
type systemd_vconsole_unit_file_t;
|
||
|
systemd_unit_file(systemd_vconsole_unit_file_t)
|
||
|
|
||
|
# executable for systemctl
|
||
|
type systemd_systemctl_exec_t;
|
||
|
corecmd_executable_file(systemd_systemctl_exec_t)
|
||
|
|
||
|
systemd_domain_template(systemd_localed)
|
||
|
systemd_domain_template(systemd_hostnamed)
|
||
|
|
||
|
type hostname_etc_t;
|
||
|
files_config_file(hostname_etc_t)
|
||
|
|
||
|
type systemd_hwdb_etc_t;
|
||
|
files_config_file(systemd_hwdb_etc_t)
|
||
|
|
||
|
systemd_domain_template(systemd_rfkill)
|
||
|
|
||
|
type systemd_rfkill_unit_file_t;
|
||
|
systemd_unit_file(systemd_rfkill_unit_file_t)
|
||
|
|
||
|
type systemd_rfkill_var_lib_t;
|
||
|
files_type(systemd_rfkill_var_lib_t)
|
||
|
|
||
|
type systemd_socket_proxyd_t;
|
||
|
type systemd_socket_proxyd_exec_t;
|
||
|
init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t)
|
||
|
|
||
|
type systemd_socket_proxyd_port_t;
|
||
|
corenet_port(systemd_socket_proxyd_port_t)
|
||
|
|
||
|
type systemd_socket_proxyd_unit_file_t;
|
||
|
systemd_unit_file(systemd_socket_proxyd_unit_file_t)
|
||
|
|
||
|
systemd_domain_template(systemd_timedated)
|
||
|
init_nnp_daemon_domain(systemd_timedated_t)
|
||
|
typeattribute systemd_timedated_t systemd_domain;
|
||
|
typealias systemd_timedated_t alias gnomeclock_t;
|
||
|
|
||
|
type systemd_timedated_unit_file_t;
|
||
|
systemd_unit_file(systemd_timedated_unit_file_t)
|
||
|
|
||
|
type systemd_timedated_var_run_t;
|
||
|
files_pid_file(systemd_timedated_var_run_t)
|
||
|
|
||
|
type systemd_timedated_var_lib_t;
|
||
|
files_type(systemd_timedated_var_lib_t)
|
||
|
|
||
|
systemd_domain_template(systemd_sysctl)
|
||
|
|
||
|
#domain for gpt-auto-generator
|
||
|
systemd_domain_template(systemd_gpt_generator)
|
||
|
|
||
|
systemd_domain_template(systemd_network_generator)
|
||
|
|
||
|
type systemd_gpt_generator_unit_file_t;
|
||
|
systemd_unit_file(systemd_gpt_generator_unit_file_t)
|
||
|
|
||
|
#domain for systemd-machined
|
||
|
systemd_domain_template(systemd_machined)
|
||
|
|
||
|
type systemd_machined_unit_file_t;
|
||
|
systemd_unit_file(systemd_machined_unit_file_t)
|
||
|
|
||
|
# /run/systemd/machines
|
||
|
type systemd_machined_var_run_t;
|
||
|
files_pid_file(systemd_machined_var_run_t)
|
||
|
|
||
|
# /var/lib/machines
|
||
|
type systemd_machined_var_lib_t;
|
||
|
files_type(systemd_machined_var_lib_t)
|
||
|
|
||
|
systemd_domain_template(systemd_importd)
|
||
|
init_nnp_daemon_domain(systemd_importd_t)
|
||
|
|
||
|
type systemd_importd_var_run_t;
|
||
|
files_pid_file(systemd_importd_var_run_t)
|
||
|
|
||
|
type systemd_importd_tmp_t;
|
||
|
files_tmp_file(systemd_importd_tmp_t)
|
||
|
|
||
|
type systemd_machined_devpts_t;
|
||
|
term_login_pty(systemd_machined_devpts_t)
|
||
|
|
||
|
systemd_domain_template(systemd_userdbd)
|
||
|
|
||
|
type systemd_userdbd_unit_file_t;
|
||
|
systemd_unit_file(systemd_userdbd_unit_file_t)
|
||
|
|
||
|
type systemd_userdbd_runtime_t;
|
||
|
files_pid_file(systemd_userdbd_runtime_t)
|
||
|
|
||
|
systemd_domain_template(systemd_sleep)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Systemd_logind local policy
|
||
|
#
|
||
|
|
||
|
# is for /run/user/$USER ($USER ownership is $USER:$USER)
|
||
|
allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
|
||
|
allow systemd_logind_t self:capability2 block_suspend;
