commit: d92bdf260887935367802afbbaf25d399c020cd5
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 14:16:59 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:52:47 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26
Implement core systemd policy.
Significant contributions from the Tresys CLIP team.
Other changes from Laurent Bigonville.
policy/modules/kernel/corecommands.fc | 2 +
policy/modules/kernel/domain.te | 6 +
policy/modules/kernel/files.if | 172 ++++++++++
policy/modules/kernel/filesystem.if | 73 ++++
policy/modules/kernel/kernel.if | 60 +++-
policy/modules/kernel/terminal.if | 19 ++
policy/modules/system/authlogin.if | 19 ++
policy/modules/system/init.fc | 4 +
policy/modules/system/init.if | 608 +++++++++++++++++++++++++++++++++-
policy/modules/system/init.te | 176 +++++++++-
policy/modules/system/locallogin.if | 21 ++
policy/modules/system/logging.if | 38 +++
policy/modules/system/lvm.if | 20 ++
policy/modules/system/systemd.fc | 39 +++
policy/modules/system/systemd.if | 195 +++++++++++
policy/modules/system/systemd.te | 264 +++++++++++++++
policy/modules/system/udev.if | 19 ++
17 files changed, 1711 insertions(+), 24 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc
b/policy/modules/kernel/corecommands.fc
index f465e43..b4e192a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh --
gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/systemd/system-generators(/.*)?
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 --
gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 451a1be..6c3ef60 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
dontaudit domain self:udp_socket listen;
')
+ifdef(`init_systemd',`
+ optional_policy(`
+ shutdown_sigchld(domain)
+ ')
+')
+
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index dd16f74..cbb8afe 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
########################################
## <summary>
+## Relabel from/to non-security directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
## Get the attributes of all files.
## </summary>
## <param name="domain">
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
## <summary>
+## Create, read, write, and delete all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+## Relabel from/to all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_files_pattern($1, non_security_file_type,
non_security_file_type)
+')
+
+########################################
+## <summary>
## Read all files.
## </summary>
## <param name="domain">
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
+## Mount on the root directory (/)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_root',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
@@ -4398,6 +4472,24 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
+## Mount filesystems in the tmp directory (/tmp)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
@@ -5678,6 +5770,25 @@ interface(`files_list_locks',`
########################################
## <summary>
+## Add entries in the /var/lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_add_entry_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ add_entry_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Add and remove entries in the /var/lock
## directories.
## </summary>
@@ -5871,6 +5982,29 @@ interface(`files_manage_all_locks',`
########################################
## <summary>
+## Relabel from/to all lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ relabel_dirs_pattern($1, lockfile, lockfile)
+ relabel_files_pattern($1, lockfile, lockfile)
+ relabel_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
## Create an object in the locks directory, with a private
## type using a type transition.
## </summary>
@@ -6300,6 +6434,44 @@ interface(`files_manage_all_pids',`
########################################
## <summary>
+## Relabel to/from all var_run (pid) directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain alloed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+## Relabel to/from all var_run (pid) files and directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain alloed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+ relabel_files_pattern($1, pidfile, pidfile)
+ relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
## Mount filesystems on all polyinstantiation
## member directories.
## </summary>
diff --git a/policy/modules/kernel/filesystem.if
b/policy/modules/kernel/filesystem.if
index 4ddef7c..0db8233 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -767,6 +767,24 @@ interface(`fs_manage_cgroup_dirs',`
########################################
## <summary>
+## Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
## Read cgroup files.
## </summary>
## <param name="domain">
@@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',`
')
read_files_pattern($1, cgroup_t, cgroup_t)
+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
dev_search_sysfs($1)
')
@@ -3341,6 +3360,25 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
+## Getattr on pstore dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_pstore_dirs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ getattr_files_pattern($1, pstore_t, pstore_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
@@ -4113,6 +4151,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
########################################
## <summary>
+## Relabel directory on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
## Create an object in a tmpfs filesystem, with a private
## type using a type transition.
## </summary>
@@ -4241,6 +4296,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
+## Relabel files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
## Read tmpfs link files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index faa19d7..df42fa3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -8,6 +8,27 @@
########################################
## <summary>
+## Allows the kernel to start userland processes
+## by dynamic transitions to the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type entered by the kernel.
