another version of systemd cgroups hostnamed and logind

From Russell Coker

11 files changed, 267 insertions, 20 deletions

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 28984607..c5af9342 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',`
 
 ########################################
 ## <summary>
+##	manage the wireless device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_wireless',`
+	gen_require(`
+		type device_t, wireless_device_t;
+	')
+
+	manage_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write Xen devices.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 571abc30..e15c26c3 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.4)
+policy_module(devices, 1.20.5)
 
 ########################################
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 0affdae2..bba3e389 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4271,6 +4271,24 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
 
 ########################################
 ## <summary>
+##      Relabel from tmpfs_t dir
+## </summary>
+## <param name="type">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
 ##     Relabel directory on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 597bf615..3194b0e0 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.4)
+policy_module(filesystem, 1.22.5)
 
 ########################################
 #
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 7af0ab6a..060adbfa 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1331,6 +1331,25 @@ interface(`xserver_kill',`
 
 ########################################
 ## <summary>
+##      Allow reading xserver_t files to get cgroup and sessionid
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_read_state',`
+	gen_require(`
+		type xserver_t;
+	')
+
+	allow $1 xserver_t:dir search;
+	allow $1 xserver_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write X server Sys V Shared
 ##	memory segments.
 ## </summary>
@@ -1427,6 +1446,25 @@ interface(`xserver_read_tmp_files',`
 
 ########################################
 ## <summary>
+##      talk to xserver_t by dbus
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_dbus_chat',`
+	gen_require(`
+		type xserver_t;
+	')
+
+	allow $1 xserver_t:dbus send_msg;
+	allow xserver_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
 ##      virtual core keyboard and virtual core pointer devices.
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 513915c7..9bfbafcb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.3)
+policy_module(xserver, 3.13.4)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d9da70e9..f5af4ce4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.12)
+policy_module(systemd, 1.3.13)
 
 #########################################
 #
@@ -199,14 +199,22 @@ fs_register_binary_executable_type(systemd_binfmt_t)
 # Cgroups local policy
 #
 
+allow systemd_cgroups_t self:capability net_admin;
+
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
 kernel_dgram_send(systemd_cgroups_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_cgroups_t)
 
 selinux_getattr_fs(systemd_cgroups_t)
 
 # write to /run/systemd/cgroups-agent
 init_dgram_send(systemd_cgroups_t)
 init_stream_connect(systemd_cgroups_t)
+# for /proc/1/environ
+init_read_state(systemd_cgroups_t)
+
+seutil_libselinux_linked(systemd_cgroups_t)
 
 systemd_log_parse_environment(systemd_cgroups_t)
 
@@ -255,6 +263,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
 
+dev_read_sysfs(systemd_hostnamed_t)
+
 files_read_etc_files(systemd_hostnamed_t)
 
 seutil_read_file_contexts(systemd_hostnamed_t)
@@ -262,8 +272,12 @@ seutil_read_file_contexts(systemd_hostnamed_t)
 systemd_log_parse_environment(systemd_hostnamed_t)
 
 optional_policy(`
-	dbus_system_bus_client(systemd_hostnamed_t)
 	dbus_connect_system_bus(systemd_hostnamed_t)
+	dbus_system_bus_client(systemd_hostnamed_t)
+')
+
+optional_policy(`
+	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
 #######################################
@@ -307,8 +321,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
-allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
@@ -318,51 +332,115 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-files_search_pids(systemd_logind_t)
+allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
 
-kernel_read_kernel_sysctls(systemd_logind_t)
+allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
 
-auth_manage_faillog(systemd_logind_t)
+kernel_read_kernel_sysctls(systemd_logind_t)
 
-dev_rw_sysfs(systemd_logind_t)
-dev_rw_input_dev(systemd_logind_t)
 dev_getattr_dri_dev(systemd_logind_t)
-dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_kvm_dev(systemd_logind_t)
 dev_getattr_sound_dev(systemd_logind_t)
+dev_manage_wireless(systemd_logind_t)
+dev_read_urand(systemd_logind_t)
+dev_rw_dri(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
 dev_setattr_sound_dev(systemd_logind_t)
 