|
||
|
|
||
|
# systemd-logind reads state from /sys/power, which changes output based on
|
||
|
# whether hibernations is available, which tries to take the lockdown state
|
||
|
# into account. So the permission is somewhat unnecessary (systemd-logind
|
||
|
# doesn't actually try to change anything), but it's better to allow it so that
|
||
|
# systemd-logind sees the right system state.
|
||
|
allow systemd_logind_t self:lockdown integrity;
|
||
|
allow systemd_logind_t self:process getcap;
|
||
|
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||
|
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
mls_file_read_all_levels(systemd_logind_t)
|
||
|
mls_file_write_all_levels(systemd_logind_t)
|
||
|
mls_dbus_send_all_levels(systemd_logind_t)
|
||
|
|
||
|
files_delete_tmpfs_files(systemd_logind_t)
|
||
|
fs_delete_tmpfs_dirs(systemd_logind_t)
|
||
|
|
||
|
fs_mount_tmpfs(systemd_logind_t)
|
||
|
fs_unmount_tmpfs(systemd_logind_t)
|
||
|
fs_list_tmpfs(systemd_logind_t)
|
||
|
|
||
|
fs_list_dos(systemd_logind_t)
|
||
|
fs_read_dos_files(systemd_logind_t)
|
||
|
|
||
|
fs_manage_fusefs_dirs(systemd_logind_t)
|
||
|
fs_manage_fusefs_files(systemd_logind_t)
|
||
|
|
||
|
manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
||
|
manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
|
||
|
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
|
||
|
|
||
|
manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||
|
manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
|
||
|
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
|
||
|
init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
|
||
|
init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
|
||
|
files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file)
|
||
|
|
||
|
manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||
|
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||
|
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||
|
manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||
|
|
||
|
systemd_start_power_services(systemd_logind_t)
|
||
|
|
||
|
corenet_tcp_bind_dhcpd_port(systemd_logind_t)
|
||
|
corenet_tcp_bind_pki_ca_port(systemd_logind_t)
|
||
|
corenet_tcp_bind_flash_port(systemd_logind_t)
|
||
|
|
||
|
dev_getattr_all_chr_files(systemd_logind_t)
|
||
|
dev_getattr_all_blk_files(systemd_logind_t)
|
||
|
dev_rw_sysfs(systemd_logind_t)
|
||
|
dev_rw_input_dev(systemd_logind_t)
|
||
|
dev_rw_dri(systemd_logind_t)
|
||
|
dev_setattr_all_chr_files(systemd_logind_t)
|
||
|
dev_setattr_dri_dev(systemd_logind_t)
|
||
|
dev_setattr_generic_usb_dev(systemd_logind_t)
|
||
|
dev_setattr_input_dev(systemd_logind_t)
|
||
|
dev_setattr_kvm_dev(systemd_logind_t)
|
||
|
dev_setattr_mouse_dev(systemd_logind_t)
|
||
|
dev_setattr_sound_dev(systemd_logind_t)
|
||
|
dev_setattr_video_dev(systemd_logind_t)
|
||
|
dev_write_kmsg(systemd_logind_t)
|
||
|
|
||
|
domain_obj_id_change_exemption(systemd_logind_t)
|
||
|
domain_read_all_domains_state(systemd_logind_t)
|
||
|
domain_signal_all_domains(systemd_logind_t)
|
||
|
domain_signull_all_domains(systemd_logind_t)
|
||
|
domain_kill_all_domains(systemd_logind_t)
|
||
|
domain_destroy_all_semaphores(systemd_logind_t)
|
||
|
|
||
|
# /etc/udev/udev.conf should probably have a private type if only for confined administration
|
||
|
# /etc/nsswitch.conf
|
||
|
|
||
|
# /sys/fs/cgroup/systemd/user
|
||
|
fs_manage_cgroup_dirs(systemd_logind_t)
|
||
|
# write getattr open setattr
|
||
|
fs_manage_cgroup_files(systemd_logind_t)
|
||
|
fs_manage_efivarfs_files(systemd_logind_t)
|
||
|
fs_getattr_tmpfs(systemd_logind_t)
|
||
|
fs_read_tmpfs_symlinks(systemd_logind_t)
|
||
|
fs_mount_tmpfs(systemd_logind_t)
|
||
|
fs_delete_tmpfs_files(systemd_logind_t)
|
||
|
userdom_mounton_tmp_dirs(systemd_logind_t)
|
||
|
|
||
|
storage_setattr_removable_dev(systemd_logind_t)
|
||
|
storage_setattr_scsi_generic_dev(systemd_logind_t)
|
||
|
storage_setattr_fixed_disk_dev(systemd_logind_t)
|
||
|
storage_raw_read_fixed_disk(systemd_logind_t)
|
||
|
storage_raw_read_removable_device(systemd_logind_t)
|
||
|
|
||
|
term_use_unallocated_ttys(systemd_logind_t)
|
||
|
|
||
|
init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
|
||
|
|
||
|
init_status(systemd_logind_t)
|
||
|
init_start(systemd_logind_t)
|
||
|
init_stop(systemd_logind_t)
|
||
|
init_signal(systemd_logind_t)
|
||
|
init_reboot(systemd_logind_t)
|
||
|
init_halt(systemd_logind_t)
|
||
|
init_undefined(systemd_logind_t)
|
||
|
init_signal_script(systemd_logind_t)
|
||
|
init_getattr_script_status_files(systemd_logind_t)
|
||
|
init_read_utmp(systemd_logind_t)
|
||
|
init_config_transient_files(systemd_logind_t)
|
||
|
init_manage_pid_files(systemd_logind_t)
|
||
|
init_watch_utmp(systemd_logind_t)
|
||
|
|
||
|
getty_systemctl(systemd_logind_t)
|
||
|
|
||
|
systemd_config_generic_services(systemd_logind_t)
|
||
|
systemd_read_efivarfs(systemd_logind_t)
|
||
|
systemd_userdbd_stream_connect(systemd_logind_t)
|
||
|
|
||
|
# /run/user/.*
|
||
|
# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
|
||
|
auth_manage_var_auth(systemd_logind_t)
|
||
|
|
||
|
authlogin_read_state(systemd_logind_t)
|
||
|
|
||
|
init_dbus_chat(systemd_logind_t)
|
||
|
init_dbus_chat_script(systemd_logind_t)
|
||
|
init_read_script_state(systemd_logind_t)
|
||
|
init_read_utmp(systemd_logind_t)
|
||
|
init_rw_stream_sockets(systemd_logind_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_logind_t)
|
||
|
|
||
|
udev_read_db(systemd_logind_t)
|
||
|
udev_manage_rules_files(systemd_logind_t)
|
||
|
|
||
|
userdom_destroy_unpriv_user_msgq(systemd_logind_t)
|
||
|
userdom_destroy_unpriv_user_shared_mem(systemd_logind_t)
|
||
|
userdom_read_all_users_state(systemd_logind_t)
|
||
|
userdom_use_user_terminals(systemd_logind_t)
|
||
|
userdom_manage_tmp_role(system_r, systemd_logind_t)
|
||
|
userdom_manage_tmpfs_role(system_r, systemd_logind_t)
|
||
|
userdom_manage_user_tmp_blk_files(systemd_logind_t)
|
||
|
userdom_manage_user_tmp_chr_files(systemd_logind_t)
|
||
|
|
||
|
xserver_dbus_chat(systemd_logind_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
apache_read_tmp_files(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
cron_dbus_chat_crond(systemd_logind_t)
|
||
|
cron_read_state_crond(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_connect_system_bus(systemd_logind_t)
|
||
|
dbus_system_bus_client(systemd_logind_t)
|
||
|
dbus_delete_session_tmp_sock_files(systemd_logind_t)
|
||
|
dbus_manage_session_tmp_dirs(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
devicekit_dbus_chat_power(systemd_logind_t)
|
||
|
devicekit_dbus_chat_disk(systemd_logind_t)
|
||
|
devicekit_dbus_chat(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
fstools_read_swap_files(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
fwupd_dbus_chat(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# we label /run/user/$USER/dconf as config_home_t
|
||
|
gnome_manage_home_config_dirs(systemd_logind_t)
|
||
|
gnome_manage_home_config(systemd_logind_t)
|
||
|
gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
|
||
|
gnome_manage_gstreamer_home_dirs(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
nis_use_ypbind(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
unconfined_destroy_msgq(systemd_logind_t)
|
||
|
unconfined_destroy_shm(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rpm_dbus_chat(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
sosreport_dbus_chat(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
|
||
|
xserver_search_xdm_tmp_dirs(systemd_logind_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_machined local policy
|
||
|
#
|
||
|
|
||
|
allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill };
|
||
|
allow systemd_machined_t systemd_unit_file_t:service { status start stop };
|
||
|
allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow systemd_machined_t self:cap_userns { sys_chroot };
|
||
|
|
||
|
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
||
|
manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
||
|
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
||
|
init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
|
||
|
|
||
|
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
|
||
|
manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
|
||
|
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
|
||
|
init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
|
||
|
|
||
|
fs_read_nsfs_files(systemd_machined_t)
|
||
|
|
||
|
kernel_dgram_send(systemd_machined_t)