+## </summary>
+## </param>
+#
+interface(`kernel_dyntrans_to',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ domain_dyntrans_type(kernel_t)
+ allow kernel_t self:process setcurrent;
+ allow kernel_t $1:process dyntransition;
+')
+
+########################################
+## <summary>
## Allows to start userland processes
## by transitioning to the specified domain.
## </summary>
@@ -254,6 +275,25 @@ interface(`kernel_rw_pipes',`
########################################
## <summary>
+## Read/write to kernel using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_stream_sockets',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
## Connect to kernel using a unix
## domain stream socket.
## </summary>
@@ -273,7 +313,25 @@ interface(`kernel_stream_connect',`
########################################
## <summary>
-## Read and write kernel unix datagram sockets.
+## Getattr on kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_dgram_sockets',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+## Read and write kernel unix datagram sockets. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/kernel/terminal.if
b/policy/modules/kernel/terminal.if
index cbb729b..2e6a376 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -519,6 +519,25 @@ interface(`term_dontaudit_manage_pty_dirs',`
########################################
## <summary>
+## Relabel from and to pty directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of generic pty devices.
## </summary>
diff --git a/policy/modules/system/authlogin.if
b/policy/modules/system/authlogin.if
index 6aac59c..7bb4ecb 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -773,6 +773,25 @@ interface(`auth_rw_faillog',`
allow $1 faillog_t:file rw_file_perms;
')
+########################################
+## <summary>
+## Manage the login failure logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_faillog',`
+ gen_require(`
+ type faillog_t;
+ ')
+
+ allow $1 faillog_t:file manage_file_perms;
+ logging_rw_generic_log_dirs($1)
+')
+
#######################################
## <summary>
## Read the last logins log.
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 02ec851..b4bdf65 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -45,6 +45,10 @@ ifdef(`distro_gentoo', `
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/system-preset(/.*)?
gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/user-preset(/.*)?
gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/ntp-units\.d -d
gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 211d434..192508f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -44,6 +44,26 @@ interface(`init_script_file',`
########################################
## <summary>
+## Make the specified type usable for
+## systemd unit files.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for systemd unit files.
+## </summary>
+## </param>
+#
+interface(`init_unit_file',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ files_type($1)
+ typeattribute $1 systemdunit;
+')
+
+########################################
+## <summary>
## Create a domain used for init scripts.
## </summary>
## <desc>
@@ -108,6 +128,10 @@ interface(`init_domain',`
role system_r types $1;
domtrans_pattern(init_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ ')
')
########################################
@@ -212,6 +236,12 @@ interface(`init_daemon_domain',`
userdom_dontaudit_use_user_terminals($1)
')
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ # this may be because of late labelling
+ kernel_dgram_send($1)
+ ')
+
optional_policy(`
nscd_use($1)
')
@@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',`
type initrc_t;
')
- init_daemon_domain($1, $2)
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_daemon_domain($1, $2)
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
')
+')
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
- mls_rangetrans_target($1)
+#########################################
+## <summary>
+## Abstract socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+#
+interface(`init_abstract_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ ')
+')
+
+#########################################
+## <summary>
+## Named socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+## <param name="sock_file">
+## <summary>
+## The domain socket file type.
+## </summary>
+## </param>
+#
+interface(`init_named_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_dgram_socket create_socket_perms;
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $2:dir manage_dir_perms;
+ allow init_t $2:fifo_file manage_fifo_file_perms;
+ allow init_t $2:sock_file manage_sock_file_perms;
')
')
@@ -324,6 +407,10 @@ interface(`init_system_domain',`
role system_r types $1;
domtrans_pattern(initrc_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ ')
')
########################################
@@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',`
type initrc_t;
')
- init_system_domain($1, $2)
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_system_domain($1, $2)
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
- ')
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
- mls_rangetrans_target($1)
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
')
')
@@ -579,10 +670,11 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
- type init_t;
+ type init_t, init_var_run_t;
')
- allow $1 init_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
')
########################################
@@ -664,6 +756,45 @@ interface(`init_dontaudit_use_fds',`
########################################
## <summary>
+## Send messages to init unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dgram_send',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write to
+## init with unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
## Send UDP network traffic to init. (Deprecated)
## </summary>
## <param name="domain">
@@ -678,6 +809,276 @@ interface(`init_udp_send',`
########################################
## <summary>
+## Get all service status (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_system_status',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+## Enable all systemd services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_enable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system enable;
+')
+
+########################################
+## <summary>
+## Disable all services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_disable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system disable;
+')
+
+########################################
+## <summary>
+## Reload all services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reload;
+')
+
+########################################
+## <summary>
+## Reboot the system (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reboot_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+## Shutdown (halt) the system (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_shutdown_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+## Allow specified domain to get init status
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_status',`
+ gen_require(`
+ type init_t;
+ class service status;
+ ')
+
+ allow $1 init_t:service status;
+')
+
+########################################
+## <summary>
+## Allow specified domain to get init start
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_start',`
+ gen_require(`
+ type init_t;
+ class service start;
+ ')
+
+ allow $1 init_t:service start;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 init_t:dbus send_msg;
+ allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Manage files in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_manage_var_lib_files',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create files in /var/lib/systemd
+## with an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="type">
+## <summary>
+## The type of object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_var_lib_filetrans',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create files in an init PID directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