+domain_obj_id_change_exemption(systemd_logind_t)
+
 files_read_etc_files(systemd_logind_t)
+files_search_pids(systemd_logind_t)
 
+fs_getattr_cgroup(systemd_logind_t)
+fs_getattr_tmpfs(systemd_logind_t)
+fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
+fs_mount_tmpfs(systemd_logind_t)
+fs_read_cgroup_files(systemd_logind_t)
 fs_read_efivarfs_files(systemd_logind_t)
+fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
 
-fs_getattr_tmpfs(systemd_logind_t)
+selinux_get_enforce_mode(systemd_logind_t)
 
 storage_getattr_removable_dev(systemd_logind_t)
-storage_setattr_removable_dev(systemd_logind_t)
 storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
 storage_setattr_scsi_generic_dev(systemd_logind_t)
 
+term_setattr_unallocated_ttys(systemd_logind_t)
 term_use_unallocated_ttys(systemd_logind_t)
 
+auth_manage_faillog(systemd_logind_t)
+
+init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
+init_get_system_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+init_service_status(systemd_logind_t)
 init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
-init_service_status(systemd_logind_t)
-init_service_start(systemd_logind_t)
+init_start_system(systemd_logind_t)
+init_stop_system(systemd_logind_t)
 
 locallogin_read_state(systemd_logind_t)
 
+seutil_libselinux_linked(systemd_logind_t)
+seutil_read_default_contexts(systemd_logind_t)
+seutil_read_file_contexts(systemd_logind_t)
+
 systemd_log_parse_environment(systemd_logind_t)
 systemd_start_power_units(systemd_logind_t)
 
+udev_list_pids(systemd_logind_t)
 udev_read_db(systemd_logind_t)
 udev_read_pid_files(systemd_logind_t)
 
+userdom_manage_user_runtime_dirs(systemd_logind_t)
+userdom_manage_user_runtime_root_dirs(systemd_logind_t)
+userdom_mounton_user_runtime_dirs(systemd_logind_t)
+userdom_read_all_users_state(systemd_logind_t)
+userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
+userdom_relabel_user_tmpfs_files(systemd_logind_t)
+userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+userdom_setattr_user_ttys(systemd_logind_t)
+userdom_delete_user_runtime_files(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
 
 optional_policy(`
-	dbus_system_bus_client(systemd_logind_t)
 	dbus_connect_system_bus(systemd_logind_t)
+	dbus_system_bus_client(systemd_logind_t)
+')
+
+optional_policy(`
+	devicekit_dbus_chat_power(systemd_logind_t)
+')
+
+optional_policy(`
+	networkmanager_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+	xserver_read_state(systemd_logind_t)
+	xserver_dbus_chat(systemd_logind_t)
+	xserver_dbus_chat_xdm(systemd_logind_t)
+	xserver_read_xdm_state(systemd_logind_t)
+')
+
+optional_policy(`
+	unconfined_dbus_send(systemd_logind_t)
 ')
 
 #########################################
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 847b65bf..bee6898b 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -354,6 +354,25 @@ interface(`udev_search_pids',`
 
 ########################################
 ## <summary>
+##      list udev pid content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`udev_list_pids',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev run directories
 ## </summary>
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6db42d84..18b0e29c 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.4)
+policy_module(udev, 1.21.5)
 
 ########################################
 #
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9c527285..61065118 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2849,6 +2849,45 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
+##	relabel to/from user tmpfs dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabel_user_tmpfs_dirs',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom };
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+##	relabel to/from user tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabel_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	allow $1 user_tmpfs_t:dir list_dir_perms;
+	allow $1 user_tmpfs_t:file { relabelto relabelfrom };
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
 ##	Search users runtime directories.
 ## </summary>
 ## <param name="domain">
@@ -2964,6 +3003,43 @@ interface(`userdom_relabelto_user_runtime_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel from user runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabelfrom_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
+##	delete user runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_files',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir list_dir_perms;
+	allow $1 user_runtime_t:file unlink;
+')
+
+########################################
+## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to
 ##	the user runtime root type.
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 67f26632..cf58bd27 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.4)
+policy_module(userdomain, 4.13.5)
 
 ########################################
 #