|
||
|
# This is a bug, but need for now.
|
||
|
kernel_read_unlabeled_state(systemd_machined_t)
|
||
|
|
||
|
domain_signal_all_domains(systemd_machined_t)
|
||
|
domain_signull_all_domains(systemd_machined_t)
|
||
|
|
||
|
init_dbus_chat(systemd_machined_t)
|
||
|
init_status(systemd_machined_t)
|
||
|
init_start(systemd_machined_t)
|
||
|
init_stop(systemd_machined_t)
|
||
|
init_manage_config_transient_files(systemd_machined_t)
|
||
|
init_named_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, file, "machines.lock")
|
||
|
|
||
|
logging_dgram_send(systemd_machined_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_machined_t)
|
||
|
systemd_manage_userdbd_runtime_sock_files(systemd_machined_t)
|
||
|
|
||
|
userdom_dbus_send_all_users(systemd_machined_t)
|
||
|
|
||
|
term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
|
||
|
allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms };
|
||
|
getty_start_services(systemd_machined_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_connect_system_bus(systemd_machined_t)
|
||
|
dbus_system_bus_client(systemd_machined_t)
|
||
|
dbus_watch_pid_dir_path(systemd_machined_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
container_read_share_files(systemd_machined_t)
|
||
|
container_spc_read_state(systemd_machined_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mock_read_lib_files(systemd_machined_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
virt_dbus_chat(systemd_machined_t)
|
||
|
virt_sandbox_read_state(systemd_machined_t)
|
||
|
virt_signal_sandbox(systemd_machined_t)
|
||
|
virt_stream_connect_sandbox(systemd_machined_t)
|
||
|
virt_rw_svirt_dev(systemd_machined_t)
|
||
|
virt_getattr_sandbox_filesystem(systemd_machined_t)
|
||
|
virt_read_sandbox_files(systemd_machined_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd-networkd local policy
|
||
|
#
|
||
|
|
||
|
allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap };
|
||
|
allow systemd_networkd_t self:process { getcap setcap };
|
||
|
|
||
|
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||
|
allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
|
||
|
allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
|
||
|
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
|
||
|
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow systemd_networkd_t self:packet_socket create_socket_perms;
|
||
|
allow systemd_networkd_t self:udp_socket create_socket_perms;
|
||
|
allow systemd_networkd_t self:rawip_socket create_socket_perms;
|
||
|
allow systemd_networkd_t self:tun_socket { relabelfrom relabelto create_socket_perms };
|
||
|
|
||
|
allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;
|
||
|
|
||
|
manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||
|
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||
|
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||
|
|
||
|
kernel_dgram_send(systemd_networkd_t)
|
||
|
kernel_request_load_module(systemd_networkd_t)
|
||
|
kernel_read_sysctl(systemd_networkd_t)
|
||
|
kernel_rw_net_sysctls(systemd_networkd_t)
|
||
|
kernel_read_xen_state(systemd_networkd_t)
|
||
|
kernel_read_network_state(systemd_networkd_t)
|
||
|
|
||
|
corenet_rw_tun_tap_dev(systemd_networkd_t)
|
||
|
corenet_tcp_bind_all_nodes(systemd_networkd_t)
|
||
|
corenet_udp_bind_all_nodes(systemd_networkd_t)
|
||
|
corenet_tcp_bind_dhcpc_port(systemd_networkd_t)
|
||
|
corenet_udp_bind_dhcpc_port(systemd_networkd_t)
|
||
|
corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
|
||
|
corenet_udp_bind_dhcpd_port(systemd_networkd_t)
|
||
|
|
||
|
fs_read_xenfs_files(systemd_networkd_t)
|
||
|
fs_read_nsfs_files(systemd_networkd_t)
|
||
|
|
||
|
dev_read_sysfs(systemd_networkd_t)
|
||
|
dev_write_kmsg(systemd_networkd_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_networkd_t)
|
||
|
|
||
|
sysnet_manage_config(systemd_networkd_t)
|
||
|
sysnet_manage_config_dirs(systemd_networkd_t)
|
||
|
|
||
|
systemd_dbus_chat_hostnamed(systemd_networkd_t)
|
||
|
systemd_read_efivarfs(systemd_networkd_t)
|
||
|
|
||
|
init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_system_bus_client(systemd_networkd_t)
|
||
|
dbus_connect_system_bus(systemd_networkd_t)
|
||
|
dbus_watch_pid_dir_path(systemd_networkd_t)
|
||
|
dbus_read_pid_files(systemd_networkd_t)
|
||
|
dbus_read_pid_sock_files(systemd_networkd_t)
|
||
|
systemd_dbus_chat_logind(systemd_networkd_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
sosreport_dbus_chat(systemd_networkd_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
udev_read_db(systemd_networkd_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
unconfined_dbus_acquire_svc(systemd_networkd_t)
|
||
|
unconfined_dbus_send(systemd_networkd_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Local policy
|
||
|
#
|
||
|
|
||
|
allow systemd_passwd_agent_t self:capability { chown sys_tty_config sys_resource dac_read_search dac_override };
|
||
|
allow systemd_passwd_agent_t self:process { setsockcreate };
|
||
|
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
allow systemd_passwd_agent_t systemd_passwd_agent_exec_t:file execute_no_trans;
|
||
|
|
||
|
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||
|
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||
|
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||
|
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||
|
init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
|
||
|
|
||
|
domain_read_all_domains_state(systemd_passwd_agent_t)
|
||
|
|
||
|
kernel_stream_connect(systemd_passwd_agent_t)
|
||
|
|
||
|
dev_create_generic_dirs(systemd_passwd_agent_t)
|
||
|
dev_read_generic_files(systemd_passwd_agent_t)
|
||
|
dev_write_generic_sockets(systemd_passwd_agent_t)
|
||
|
dev_write_kmsg(systemd_passwd_agent_t)
|
||
|
dev_list_sysfs(systemd_passwd_agent_t)
|
||
|
dev_read_sysfs(systemd_passwd_agent_t)
|
||
|
dev_write_sysfs_dirs(systemd_passwd_agent_t)
|
||
|
|
||
|
term_read_console(systemd_passwd_agent_t)
|
||
|
term_use_unallocated_ttys(systemd_passwd_agent_t)
|
||
|
term_watch_unallocated_ttys(systemd_passwd_agent_t)
|
||
|
term_watch_reads_unallocated_ttys(systemd_passwd_agent_t)
|
||
|
|
||
|
init_create_pid_dirs(systemd_passwd_agent_t)
|
||
|
init_rw_pipes(systemd_passwd_agent_t)
|
||
|