## Get the attributes of initctl.
## </summary>
## <param name="domain">
@@ -1976,3 +2377,180 @@ interface(`init_script_readable_type',`
typeattribute $1 init_script_readable;
')
+
+######################################
+## <summary>
+## Search systemd unit dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_units',`
+ gen_require(`
+ type init_var_run_t, systemd_unit_t;
+ ')
+
+ search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+ # Units are in /etc/systemd/system, /usr/lib/systemd/system and
/run/systemd
+ files_search_etc($1)
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Get status of generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_generic_units_status',`
+ gen_require(`
+ type systemd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_unit_t:service status;
+')
+
+########################################
+## <summary>
+## Start generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_start_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service start;
+ ')
+
+ allow $1 systemd_unit_t:service start;
+')
+
+########################################
+## <summary>
+## Stop generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service stop;
+ ')
+
+ allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+## <summary>
+## Reload generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service reload;
+ ')
+
+ allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+## <summary>
+## Get status of all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_all_units_status',`
+ gen_require(`
+ attribute systemdunit;
+ class service status;
+ ')
+
+ allow $1 systemdunit:service status;
+')
+
+########################################
+## <summary>
+## Start all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_start_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service start;
+ ')
+
+ allow $1 systemdunit:service start;
+')
+
+########################################
+## <summary>
+## Stop all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service stop;
+ ')
+
+ allow $1 systemdunit:service stop;
+')
+
+#######################################
+## <summary>
+## Reload all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service reload;
+ ')
+
+ allow $1 systemdunit:service reload;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 95db0d0..d5d7b10 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -19,6 +19,7 @@ gen_tunable(init_upstart, false)
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
+attribute systemdunit;
# Mark process types as daemons
attribute daemon;
@@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type,
init_run_all_scripts_domain;
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
+init_named_socket_activation(initrc_t, init_var_run_t)
role system_r types initrc_t;
# should be part of the true block
# of the below init_upstart tunable
@@ -74,6 +76,9 @@ type initrc_devpts_t;
term_pty(initrc_devpts_t)
files_type(initrc_devpts_t)
+type initrc_lock_t;
+files_lock_file(initrc_lock_t)
+
type initrc_state_t;
files_type(initrc_state_t)
@@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t)
type initrc_var_run_t;
files_pid_file(initrc_var_run_t)
+type systemd_unit_t;
+init_unit_file(systemd_unit_t)
+
ifdef(`distro_gentoo',`
type rc_exec_t;
domain_entry_file(initrc_t, rc_exec_t)
@@ -182,6 +190,115 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
+ifdef(`init_systemd',`
+ # handle instances where an old labeled init script is encountered.
