author | 2019-01-04 18:54:22 +1100 | |
---|---|---|
committer | 2019-02-10 12:11:25 +0800 | |
commit | ec798c0736cdc0fff36f86c2cb7acb01e488e781 (patch) | |
tree | 067be4f90916e2ac358f0b7283157c8fc5e82d25 /policy/modules | |
parent | systemd: allow systemd-logind to use getutxent() (diff) | |
systemd misc
This patch has policy changes related to systemd and the systemd versions
of system programs.
It also has some dbus policy which probably isn't strictly a systemd thing, but it
all came in at the same time.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Diffstat (limited to 'policy/modules')
-rw-r--r-- | policy/modules/admin/logrotate.te | 2 | ||||
-rw-r--r-- | policy/modules/services/cron.te | 4 | ||||
-rw-r--r-- | policy/modules/services/networkmanager.te | 3 | ||||
-rw-r--r-- | policy/modules/services/ntp.fc | 2 | ||||
-rw-r--r-- | policy/modules/services/openvpn.te | 4 | ||||
-rw-r--r-- | policy/modules/services/postfix.te | 33 | ||||
-rw-r--r-- | policy/modules/services/ssh.te | 1 | ||||
-rw-r--r-- | policy/modules/services/tor.te | 2 | ||||
-rw-r--r-- | policy/modules/system/systemd.fc | 2 | ||||
-rw-r--r-- | policy/modules/system/systemd.te | 21 |
10 files changed, 69 insertions, 5 deletions
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index ec0c6a110..c4e3b47ab 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;
 #
 allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# systemctl asks for net_admin
+dontaudit logrotate_t self:capability net_admin;
 allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index ab1d35a26..c6edcb61d 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -383,6 +383,10 @@ optional_policy(`
 	')
 	optional_policy(`
+		init_dbus_chat(crond_t)
+	')
+
+	optional_policy(`
 		unconfined_dbus_send(crond_t)
 	')
 ')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 76c9e02c8..0d9485216 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -144,6 +144,8 @@ dev_rw_wireless(NetworkManager_t)
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_all_domains_state(NetworkManager_t)
+# /etc/resolv.conf is a symlink written by NM
+files_manage_etc_symlinks(NetworkManager_t)
 files_read_etc_runtime_files(NetworkManager_t)
 files_read_usr_files(NetworkManager_t)
 files_read_usr_src_files(NetworkManager_t)
@@ -352,6 +354,7 @@ optional_policy(`
 ')
 optional_policy(`
+	systemd_read_logind_pids(NetworkManager_t)
 	systemd_read_logind_sessions_files(NetworkManager_t)
 	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
 ')
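Review bot: The new `init_dbus_chat(crond_t)` opens a bidirectional D-Bus channel between crond and init (systemd) without saying which crond operation needs it, and unlike the logrotate and networkmanager hunks in this commit the line carries no comment. A one-line why-comment above it, `# crond chats with init over dbus — TODO record which operation triggers this`, would let the next maintainer judge whether a send-only rule would suffice instead of chat in both directions. The outer optional_policy block these rules nest in starts outside the hunk.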
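Review bot: `files_manage_etc_symlinks(NetworkManager_t)` lets NetworkManager create, delete and rename every etc_t-labelled symlink under /etc, not only the /etc/resolv.conf link the comment names, so a compromised NM could also redirect other symlinked configuration such as /etc/localtime. If resolv.conf is the only symlink NM writes, the tighter grant is to label that one link with the resolver-config type the file already carries (net_conf_t in refpolicy) via a name-based file transition on the lnk_file class, and to manage only that type; if the sysnet interfaces do not offer such a transition, say so in the comment. At minimum widen the comment so the scope is visible: `# /etc/resolv.conf is a symlink written by NM; note this grants manage on every etc_t symlink, not just resolv.conf`.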
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 38436f38a..c85ac9aaf 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -13,6 +13,7 @@
 /etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+/run/systemd/timesync(/.*)? gen_context(system_u:object_r:ntpd_pid_t,s0)
 /usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -31,6 +32,7 @@
 /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/private/systemd/timesync(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index f282b1fe5..36d786992 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -175,3 +175,7 @@ optional_policy(`
 		networkmanager_dbus_chat(openvpn_t)
 	')
 ')
+
+optional_policy(`
+	systemd_use_passwd_agent(openvpn_t)
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 15b717324..d0a3cd75d 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -347,6 +347,12 @@ optional_policy(`
 ')
 optional_policy(`
+	dbus_send_system_bus(postfix_master_t)
+	dbus_system_bus_client(postfix_master_t)
+	init_dbus_chat(postfix_master_t)
+')
+
+optional_policy(`
 	sendmail_signal(postfix_master_t)
 ')
@@ -376,6 +382,10 @@ optional_policy(`
 	init_dbus_chat(postfix_bounce_t)
 ')
+optional_policy(`
+	dbus_system_bus_client(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy
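Review bot: The new `/var/lib/private/systemd/timesync(/.*)? --` entry carries the `--` regular-file qualifier, so it matches only plain files: the timesync directory itself and any subdirectory do not match and keep whatever label the parent gives them on relabel, while the `(/.*)?` suffix shows the intent is to cover the whole tree. The sibling `/var/lib/ntp(/.*)?` line in this hunk and the `/run/systemd/timesync(/.*)?` line in the first hunk both omit the qualifier for exactly this reason. Drop it: `/var/lib/private/systemd/timesync(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)`.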
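Review bot: The three new rules give postfix_master_t a full system-bus client role plus a bidirectional channel with init, but neither the hunk nor the commit message says what master does over D-Bus, and the same uncommented trio reappears for the cleanup, qmgr and smtp domains later in this file. Because `init_dbus_chat` also lets init send messages into the domain, a why-comment above the block would help a later reviewer decide whether that direction, or `dbus_send_system_bus` alongside `dbus_system_bus_client` (the two appear to overlap), is actually needed: `# postfix master talks to systemd over the system bus — TODO record the triggering operation`. The master local-policy section starts outside the hunk.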
@@ -420,6 +430,12 @@ optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')
+optional_policy(`
+	dbus_send_system_bus(postfix_cleanup_t)
+	dbus_system_bus_client(postfix_cleanup_t)
+	init_dbus_chat(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Local local policy
@@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
 mcs_file_read_all(postfix_pickup_t)
 mcs_file_write_all(postfix_pickup_t)
+optional_policy(`
+	dbus_system_bus_client(postfix_pickup_t)
+	init_dbus_chat(postfix_pickup_t)
+')
+
 ########################################
 #
 # Pipe local policy
@@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 corecmd_exec_bin(postfix_qmgr_t)
+optional_policy(`
+	dbus_send_system_bus(postfix_qmgr_t)
+	dbus_system_bus_client(postfix_qmgr_t)
+	init_dbus_chat(postfix_qmgr_t)
+')
+
 ########################################
 #
 # Showq local policy
@@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)
 mta_map_aliases(postfix_smtpd_t)
 optional_policy(`
+	dbus_send_system_bus(postfix_smtp_t)
+	dbus_system_bus_client(postfix_smtp_t)
+	init_dbus_chat(postfix_smtp_t)
+')
+
+optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
 	dovecot_stream_connect(postfix_smtpd_t)
 ')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index ad39c0737..98b74671f 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -278,6 +278,7 @@ ifdef(`distro_debian',`
 ')
 ifdef(`init_systemd',`
+	init_dbus_chat(sshd_t)
 	systemd_dbus_chat_logind(sshd_t)
 	init_rw_stream_sockets(sshd_t)
 ')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 75cf041c6..731a83c4a 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
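Review bot: The block added in the `@@ -786` hunk grants D-Bus and init-chat rules to `postfix_smtp_t`, yet it sits between `mta_map_aliases(postfix_smtpd_t)` and the dovecot rules for `postfix_smtpd_t`, i.e. inside the smtpd section, whereas the equivalent blocks for master, cleanup, pickup and qmgr each sit in their own domain's section. Either the block belongs in the smtp delivery section, or `postfix_smtpd_t` was the intended domain and the three lines target the wrong one; check which domain produced the denials and move or rename the block accordingly. The surrounding section starts outside the hunk.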
@@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)
 files_read_usr_files(tor_t)
 fs_search_tmpfs(tor_t)
+# for log symlink on a tmpfs filesystem systemd creates for it
+fs_read_tmpfs_symlinks(tor_t)
 auth_use_nsswitch(tor_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 277c7fc46..91939d12d 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -48,6 +48,8 @@
 /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0cc8be936..abf328376 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+mcs_killall(systemd_nspawn_t)
 type systemd_nspawn_var_run_t;
 files_pid_file(systemd_nspawn_var_run_t)
@@ -236,6 +237,7 @@ fs_register_binary_executable_type(systemd_binfmt_t)
 #
 dev_read_sysfs(systemd_gpt_generator_t)
+files_list_usr(systemd_gpt_generator_t)
 files_read_etc_files(systemd_gpt_generator_t)
 fs_getattr_xattr_fs(systemd_gpt_generator_t)
 storage_raw_read_fixed_disk(systemd_gpt_generator_t)
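Review bot: `mcs_killall(systemd_nspawn_t)` is an MCS constraint override that lets nspawn signal processes regardless of their category set, a considerably broader grant than the declarations around it, and it is placed among the `type` declarations rather than in the Nspawn local policy section where the domain's other rules live (the `allow systemd_nspawn_t self:process { ... sigkill }` line in a later hunk of this file). Move it next to that rule and state the reason, hedged until confirmed: `# nspawn must signal container processes that run at other MCS categories — confirm`. The declaration block continues outside the hunk.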
@@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Logind local policy
 #
-allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -672,8 +674,8 @@ miscfiles_read_localization(systemd_notify_t)
 # Nspawn local policy
 #
-allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
-allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
@@ -685,9 +687,11 @@ allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
-files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
+files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
 allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
+# for /tmp/.#inaccessible*
+allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
@@ -721,6 +725,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)
 files_mounton_mnt(systemd_nspawn_t)
 files_mounton_root(systemd_nspawn_t)
 files_mounton_tmp(systemd_nspawn_t)
+files_read_kernel_symbol_table(systemd_nspawn_t)
 files_setattr_pid_dirs(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
@@ -752,6 +757,7 @@ sysnet_manage_config(systemd_nspawn_t)
 userdom_manage_user_home_dirs(systemd_nspawn_t)
 tunable_policy(`systemd_nspawn_labeled_namespace',`
+	corecmd_exec_bin(systemd_nspawn_t)
 	corecmd_exec_shell(systemd_nspawn_t)
 	dev_mounton(systemd_nspawn_t)
@@ -777,6 +783,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 	fs_write_cgroup_files(systemd_nspawn_t)
 	selinux_getattr_fs(systemd_nspawn_t)
+	selinux_remount_fs(systemd_nspawn_t)
 	selinux_search_fs(systemd_nspawn_t)
 	init_domtrans(systemd_nspawn_t)
@@ -846,6 +853,7 @@ miscfiles_read_localization(systemd_passwd_agent_t)
 seutil_search_default_contexts(systemd_passwd_agent_t)
+userdom_use_user_ttys(systemd_passwd_agent_t)
 userdom_use_user_ptys(systemd_passwd_agent_t)
 optional_policy(`
@@ -927,7 +935,7 @@ systemd_log_parse_environment(systemd_sessions_t)
 # Tmpfiles local policy
 #
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
+allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
@@ -943,9 +951,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+kernel_getattr_proc(systemd_tmpfiles_t)
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
+dev_getattr_fs(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
@@ -961,6 +971,7 @@ files_manage_var_dirs(systemd_tmpfiles_t)
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
 files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
+files_read_etc_runtime_files(systemd_tmpfiles_t)
 files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t) |