oreonproject/Oreon-Lime-R2
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/system/systemd.te

1528 lines
48 KiB
Text
Raw Blame History

policy_module(systemd, 1.0.0)
#######################################
#
# Declarations
#
## <desc>
## <p>
## Allow systemd-socket-proxyd to bind any port instead of one labelled
## with systemd_socket_proxyd_port_t.
## </p>
## </desc>
gen_tunable(systemd_socket_proxyd_bind_any, false)
## <desc>
## <p>
## Allow systemd-socket-proxyd to connect to any port instead of
## labelled ones.
## </p>
## </desc>
gen_tunable(systemd_socket_proxyd_connect_any, false)
attribute systemd_unit_file_type;
attribute systemd_domain;
attribute systemctl_domain;
attribute systemd_mount_directory;
attribute systemd_private_tmp_type;
attribute systemd_read_efivarfs_type;
fs_read_efivarfs_files(systemd_read_efivarfs_type)
read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)
systemd_domain_template(systemd_logger)
systemd_domain_template(systemd_logind)
# /run/systemd/sessions
type systemd_logind_sessions_t;
files_pid_file(systemd_logind_sessions_t)
type systemd_logind_var_lib_t;
files_type(systemd_logind_var_lib_t)
systemd_mount_dir(systemd_logind_var_lib_t)
# /run/systemd/{seats, users}
type systemd_logind_var_run_t;
files_pid_file(systemd_logind_var_run_t)
type systemd_logind_inhibit_var_run_t;
files_pid_file(systemd_logind_inhibit_var_run_t)
type systemd_home_t;
userdom_user_home_content(systemd_home_t)
type random_seed_t;
files_security_file(random_seed_t)
files_mountpoint(random_seed_t)
systemd_domain_template(systemd_coredump)
type systemd_coredump_tmpfs_t;
files_tmpfs_file(systemd_coredump_tmpfs_t)
type systemd_coredump_var_lib_t;
files_type(systemd_coredump_var_lib_t)
systemd_domain_template(systemd_hwdb)
type systemd_hwdb_unit_file_t;
systemd_unit_file(systemd_hwdb_unit_file_t)
systemd_domain_template(systemd_networkd)
init_nnp_daemon_domain(systemd_networkd_t)
type systemd_networkd_unit_file_t;
systemd_unit_file(systemd_networkd_unit_file_t)
type systemd_networkd_var_run_t;
files_pid_file(systemd_networkd_var_run_t)
files_mountpoint(systemd_networkd_var_run_t)
systemd_domain_template(systemd_initctl)
systemd_domain_template(systemd_bootchart)
type systemd_bootchart_unit_file_t;
systemd_unit_file(systemd_bootchart_unit_file_t)
type systemd_bootchart_var_run_t;
files_pid_file(systemd_bootchart_var_run_t)
type systemd_bootchart_tmpfs_t;
files_tmpfs_file(systemd_bootchart_tmpfs_t)
systemd_domain_template(systemd_journal_upload)
type systemd_journal_upload_var_lib_t;
files_type(systemd_journal_upload_var_lib_t);
systemd_domain_template(systemd_resolved)
init_nnp_daemon_domain(systemd_resolved_t)
type systemd_resolved_var_run_t;
files_pid_file(systemd_resolved_var_run_t)
files_mountpoint(systemd_resolved_var_run_t)
type systemd_resolved_unit_file_t;
systemd_unit_file(systemd_resolved_unit_file_t)
systemd_domain_template(systemd_modules_load)
type systemd_modules_load_unit_file_t;
systemd_unit_file(systemd_modules_load_unit_file_t)
# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
# systemd components
systemd_domain_template(systemd_passwd_agent)
type systemd_passwd_var_run_t alias systemd_device_t;
files_pid_file(systemd_passwd_var_run_t)
# domain for systemd-tmpfiles component
systemd_domain_template(systemd_tmpfiles)
systemd_domain_template(systemd_notify)
# type for systemd unit files
type systemd_unit_file_t;
systemd_unit_file(systemd_unit_file_t)
type systemd_runtime_unit_file_t;
systemd_unit_file(systemd_runtime_unit_file_t)
type power_unit_file_t;
systemd_unit_file(power_unit_file_t)
type systemd_vconsole_unit_file_t;
systemd_unit_file(systemd_vconsole_unit_file_t)
# executable for systemctl
type systemd_systemctl_exec_t;
corecmd_executable_file(systemd_systemctl_exec_t)
systemd_domain_template(systemd_localed)
systemd_domain_template(systemd_hostnamed)
type hostname_etc_t;
files_config_file(hostname_etc_t)
type systemd_hwdb_etc_t;
files_config_file(systemd_hwdb_etc_t)
systemd_domain_template(systemd_rfkill)
type systemd_rfkill_unit_file_t;
systemd_unit_file(systemd_rfkill_unit_file_t)
type systemd_rfkill_var_lib_t;
files_type(systemd_rfkill_var_lib_t)
type systemd_socket_proxyd_t;
type systemd_socket_proxyd_exec_t;
init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t)
type systemd_socket_proxyd_port_t;
corenet_port(systemd_socket_proxyd_port_t)
type systemd_socket_proxyd_unit_file_t;
systemd_unit_file(systemd_socket_proxyd_unit_file_t)
systemd_domain_template(systemd_timedated)
init_nnp_daemon_domain(systemd_timedated_t)
typeattribute systemd_timedated_t systemd_domain;
typealias systemd_timedated_t alias gnomeclock_t;
type systemd_timedated_unit_file_t;
systemd_unit_file(systemd_timedated_unit_file_t)
type systemd_timedated_var_run_t;
files_pid_file(systemd_timedated_var_run_t)
type systemd_timedated_var_lib_t;
files_type(systemd_timedated_var_lib_t)
systemd_domain_template(systemd_sysctl)
#domain for gpt-auto-generator
systemd_domain_template(systemd_gpt_generator)
systemd_domain_template(systemd_network_generator)
type systemd_gpt_generator_unit_file_t;
systemd_unit_file(systemd_gpt_generator_unit_file_t)
#domain for systemd-machined