+ typeattribute init_t init_run_all_scripts_domain;
+
+ allow init_t self:process { getcap getsched setsched setpgid
setfscreate setsockcreate setcap setrlimit };
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow init_t self:netlink_route_socket create_netlink_socket_perms;
+ allow init_t self:netlink_selinux_socket create_socket_perms;
+
+ manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
+ manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
+ manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
+ manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
+
+ manage_files_pattern(init_t, systemd_unit_t, systemdunit)
+
+ manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
+ manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
+ allow init_t systemd_unit_t:dir relabel_dir_perms;
+
+ kernel_dyntrans_to(init_t)
+ kernel_read_network_state(init_t)
+ kernel_read_kernel_sysctls(init_t)
+ kernel_read_vm_sysctls(init_t)
+ kernel_dgram_send(init_t)
+ kernel_stream_connect(init_t)
+ kernel_getattr_proc(init_t)
+ kernel_read_fs_sysctls(init_t)
+
+ dev_rw_autofs(init_t)
+ dev_create_generic_dirs(init_t)
+ dev_relabel_all_dev_nodes(init_t)
+ dev_read_urand(init_t)
+ dev_write_kmsg(init_t)
+
+ domain_read_all_domains_state(init_t)
+
+ files_read_all_pids(init_t)
+ files_list_usr(init_t)
+ files_list_var(init_t)
+ files_list_var_lib(init_t)
+ files_relabel_all_lock_dirs(init_t)
+ files_mounton_root(init_t)
+ files_search_pids(init_t)
+ files_relabel_all_pids(init_t)
+ files_read_all_locks(init_t)
+ files_search_kernel_modules(init_t)
+ # for privatetmp functions
+ files_manage_generic_tmp_dirs(init_t)
+ files_mounton_tmp(init_t)
+
+ fs_manage_cgroup_dirs(init_t)
+ fs_relabel_cgroup_dirs(init_t)
+ fs_rw_cgroup_files(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_mount_autofs(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_getattr_tmpfs(init_t)
+ fs_read_tmpfs_files(init_t)
+ fs_read_cgroup_files(init_t)
+ fs_dontaudit_getattr_xattr_fs(init_t)
+ # for privatetmp functions
+ fs_relabel_tmpfs_dirs(init_t)
+ fs_relabel_tmpfs_files(init_t)
+ # mount-setup
+ fs_unmount_autofs(init_t)
+ fs_getattr_pstore_dirs(init_t)
+
+ # systemd_socket_activated policy
+ mls_socket_write_all_levels(init_t)
+
+ selinux_compute_create_context(init_t)
+ selinux_compute_access_vector(init_t)
+
+ term_relabel_pty_dirs(init_t)
+
+ clock_read_adjtime(init_t)
+
+ logging_manage_pid_sockets(init_t)
+ logging_send_audit_msgs(init_t)
+ logging_relabelto_devlog_sock_files(init_t)
+
+ seutil_read_file_contexts(init_t)
+
+ systemd_relabelto_kmod_files(init_t)
+ systemd_dbus_chat_logind(init_t)
+
+ # udevd is a "systemd kobject uevent socket activated daemon"
+ udev_create_kobject_uevent_sockets(init_t)
+
+ optional_policy(`
+ dbus_system_bus_client(init_t)
+ dbus_connect_system_bus(init_t)
+ ')
+
+ optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ ')
+',`
+ tunable_policy(`init_upstart',`
+ corecmd_shell_domtrans(init_t, initrc_t)
+ ',`
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
+ sysadm_shell_domtrans(init_t)
+ ')
+')
+
ifdef(`distro_debian',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
@@ -201,14 +318,6 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
-tunable_policy(`init_upstart',`
- corecmd_shell_domtrans(init_t, initrc_t)
-',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
- sysadm_shell_domtrans(init_t)
-')
-
optional_policy(`
auth_rw_login_records(init_t)
')
@@ -609,6 +718,57 @@ ifdef(`distro_suse',`
')
')
+ifdef(`init_systemd',`
+ manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
+ files_lock_filetrans(initrc_t, initrc_lock_t, file)
+
+ manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
+
+ manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+ manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+ manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+ files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
+
+ create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+
+ manage_files_pattern(initrc_t, systemdunit, systemdunit)
+ manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+
+ kernel_dgram_send(initrc_t)
+
+ # run systemd misc initializations
+ # in the initrc_t domain, as would be
+ # done in traditional sysvinit/upstart.
+ corecmd_bin_entry_type(initrc_t)
+ corecmd_shell_entry_type(initrc_t)
+ corecmd_bin_domtrans(init_t, initrc_t)
+ corecmd_shell_domtrans(init_t, initrc_t)
+
+ files_read_boot_files(initrc_t)
+ files_setattr_pid_dirs(initrc_t)
+
+ selinux_set_enforce_mode(initrc_t)
+
+ init_stream_connect(initrc_t)
+ init_manage_var_lib_files(initrc_t)
+ init_rw_stream_sockets(initrc_t)
+ init_get_all_units_status(initrc_t)
+ init_stop_all_units(initrc_t)
+
+ # Create /etc/audit.rules.prev after firstboot remediation
+ logging_manage_audit_config(initrc_t)
+
+ # lvm2-activation-generator checks file labels
+ seutil_read_file_contexts(initrc_t)
+
+ systemd_start_power_units(initrc_t)
+
+ optional_policy(`
+ # create /var/lock/lvm/
+ lvm_create_lock_dirs(initrc_t)
+ ')
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
diff --git a/policy/modules/system/locallogin.if
b/policy/modules/system/locallogin.if
index 0e3c2a9..4305a86 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -24,6 +24,27 @@ interface(`locallogin_domtrans',`
########################################
## <summary>
+## Allow calling domain to read locallogin state.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed permission.
