From 6da16a33990aff459cfa6b98595eaeb52e666422 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Oct 08 2010 15:53:09 +0000
Subject: Parts of systemd are now doing readahead and tmpreaper functionality
systemd relabeles tmpfs_t to cgroup_t
Other systemd fixes
---
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
index 7077413..70edcd6 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
@@ -1,3 +1,5 @@
 /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
 /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
 /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
index 81077db..8208e86 100644
--- a/policy/modules/admin/tmpreaper.fc
+++ b/policy/modules/admin/tmpreaper.fc
@@ -1,2 +1,3 @@
 /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 50cd538..c59c3cd 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
 type tmpreaper_t;
 type tmpreaper_exec_t;
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
 application_domain(tmpreaper_t, tmpreaper_exec_t)
 role system_r types tmpreaper_t;
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 51d47a0..c0e1d3a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
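Review bot: Labeling /lib/systemd/systemd-tmpfiles as tmpreaper_exec_t puts a tool that, as far as I recall, also creates directories, files and symlinks and sets their owner, mode and label into a domain written for tmpwatch-style deletion, and nothing in this commit widens tmpreaper_t beyond the init transition added in tmpreaper.te. Unless those rules already exist elsewhere in the module, expect create/setattr/relabel denials on tmp_t, var_run_t and whatever else tmpfiles.d entries point at. Either give systemd-tmpfiles its own domain or record the decision next to this line, e.g. `# systemd-tmpfiles also creates and labels files; tmpreaper_t must allow that`.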
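Review bot: The new `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` already expands to `application_domain()` plus `role system_r types` and the init_t domain transition, if I recall refpolicy's init.if correctly, so the `application_domain(tmpreaper_t, tmpreaper_exec_t)` and `role system_r types tmpreaper_t;` lines that follow are now redundant and should be dropped. The init_t transition also makes tmpreaper_t reachable at every boot rather than only from cron, which deserves a comment above the call, e.g. `# systemd-tmpfiles is started by init at boot, not only from cron`.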
@@ -652,6 +652,25 @@ interface(`fs_search_cgroup_dirs',`
 ########################################
 ##
+## Relabelto cgroup directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_relabelto_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
 ## list cgroup directories.
 ##
 ##
@@ -4143,6 +4162,24 @@ interface(`fs_dontaudit_read_tmpfs_blk_dev',`
 ########################################
 ##
+## Relabelfrom directory on tmpfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_relabelfrom_tmpfs_dir',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+##
 ## Relabel character nodes on tmpfs filesystems.
 ##
 ##
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e90e509..740a352 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -160,6 +160,7 @@ domain_read_all_domains_state(init_t)
 files_read_etc_files(init_t)
 files_read_all_pids(init_t)
+files_read_system_conf_files(init_t)
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
@@ -233,6 +234,8 @@ tunable_policy(`init_systemd',`
 kernel_list_unlabeled(init_t)
 kernel_read_network_state(init_t)
+ kernel_rw_kernel_sysctls(init_t)
+ kernel_read_all_sysctls(init_t)
 kernel_unmount_debugfs(init_t)
 dev_write_kmsg(init_t)
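Review bot: The `gen_require` block of `fs_relabelto_cgroup_dirs` carries a stray blank line between `type cgroup_t;` and `')`, which the sibling `fs_relabelfrom_tmpfs_dir` added in this same commit and the neighbouring cgroup interfaces do not have; drop it so the two new interfaces read alike. The summary could also say what the interface is for, since relabelto on a genfs-labelled type is unusual, e.g. `## Relabelto cgroup directories (used by init to convert tmpfs mount points into cgroup_t).`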
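Review bot: `fs_relabelfrom_tmpfs_dir` is singular while every neighbouring interface and the `fs_relabelto_cgroup_dirs` added by this same commit use the plural `_dirs` form (`fs_manage_tmpfs_dirs`, `fs_search_cgroup_dirs`, `fs_relabel_tmpfs_chr_dev` aside). Rename it to `fs_relabelfrom_tmpfs_dirs` now, before callers accumulate; the only caller this commit introduces is the init.te line `fs_relabelfrom_tmpfs_dir(init_t)`, which would change with it.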
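Review bot: `files_read_system_conf_files(init_t)` is added in the unconditional part of init.te, so init_t under sysvinit gains read access to system_conf_t as well, even though the commit is about systemd. If the read is for systemd applying /etc/sysctl.conf and similar files, it belongs inside `tunable_policy(`init_systemd',` next to the sysctl rules in the following hunk; if it really is needed by both inits, a one-line comment saying which file init reads would justify the placement, e.g. `# read /etc/sysctl.conf and friends`.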
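Review bot: `kernel_rw_kernel_sysctls(init_t)` grants write access to all of sysctl_kernel_t, i.e. everything under /proc/sys/kernel including keys such as modprobe, hotplug and core_pattern that name programs the kernel will run; init_t is already highly privileged, but a blanket write here should at least be documented with the reason. If the writer is systemd-sysctl applying /etc/sysctl.conf (my guess, not visible in the hunk), say so above the two lines, e.g. `# systemd-sysctl applies /etc/sysctl.conf from init_t`, and consider whether that step deserves its own domain rather than widening init_t. The enclosing `tunable_policy(`init_systemd',` block starts and ends outside this hunk.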
@@ -246,14 +249,17 @@ tunable_policy(`init_systemd',`
 files_mounton_all_mountpoints(init_t)
 files_manage_all_pids_dirs(init_t)
+ files_manage_urandom_seed(initrc_t)
 fs_manage_cgroup_dirs(init_t)
 fs_manage_hugetlbfs_dirs(init_t)
 fs_manage_tmpfs_dirs(init_t)
+ fs_relabelfrom_tmpfs_dir(init_t)
 fs_mount_all_fs(init_t)
 fs_list_auto_mountpoints(init_t)
 fs_read_cgroup_files(init_t)
 fs_write_cgroup_files(init_t)
+ fs_relabelto_cgroup_dirs(init_t)
 fs_search_cgroup_dirs(daemon)
 selinux_compute_create_context(init_t)
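Review bot: `files_manage_urandom_seed(initrc_t)` is the only line in this hunk whose subject is initrc_t; every other rule inside the `init_systemd` tunable targets init_t, so this looks like a typo for `files_manage_urandom_seed(init_t)`, and as written it silently widens initrc_t whenever the tunable is on. If initrc_t really is intended, move the line out of this block and add a comment stating why. The two new relabel rules together let init_t convert any tmpfs_t directory into cgroup_t, which matches the commit message but is worth a comment such as `# systemd relabels the tmpfs under /cgroup to cgroup_t`. The enclosing `tunable_policy(`init_systemd',` block starts before this hunk and ends after it, and the hunk's trailing blank context lines appear to have been lost in extraction.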