systemd_domain_template(systemd_machined)
type systemd_machined_unit_file_t;
systemd_unit_file(systemd_machined_unit_file_t)
# /run/systemd/machines
type systemd_machined_var_run_t;
files_pid_file(systemd_machined_var_run_t)
# /var/lib/machines
type systemd_machined_var_lib_t;
files_type(systemd_machined_var_lib_t)
systemd_domain_template(systemd_importd)
init_nnp_daemon_domain(systemd_importd_t)
type systemd_importd_var_run_t;
files_pid_file(systemd_importd_var_run_t)
type systemd_importd_tmp_t;
files_tmp_file(systemd_importd_tmp_t)
type systemd_machined_devpts_t;
term_login_pty(systemd_machined_devpts_t)
systemd_domain_template(systemd_userdbd)
type systemd_userdbd_unit_file_t;
systemd_unit_file(systemd_userdbd_unit_file_t)
type systemd_userdbd_runtime_t;
files_pid_file(systemd_userdbd_runtime_t)
systemd_domain_template(systemd_sleep)
#######################################
#
# Systemd_logind local policy
#
# is for /run/user/$USER ($USER ownership is $USER:$USER)
allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
allow systemd_logind_t self:capability2 block_suspend;
# systemd-logind reads state from /sys/power, which changes output based on
# whether hibernations is available, which tries to take the lockdown state
# into account. So the permission is somewhat unnecessary (systemd-logind
# doesn't actually try to change anything), but it's better to allow it so that
# systemd-logind sees the right system state.
allow systemd_logind_t self:lockdown integrity;
allow systemd_logind_t self:process getcap;
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
mls_file_read_all_levels(systemd_logind_t)
mls_file_write_all_levels(systemd_logind_t)
mls_dbus_send_all_levels(systemd_logind_t)
files_delete_tmpfs_files(systemd_logind_t)
fs_delete_tmpfs_dirs(systemd_logind_t)
fs_mount_tmpfs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)
fs_list_tmpfs(systemd_logind_t)
fs_list_dos(systemd_logind_t)
fs_read_dos_files(systemd_logind_t)
fs_manage_fusefs_dirs(systemd_logind_t)
fs_manage_fusefs_files(systemd_logind_t)
manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file)
manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
systemd_start_power_services(systemd_logind_t)
corenet_tcp_bind_dhcpd_port(systemd_logind_t)
corenet_tcp_bind_pki_ca_port(systemd_logind_t)
corenet_tcp_bind_flash_port(systemd_logind_t)
dev_getattr_all_chr_files(systemd_logind_t)
dev_getattr_all_blk_files(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_rw_input_dev(systemd_logind_t)
dev_rw_dri(systemd_logind_t)
dev_setattr_all_chr_files(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_mouse_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
dev_write_kmsg(systemd_logind_t)
domain_obj_id_change_exemption(systemd_logind_t)
domain_read_all_domains_state(systemd_logind_t)
domain_signal_all_domains(systemd_logind_t)
domain_signull_all_domains(systemd_logind_t)
domain_kill_all_domains(systemd_logind_t)
domain_destroy_all_semaphores(systemd_logind_t)
# /etc/udev/udev.conf should probably have a private type if only for confined administration
# /etc/nsswitch.conf
# /sys/fs/cgroup/systemd/user
fs_manage_cgroup_dirs(systemd_logind_t)
# write getattr open setattr
fs_manage_cgroup_files(systemd_logind_t)
fs_manage_efivarfs_files(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
fs_read_tmpfs_symlinks(systemd_logind_t)
fs_mount_tmpfs(systemd_logind_t)
fs_delete_tmpfs_files(systemd_logind_t)
userdom_mounton_tmp_dirs(systemd_logind_t)
storage_setattr_removable_dev(systemd_logind_t)
storage_setattr_scsi_generic_dev(systemd_logind_t)
storage_setattr_fixed_disk_dev(systemd_logind_t)
storage_raw_read_fixed_disk(systemd_logind_t)
storage_raw_read_removable_device(systemd_logind_t)
term_use_unallocated_ttys(systemd_logind_t)
init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
init_status(systemd_logind_t)
init_start(systemd_logind_t)
init_stop(systemd_logind_t)
init_signal(systemd_logind_t)
init_reboot(systemd_logind_t)
init_halt(systemd_logind_t)
init_undefined(systemd_logind_t)
init_signal_script(systemd_logind_t)
init_getattr_script_status_files(systemd_logind_t)
init_read_utmp(systemd_logind_t)
init_config_transient_files(systemd_logind_t)
init_manage_pid_files(systemd_logind_t)
init_watch_utmp(systemd_logind_t)
getty_systemctl(systemd_logind_t)
systemd_config_generic_services(systemd_logind_t)
systemd_read_efivarfs(systemd_logind_t)
systemd_userdbd_stream_connect(systemd_logind_t)
# /run/user/.*
# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
auth_manage_var_auth(systemd_logind_t)
authlogin_read_state(systemd_logind_t)
init_dbus_chat(systemd_logind_t)
init_dbus_chat_script(systemd_logind_t)
init_read_script_state(systemd_logind_t)
init_read_utmp(systemd_logind_t)
init_rw_stream_sockets(systemd_logind_t)
logging_send_syslog_msg(systemd_logind_t)
udev_read_db(systemd_logind_t)
udev_manage_rules_files(systemd_logind_t)
userdom_destroy_unpriv_user_msgq(systemd_logind_t)
userdom_destroy_unpriv_user_shared_mem(systemd_logind_t)
userdom_read_all_users_state(systemd_logind_t)
userdom_use_user_terminals(systemd_logind_t)
userdom_manage_tmp_role(system_r, systemd_logind_t)
userdom_manage_tmpfs_role(system_r, systemd_logind_t)
