* Wed Jul 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-202

- Allow systemd_logind_t to start init_t BZ(1355861) - Add init_start() interface - Allow sysadm user to run systemd-tmpfiles - Add interface systemd_tmpfiles_run
2016-07-13 08:55:29 +02:00 · 2016-07-13 08:55:29 +02:00 · 449da6b428
commit 449da6b428
parent 1ad8909907
3 changed files with 64 additions and 13 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -25374,7 +25374,7 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..fe03d6d 100644
+index 2522ca6..a23a472 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@ -25807,7 +25807,7 @@ index 2522ca6..fe03d6d 100644
 ')
 
 optional_policy(`
-@@ -345,30 +490,37 @@ optional_policy(`
+@@ -345,30 +490,38 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25820,6 +25820,7 @@ index 2522ca6..fe03d6d 100644
 +	systemd_login_reboot(sysadm_t)
 +	systemd_login_halt(sysadm_t)
 +	systemd_login_undefined(sysadm_t)
+	systemd_tmpfiles_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@ -25854,7 +25855,7 @@ index 2522ca6..fe03d6d 100644
 ')
 
 optional_policy(`
-@@ -380,10 +532,6 @@ optional_policy(`
+@@ -380,10 +533,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25865,7 +25866,7 @@ index 2522ca6..fe03d6d 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +539,9 @@ optional_policy(`
+@@ -391,6 +540,9 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -25875,7 +25876,7 @@ index 2522ca6..fe03d6d 100644
 ')
 
 optional_policy(`
-@@ -398,31 +549,34 @@ optional_policy(`
+@@ -398,31 +550,34 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25916,7 +25917,7 @@ index 2522ca6..fe03d6d 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
 
-@@ -435,10 +589,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +590,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -25927,7 +25928,7 @@ index 2522ca6..fe03d6d 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 
 		optional_policy(`
-@@ -459,15 +609,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +610,79 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -35258,7 +35259,7 @@ index bc0ffc8..37b8ea5 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..e176b9f 100644
+index 79a45f6..9926eaf 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -36301,7 +36302,7 @@ index 79a45f6..e176b9f 100644
 ')
 
 ########################################
-@@ -1806,37 +2294,672 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,37 +2294,690 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
@ -36729,6 +36730,24 @@ index 79a45f6..e176b9f 100644
 +
 +########################################
 +## <summary>
+##	Start  system from init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system start;
+')
+
+########################################
+## <summary>
 +##	Tell init to reboot the system.
 +## </summary>
 +## <param name="domain">
@ -46795,10 +46814,10 @@ index 0000000..8b77d7a
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..513b97b
+index 0000000..16cd1ac
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1738 @@
+@@ -0,0 +1,1763 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -47405,6 +47424,31 @@ index 0000000..513b97b
 +
 +########################################
 +## <summary>
+##	Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and
+##	allow the specified role the systemd_tmpfiles domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the systemd_tmpfiles domain.
+##	</summary>
+## </param>
+#
+interface(`systemd_tmpfiles_run',`
+	gen_require(`
+		type systemd_tmpfiles_t;
+	')
+
+	systemd_passwd_agent_domtrans($1)
+	role $2 types systemd_tmpfiles_t;
+')
+
+########################################
+## <summary>
 +##	Role access for systemd_passwd_agent
 +## </summary>
 +## <param name="role">
@ -48539,10 +48583,10 @@ index 0000000..513b97b
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..7877160
+index 0000000..180e701
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,957 @@
+@@ -0,0 +1,958 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -48770,6 +48814,7 @@ index 0000000..7877160
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
 +
 +init_status(systemd_logind_t)
+init_start(systemd_logind_t)
 +init_signal(systemd_logind_t)
 +init_reboot(systemd_logind_t)
 +init_halt(systemd_logind_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -648,6 +648,12 @@ exit 0
 %endif

 %changelog
+* Wed Jul 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-202
+- Allow systemd_logind_t to start init_t BZ(1355861)
+- Add init_start() interface
+- Allow sysadm user to run systemd-tmpfiles
+- Add interface systemd_tmpfiles_run
+
 * Mon Jul 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-201
 - Allow lttng tools to block suspending
 - Allow creation of vpnaas in openstack