+## </summary>
+## </param>
+#
+interface(`locallogin_read_state',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 local_login_t:file read_file_perms;
+ allow $1 local_login_t:lnk_file read_lnk_file_perms;
+ allow $1 local_login_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Allow processes to inherit local login file descriptors.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9fa0f5d..6a279f3 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -553,6 +553,25 @@ interface(`logging_send_syslog_msg',`
########################################
## <summary>
+## Allow domain to relabelto devlog sock_files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabelto_devlog_sock_files',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ allow $1 devlog_t:sock_file relabelto_sock_file_perms;
+')
+
+########################################
+## <summary>
## Read the auditd configuration files.
## </summary>
## <param name="domain">
@@ -631,6 +650,25 @@ interface(`logging_delete_devlog_socket',`
########################################
## <summary>
+## Create, read, write, and delete syslog PID sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_manage_pid_sockets',`
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
+
+ manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 86b223c..6561474 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -105,6 +105,26 @@ interface(`lvm_manage_config',`
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
')
+########################################
+## <summary>
+## Create lvm_lock_t directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_create_lock_dirs',`
+ gen_require(`
+ type lvm_lock_t;
+ ')
+
+ create_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
+ files_add_entry_lock_dirs($1)
+')
+
######################################
## <summary>
## Execute a domain transition to run clvmd.
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 0000000..864979d
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,39 @@
+/bin/systemd-analyze --
gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
+/bin/systemd-cgtop --
gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
+/bin/systemd-coredump --
gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/bin/systemd-detect-virt --
gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
+/bin/systemd-nspawn --
gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
+/bin/systemd-run --
gen_context(system_u:object_r:systemd_run_exec_t,s0)
+/bin/systemd-stdio-bridge --
gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
+/bin/systemd-tmpfiles --
gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/bin/systemd-tty-ask-password-agent --
gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+/usr/lib/systemd/systemd-activate --
gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+/usr/lib/systemd/systemd-backlight --
gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+/usr/lib/systemd/systemd-binfmt --
gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
+/usr/lib/systemd/systemd-cgroups-agent --
gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
+/usr/lib/systemd/systemd-coredump --
gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-hostnamed --
gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
+/usr/lib/systemd/systemd-localed --
gen_context(system_u:object_r:systemd_locale_exec_t,s0)
+/usr/lib/systemd/systemd-logind --
gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-machined --
gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*halt.* --
gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*hibernate.* --
gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*power.* --
gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*reboot.* --
gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*shutdown.* --
gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*sleep.* --
gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*suspend.* --
gen_context(system_u:object_r:power_unit_t,s0)
+
+/var/lib/systemd/linger(/.*)?
gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+
+/var/run/\.nologin[^/]* --
gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/var/run/nologin --
gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+
+/var/run/systemd/seats(/.*)?
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)?
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/users(/.*)?
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/inhibit(/.*)?