userdom_manage_user_tmp_blk_files(systemd_logind_t)
userdom_manage_user_tmp_chr_files(systemd_logind_t)
xserver_dbus_chat(systemd_logind_t)
optional_policy(`
apache_read_tmp_files(systemd_logind_t)
')
optional_policy(`
cron_dbus_chat_crond(systemd_logind_t)
cron_read_state_crond(systemd_logind_t)
')
optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
dbus_system_bus_client(systemd_logind_t)
dbus_delete_session_tmp_sock_files(systemd_logind_t)
dbus_manage_session_tmp_dirs(systemd_logind_t)
')
optional_policy(`
devicekit_dbus_chat_power(systemd_logind_t)
devicekit_dbus_chat_disk(systemd_logind_t)
devicekit_dbus_chat(systemd_logind_t)
')
optional_policy(`
fstools_read_swap_files(systemd_logind_t)
')
optional_policy(`
fwupd_dbus_chat(systemd_logind_t)
')
optional_policy(`
# we label /run/user/$USER/dconf as config_home_t
gnome_manage_home_config_dirs(systemd_logind_t)
gnome_manage_home_config(systemd_logind_t)
gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
gnome_manage_gstreamer_home_dirs(systemd_logind_t)
')
optional_policy(`
nis_use_ypbind(systemd_logind_t)
')
optional_policy(`
unconfined_destroy_msgq(systemd_logind_t)
unconfined_destroy_shm(systemd_logind_t)
')
optional_policy(`
rpm_dbus_chat(systemd_logind_t)
')
optional_policy(`
sosreport_dbus_chat(systemd_logind_t)
')
optional_policy(`
# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
xserver_search_xdm_tmp_dirs(systemd_logind_t)
')
########################################
#
# systemd_machined local policy
#
allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill };
allow systemd_machined_t systemd_unit_file_t:service { status start stop };
allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
allow systemd_machined_t self:cap_userns { sys_chroot };
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
fs_read_nsfs_files(systemd_machined_t)
kernel_dgram_send(systemd_machined_t)
# This is a bug, but need for now.
kernel_read_unlabeled_state(systemd_machined_t)
domain_signal_all_domains(systemd_machined_t)
domain_signull_all_domains(systemd_machined_t)
init_dbus_chat(systemd_machined_t)
init_status(systemd_machined_t)
init_start(systemd_machined_t)
init_stop(systemd_machined_t)
init_manage_config_transient_files(systemd_machined_t)
init_named_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, file, "machines.lock")
logging_dgram_send(systemd_machined_t)
systemd_read_efivarfs(systemd_machined_t)
systemd_manage_userdbd_runtime_sock_files(systemd_machined_t)
userdom_dbus_send_all_users(systemd_machined_t)
term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms };
getty_start_services(systemd_machined_t)
optional_policy(`
dbus_connect_system_bus(systemd_machined_t)
dbus_system_bus_client(systemd_machined_t)
dbus_watch_pid_dir_path(systemd_machined_t)
')
optional_policy(`
container_read_share_files(systemd_machined_t)
container_spc_read_state(systemd_machined_t)
')
optional_policy(`
mock_read_lib_files(systemd_machined_t)
')
optional_policy(`
virt_dbus_chat(systemd_machined_t)
virt_sandbox_read_state(systemd_machined_t)
virt_signal_sandbox(systemd_machined_t)
virt_stream_connect_sandbox(systemd_machined_t)
virt_rw_svirt_dev(systemd_machined_t)
virt_getattr_sandbox_filesystem(systemd_machined_t)
virt_read_sandbox_files(systemd_machined_t)
')
#######################################
#
# systemd-networkd local policy
#
allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap };
allow systemd_networkd_t self:process { getcap setcap };
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
allow systemd_networkd_t self:packet_socket create_socket_perms;
allow systemd_networkd_t self:udp_socket create_socket_perms;
allow systemd_networkd_t self:rawip_socket create_socket_perms;
allow systemd_networkd_t self:tun_socket { relabelfrom relabelto create_socket_perms };
allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;
manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
kernel_dgram_send(systemd_networkd_t)
kernel_request_load_module(systemd_networkd_t)
kernel_read_sysctl(systemd_networkd_t)
kernel_rw_net_sysctls(systemd_networkd_t)
kernel_read_xen_state(systemd_networkd_t)
kernel_read_network_state(systemd_networkd_t)
corenet_rw_tun_tap_dev(systemd_networkd_t)
corenet_tcp_bind_all_nodes(systemd_networkd_t)
corenet_udp_bind_all_nodes(systemd_networkd_t)
corenet_tcp_bind_dhcpc_port(systemd_networkd_t)
corenet_udp_bind_dhcpc_port(systemd_networkd_t)
corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
corenet_udp_bind_dhcpd_port(systemd_networkd_t)
fs_read_xenfs_files(systemd_networkd_t)
fs_read_nsfs_files(systemd_networkd_t)
dev_read_sysfs(systemd_networkd_t)
dev_write_kmsg(systemd_networkd_t)
logging_send_syslog_msg(systemd_networkd_t)
sysnet_manage_config(systemd_networkd_t)
sysnet_manage_config_dirs(systemd_networkd_t)
systemd_dbus_chat_hostnamed(systemd_networkd_t)
systemd_read_efivarfs(systemd_networkd_t)
init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")
optional_policy(`
dbus_system_bus_client(systemd_networkd_t)
dbus_connect_system_bus(systemd_networkd_t)
dbus_watch_pid_dir_path(systemd_networkd_t)
dbus_read_pid_files(systemd_networkd_t)
dbus_read_pid_sock_files(systemd_networkd_t)