init_read_utmp(systemd_passwd_agent_t)
|
||
|
init_stream_connect(systemd_passwd_agent_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_passwd_agent_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_passwd_agent_t)
|
||
|
|
||
|
userdom_use_user_ptys(systemd_passwd_agent_t)
|
||
|
userdom_use_user_ttys(systemd_passwd_agent_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
lvm_signull(systemd_passwd_agent_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
plymouthd_stream_connect(systemd_passwd_agent_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Local policy
|
||
|
#
|
||
|
|
||
|
allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
|
||
|
allow systemd_tmpfiles_t self:process { setrlimit setfscreate };
|
||
|
|
||
|
allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
kernel_read_network_state(systemd_tmpfiles_t)
|
||
|
kernel_request_load_module(systemd_tmpfiles_t)
|
||
|
kernel_relabelto_usermodehelper(systemd_tmpfiles_t)
|
||
|
kernel_relabelfrom_usermodehelper(systemd_tmpfiles_t)
|
||
|
|
||
|
|
||
|
dev_write_kmsg(systemd_tmpfiles_t)
|
||
|
dev_rw_sysfs(systemd_tmpfiles_t)
|
||
|
dev_relabel_all_sysfs(systemd_tmpfiles_t)
|
||
|
dev_relabel_cpu_online(systemd_tmpfiles_t)
|
||
|
dev_read_cpu_online(systemd_tmpfiles_t)
|
||
|
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
|
||
|
dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
|
||
|
|
||
|
domain_obj_id_change_exemption(systemd_tmpfiles_t)
|
||
|
|
||
|
# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
|
||
|
fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
|
||
|
fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
|
||
|
fs_list_all(systemd_tmpfiles_t)
|
||
|
|
||
|
files_dontaudit_getattr_all_files(systemd_tmpfiles_t)
|
||
|
files_dontaudit_getattr_proc_type_files(systemd_tmpfiles_t)
|
||
|
files_dontaudit_getattr_sysctl_type_files(systemd_tmpfiles_t)
|
||
|
files_dontaudit_getattr_filesystem_type_files(systemd_tmpfiles_t)
|
||
|
|
||
|
files_manage_non_auth_files(systemd_tmpfiles_t)
|
||
|
files_relabel_non_auth_files(systemd_tmpfiles_t)
|
||
|
files_list_lost_found(systemd_tmpfiles_t)
|
||
|
files_map_system_db_files(systemd_tmpfiles_t)
|
||
|
|
||
|
mls_file_read_all_levels(systemd_tmpfiles_t)
|
||
|
mls_file_write_all_levels(systemd_tmpfiles_t)
|
||
|
mls_file_upgrade(systemd_tmpfiles_t)
|
||
|
|
||
|
selinux_get_enforce_mode(systemd_tmpfiles_t)
|
||
|
selinux_setcheckreqprot(systemd_tmpfiles_t)
|
||
|
|
||
|
auth_manage_faillog(systemd_tmpfiles_t)
|
||
|
auth_relabel_faillog(systemd_tmpfiles_t)
|
||
|
auth_manage_var_auth(systemd_tmpfiles_t)
|
||
|
auth_manage_login_records(systemd_tmpfiles_t)
|
||
|
auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
|
||
|
auth_relabel_login_records(systemd_tmpfiles_t)
|
||
|
auth_setattr_login_records(systemd_tmpfiles_t)
|
||
|
|
||
|
init_dgram_send(systemd_tmpfiles_t)
|
||
|
init_rw_stream_sockets(systemd_tmpfiles_t)
|
||
|
|
||
|
logging_create_devlog_dev(systemd_tmpfiles_t)
|
||
|
logging_send_syslog_msg(systemd_tmpfiles_t)
|
||
|
logging_setattr_all_log_dirs(systemd_tmpfiles_t)
|
||
|
logging_relabel_all_log_dirs(systemd_tmpfiles_t)
|
||
|
|
||
|
miscfiles_filetrans_named_content(systemd_tmpfiles_t)
|
||
|
miscfiles_manage_man_pages(systemd_tmpfiles_t)
|
||
|
miscfiles_relabel_man_pages(systemd_tmpfiles_t)
|
||
|
miscfiles_delete_man_pages(systemd_tmpfiles_t)
|
||
|
|
||
|
ifdef(`distro_redhat',`
|
||
|
userdom_list_user_home_content(systemd_tmpfiles_t)
|
||
|
userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
|
||
|
userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
|
||
|
userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
|
||
|
userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
|
||
|
userdom_delete_admin_home_files(systemd_tmpfiles_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
apache_delete_sys_content_rw(systemd_tmpfiles_t)
|
||
|
apache_list_cache(systemd_tmpfiles_t)
|
||
|
apache_delete_cache_dirs(systemd_tmpfiles_t)
|
||
|
apache_delete_cache_files(systemd_tmpfiles_t)
|
||
|
apache_setattr_cache_dirs(systemd_tmpfiles_t)
|
||
|
')
|
||
|
|
||
|
|
||
|
optional_policy(`
|
||
|
auth_rw_login_records(systemd_tmpfiles_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# we have /run/user/$USER/dconf
|
||
|
gnome_delete_home_config(systemd_tmpfiles_t)
|
||
|
gnome_delete_home_config_dirs(systemd_tmpfiles_t)
|
||
|
gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
lpd_manage_spool(systemd_tmpfiles_t)
|
||
|
lpd_relabel_spool(systemd_tmpfiles_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rpm_read_db(systemd_tmpfiles_t)
|
||
|
rpm_delete_db(systemd_tmpfiles_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
sandbox_list(systemd_tmpfiles_t)
|
||
|
sandbox_delete_dirs(systemd_tmpfiles_t)
|
||
|
sandbox_delete_files(systemd_tmpfiles_t)
|
||
|
sandbox_delete_lnk_files(systemd_tmpfiles_t)
|
||
|
sandbox_delete_pipes(systemd_tmpfiles_t)
|
||
|
sandbox_delete_sock_files(systemd_tmpfiles_t)
|
||
|
sandbox_setattr_dirs(systemd_tmpfiles_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_notify local policy
|
||
|
#
|
||
|
allow systemd_notify_t self:capability chown;
|
||
|
allow systemd_notify_t self:process { fork setfscreate setsockcreate };
|
||
|
|
||
|
allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
dev_write_kmsg(systemd_notify_t)
|
||
|
|
||
|
domain_use_interactive_fds(systemd_notify_t)
|
||
|
|
||
|
fs_getattr_cgroup_files(systemd_notify_t)
|
||
|
|
||
|
init_rw_stream_sockets(systemd_notify_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
rhcs_read_log_cluster(systemd_notify_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
readahead_manage_pid_files(systemd_notify_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_logger local policy
|
||
|
#
|
||
|
|
||
|
allow systemd_logger_t self:capability { sys_admin chown kill };
|
||
|
allow systemd_logger_t self:process { fork setfscreate setsockcreate };
|
||
|
|
||
|
allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
|
||
|
kernel_use_fds(systemd_logger_t)
|
||
|
|
||
|
dev_write_kmsg(systemd_logger_t)
|
||
|
|
||
|
domain_use_interactive_fds(systemd_logger_t)
|
||
|
|
||
|
# only needs write
|
||
|
term_use_generic_ptys(systemd_logger_t)
|
||
|
|
||
|
# /run/systemd/notify
|
||
|