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/tmpfiles\.d/kmod.conf
gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..8bca3a3
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,195 @@
+## <summary>Systemd components (not PID 1)</summary>
+
+######################################
+## <summary>
+## Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_logind_pids',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, systemd_logind_var_run_t,
systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+## Manage systemd_login PID pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_logind_pid_pipes',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_fifo_files_pattern($1, systemd_logind_var_run_t,
systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+## Use inherited systemd
+## logind file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_use_logind_fds',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd logind over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_logind_t:dbus send_msg;
+ allow systemd_logind_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow process to write to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_write_kmod_files',`
+ gen_require(`
+ type systemd_kmod_conf_t;
+ ')
+
+ write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
+')
+
+########################################
+## <summary>
+## Allow process to relabel to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_relabelto_kmod_files',`
+ gen_require(`
+ type systemd_kmod_conf_t;
+ ')
+
+ allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
+## Read systemd homedir content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_home_content',`
+ gen_require(`
+ type systemd_home_t;
+ ')
+
+ optional_policy(`
+ gnome_search_gconf_data_dir($1)
+ ')
+ read_files_pattern($1, systemd_home_t, systemd_home_t)
+ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
+')
+
+########################################
+## <summary>
+## Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_status_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ class service status;
+ ')
+
+ allow $1 systemd_logind_t:service status;
+')
+
+########################################
+## <summary>
+## Send systemd_login a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_signull_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow specified domain to start power units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_start_power_units',`
+ gen_require(`
+ type power_unit_t;
+ class service start;
+ ')
+
+ allow $1 power_unit_t:service start;
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..597d4aa
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,264 @@
+policy_module(systemd, 1.0.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfiles_manage_all, false)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_analyze_t;
+type systemd_analyze_exec_t;
+init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_cgroups_t;
+type systemd_cgroups_exec_t;
+domain_type(systemd_cgroups_t)
+domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
+role system_r types systemd_cgroups_t;
+
+type systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_var_run_t)
+init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+
+type systemd_cgtop_t;
+type systemd_cgtop_exec_t;
+init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_detect_virt_t;
+type systemd_detect_virt_exec_t;
+init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
+type systemd_hostnamed_t;
+type systemd_hostnamed_exec_t;
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
+
+type systemd_locale_t;
+type systemd_locale_exec_t;
+init_system_domain(systemd_locale_t, systemd_locale_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+
+type systemd_logind_var_lib_t;
+files_type(systemd_logind_var_lib_t)
+
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_nspawn_t;
+type systemd_nspawn_exec_t;
+init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+
+type systemd_run_t;
+type systemd_run_exec_t;
+init_daemon_domain(systemd_run_t, systemd_run_exec_t)
+
+type systemd_stdio_bridge_t;
+type systemd_stdio_bridge_exec_t;
+init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_sessions_t;
+type systemd_sessions_exec_t;
+init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+type systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_var_run_t)
+init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+type systemd_kmod_conf_t;
+files_config_file(systemd_kmod_conf_t)
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+#
+# Unit file types
+#
+
+type power_unit_t;
+init_unit_file(power_unit_t)
+
+######################################
+#
+# Cgroups local policy
+#
+
+kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+
+init_stream_connect(systemd_cgroups_t)
+
+logging_send_syslog_msg(systemd_cgroups_t)
+
+kernel_dgram_send(systemd_cgroups_t)
+
+#######################################
+#
+# locale local policy
+#
+
+files_read_etc_files(systemd_locale_t)
+
+logging_send_syslog_msg(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_locale_t)
+ dbus_system_bus_client(systemd_locale_t)
+')
+
+#######################################
+#
+# Hostnamed policy
+#
+
+files_read_etc_files(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
+#########################################
+#
+# Logind local policy
+#
+
+allow systemd_logind_t self:capability { fowner sys_tty_config chown
dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
+
+allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t,
systemd_logind_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t,
systemd_logind_var_run_t)
+files_search_pids(systemd_logind_t)
+
+auth_manage_faillog(systemd_logind_t)
+
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_tmpfs(systemd_logind_t)
+
+storage_getattr_removable_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+init_get_all_units_status(systemd_logind_t)
+init_start_all_units(systemd_logind_t)
+init_stop_all_units(systemd_logind_t)
+init_service_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+# This is for reading /proc/1/cgroup
+init_read_state(systemd_logind_t)
+
+locallogin_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+systemd_start_power_units(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_read_pid_files(systemd_logind_t)
+
+userdom_use_user_ttys(systemd_logind_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_logind_t)
+ dbus_connect_system_bus(systemd_logind_t)
+')
+
+#########################################
+#
+# Sessions local policy
+#
+
+allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+
+logging_send_syslog_msg(systemd_sessions_t)
+
+#########################################
+#
+# Tmpfiles local policy
+#
+
+allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override
mknod };
+allow systemd_tmpfiles_t self:process { setfscreate getcap };
+
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+tunable_policy(`systemd_tmpfiles_manage_all',`
+ # systemd-tmpfiles can be configured to manage anything.
+ # have a last-resort option for users to do this.
+ files_manage_non_security_dirs(systemd_tmpfiles_t)
+ files_manage_non_security_files(systemd_tmpfiles_t)
+ files_relabel_non_security_dirs(systemd_tmpfiles_t)
+ files_relabel_non_security_files(systemd_tmpfiles_t)
+')
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 06175a7..d4c92cc 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -92,6 +92,25 @@ interface(`udev_read_state',`
allow $1 udev_t:lnk_file read_lnk_file_perms;
')
+
+########################################
+## <summary>
+## Allow domain to create uevent sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_sockets',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to inherit a