systemd_dbus_chat_logind(systemd_networkd_t)
')
optional_policy(`
sosreport_dbus_chat(systemd_networkd_t)
')
optional_policy(`
udev_read_db(systemd_networkd_t)
')
optional_policy(`
unconfined_dbus_acquire_svc(systemd_networkd_t)
unconfined_dbus_send(systemd_networkd_t)
')
#######################################
#
# Local policy
#
allow systemd_passwd_agent_t self:capability { chown sys_tty_config sys_resource dac_read_search dac_override };
allow systemd_passwd_agent_t self:process { setsockcreate };
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
allow systemd_passwd_agent_t systemd_passwd_agent_exec_t:file execute_no_trans;
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
domain_read_all_domains_state(systemd_passwd_agent_t)
kernel_stream_connect(systemd_passwd_agent_t)
dev_create_generic_dirs(systemd_passwd_agent_t)
dev_read_generic_files(systemd_passwd_agent_t)
dev_write_generic_sockets(systemd_passwd_agent_t)
dev_write_kmsg(systemd_passwd_agent_t)
dev_list_sysfs(systemd_passwd_agent_t)
dev_read_sysfs(systemd_passwd_agent_t)
dev_write_sysfs_dirs(systemd_passwd_agent_t)
term_read_console(systemd_passwd_agent_t)
term_use_unallocated_ttys(systemd_passwd_agent_t)
term_watch_unallocated_ttys(systemd_passwd_agent_t)
term_watch_reads_unallocated_ttys(systemd_passwd_agent_t)
init_create_pid_dirs(systemd_passwd_agent_t)
init_rw_pipes(systemd_passwd_agent_t)
init_read_utmp(systemd_passwd_agent_t)
init_stream_connect(systemd_passwd_agent_t)
logging_send_syslog_msg(systemd_passwd_agent_t)
systemd_read_efivarfs(systemd_passwd_agent_t)
userdom_use_user_ptys(systemd_passwd_agent_t)
userdom_use_user_ttys(systemd_passwd_agent_t)
optional_policy(`
lvm_signull(systemd_passwd_agent_t)
')
optional_policy(`
plymouthd_stream_connect(systemd_passwd_agent_t)
')
#######################################
#
# Local policy
#
allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
allow systemd_tmpfiles_t self:process { setrlimit setfscreate };
allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
kernel_read_network_state(systemd_tmpfiles_t)
kernel_request_load_module(systemd_tmpfiles_t)
kernel_relabelto_usermodehelper(systemd_tmpfiles_t)
kernel_relabelfrom_usermodehelper(systemd_tmpfiles_t)
dev_write_kmsg(systemd_tmpfiles_t)
dev_rw_sysfs(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_relabel_cpu_online(systemd_tmpfiles_t)
dev_read_cpu_online(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
domain_obj_id_change_exemption(systemd_tmpfiles_t)
# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
fs_list_all(systemd_tmpfiles_t)
files_dontaudit_getattr_all_files(systemd_tmpfiles_t)
files_dontaudit_getattr_proc_type_files(systemd_tmpfiles_t)
files_dontaudit_getattr_sysctl_type_files(systemd_tmpfiles_t)
files_dontaudit_getattr_filesystem_type_files(systemd_tmpfiles_t)
files_manage_non_auth_files(systemd_tmpfiles_t)
files_relabel_non_auth_files(systemd_tmpfiles_t)
files_list_lost_found(systemd_tmpfiles_t)
files_map_system_db_files(systemd_tmpfiles_t)
mls_file_read_all_levels(systemd_tmpfiles_t)
mls_file_write_all_levels(systemd_tmpfiles_t)
mls_file_upgrade(systemd_tmpfiles_t)
selinux_get_enforce_mode(systemd_tmpfiles_t)
selinux_setcheckreqprot(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
auth_relabel_faillog(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
init_dgram_send(systemd_tmpfiles_t)
init_rw_stream_sockets(systemd_tmpfiles_t)
logging_create_devlog_dev(systemd_tmpfiles_t)
logging_send_syslog_msg(systemd_tmpfiles_t)
logging_setattr_all_log_dirs(systemd_tmpfiles_t)
logging_relabel_all_log_dirs(systemd_tmpfiles_t)
miscfiles_filetrans_named_content(systemd_tmpfiles_t)
miscfiles_manage_man_pages(systemd_tmpfiles_t)
miscfiles_relabel_man_pages(systemd_tmpfiles_t)
miscfiles_delete_man_pages(systemd_tmpfiles_t)
ifdef(`distro_redhat',`
userdom_list_user_home_content(systemd_tmpfiles_t)
userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
userdom_delete_admin_home_files(systemd_tmpfiles_t)
')
optional_policy(`
apache_delete_sys_content_rw(systemd_tmpfiles_t)
apache_list_cache(systemd_tmpfiles_t)
apache_delete_cache_dirs(systemd_tmpfiles_t)
apache_delete_cache_files(systemd_tmpfiles_t)
apache_setattr_cache_dirs(systemd_tmpfiles_t)
')
optional_policy(`
auth_rw_login_records(systemd_tmpfiles_t)
')
optional_policy(`
# we have /run/user/$USER/dconf
gnome_delete_home_config(systemd_tmpfiles_t)
gnome_delete_home_config_dirs(systemd_tmpfiles_t)
gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
')
optional_policy(`
lpd_manage_spool(systemd_tmpfiles_t)
lpd_relabel_spool(systemd_tmpfiles_t)
')
optional_policy(`
rpm_read_db(systemd_tmpfiles_t)
rpm_delete_db(systemd_tmpfiles_t)
')
optional_policy(`
sandbox_list(systemd_tmpfiles_t)
sandbox_delete_dirs(systemd_tmpfiles_t)
sandbox_delete_files(systemd_tmpfiles_t)
sandbox_delete_lnk_files(systemd_tmpfiles_t)
sandbox_delete_pipes(systemd_tmpfiles_t)
sandbox_delete_sock_files(systemd_tmpfiles_t)
sandbox_setattr_dirs(systemd_tmpfiles_t)
')
########################################
#
# systemd_notify local policy
#
allow systemd_notify_t self:capability chown;
allow systemd_notify_t self:process { fork setfscreate setsockcreate };
allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
dev_write_kmsg(systemd_notify_t)
domain_use_interactive_fds(systemd_notify_t)
fs_getattr_cgroup_files(systemd_notify_t)
init_rw_stream_sockets(systemd_notify_t)
optional_policy(`
rhcs_read_log_cluster(systemd_notify_t)
')
optional_policy(`
readahead_manage_pid_files(systemd_notify_t)
')
########################################
#
# systemd_logger local policy
#
allow systemd_logger_t self:capability { sys_admin chown kill };
allow systemd_logger_t self:process { fork setfscreate setsockcreate };
allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
kernel_use_fds(systemd_logger_t)
dev_write_kmsg(systemd_logger_t)
domain_use_interactive_fds(systemd_logger_t)
# only needs write
term_use_generic_ptys(systemd_logger_t)
# /run/systemd/notify
init_write_pid_socket(systemd_logger_t)
logging_send_syslog_msg(systemd_logger_t)
########################################
#
# systemd_sysctl domains local policy
#
allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
fs_list_cgroup_dirs(systemctl_domain)
fs_read_cgroup_files(systemctl_domain)
# needed by systemctl
init_dgram_send(systemctl_domain)
init_stream_connect(systemctl_domain)
init_read_state(systemctl_domain)
init_list_pid_dirs(systemctl_domain)
init_use_fds(systemctl_domain)
#######################################
#
# Localed policy
#
allow systemd_localed_t self:process setfscreate;
allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_localed_t self:unix_dgram_socket create_socket_perms;
dev_write_kmsg(systemd_localed_t)
init_dbus_chat(systemd_localed_t)
init_reload_services(systemd_localed_t)
logging_stream_connect_syslog(systemd_localed_t)
logging_send_syslog_msg(systemd_localed_t)
allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
miscfiles_manage_localization(systemd_localed_t)
miscfiles_etc_filetrans_localization(systemd_localed_t)
systemd_read_efivarfs(systemd_localed_t)
userdom_dbus_send_all_users(systemd_localed_t)
xserver_manage_config(systemd_localed_t)
optional_policy(`
dbus_connect_system_bus(systemd_localed_t)
dbus_system_bus_client(systemd_localed_t)
')
#######################################
#
# Hostnamed policy
#
allow systemd_hostnamed_t self:capability sys_admin;
dontaudit systemd_hostnamed_t self:capability sys_ptrace;
allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )
kernel_dgram_send(systemd_hostnamed_t)
kernel_read_xen_state(systemd_hostnamed_t)
kernel_read_sysctl(systemd_hostnamed_t)
dev_write_kmsg(systemd_hostnamed_t)
dev_read_sysfs(systemd_hostnamed_t)
fs_read_xenfs_files(systemd_hostnamed_t)
init_delete_pid_dir_entry(systemd_hostnamed_t)
init_status(systemd_hostnamed_t)
init_stream_connect(systemd_hostnamed_t)
logging_send_syslog_msg(systemd_hostnamed_t)
systemd_read_efivarfs(systemd_hostnamed_t)
userdom_read_all_users_state(systemd_hostnamed_t)
userdom_dbus_send_all_users(systemd_hostnamed_t)
optional_policy(`
dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
dbus_watch_pid_dir_path(systemd_hostnamed_t)
optional_policy(`
init_dbus_chat_script(systemd_hostnamed_t)
')
')
optional_policy(`
udev_read_pid_files(systemd_hostnamed_t)
')
#########################################
#
# Socket-proxyd local policy
#
allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write };
allow systemd_socket_proxyd_t self:tcp_socket accept;
kernel_read_system_state(systemd_socket_proxyd_t)
auth_use_nsswitch(systemd_socket_proxyd_t)
fs_getattr_cgroup(systemd_socket_proxyd_t)
fs_getattr_xattr_fs(systemd_socket_proxyd_t)
sysnet_dns_name_resolve(systemd_socket_proxyd_t)
tunable_policy(`systemd_socket_proxyd_bind_any',`
corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
',`
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
')
tunable_policy(`systemd_socket_proxyd_connect_any',`
corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
',`
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
')
#######################################
#
# rfkill policy
#
allow systemd_rfkill_t self:capability { net_admin sys_admin};
allow systemd_rfkill_t self:capability2 bpf;
allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir, "rfkill")
kernel_dgram_send(systemd_rfkill_t)
kernel_dontaudit_request_load_module(systemd_rfkill_t)
# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
kernel_dontaudit_request_load_module(systemd_rfkill_t)
dev_read_sysfs(systemd_rfkill_t)
dev_rw_wireless(systemd_rfkill_t)
dev_write_kmsg(systemd_rfkill_t)
init_search_var_lib_dirs(systemd_rfkill_t)
logging_dgram_send(systemd_rfkill_t)
systemd_read_efivarfs(systemd_rfkill_t)
optional_policy(`
udev_read_db(systemd_rfkill_t)
')
#######################################
#
# Timedated policy
#
allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search };
allow systemd_timedated_t self:process { getattr getsched setfscreate };
allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
allow systemd_timedated_t systemd_timedated_unit_file_t:service manage_service_perms;
manage_dirs_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t)
manage_files_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t)
manage_sock_files_pattern(systemd_timedated_t, systemd_timedated_var_run_t, systemd_timedated_var_run_t)