init_write_pid_socket(systemd_logger_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_logger_t)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_sysctl domains local policy
|
||
|
#
|
||
|
|
||
|
allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
|
||
|
|
||
|
fs_list_cgroup_dirs(systemctl_domain)
|
||
|
fs_read_cgroup_files(systemctl_domain)
|
||
|
|
||
|
# needed by systemctl
|
||
|
init_dgram_send(systemctl_domain)
|
||
|
init_stream_connect(systemctl_domain)
|
||
|
init_read_state(systemctl_domain)
|
||
|
init_list_pid_dirs(systemctl_domain)
|
||
|
init_use_fds(systemctl_domain)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Localed policy
|
||
|
#
|
||
|
allow systemd_localed_t self:process setfscreate;
|
||
|
allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow systemd_localed_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
dev_write_kmsg(systemd_localed_t)
|
||
|
|
||
|
init_dbus_chat(systemd_localed_t)
|
||
|
init_reload_services(systemd_localed_t)
|
||
|
|
||
|
logging_stream_connect_syslog(systemd_localed_t)
|
||
|
logging_send_syslog_msg(systemd_localed_t)
|
||
|
|
||
|
allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
|
||
|
|
||
|
miscfiles_manage_localization(systemd_localed_t)
|
||
|
miscfiles_etc_filetrans_localization(systemd_localed_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_localed_t)
|
||
|
|
||
|
userdom_dbus_send_all_users(systemd_localed_t)
|
||
|
|
||
|
xserver_manage_config(systemd_localed_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_connect_system_bus(systemd_localed_t)
|
||
|
dbus_system_bus_client(systemd_localed_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Hostnamed policy
|
||
|
#
|
||
|
allow systemd_hostnamed_t self:capability sys_admin;
|
||
|
dontaudit systemd_hostnamed_t self:capability sys_ptrace;
|
||
|
|
||
|
allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
|
||
|
manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
|
||
|
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
|
||
|
init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )
|
||
|
|
||
|
kernel_dgram_send(systemd_hostnamed_t)
|
||
|
kernel_read_xen_state(systemd_hostnamed_t)
|
||
|
kernel_read_sysctl(systemd_hostnamed_t)
|
||
|
|
||
|
dev_write_kmsg(systemd_hostnamed_t)
|
||
|
dev_read_sysfs(systemd_hostnamed_t)
|
||
|
|
||
|
fs_read_xenfs_files(systemd_hostnamed_t)
|
||
|
|
||
|
init_delete_pid_dir_entry(systemd_hostnamed_t)
|
||
|
init_status(systemd_hostnamed_t)
|
||
|
init_stream_connect(systemd_hostnamed_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_hostnamed_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_hostnamed_t)
|
||
|
|
||
|
userdom_read_all_users_state(systemd_hostnamed_t)
|
||
|
userdom_dbus_send_all_users(systemd_hostnamed_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_system_bus_client(systemd_hostnamed_t)
|
||
|
dbus_connect_system_bus(systemd_hostnamed_t)
|
||
|
dbus_watch_pid_dir_path(systemd_hostnamed_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
init_dbus_chat_script(systemd_hostnamed_t)
|
||
|
')
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
udev_read_pid_files(systemd_hostnamed_t)
|
||
|
')
|
||
|
|
||
|
#########################################
|
||
|
#
|
||
|
# Socket-proxyd local policy
|
||
|
#
|
||
|
|
||
|
allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write };
|
||
|
allow systemd_socket_proxyd_t self:tcp_socket accept;
|
||
|
|
||
|
kernel_read_system_state(systemd_socket_proxyd_t)
|
||
|
|
||
|
auth_use_nsswitch(systemd_socket_proxyd_t)
|
||
|
fs_getattr_cgroup(systemd_socket_proxyd_t)
|
||
|
fs_getattr_xattr_fs(systemd_socket_proxyd_t)
|
||
|
sysnet_dns_name_resolve(systemd_socket_proxyd_t)
|
||
|
|
||
|
tunable_policy(`systemd_socket_proxyd_bind_any',`
|
||
|
corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
|
||
|
',`
|
||
|
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
|
||
|
')
|
||
|
|
||
|
tunable_policy(`systemd_socket_proxyd_connect_any',`
|
||
|
corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
|
||
|
',`
|
||
|
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
|
||
|
')
|
||
|
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# rfkill policy
|
||
|
#
|
||
|
|
||
|
allow systemd_rfkill_t self:capability { net_admin sys_admin};
|
||
|
allow systemd_rfkill_t self:capability2 bpf;
|
||
|
allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||
|
|
||
|
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
||
|
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
||
|
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir, "rfkill")
|
||
|
|
||
|
kernel_dgram_send(systemd_rfkill_t)
|
||
|
kernel_dontaudit_request_load_module(systemd_rfkill_t)
|
||
|
|
||
|
# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
|
||
|
kernel_dontaudit_request_load_module(systemd_rfkill_t)
|
||
|
|
||
|
dev_read_sysfs(systemd_rfkill_t)
|
||
|
dev_rw_wireless(systemd_rfkill_t)
|
||
|
dev_write_kmsg(systemd_rfkill_t)
|
||
|
|
||
|
|
||
|
init_search_var_lib_dirs(systemd_rfkill_t)
|
||
|
|
||
|
logging_dgram_send(systemd_rfkill_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_rfkill_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
udev_read_db(systemd_rfkill_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Timedated policy
|
||
|
#
|
||
|
|
||
|
allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search };
|
||
|
allow systemd_timedated_t self:process { getattr getsched setfscreate };
|
||
|
allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
allow systemd_timedated_t systemd_timedated_unit_file_t:service manage_service_perms;
|
||
|
|
||
|
manage_dirs_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t)
|
||
|
manage_files_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t)
|
||
|
manage_sock_files_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t)
|
||
|
init_pid_filetrans(systemd_timedated_t, systemd_timedated_var_run_t, { dir file sock_file })
|
||
|
|
||
|
manage_dirs_pattern(systemd_timedated_t, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
|
||
|
manage_files_pattern(systemd_timedated_t, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
|
||
|
read_lnk_files_pattern(systemd_timedated_t, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
|
||
|
init_var_lib_filetrans(systemd_timedated_t, systemd_timedated_var_lib_t, dir, "timesync")
