diff options
| author |   Chris PeBenito <Christopher.PeBenito@microsoft.com> | 2022-03-09 20:49:54 +0000 |
|---|---|---|
| committer |   Jason Zaman <perfinion@gentoo.org> | 2022-09-03 11:41:55 -0700 |
| commit | 77fd3a4362ee2b2b379c2de77d2a2c1e34509dcb (patch) | |
| tree | 9facf8972fa93d79ad54d8ab057aa088f8cc1b3f | |
| parent | application: Allow apps to use init fds. (diff) | |
| download | hardened-refpolicy-77fd3a4362ee2b2b379c2de77d2a2c1e34509dcb.tar.gz hardened-refpolicy-77fd3a4362ee2b2b379c2de77d2a2c1e34509dcb.tar.bz2 hardened-refpolicy-77fd3a4362ee2b2b379c2de77d2a2c1e34509dcb.zip | |
systemd: Misc updates.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
| -rw-r--r-- | policy/modules/system/init.te | 2 | ||||
| -rw-r--r-- | policy/modules/system/systemd.te | 11 |
2 files changed, 9 insertions, 4 deletions
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a93eefed..285ee5b4 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1058,7 +1058,7 @@ ifdef(`enable_mls',` ') ifdef(`init_systemd',` - allow initrc_t init_t:system { start status reboot halt reload }; + allow initrc_t init_t:system { start stop status reboot halt reload }; manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) files_lock_filetrans(initrc_t, initrc_lock_t, file) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 59888d36..3d853c4c 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -518,6 +518,7 @@ kernel_dontaudit_getattr_proc(systemd_generator_t) kernel_dontaudit_search_unlabeled(systemd_generator_t) storage_raw_read_fixed_disk(systemd_generator_t) +storage_raw_read_removable_device(systemd_generator_t) systemd_log_parse_environment(systemd_generator_t) @@ -665,6 +666,7 @@ udev_read_runtime_files(systemd_homework_t) # allow systemd_hostnamed_t self:capability sys_admin; +allow systemd_hostnamed_t self:process setfscreate; fs_getattr_cgroup(systemd_hostnamed_t) fs_getattr_xattr_fs(systemd_hostnamed_t) @@ -676,6 +678,8 @@ dev_read_sysfs(systemd_hostnamed_t) files_read_etc_files(systemd_hostnamed_t) +fs_getattr_all_fs(systemd_hostnamed_t) + selinux_use_status_page(systemd_hostnamed_t) seutil_read_file_contexts(systemd_hostnamed_t) @@ -1418,8 +1422,8 @@ systemd_log_parse_environment(systemd_rfkill_t) allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid }; allow systemd_resolved_t self:process { getcap setcap setfscreate signal }; - -allow systemd_resolved_t self:tcp_socket { accept listen }; +allow systemd_resolved_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_resolved_t self:tcp_socket create_stream_socket_perms; allow systemd_resolved_t systemd_networkd_runtime_t:dir watch; @@ -1555,7 +1559,7 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto; files_manage_etc_files(systemd_sysusers_t) fs_getattr_all_fs(systemd_sysusers_t) -fs_search_cgroup_dirs(systemd_sysusers_t) +fs_search_all(systemd_sysusers_t) kernel_read_kernel_sysctls(systemd_sysusers_t) @@ -1824,6 +1828,7 @@ seutil_libselinux_linked(systemd_user_session_type) allow systemd_userdbd_t self:capability dac_read_search; allow systemd_userdbd_t self:process signal; +allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms; stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t) |