init_pid_filetrans(systemd_timedated_t, systemd_timedated_var_run_t, { dir file sock_file })
manage_dirs_pattern(systemd_timedated_t, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
manage_files_pattern(systemd_timedated_t, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
read_lnk_files_pattern(systemd_timedated_t, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
init_var_lib_filetrans(systemd_timedated_t, systemd_timedated_var_lib_t, dir, "timesync")
allow systemd_timedated_t systemd_networkd_var_run_t:dir watch_dir_perms;
list_dirs_pattern(systemd_timedated_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
read_files_pattern(systemd_timedated_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
corecmd_exec_bin(systemd_timedated_t)
corecmd_exec_shell(systemd_timedated_t)
corecmd_dontaudit_access_check_bin(systemd_timedated_t)
corenet_tcp_connect_time_port(systemd_timedated_t)
dev_rw_realtime_clock(systemd_timedated_t)
dev_write_kmsg(systemd_timedated_t)
dev_read_sysfs(systemd_timedated_t)
files_watch_var_run_path(systemd_timedated_t)
fs_getattr_xattr_fs(systemd_timedated_t)
init_dbus_chat(systemd_timedated_t)
init_status(systemd_timedated_t)
init_watch_pid_dir(systemd_timedated_t)
kernel_read_network_state(systemd_timedated_t)
logging_send_syslog_msg(systemd_timedated_t)
miscfiles_manage_localization(systemd_timedated_t)
miscfiles_etc_filetrans_localization(systemd_timedated_t)
systemd_read_efivarfs(systemd_timedated_t)
userdom_read_all_users_state(systemd_timedated_t)
optional_policy(`
chronyd_systemctl(systemd_timedated_t)
')
optional_policy(`
clock_manage_adjtime(systemd_timedated_t)
clock_filetrans_named_content(systemd_timedated_t)
clock_domtrans(systemd_timedated_t)
')
optional_policy(`
consolekit_dbus_chat(systemd_timedated_t)
')
optional_policy(`
consoletype_exec(systemd_timedated_t)
')
optional_policy(`
dbus_system_bus_client(systemd_timedated_t)
dbus_connect_system_bus(systemd_timedated_t)
dbus_read_pid_sock_files(systemd_timedated_t)
dbus_watch_pid_dir_path(systemd_timedated_t)
dbus_watch_pid_sock_files(systemd_timedated_t)
')
optional_policy(`
gnome_manage_usr_config(systemd_timedated_t)
gnome_manage_home_config(systemd_timedated_t)
gnome_manage_home_config_dirs(systemd_timedated_t)
')
optional_policy(`
ntp_domtrans_ntpdate(systemd_timedated_t)
ntp_initrc_domtrans(systemd_timedated_t)
init_dontaudit_getattr_all_script_files(systemd_timedated_t)
init_dontaudit_getattr_exec(systemd_timedated_t)
ntp_systemctl(systemd_timedated_t)
')
optional_policy(`
policykit_domtrans_auth(systemd_timedated_t)
policykit_read_lib(systemd_timedated_t)
policykit_read_reload(systemd_timedated_t)
')
optional_policy(`
xserver_manage_config(systemd_timedated_t)
xserver_read_state_xdm(systemd_timedated_t)
')
########################################
#
# systemd_sysctl domains local policy
#
allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_rawio sys_resource };
allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
kernel_dgram_send(systemd_sysctl_t)
kernel_request_load_module(systemd_sysctl_t)
kernel_rw_all_sysctls(systemd_sysctl_t)
kernel_read_security_state(systemd_sysctl_t)
kernel_write_security_state(systemd_sysctl_t)
files_read_system_conf_files(systemd_sysctl_t)
dev_write_kmsg(systemd_sysctl_t)
domain_use_interactive_fds(systemd_sysctl_t)
init_stream_connect(systemd_sysctl_t)
logging_send_syslog_msg(systemd_sysctl_t)
systemd_read_efivarfs(systemd_sysctl_t)
#######################################
#
# systemd_coredump domains
#
# dac_read_search - to access /proc/<pid>/fd of the dumped process
# sys_ptrace - to read /proc/<pid>/exe of the dumped process
# setgid setuid - to set own credentials to match the dumped process credentials
# setpcap - to drop capabilities
allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_ptrace };
allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace };
# To set its capability set
allow systemd_coredump_t self:process setcap;
allow systemd_coredump_t self:unix_stream_socket connectto;
allow systemd_coredump_t self:user_namespace create;
manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
manage_dirs_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
mmap_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
init_var_lib_filetrans(systemd_coredump_t, systemd_coredump_var_lib_t, dir, "coredump")
kernel_rw_usermodehelper_state(systemd_coredump_t)
dev_write_kmsg(systemd_coredump_t)
# To read info about the crashed process from /proc
domain_read_all_domains_state(systemd_coredump_t)
# To be able to mmap the dumped process' executable file for reading
# (can be basically any file type)
files_read_non_security_files(systemd_coredump_t)
files_map_non_security_files(systemd_coredump_t)
files_mounton_rootfs(systemd_coredump_t)
fs_getattr_nsfs_files(systemd_coredump_t)
optional_policy(`
logging_send_syslog_msg(systemd_coredump_t)
')
#######################################
#
# systemd_hwdb domain
#
manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto};
files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
systemd_read_efivarfs(systemd_hwdb_t)
#######################################
