Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/system/systemd.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/system/systemd.te')
-rw-r--r--policy/modules/system/systemd.te108
1 files changed, 93 insertions, 15 deletions
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d9da70e9..f5af4ce4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.12)
+policy_module(systemd, 1.3.13)
#########################################
#
@@ -199,14 +199,22 @@ fs_register_binary_executable_type(systemd_binfmt_t)
# Cgroups local policy
#
+allow systemd_cgroups_t self:capability net_admin;
+
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
kernel_dgram_send(systemd_cgroups_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_cgroups_t)
selinux_getattr_fs(systemd_cgroups_t)
# write to /run/systemd/cgroups-agent
init_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)
+# for /proc/1/environ
+init_read_state(systemd_cgroups_t)
+
+seutil_libselinux_linked(systemd_cgroups_t)
systemd_log_parse_environment(systemd_cgroups_t)
@@ -255,6 +263,8 @@ seutil_search_default_contexts(systemd_coredump_t)
kernel_read_kernel_sysctls(systemd_hostnamed_t)
+dev_read_sysfs(systemd_hostnamed_t)
+
files_read_etc_files(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
@@ -262,8 +272,12 @@ seutil_read_file_contexts(systemd_hostnamed_t)
systemd_log_parse_environment(systemd_hostnamed_t)
optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_system_bus_client(systemd_hostnamed_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(systemd_hostnamed_t)
')
#######################################
@@ -307,8 +321,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
# Logind local policy
#
-allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
-allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
@@ -318,51 +332,115 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-files_search_pids(systemd_logind_t)
+allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
-kernel_read_kernel_sysctls(systemd_logind_t)
+allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
-auth_manage_faillog(systemd_logind_t)
+kernel_read_kernel_sysctls(systemd_logind_t)
-dev_rw_sysfs(systemd_logind_t)
-dev_rw_input_dev(systemd_logind_t)
dev_getattr_dri_dev(systemd_logind_t)
-dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_kvm_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
+dev_manage_wireless(systemd_logind_t)
+dev_read_urand(systemd_logind_t)
+dev_rw_dri(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
+domain_obj_id_change_exemption(systemd_logind_t)
+
files_read_etc_files(systemd_logind_t)
+files_search_pids(systemd_logind_t)
+fs_getattr_cgroup(systemd_logind_t)
+fs_getattr_tmpfs(systemd_logind_t)
+fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
+fs_mount_tmpfs(systemd_logind_t)
+fs_read_cgroup_files(systemd_logind_t)
fs_read_efivarfs_files(systemd_logind_t)
+fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
-fs_getattr_tmpfs(systemd_logind_t)
+selinux_get_enforce_mode(systemd_logind_t)
storage_getattr_removable_dev(systemd_logind_t)
-storage_setattr_removable_dev(systemd_logind_t)
storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
storage_setattr_scsi_generic_dev(systemd_logind_t)
+term_setattr_unallocated_ttys(systemd_logind_t)
term_use_unallocated_ttys(systemd_logind_t)
+auth_manage_faillog(systemd_logind_t)
+
+init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
+init_get_system_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+init_service_status(systemd_logind_t)
init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
-init_service_status(systemd_logind_t)
-init_service_start(systemd_logind_t)
+init_start_system(systemd_logind_t)
+init_stop_system(systemd_logind_t)
locallogin_read_state(systemd_logind_t)
+seutil_libselinux_linked(systemd_logind_t)
+seutil_read_default_contexts(systemd_logind_t)
+seutil_read_file_contexts(systemd_logind_t)
+
systemd_log_parse_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)
+udev_list_pids(systemd_logind_t)
udev_read_db(systemd_logind_t)
udev_read_pid_files(systemd_logind_t)
+userdom_manage_user_runtime_dirs(systemd_logind_t)
+userdom_manage_user_runtime_root_dirs(systemd_logind_t)
+userdom_mounton_user_runtime_dirs(systemd_logind_t)
+userdom_read_all_users_state(systemd_logind_t)
+userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
+userdom_relabel_user_tmpfs_files(systemd_logind_t)
+userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+userdom_setattr_user_ttys(systemd_logind_t)
+userdom_delete_user_runtime_files(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
optional_policy(`
- dbus_system_bus_client(systemd_logind_t)
dbus_connect_system_bus(systemd_logind_t)
+ dbus_system_bus_client(systemd_logind_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(systemd_logind_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+ xserver_read_state(systemd_logind_t)
+ xserver_dbus_chat(systemd_logind_t)
+ xserver_dbus_chat_xdm(systemd_logind_t)
+ xserver_read_xdm_state(systemd_logind_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(systemd_logind_t)
')
#########################################