|
||
|
allow systemd_timedated_t systemd_networkd_var_run_t:dir watch_dir_perms;
|
||
|
|
||
|
list_dirs_pattern(systemd_timedated_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||
|
read_files_pattern(systemd_timedated_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||
|
|
||
|
corecmd_exec_bin(systemd_timedated_t)
|
||
|
corecmd_exec_shell(systemd_timedated_t)
|
||
|
corecmd_dontaudit_access_check_bin(systemd_timedated_t)
|
||
|
|
||
|
corenet_tcp_connect_time_port(systemd_timedated_t)
|
||
|
|
||
|
dev_rw_realtime_clock(systemd_timedated_t)
|
||
|
dev_write_kmsg(systemd_timedated_t)
|
||
|
dev_read_sysfs(systemd_timedated_t)
|
||
|
|
||
|
files_watch_var_run_path(systemd_timedated_t)
|
||
|
|
||
|
fs_getattr_xattr_fs(systemd_timedated_t)
|
||
|
|
||
|
init_dbus_chat(systemd_timedated_t)
|
||
|
init_status(systemd_timedated_t)
|
||
|
init_watch_pid_dir(systemd_timedated_t)
|
||
|
|
||
|
kernel_read_network_state(systemd_timedated_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_timedated_t)
|
||
|
|
||
|
miscfiles_manage_localization(systemd_timedated_t)
|
||
|
miscfiles_etc_filetrans_localization(systemd_timedated_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_timedated_t)
|
||
|
|
||
|
userdom_read_all_users_state(systemd_timedated_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
chronyd_systemctl(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
clock_manage_adjtime(systemd_timedated_t)
|
||
|
clock_filetrans_named_content(systemd_timedated_t)
|
||
|
clock_domtrans(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
consolekit_dbus_chat(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
consoletype_exec(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_system_bus_client(systemd_timedated_t)
|
||
|
dbus_connect_system_bus(systemd_timedated_t)
|
||
|
dbus_read_pid_sock_files(systemd_timedated_t)
|
||
|
dbus_watch_pid_dir_path(systemd_timedated_t)
|
||
|
dbus_watch_pid_sock_files(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
gnome_manage_usr_config(systemd_timedated_t)
|
||
|
gnome_manage_home_config(systemd_timedated_t)
|
||
|
gnome_manage_home_config_dirs(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ntp_domtrans_ntpdate(systemd_timedated_t)
|
||
|
ntp_initrc_domtrans(systemd_timedated_t)
|
||
|
init_dontaudit_getattr_all_script_files(systemd_timedated_t)
|
||
|
init_dontaudit_getattr_exec(systemd_timedated_t)
|
||
|
ntp_systemctl(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
policykit_domtrans_auth(systemd_timedated_t)
|
||
|
policykit_read_lib(systemd_timedated_t)
|
||
|
policykit_read_reload(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
xserver_manage_config(systemd_timedated_t)
|
||
|
xserver_read_state_xdm(systemd_timedated_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_sysctl domains local policy
|
||
|
#
|
||
|
allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_rawio sys_resource };
|
||
|
allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
|
||
|
kernel_dgram_send(systemd_sysctl_t)
|
||
|
kernel_request_load_module(systemd_sysctl_t)
|
||
|
kernel_rw_all_sysctls(systemd_sysctl_t)
|
||
|
kernel_read_security_state(systemd_sysctl_t)
|
||
|
kernel_write_security_state(systemd_sysctl_t)
|
||
|
|
||
|
files_read_system_conf_files(systemd_sysctl_t)
|
||
|
|
||
|
dev_write_kmsg(systemd_sysctl_t)
|
||
|
|
||
|
domain_use_interactive_fds(systemd_sysctl_t)
|
||
|
|
||
|
init_stream_connect(systemd_sysctl_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_sysctl_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_sysctl_t)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_coredump domains
|
||
|
#
|
||
|
|
||
|
# dac_read_search - to access /proc/<pid>/fd of the dumped process
|
||
|
# sys_ptrace - to read /proc/<pid>/exe of the dumped process
|
||
|
# setgid setuid - to set own credentials to match the dumped process credentials
|
||
|
# setpcap - to drop capabilities
|
||
|
allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_ptrace };
|
||
|
allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace };
|
||
|
|
||
|
# To set its capability set
|
||
|
allow systemd_coredump_t self:process setcap;
|
||
|
|
||
|
allow systemd_coredump_t self:unix_stream_socket connectto;
|
||
|
allow systemd_coredump_t self:user_namespace create;
|
||
|
|
||
|
manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
|
||
|
fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
|
||
|
|
||
|
manage_dirs_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
||
|
manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
||
|
mmap_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
||
|
init_var_lib_filetrans(systemd_coredump_t, systemd_coredump_var_lib_t, dir, "coredump")
|
||
|
|
||
|
kernel_rw_usermodehelper_state(systemd_coredump_t)
|
||
|
|
||
|
dev_write_kmsg(systemd_coredump_t)
|
||
|
|
||
|
# To read info about the crashed process from /proc
|
||
|
domain_read_all_domains_state(systemd_coredump_t)
|
||
|
|
||
|
# To be able to mmap the dumped process' executable file for reading
|
||
|
# (can be basically any file type)
|
||
|
files_read_non_security_files(systemd_coredump_t)
|
||
|
files_map_non_security_files(systemd_coredump_t)
|
||
|
|
||
|
files_mounton_rootfs(systemd_coredump_t)
|
||
|
|
||
|
fs_getattr_nsfs_files(systemd_coredump_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
logging_send_syslog_msg(systemd_coredump_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_hwdb domain
|
||
|
#
|
||
|
manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
|
||
|
allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto};
|
||
|
files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_hwdb_t)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_gpt_generator domain
|
||
|
#
|
||
|
|
||
|
allow systemd_gpt_generator_t self:capability sys_rawio;
|
||
|
dontaudit systemd_gpt_generator_t self:capability sys_admin;
|
||
|
allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||
|
|
||
|
dev_read_sysfs(systemd_gpt_generator_t)
|
||
|
dev_write_kmsg(systemd_gpt_generator_t)
|
||
|
dev_read_rand(systemd_gpt_generator_t)
|
||
|
|
||
|
files_list_boot(systemd_gpt_generator_t)
|
||
|
files_list_home(systemd_gpt_generator_t)
|
||
|