#
# systemd_gpt_generator domain
#
allow systemd_gpt_generator_t self:capability sys_rawio;
dontaudit systemd_gpt_generator_t self:capability sys_admin;
allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
dev_read_sysfs(systemd_gpt_generator_t)
dev_write_kmsg(systemd_gpt_generator_t)
dev_read_rand(systemd_gpt_generator_t)
files_list_boot(systemd_gpt_generator_t)
files_list_home(systemd_gpt_generator_t)
files_list_tmp(systemd_gpt_generator_t)
files_list_usr(systemd_gpt_generator_t)
files_list_var(systemd_gpt_generator_t)
fstools_exec(systemd_gpt_generator_t)
mls_file_read_to_clearance(systemd_gpt_generator_t)
mls_file_write_to_clearance(systemd_gpt_generator_t)
storage_raw_rw_fixed_disk(systemd_gpt_generator_t)
storage_raw_read_removable_device(systemd_gpt_generator_t)
allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
systemd_read_efivarfs(systemd_gpt_generator_t)
systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
systemd_create_unit_file_dirs(systemd_gpt_generator_t)
systemd_create_unit_file_lnk(systemd_gpt_generator_t)
optional_policy(`
udev_read_pid_files(systemd_gpt_generator_t)
')
#######################################
#
# systemd_network_generator domain
#
init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, dir, "network")
sysnet_manage_config(systemd_network_generator_t)
sysnet_manage_config_dirs(systemd_network_generator_t)
#######################################
#
# systemd_resolved domain
#
allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
allow systemd_resolved_t self:process setcap;
allow systemd_resolved_t self:tcp_socket { accept listen };
allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
allow systemd_resolved_t systemd_networkd_var_run_t:dir watch_dir_perms;
kernel_dgram_send(systemd_resolved_t)
kernel_read_net_sysctls(systemd_resolved_t)
kernel_read_network_state(systemd_resolved_t)
auth_read_passwd(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
corenet_tcp_connect_llmnr_port(systemd_resolved_t)
corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_tcp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_howl_port(systemd_resolved_t)
dev_write_kmsg(systemd_resolved_t)
dev_read_sysfs(systemd_resolved_t)
files_watch_root_dirs(systemd_resolved_t)
files_watch_tmpfs_dirs(systemd_resolved_t)
files_watch_var_run_dirs(systemd_resolved_t)
init_watch_pid_dir(systemd_resolved_t)
sysnet_manage_config(systemd_resolved_t)
sysnet_filetrans_systemd_resolved(systemd_resolved_t)
systemd_read_efivarfs(systemd_resolved_t)
userdom_dbus_send_all_users(systemd_resolved_t)
optional_policy(`
dbus_system_bus_client(systemd_resolved_t)
dbus_connect_system_bus(systemd_resolved_t)
dbus_read_pid_files(systemd_resolved_t)
dbus_read_pid_sock_files(systemd_resolved_t)
dbus_watch_pid_dir_path(systemd_resolved_t)
dbus_watch_pid_sock_files(systemd_resolved_t)
systemd_dbus_chat_logind(systemd_resolved_t)
')
optional_policy(`
logging_dgram_send(systemd_resolved_t)
')
optional_policy(`
networkmanager_dbus_chat(systemd_resolved_t)
')
########################################
#
# Common rules for systemd domains
#
allow systemd_domain self:process { setfscreate signal_perms };
allow systemd_domain self:unix_dgram_socket { create_socket_perms sendto };
dontaudit systemd_domain self:capability net_admin;
dev_read_urand(systemd_domain)
fs_search_all(systemd_domain)
fs_getattr_all_fs(systemd_domain)
files_read_etc_files(systemd_domain)
files_read_etc_runtime_files(systemd_domain)
files_read_usr_files(systemd_domain)
init_search_pid_dirs(systemd_domain)
init_start_transient_unit(systemd_domain)
init_stop_transient_unit(systemd_domain)
init_status_transient_unit(systemd_domain)
init_reload_transient_unit(systemd_domain)
init_read_state(systemd_domain)
logging_stream_connect_syslog(systemd_domain)
seutil_read_config(systemd_domain)
seutil_read_file_contexts(systemd_domain)
optional_policy(`
lvm_read_state(systemd_domain)
')
optional_policy(`
policykit_dbus_chat(systemd_domain)
')
read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
#######################################
#
# systemd_modules_load domain
#
allow systemd_modules_load_t self:system module_load;
kernel_dgram_send(systemd_modules_load_t)
kernel_load_unsigned_module(systemd_modules_load_t)
kernel_ib_access_unlabeled_pkeys(systemd_modules_load_t)
kernel_request_load_module(systemd_modules_load_t)
corecmd_exec_bin(systemd_modules_load_t)
corecmd_exec_shell(systemd_modules_load_t)
dev_read_sysfs(systemd_modules_load_t)
dev_write_kmsg(systemd_modules_load_t)
init_read_pid_files(systemd_modules_load_t)
logging_dgram_send(systemd_modules_load_t)
files_map_kernel_modules(systemd_modules_load_t)
files_read_kernel_modules(systemd_modules_load_t)
fs_rw_tracefs_files(systemd_modules_load_t)
modutils_exec_kmod(systemd_modules_load_t)
modutils_read_module_config(systemd_modules_load_t)
modutils_read_module_deps_files(systemd_modules_load_t)
systemd_read_efivarfs(systemd_modules_load_t)
#######################################
#
# systemd_modules_load domain
#
allow systemd_bootchart_t self:capability sys_admin;
allow systemd_bootchart_t self:capability2 wake_alarm;
allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms;
