[selinux-policy/f14/master: 3224/3230] Parts of systemd are now doing readahead and tmpreaper functionality systemd relabeles tmpfs_t to cg

Daniel J Walsh dwalsh at fedoraproject.org
Tue Oct 12 20:17:43 UTC 2010 

commit 6da16a33990aff459cfa6b98595eaeb52e666422
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Oct 8 11:53:09 2010 -0400

    Parts of systemd are now doing readahead and tmpreaper functionality
    systemd relabeles tmpfs_t to cgroup_t
    Other systemd fixes

 policy/modules/admin/readahead.fc   |    2 +
 policy/modules/admin/tmpreaper.fc   |    1 +
 policy/modules/admin/tmpreaper.te   |    1 +
 policy/modules/kernel/filesystem.if |   37 +++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te       |    6 +++++
 5 files changed, 47 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
index 7077413..70edcd6 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
@@ -1,3 +1,5 @@
 /usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 /sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
+/lib/systemd/systemd-readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
+
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
index 81077db..8208e86 100644
--- a/policy/modules/admin/tmpreaper.fc
+++ b/policy/modules/admin/tmpreaper.fc
@@ -1,2 +1,3 @@
 /usr/sbin/tmpreaper		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 /usr/sbin/tmpwatch		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/lib/systemd/systemd-tmpfiles	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 50cd538..c59c3cd 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
 
 type tmpreaper_t;
 type tmpreaper_exec_t;
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
 application_domain(tmpreaper_t, tmpreaper_exec_t)
 role system_r types tmpreaper_t;
 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 51d47a0..c0e1d3a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -652,6 +652,25 @@ interface(`fs_search_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##	Relabelto cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelto_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
 ##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
@@ -4143,6 +4162,24 @@ interface(`fs_dontaudit_read_tmpfs_blk_dev',`
 
 ########################################
 ## <summary>
+##	Relabelfrom directory  on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_dir',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e90e509..740a352 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -160,6 +160,7 @@ domain_read_all_domains_state(init_t)
 
 files_read_etc_files(init_t)
 files_read_all_pids(init_t)
+files_read_system_conf_files(init_t)
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
@@ -233,6 +234,8 @@ tunable_policy(`init_systemd',`
 
 	kernel_list_unlabeled(init_t)
 	kernel_read_network_state(init_t)
+	kernel_rw_kernel_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
 	kernel_unmount_debugfs(init_t)
 
 	dev_write_kmsg(init_t)
@@ -246,14 +249,17 @@ tunable_policy(`init_systemd',`
 
 	files_mounton_all_mountpoints(init_t)
 	files_manage_all_pids_dirs(init_t)
+	files_manage_urandom_seed(initrc_t)
 
 	fs_manage_cgroup_dirs(init_t)
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_manage_tmpfs_dirs(init_t)
+	fs_relabelfrom_tmpfs_dir(init_t)
 	fs_mount_all_fs(init_t)
 	fs_list_auto_mountpoints(init_t)
 	fs_read_cgroup_files(init_t)
 	fs_write_cgroup_files(init_t)
+	fs_relabelto_cgroup_dirs(init_t)
 	fs_search_cgroup_dirs(daemon)
 
 	selinux_compute_create_context(init_t)

More information about the scm-commits mailing list