files_list_tmp(systemd_gpt_generator_t)
|
||
|
files_list_usr(systemd_gpt_generator_t)
|
||
|
files_list_var(systemd_gpt_generator_t)
|
||
|
|
||
|
fstools_exec(systemd_gpt_generator_t)
|
||
|
|
||
|
mls_file_read_to_clearance(systemd_gpt_generator_t)
|
||
|
mls_file_write_to_clearance(systemd_gpt_generator_t)
|
||
|
|
||
|
storage_raw_rw_fixed_disk(systemd_gpt_generator_t)
|
||
|
storage_raw_read_removable_device(systemd_gpt_generator_t)
|
||
|
|
||
|
allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
|
||
|
systemd_read_efivarfs(systemd_gpt_generator_t)
|
||
|
systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
|
||
|
systemd_create_unit_file_dirs(systemd_gpt_generator_t)
|
||
|
systemd_create_unit_file_lnk(systemd_gpt_generator_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
udev_read_pid_files(systemd_gpt_generator_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_network_generator domain
|
||
|
#
|
||
|
|
||
|
init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, dir, "network")
|
||
|
|
||
|
sysnet_manage_config(systemd_network_generator_t)
|
||
|
sysnet_manage_config_dirs(systemd_network_generator_t)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_resolved domain
|
||
|
#
|
||
|
|
||
|
allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
|
||
|
allow systemd_resolved_t self:process setcap;
|
||
|
allow systemd_resolved_t self:tcp_socket { accept listen };
|
||
|
allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
||
|
manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
||
|
manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
||
|
manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
|
||
|
init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
|
||
|
|
||
|
list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||
|
read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
|
||
|
allow systemd_resolved_t systemd_networkd_var_run_t:dir watch_dir_perms;
|
||
|
|
||
|
kernel_dgram_send(systemd_resolved_t)
|
||
|
kernel_read_net_sysctls(systemd_resolved_t)
|
||
|
kernel_read_network_state(systemd_resolved_t)
|
||
|
|
||
|
auth_read_passwd(systemd_resolved_t)
|
||
|
|
||
|
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
||
|
corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
||
|
corenet_tcp_connect_llmnr_port(systemd_resolved_t)
|
||
|
corenet_udp_bind_dns_port(systemd_resolved_t)
|
||
|
corenet_tcp_bind_dns_port(systemd_resolved_t)
|
||
|
corenet_udp_bind_howl_port(systemd_resolved_t)
|
||
|
|
||
|
dev_write_kmsg(systemd_resolved_t)
|
||
|
dev_read_sysfs(systemd_resolved_t)
|
||
|
|
||
|
files_watch_root_dirs(systemd_resolved_t)
|
||
|
files_watch_tmpfs_dirs(systemd_resolved_t)
|
||
|
files_watch_var_run_dirs(systemd_resolved_t)
|
||
|
|
||
|
init_watch_pid_dir(systemd_resolved_t)
|
||
|
|
||
|
sysnet_manage_config(systemd_resolved_t)
|
||
|
sysnet_filetrans_systemd_resolved(systemd_resolved_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_resolved_t)
|
||
|
|
||
|
userdom_dbus_send_all_users(systemd_resolved_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_system_bus_client(systemd_resolved_t)
|
||
|
dbus_connect_system_bus(systemd_resolved_t)
|
||
|
dbus_read_pid_files(systemd_resolved_t)
|
||
|
dbus_read_pid_sock_files(systemd_resolved_t)
|
||
|
dbus_watch_pid_dir_path(systemd_resolved_t)
|
||
|
dbus_watch_pid_sock_files(systemd_resolved_t)
|
||
|
systemd_dbus_chat_logind(systemd_resolved_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
logging_dgram_send(systemd_resolved_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
networkmanager_dbus_chat(systemd_resolved_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Common rules for systemd domains
|
||
|
#
|
||
|
allow systemd_domain self:process { setfscreate signal_perms };
|
||
|
allow systemd_domain self:unix_dgram_socket { create_socket_perms sendto };
|
||
|
dontaudit systemd_domain self:capability net_admin;
|
||
|
|
||
|
dev_read_urand(systemd_domain)
|
||
|
|
||
|
fs_search_all(systemd_domain)
|
||
|
fs_getattr_all_fs(systemd_domain)
|
||
|
|
||
|
files_read_etc_files(systemd_domain)
|
||
|
files_read_etc_runtime_files(systemd_domain)
|
||
|
files_read_usr_files(systemd_domain)
|
||
|
|
||
|
init_search_pid_dirs(systemd_domain)
|
||
|
init_start_transient_unit(systemd_domain)
|
||
|
init_stop_transient_unit(systemd_domain)
|
||
|
init_status_transient_unit(systemd_domain)
|
||
|
init_reload_transient_unit(systemd_domain)
|
||
|
init_read_state(systemd_domain)
|
||
|
|
||
|
logging_stream_connect_syslog(systemd_domain)
|
||
|
|
||
|
seutil_read_config(systemd_domain)
|
||
|
seutil_read_file_contexts(systemd_domain)
|
||
|
|
||
|
optional_policy(`
|
||
|
lvm_read_state(systemd_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
policykit_dbus_chat(systemd_domain)
|
||
|
')
|
||
|
|
||
|
read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
||
|
read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_modules_load domain
|
||
|
#
|
||
|
|
||
|
allow systemd_modules_load_t self:system module_load;
|
||
|
|
||
|
kernel_dgram_send(systemd_modules_load_t)
|
||
|
kernel_load_unsigned_module(systemd_modules_load_t)
|
||
|
kernel_ib_access_unlabeled_pkeys(systemd_modules_load_t)
|
||
|
kernel_request_load_module(systemd_modules_load_t)
|
||
|
|
||
|
corecmd_exec_bin(systemd_modules_load_t)
|
||
|
corecmd_exec_shell(systemd_modules_load_t)
|
||
|
|
||
|
dev_read_sysfs(systemd_modules_load_t)
|
||
|
dev_write_kmsg(systemd_modules_load_t)
|
||
|
|
||
|
init_read_pid_files(systemd_modules_load_t)
|
||
|
|
||
|
logging_dgram_send(systemd_modules_load_t)
|
||
|
|
||
|
files_map_kernel_modules(systemd_modules_load_t)
|
||
|
files_read_kernel_modules(systemd_modules_load_t)
|
||
|
|
||
|
fs_rw_tracefs_files(systemd_modules_load_t)
|
||
|
|
||
|
modutils_exec_kmod(systemd_modules_load_t)
|
||
|
modutils_read_module_config(systemd_modules_load_t)
|
||
|
modutils_read_module_deps_files(systemd_modules_load_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_modules_load_t)
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_modules_load domain
|
||
|
#
|
||
|
|
||
|
allow systemd_bootchart_t self:capability sys_admin;
|
||
|
allow systemd_bootchart_t self:capability2 wake_alarm;
|
||
|
allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
kernel_dgram_send(systemd_bootchart_t)