kernel_dgram_send(systemd_bootchart_t)
kernel_rw_kernel_sysctl(systemd_bootchart_t)
dev_list_sysfs(systemd_bootchart_t)
domain_read_all_domains_state(systemd_bootchart_t)
manage_files_pattern(systemd_bootchart_t, systemd_bootchart_var_run_t, systemd_bootchart_var_run_t)
logging_syslogd_pid_filetrans(systemd_bootchart_t, systemd_bootchart_var_run_t, file)
manage_files_pattern(systemd_bootchart_t, systemd_bootchart_tmpfs_t, systemd_bootchart_tmpfs_t)
fs_tmpfs_filetrans(systemd_bootchart_t, systemd_bootchart_tmpfs_t, file )
#######################################
#
# systemd_journal_upload domain
#
manage_files_pattern(systemd_journal_upload_t, systemd_journal_upload_var_lib_t, systemd_journal_upload_var_lib_t)
kernel_dgram_send(systemd_journal_upload_t)
corenet_tcp_connect_journal_remote_port(systemd_journal_upload_t)
init_var_lib_filetrans(systemd_journal_upload_t, systemd_journal_upload_var_lib_t, dir, "journal_upload")
init_read_var_lib_lnk_files(systemd_journal_upload_t)
optional_policy(`
# This actually is for reading journal data
logging_read_syslog_pid(systemd_journal_upload_t)
logging_mmap_journal(systemd_journal_upload_t)
logging_watch_journal_dir(systemd_journal_upload_t)
logging_list_logs(systemd_journal_upload_t)
logging_read_generic_logs(systemd_journal_upload_t)
logging_watch_generic_log_dirs(systemd_journal_upload_t)
')
#######################################
#
# systemd_modules_load domain
#
allow systemd_initctl_t self:unix_dgram_socket create_socket_perms;
kernel_dgram_send(systemd_initctl_t)
init_rw_initctl(systemd_initctl_t)
init_stream_connectto(systemd_initctl_t)
########################################
#
# systemd_importd local policy
#
allow systemd_importd_t self:capability { chown fowner fsetid mknod setpcap sys_admin };
allow systemd_importd_t self:process { setcap setfscreate };
allow systemd_importd_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_importd_t self:unix_dgram_socket create_socket_perms;
allow systemd_importd_t self:tcp_socket create_socket_perms;
allow systemd_importd_t self:udp_socket create_socket_perms;
allow systemd_importd_t self:unix_dgram_socket sendto;
allow systemd_importd_t systemd_importd_exec_t:file execute_no_trans;
manage_dirs_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
manage_files_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
manage_sock_files_pattern(systemd_importd_t, systemd_importd_var_run_t, systemd_importd_var_run_t)
init_pid_filetrans(systemd_importd_t, systemd_importd_var_run_t, dir)
manage_files_pattern(systemd_importd_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
init_named_pid_filetrans(systemd_importd_t, systemd_machined_var_run_t, file, "machines.lock")
manage_dirs_pattern(systemd_importd_t, systemd_importd_tmp_t, systemd_importd_tmp_t)
manage_files_pattern(systemd_importd_t, systemd_importd_tmp_t, systemd_importd_tmp_t)
files_tmp_filetrans(systemd_importd_t, systemd_importd_tmp_t, { dir file })
kernel_dgram_send(systemd_importd_t)
kernel_read_system_state(systemd_importd_t)
auth_read_passwd(systemd_importd_t)
corecmd_exec_bin(systemd_importd_t)
corenet_tcp_connect_http_port(systemd_importd_t)
fs_getattr_xattr_fs(systemd_importd_t)
init_read_state(systemd_importd_t)
logging_send_syslog_msg(systemd_importd_t)
miscfiles_read_certs(systemd_importd_t)
sysnet_read_config(systemd_importd_t)
optional_policy(`
systemd_machined_manage_lib_files(systemd_importd_t)
')
optional_policy(`
dbus_system_bus_client(systemd_importd_t)
dbus_acquire_svc_system_dbusd(systemd_importd_t)
unconfined_dbus_send(systemd_importd_t)
')
optional_policy(`
gpg_exec(systemd_importd_t)
')
########################################
#
# systemd_userdbd local policy
#
allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
init_named_pid_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir, "userdb")
kernel_dgram_send(systemd_userdbd_t)
auth_read_shadow(systemd_userdbd_t)
auth_use_nsswitch(systemd_userdbd_t)
can_exec(systemd_userdbd_t systemd_userdbd_exec_t)
init_stream_connectto(systemd_userdbd_t)
logging_send_syslog_msg(systemd_userdbd_t)
systemd_read_efivarfs(systemd_userdbd_t)
########################################
#
# systemd_sleep local policy
#
allow systemd_sleep_t self:capability sys_resource;
# systemd-sleep needs to set timer for suspend-then-hibernate
allow systemd_sleep_t self:capability2 wake_alarm;
dontaudit systemd_sleep_t self:capability sys_ptrace;
# systemd-sleep needs the permission to change sleep state
allow systemd_sleep_t self:lockdown integrity;
kernel_dgram_send(systemd_sleep_t)
corecmd_exec_bin(systemd_sleep_t)
corecmd_exec_shell(systemd_sleep_t)
dev_create_sysfs_files(systemd_sleep_t)
dev_rw_sysfs(systemd_sleep_t)
dev_write_kmsg(systemd_sleep_t)
fstools_rw_swap_files(systemd_sleep_t)
# systemd-sleep needs to getattr swap partitions
storage_getattr_fixed_disk_dev(systemd_sleep_t)
storage_getattr_removable_dev(systemd_sleep_t)
optional_policy(`
sysstat_domtrans(systemd_sleep_t)
')
optional_policy(`
tlp_domtrans(systemd_sleep_t)
tlp_filetrans_named_content(systemd_sleep_t)
')
optional_policy(`
unconfined_server_domtrans(systemd_sleep_t)
')
Reference in a new issue View git blame Copy permalink