authorChris PeBenito <Christopher.PeBenito@microsoft.com>2019-04-19 11:50:59 -0400
committerJason Zaman <jason@perfinion.com>2019-04-28 18:00:55 +0800
commit21cc848fadf0aab51a7af63066e5130187c96cb4 (patch)
treeaca38e9384bf0346580893c4439489bd3baae85b
parentdevices: Change netcontrol devices to pmqos. (diff)
systemd: Add initial policy for systemd --user.
This is just a start; it does not cover all uses.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>
-rw-r--r--config/appconfig-mcs/default_contexts1
-rw-r--r--config/appconfig-mcs/root_default_contexts1
-rw-r--r--config/appconfig-mcs/staff_u_default_contexts1
-rw-r--r--config/appconfig-mcs/unconfined_u_default_contexts1
-rw-r--r--config/appconfig-mcs/user_u_default_contexts1
-rw-r--r--config/appconfig-mls/default_contexts1
-rw-r--r--config/appconfig-mls/root_default_contexts1
-rw-r--r--config/appconfig-mls/staff_u_default_contexts1
-rw-r--r--config/appconfig-mls/unconfined_u_default_contexts1
-rw-r--r--config/appconfig-mls/user_u_default_contexts1
-rw-r--r--config/appconfig-standard/default_contexts1
-rw-r--r--config/appconfig-standard/root_default_contexts1
-rw-r--r--config/appconfig-standard/staff_u_default_contexts1
-rw-r--r--config/appconfig-standard/unconfined_u_default_contexts1
-rw-r--r--config/appconfig-standard/user_u_default_contexts1
-rw-r--r--policy/modules/system/init.if58
-rw-r--r--policy/modules/system/init.te18
-rw-r--r--policy/modules/system/mount.if18
-rw-r--r--policy/modules/system/systemd.if111
-rw-r--r--policy/modules/system/systemd.te48
-rw-r--r--policy/modules/system/unconfined.if36
-rw-r--r--policy/modules/system/unconfined.te2
-rw-r--r--policy/modules/system/userdomain.if4
23 files changed, 309 insertions, 1 deletions
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
index 6d2e4070a..ee278c546 100644
--- a/config/appconfig-mcs/default_contexts
+++ b/config/appconfig-mcs/default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0 user_r:user_systemd_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0 unconfined_r:unconfined_t:s0
system_r:atd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
index 7805778a2..498b429f5 100644
--- a/config/appconfig-mcs/root_default_contexts
+++ b/config/appconfig-mcs/root_default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:init_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_systemd_t:s0 staff_r:staff_systemd_t:s0 user_r:user_systemd_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index daefcf77d..8f506fa57 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -1,3 +1,4 @@
+system_r:init_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts
index 106e093d8..96c5e13aa 100644
--- a/config/appconfig-mcs/unconfined_u_default_contexts
+++ b/config/appconfig-mcs/unconfined_u_default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
index 56d6071c2..24af20b93 100644
--- a/config/appconfig-mcs/user_u_default_contexts
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,3 +1,4 @@
+system_r:init_t:s0 user_r:user_systemd_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
index 6d2e4070a..ee278c546 100644
--- a/config/appconfig-mls/default_contexts
+++ b/config/appconfig-mls/default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0 user_r:user_systemd_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0 unconfined_r:unconfined_t:s0
system_r:atd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
index 7805778a2..498b429f5 100644
--- a/config/appconfig-mls/root_default_contexts
+++ b/config/appconfig-mls/root_default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:init_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_systemd_t:s0 staff_r:staff_systemd_t:s0 user_r:user_systemd_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index daefcf77d..8f506fa57 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -1,3 +1,4 @@
+system_r:init_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts
index 106e093d8..96c5e13aa 100644
--- a/config/appconfig-mls/unconfined_u_default_contexts
+++ b/config/appconfig-mls/unconfined_u_default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:init_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
index 56d6071c2..24af20b93 100644
--- a/config/appconfig-mls/user_u_default_contexts
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -1,3 +1,4 @@
+system_r:init_t:s0 user_r:user_systemd_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
index fcc65d670..5afa8d2a6 100644
--- a/config/appconfig-standard/default_contexts
+++ b/config/appconfig-standard/default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
+system_r:init_t user_r:user_systemd_t staff_r:staff_systemd_t sysadm_r:sysadm_systemd_t unconfined_r:unconfined_t
system_r:atd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
index f5225686c..60080fb2a 100644
--- a/config/appconfig-standard/root_default_contexts
+++ b/config/appconfig-standard/root_default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
+system_r:init_t unconfined_r:unconfined_t sysadm_r:sysadm_systemd_t staff_r:staff_systemd_t user_r:user_systemd_t
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index 382fe3380..e44544f08 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -1,3 +1,4 @@
+system_r:init_t staff_r:staff_systemd_t sysadm_r:sysadm_systemd_t
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t staff_r:staff_t
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts
index e340b2199..2931e851c 100644
--- a/config/appconfig-standard/unconfined_u_default_contexts
+++ b/config/appconfig-standard/unconfined_u_default_contexts
@@ -1,4 +1,5 @@
system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
+system_r:init_t unconfined_r:unconfined_t
system_r:initrc_t unconfined_r:unconfined_t
system_r:local_login_t unconfined_r:unconfined_t
system_r:remote_login_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
index 63b7eecd1..8b553c4bd 100644
--- a/config/appconfig-standard/user_u_default_contexts
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -1,3 +1,4 @@
+system_r:init_t user_r:user_systemd_t
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d79ae7eec..2a928ca7e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -652,6 +652,44 @@ interface(`init_domtrans',`
########################################
## <summary>
+## Execute init (/sbin/init) with a domain transition
+## to the provided domain.
+## </summary>
+## <desc>
+## Execute init (/sbin/init) with a domain transition
+## to the provided domain. This is used by systemd
+## to execute the systemd user session.
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## New domain.
+## </summary>
+## </param>
+#
+interface(`init_pgm_spec_user_daemon_domain',`
+ gen_require(`
+ type init_t, init_exec_t;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, init_exec_t)
+
+ spec_domtrans_pattern(init_t, init_exec_t, $1)
+
+ allow init_t $1:process { setsched rlimitinh noatsecure };
+
+ ifdef(`init_systemd',`
+ allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ ')
+')
+
+########################################
+## <summary>
## Execute the init program in the caller domain.
## </summary>
## <param name="domain">
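Review bot: The doc block for `init_pgm_spec_user_daemon_domain` declares two `<param name="domain">` entries ("Domain allowed to transition." and "New domain.") although the interface body uses only `$1`, the domain being entered; the first looks copied from a two-argument interface and should be dropped, leaving a single `<param name="domain">` whose summary reads `Domain to transition to.`. The `<desc>` would also benefit from stating that this is a specified transition via `spec_domtrans_pattern`, so init_t must explicitly request it (setexeccon) rather than getting an automatic type_transition, which is why init.te gains `setexec` in this same commit. The `ifdef(`init_systemd',` branch grants `$1` read/write on init_t's unix stream sockets without a comment; one line naming the inherited socket it is for (presumably the notify socket passed to the session manager — confirm) would help the next reader.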
@@ -672,6 +710,26 @@ interface(`init_exec',`
########################################
## <summary>
+## Allow the init program to be an entrypoint
+## for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_pgm_entrypoint',`
+ gen_require(`
+ type init_exec_t;
+ ')
+
+ allow $1 init_exec_t:file entrypoint;
+')
+
+########################################
+## <summary>
## Execute the rc application in the caller domain.
## </summary>
## <desc>
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bd697a57d..b3385fed0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -240,7 +240,8 @@ ifdef(`init_systemd',`
allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
allow init_t systemprocess:unix_dgram_socket create_socket_perms;
- allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
+ # setexec and setkeycreate for systemd --user
+ allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
allow init_t self:capability2 { audit_read block_suspend };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
@@ -315,6 +316,9 @@ ifdef(`init_systemd',`
dev_write_watchdog(init_t)
domain_read_all_domains_state(init_t)
+ # for starting systemd --user in the right domain:
+ domain_subj_id_change_exemption(init_t)
+ domain_role_change_exemption(init_t)
files_read_all_pids(init_t)
files_list_usr(init_t)
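Review bot: `domain_subj_id_change_exemption(init_t)` and `domain_role_change_exemption(init_t)` exempt init_t from the user- and role-change constraints for every transition init_t performs, not only the systemd --user one the comment names, so the set of contexts PID 1 can enter is afterwards bounded only by its `process transition` rules (and the new `setexec` permission granted in the first hunk of this file). The comment should make that scope explicit, e.g. `# for starting systemd --user in the right seuser/role. NOTE: these exemptions apply to every transition init_t makes; the target set is limited only by its process:transition rules.` so a later reviewer does not assume the exemption is scoped to the session-manager path.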
@@ -392,6 +396,8 @@ ifdef(`init_systemd',`
selinux_validate_context(init_t)
selinux_compute_create_context(init_t)
selinux_compute_access_vector(init_t)
+ # for starting systemd --user in the right domain:
+ selinux_compute_user_contexts(init_t)
storage_getattr_removable_dev(init_t)
@@ -437,6 +443,9 @@ ifdef(`init_systemd',`
optional_policy(`
systemd_dbus_chat_logind(init_t)
+ systemd_search_all_user_keys(init_t)
+ systemd_create_all_user_keys(init_t)
+ systemd_write_all_user_keys(init_t)
')
optional_policy(`
@@ -446,6 +455,13 @@ ifdef(`init_systemd',`
optional_policy(`
modutils_domtrans(init_t)
')
+
+ optional_policy(`
+ # for systemd --user:
+ unconfined_search_keys(init_t)
+ unconfined_create_keys(init_t)
+ unconfined_write_keys(init_t)
+ ')
',`
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 935bd8608..2df2f6303 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -186,6 +186,24 @@ interface(`mount_rw_loopback_files',`
########################################
## <summary>
+## List mount runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_list_runtime',`
+ gen_require(`
+ type mount_runtime_t;
+ ')
+
+ allow $1 mount_runtime_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Getattr on mount_var_run_t files
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 6353ca69a..2f782d9d7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1,5 +1,62 @@
## <summary>Systemd components (not PID 1)</summary>
+#########################################
+## <summary>
+## Template for systemd --user per-role domains.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for generated types
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="userdomain">
+## <summary>
+## The user domain for the role.
+## </summary>
+## </param>
+#
+template(`systemd_role_template',`
+ gen_require(`
+ attribute systemd_user_session_type, systemd_log_parse_env_type;
+ type systemd_user_runtime_t, systemd_user_runtime_notify_t;
+ ')
+
+ #################################
+ #
+ # Declarations
+ #
+ type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
+ init_pgm_spec_user_daemon_domain($1_systemd_t)
+ domain_user_exemption_target($1_systemd_t)
+ ubac_constrained($1_systemd_t)
+ role $2 types $1_systemd_t;
+
+ #################################
+ #
+ # Local policy
+ #
+
+ allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
+ allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ # This domain is per-role because of the below transitions.
+ # See the sytemd --user section of systemd.te for the
+ # remainder of the rules.
+ allow $1_systemd_t $3:process { setsched rlimitinh };
+ corecmd_shell_domtrans($1_systemd_t, $3)
+ corecmd_bin_domtrans($1_systemd_t, $3)
+')
+
######################################
## <summary>
## Make the specified type usable as an
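Review bot: The comment above the shell/bin transitions misspells the project name ("sytemd"); it should read `# See the systemd --user section of systemd.te for the`. The template also has no `<desc>`: a sentence noting that the user domain `$3` receives manage and relabel permissions on `systemd_user_runtime_t` and `systemd_user_runtime_notify_t`, and that `$1_systemd_t` may spawn shells and binaries that transition into `$3`, would let role authors see the grants without reading the body. The second reason for the domain being per-role (the `allow $1_systemd_t $3:process { setsched rlimitinh }` line) is worth naming in that comment as well, since the comment currently points only at "the below transitions".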
@@ -905,3 +962,57 @@ interface(`systemd_getattr_updated_runtime',`
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
+
+########################################
+## <summary>
+## Search keys for the all systemd --user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_search_all_user_keys',`
+ gen_require(`
+ attribute systemd_user_session_type;
+ ')
+
+ allow $1 systemd_user_session_type:key search;
+')
+
+########################################
+## <summary>
+## Create keys for the all systemd --user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_create_all_user_keys',`
+ gen_require(`
+ attribute systemd_user_session_type;
+ ')
+
+ allow $1 systemd_user_session_type:key create;
+')
+
+########################################
+## <summary>
+## Write keys for the all systemd --user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_all_user_keys',`
+ gen_require(`
+ attribute systemd_user_session_type;
+ ')
+
+ allow $1 systemd_user_session_type:key write;
+')
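Review bot: The three new summaries read "Search/Create/Write keys for the all systemd --user domains."; the article is misplaced and each should be `## Search keys for all systemd --user domains.` (likewise for the create and write variants at the two following interfaces). Since the grants are attribute-wide (`systemd_user_session_type`), a short `<desc>` on each saying that the permission applies to every per-role session domain at once would make the breadth clear to callers such as init.te, which uses all three for init_t.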
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9241b1ac8..a5ebfdb34 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -22,6 +22,7 @@ gen_tunable(systemd_nspawn_labeled_namespace, false)
attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
+attribute systemd_user_session_type;
type systemd_activate_t;
type systemd_activate_exec_t;
@@ -202,6 +203,12 @@ init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
type systemd_update_run_t;
files_type(systemd_update_run_t)
+type systemd_user_runtime_notify_t;
+userdom_user_runtime_content(systemd_user_runtime_notify_t)
+
+type systemd_user_runtime_t;
+userdom_user_runtime_content(systemd_user_runtime_t)
+
#
# Unit file types
#
@@ -1132,3 +1139,44 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
seutil_read_file_contexts(systemd_update_done_t)
systemd_log_parse_environment(systemd_update_done_t)
+
+#########################################
+#
+# User session (systemd --user) local policy
+#
+
+allow systemd_user_session_type self:capability { dac_read_search sys_resource };
+dontaudit systemd_user_session_type self:capability dac_override;
+allow systemd_user_session_type self:process setfscreate;
+allow systemd_user_session_type self:udp_socket create_socket_perms;
+allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
+allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr setopt };
+
+allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
+userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
+
+allow systemd_user_session_type systemd_user_runtime_notify_t:sock_file create;
+type_transition systemd_user_session_type systemd_user_runtime_t:sock_file systemd_user_runtime_notify_t "notify";
+
+dev_write_sysfs_dirs(systemd_user_session_type)
+dev_read_sysfs(systemd_user_session_type)
+
+files_read_etc_files(systemd_user_session_type)
+files_list_usr(systemd_user_session_type)
+
+fs_getattr_cgroup(systemd_user_session_type)
+fs_rw_cgroup_files(systemd_user_session_type)
+fs_manage_cgroup_dirs(systemd_user_session_type)
+
+init_signal(systemd_user_session_type)
+
+kernel_read_kernel_sysctls(systemd_user_session_type)
+
+mount_list_runtime(systemd_user_session_type)
+
+storage_getattr_fixed_disk_dev(systemd_user_session_type)
+
+# for systemd to read udev status
+udev_read_pid_files(systemd_user_session_type)
+udev_list_pids(systemd_user_session_type)
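Review bot: `dev_write_sysfs_dirs(systemd_user_session_type)` grants write on sysfs directories to every per-user session domain with no comment explaining which path needs it; if the write is only for the cgroup hierarchy, `fs_manage_cgroup_dirs` in the same block already covers that and the sysfs grant could be dropped, otherwise a one-line `# for <path> — TODO confirm` above it is warranted. The `self:capability { dac_read_search sys_resource }` allow and the `dac_override` dontaudit are only effective for a session manager that actually holds capabilities (root's session, mapped to `sysadm_systemd_t` by root_default_contexts in this commit); a comment stating that would stop readers wondering why an unprivileged user session is granted capabilities. The block is otherwise consistent with the runtime types declared in the earlier hunk of this file.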
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index ad34a91c8..0a2f7a860 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -490,6 +490,24 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
+## Search keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_search_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key search;
+')
+
+########################################
+## <summary>
## Create keys for the unconfined domain.
## </summary>
## <param name="domain">
@@ -508,6 +526,24 @@ interface(`unconfined_create_keys',`
########################################
## <summary>
+## Write keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_write_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key write;
+')
+
+########################################
+## <summary>
## Send messages to the unconfined domain over dbus.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index fef0aecfb..29ed02176 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -61,6 +61,8 @@ ifdef(`direct_sysadm_daemon',`
ifdef(`init_systemd',`
# for systemd-analyze
init_service_status(unconfined_t)
+ # for systemd --user:
+ init_pgm_entrypoint(unconfined_t)
optional_policy(`
systemd_dbus_chat_resolved(unconfined_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index da98bde55..363cc14b9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -866,6 +866,10 @@ template(`userdom_common_user_template',`
')
optional_policy(`
+ systemd_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
usernetctl_run($1_t, $1_r)
')