diff options
| author |   Kenton Groombridge <me@concord.sh> | 2023-03-06 13:18:41 -0500 |
|---|---|---|
| committer |   Kenton Groombridge <concord@gentoo.org> | 2023-03-31 13:11:32 -0400 |
| commit | 70226d790395660a9e086b8c0eeec28acf2c7e3b (patch) | |
| tree | 9d0c074c323f9512778809d7e3ca08e0c2fcfbd7 | |
| parent | logging: allow systemd-journald to list cgroups (diff) | |
| download | hardened-refpolicy-70226d79.tar.gz hardened-refpolicy-70226d79.tar.bz2 hardened-refpolicy-70226d79.zip | |
fs, udev: allow systemd-udevd various cgroup perms
Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/kernel/filesystem.if | 40 | ||||
| -rw-r--r-- | policy/modules/system/udev.te | 6 |
2 files changed, 44 insertions, 2 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index af2023e6..a1282cf4 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',` interface(`fs_search_cgroup_dirs',` gen_require(` type cgroup_t; - ') search_dirs_pattern($1, cgroup_t, cgroup_t) @@ -845,6 +844,25 @@ interface(`fs_ioctl_cgroup_dirs', ` ######################################## ## <summary> +## Create cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_create_cgroup_dirs',` + gen_require(` + type cgroup_t; + ') + + create_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + +######################################## +## <summary> ## Delete cgroup directories. ## </summary> ## <param name="domain"> @@ -943,6 +961,26 @@ interface(`fs_read_cgroup_files',` ######################################## ## <summary> +## Create cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_create_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + create_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + +######################################## +## <summary> ## Watch cgroup files. ## </summary> ## <param name="domain"> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 56cfa2fb..2fae8835 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -261,7 +261,11 @@ ifdef(`distro_redhat',` ifdef(`init_systemd',` files_search_kernel_modules(udev_t) - fs_read_cgroup_files(udev_t) + # systemd-udev creates cgroup files under + # /sys/fs/cgroup/system.slice/systemd-udevd.service/udev + fs_create_cgroup_dirs(udev_t) + fs_create_cgroup_files(udev_t) + fs_rw_cgroup_files(udev_t) init_dgram_send(udev_t) init_get_generic_units_status(udev_t) |