diff options
| author |   Kenton Groombridge <concord@gentoo.org> | 2024-01-12 14:45:35 -0500 |
|---|---|---|
| committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:04:38 -0500 |
| commit | fb32c0b7fa826f6d436994df85cc9af4469e1936 (patch) | |
| tree | 01b968a35f1e17993c5fde40fcf4d8701a890200 | |
| parent | init, systemd: allow systemd-pcrphase to write TPM measurements (diff) | |
| download | hardened-refpolicy-fb32c0b7fa826f6d436994df85cc9af4469e1936.tar.gz hardened-refpolicy-fb32c0b7fa826f6d436994df85cc9af4469e1936.tar.bz2 hardened-refpolicy-fb32c0b7fa826f6d436994df85cc9af4469e1936.zip | |
systemd: add policy for systemd-machine-id-setup
systemd-machine-id-setup's role is to commit the host's machine id
to /etc/machine-id. The behavior of this process has changed slightly,
whereby a tmpfs is temporarily created on top of /etc/machine-id during
boot which is then read by systemd-machine-id-setup and written directly
to the underlying file.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/system/systemd.fc | 1 | ||||
| -rw-r--r-- | policy/modules/system/systemd.te | 28 |
2 files changed, 29 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index db3bd88f..4ea34fe2 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -8,6 +8,7 @@ /usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) /usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) /usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hw_exec_t,s0) +/usr/bin/systemd-machine-id-setup -- gen_context(system_u:object_r:systemd_machine_id_setup_exec_t,s0) /usr/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0) /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0) /usr/bin/systemd-sysusers -- gen_context(system_u:object_r:systemd_sysusers_exec_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index d24aa3a8..4bce8fbb 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -197,6 +197,10 @@ type systemd_machined_runtime_t alias systemd_machined_var_run_t; files_runtime_file(systemd_machined_runtime_t) init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines") +type systemd_machine_id_setup_t; +type systemd_machine_id_setup_exec_t; +init_system_domain(systemd_machine_id_setup_t, systemd_machine_id_setup_exec_t) + type systemd_modules_load_t; type systemd_modules_load_exec_t; init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t) @@ -1137,6 +1141,30 @@ optional_policy(` ') ') +######################################### +# +# machine-id-setup local policy +# + +allow systemd_machine_id_setup_t self:capability { setgid sys_admin sys_chroot }; + +files_list_var(systemd_machine_id_setup_t) +files_mounton_root(systemd_machine_id_setup_t) +files_rw_etc_runtime_files(systemd_machine_id_setup_t) + +fs_getattr_cgroup(systemd_machine_id_setup_t) +fs_search_cgroup_dirs(systemd_machine_id_setup_t) +fs_getattr_tmpfs(systemd_machine_id_setup_t) +fs_read_nsfs_files(systemd_machine_id_setup_t) +fs_unmount_tmpfs(systemd_machine_id_setup_t) + +kernel_dontaudit_getattr_proc(systemd_machine_id_setup_t) +kernel_read_kernel_sysctls(systemd_machine_id_setup_t) +kernel_read_system_state(systemd_machine_id_setup_t) + +init_read_runtime_files(systemd_machine_id_setup_t) +init_read_state(systemd_machine_id_setup_t) + ######################################## # # modules-load local policy |