|
||
|
kernel_rw_kernel_sysctl(systemd_bootchart_t)
|
||
|
dev_list_sysfs(systemd_bootchart_t)
|
||
|
|
||
|
domain_read_all_domains_state(systemd_bootchart_t)
|
||
|
|
||
|
manage_files_pattern(systemd_bootchart_t, systemd_bootchart_var_run_t, systemd_bootchart_var_run_t)
|
||
|
logging_syslogd_pid_filetrans(systemd_bootchart_t, systemd_bootchart_var_run_t, file)
|
||
|
|
||
|
manage_files_pattern(systemd_bootchart_t, systemd_bootchart_tmpfs_t, systemd_bootchart_tmpfs_t)
|
||
|
fs_tmpfs_filetrans(systemd_bootchart_t, systemd_bootchart_tmpfs_t, file )
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_journal_upload domain
|
||
|
#
|
||
|
|
||
|
manage_files_pattern(systemd_journal_upload_t, systemd_journal_upload_var_lib_t, systemd_journal_upload_var_lib_t)
|
||
|
|
||
|
kernel_dgram_send(systemd_journal_upload_t)
|
||
|
|
||
|
corenet_tcp_connect_journal_remote_port(systemd_journal_upload_t)
|
||
|
init_var_lib_filetrans(systemd_journal_upload_t, systemd_journal_upload_var_lib_t, dir, "journal_upload")
|
||
|
init_read_var_lib_lnk_files(systemd_journal_upload_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
# This actually is for reading journal data
|
||
|
logging_read_syslog_pid(systemd_journal_upload_t)
|
||
|
logging_mmap_journal(systemd_journal_upload_t)
|
||
|
logging_watch_journal_dir(systemd_journal_upload_t)
|
||
|
|
||
|
logging_list_logs(systemd_journal_upload_t)
|
||
|
logging_read_generic_logs(systemd_journal_upload_t)
|
||
|
logging_watch_generic_log_dirs(systemd_journal_upload_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# systemd_modules_load domain
|
||
|
#
|
||
|
allow systemd_initctl_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
kernel_dgram_send(systemd_initctl_t)
|
||
|
|
||
|
init_rw_initctl(systemd_initctl_t)
|
||
|
init_stream_connectto(systemd_initctl_t)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_importd local policy
|
||
|
#
|
||
|
allow systemd_importd_t self:capability { chown fowner fsetid mknod setpcap sys_admin };
|
||
|
allow systemd_importd_t self:process { setcap setfscreate };
|
||
|
allow systemd_importd_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow systemd_importd_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow systemd_importd_t self:tcp_socket create_socket_perms;
|
||
|
allow systemd_importd_t self:udp_socket create_socket_perms;
|
||
|
allow systemd_importd_t self:unix_dgram_socket sendto;
|
||
|
allow systemd_importd_t systemd_importd_exec_t:file execute_no_trans;
|
||
|
|
||
|
manage_dirs_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
|
||
|
manage_files_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
|
||
|
manage_sock_files_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
|
||
|
init_pid_filetrans(systemd_importd_t, systemd_importd_var_run_t, dir)
|
||
|
|
||
|
manage_files_pattern(systemd_importd_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
||
|
init_named_pid_filetrans(systemd_importd_t, systemd_machined_var_run_t, file, "machines.lock")
|
||
|
|
||
|
manage_dirs_pattern(systemd_importd_t, systemd_importd_tmp_t, systemd_importd_tmp_t)
|
||
|
manage_files_pattern(systemd_importd_t, systemd_importd_tmp_t, systemd_importd_tmp_t)
|
||
|
files_tmp_filetrans(systemd_importd_t, systemd_importd_tmp_t, { dir file })
|
||
|
|
||
|
kernel_dgram_send(systemd_importd_t)
|
||
|
kernel_read_system_state(systemd_importd_t)
|
||
|
|
||
|
auth_read_passwd(systemd_importd_t)
|
||
|
|
||
|
corecmd_exec_bin(systemd_importd_t)
|
||
|
|
||
|
corenet_tcp_connect_http_port(systemd_importd_t)
|
||
|
|
||
|
fs_getattr_xattr_fs(systemd_importd_t)
|
||
|
|
||
|
init_read_state(systemd_importd_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_importd_t)
|
||
|
|
||
|
miscfiles_read_certs(systemd_importd_t)
|
||
|
|
||
|
sysnet_read_config(systemd_importd_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
systemd_machined_manage_lib_files(systemd_importd_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_system_bus_client(systemd_importd_t)
|
||
|
dbus_acquire_svc_system_dbusd(systemd_importd_t)
|
||
|
unconfined_dbus_send(systemd_importd_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
gpg_exec(systemd_importd_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_userdbd local policy
|
||
|
#
|
||
|
allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
|
||
|
|
||
|
manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||
|
manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||
|
manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||
|
init_named_pid_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir, "userdb")
|
||
|
|
||
|
kernel_dgram_send(systemd_userdbd_t)
|
||
|
|
||
|
auth_read_shadow(systemd_userdbd_t)
|
||
|
auth_use_nsswitch(systemd_userdbd_t)
|
||
|
|
||
|
can_exec(systemd_userdbd_t systemd_userdbd_exec_t)
|
||
|
|
||
|
init_stream_connectto(systemd_userdbd_t)
|
||
|
|
||
|
logging_send_syslog_msg(systemd_userdbd_t)
|
||
|
|
||
|
systemd_read_efivarfs(systemd_userdbd_t)
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# systemd_sleep local policy
|
||
|
#
|
||
|
|
||
|
allow systemd_sleep_t self:capability sys_resource;
|
||
|
# systemd-sleep needs to set timer for suspend-then-hibernate
|
||
|
allow systemd_sleep_t self:capability2 wake_alarm;
|
||
|
dontaudit systemd_sleep_t self:capability sys_ptrace;
|
||
|
# systemd-sleep needs the permission to change sleep state
|
||
|
allow systemd_sleep_t self:lockdown integrity;
|
||
|
|
||
|
kernel_dgram_send(systemd_sleep_t)
|
||
|
|
||
|
corecmd_exec_bin(systemd_sleep_t)
|
||
|
corecmd_exec_shell(systemd_sleep_t)
|
||
|
|
||
|
dev_create_sysfs_files(systemd_sleep_t)
|
||
|
dev_rw_sysfs(systemd_sleep_t)
|
||
|
dev_write_kmsg(systemd_sleep_t)
|
||
|
|
||
|
fstools_rw_swap_files(systemd_sleep_t)
|
||
|
|
||
|
# systemd-sleep needs to getattr swap partitions
|
||
|
storage_getattr_fixed_disk_dev(systemd_sleep_t)
|
||
|
storage_getattr_removable_dev(systemd_sleep_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
sysstat_domtrans(systemd_sleep_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
tlp_domtrans(systemd_sleep_t)
|
||
|
tlp_filetrans_named_content(systemd_sleep_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
unconfined_server_domtrans(systemd_sleep_t)
|
||
|
')
|