[refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files

Krzysztof Nowicki krzysztof.a.nowicki at gmail.com
Thu May 18 19:31:09 UTC 2017


From: Krzysztof Nowicki <krissn at op.pl>

Reuse the label already used for dynamically created configuration.
---
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/systemd.fc  | 6 ++++++
 policy/modules/system/systemd.if  | 4 ++--
 policy/modules/system/systemd.te  | 1 +
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1f7bdcd..625129f 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -118,7 +118,7 @@ ifdef(`init_systemd',`
 	# for /run/tmpfiles.d/kmod.conf
 	allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
 	# kmod needs to create /run/tmpdiles.d
-	systemd_tmpfiles_creator(kmod_t)
+	systemd_tmpfiles_config_creator(kmod_t)
 
 	init_rw_stream_sockets(kmod_t)
 ')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 57944e1..8bff2fa 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -37,10 +37,16 @@
 /usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
+# Systemd tmpfiles configuration
+/usr/lib/tmpfiles.d(/.*)?		gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
+# Systemd tmpfiles configuration factory
+/usr/share/factory(/.*)?		gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
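Review bot: Labeling /usr/lib/tmpfiles.d and /usr/share/factory with systemd_tmpfiles_conf_t, the same type that kmod_t is allowed to create under /run/tmpfiles.d through systemd_tmpfiles_config_creator, means every domain granted that interface also receives whatever directory permissions it carries on the static vendor trees; the interface body is outside this patch, so it cannot be confirmed here that it is limited to the /run filetrans. If it grants more than creation under /run, a distinct type for the read-only trees would keep runtime-generated and shipped configuration apart. The comment on the second entry is also misleading, since /usr/share/factory holds files that systemd-tmpfiles copies or links into place rather than tmpfiles configuration; `# Source tree copied into place by systemd-tmpfiles` describes what is labeled.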
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de..4359d74 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
 ##	</summary>
 ## </param>
 #
-	interface(`systemd_tmpfiles_conf_file',`
+interface(`systemd_tmpfiles_conf_file',`
 	gen_require(`
 		attribute systemd_tmpfiles_conf_type;
 	')
@@ -418,7 +418,7 @@ interface(`systemd_start_power_units',`
 ##	</summary>
 ## </param>
 #
-interface(`systemd_tmpfiles_creator',`
+interface(`systemd_tmpfiles_config_creator',`
 	gen_require(`
 		type systemd_tmpfiles_conf_t;
 	')
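Review bot: Renaming the public interface removes systemd_tmpfiles_creator without a compatibility wrapper, so any policy outside this patch that still calls the old name stops building; modutils.te is the only caller updated here and other callers are not visible. Keeping the old name as a deprecated wrapper that emits a refpolicywarn and then calls `systemd_tmpfiles_config_creator($1)`, following the usual refpolicy deprecation pattern, avoids that break. The interface's summary and param documentation starts above the hunk and its body continues below it, so check that the summary still describes the renamed interface.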
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index eb70c77..4535182 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
 allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
 
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
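Review bot: Reading the newly labeled /usr/share/factory tree with only file read_file_perms and dir list_dir_perms will fail as soon as the tree contains a symlink, since nothing grants lnk_file access on systemd_tmpfiles_conf_t; if symlinks are expected there, add `allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:lnk_file read_lnk_file_perms;` beside the new rule. The line that follows already grants read_file_perms on the systemd_tmpfiles_conf_type attribute; whether systemd_tmpfiles_conf_t itself carries that attribute is declared outside the hunk, and if it does the added rule is a duplicate and can be dropped.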
-- 
2.10.2


