author | Chris PeBenito <chpebeni@linux.microsoft.com> | 2022-08-17 13:53:26 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2022-09-03 12:07:49 -0700 |
commit | 9f360ceda6290fc51e9f537d59574810e5a876b6 (patch) | |
tree | 08a208077f4d7878c565d160a5c9654f07f5a46a | |
parent | Drop explicit calls to seutil and kernel module interfaces in broad files int... (diff) | |
systemd: Add interface for systemctl exec.
Adds necessary baseline permissions for the command.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/system/systemd.if | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 62545021e..f48cc5413 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2388,6 +2388,37 @@ interface(`systemd_read_resolved_runtime',`
 read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 
+########################################
+## <summary>
+## Execute the systemctl program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_exec_systemctl',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ dontaudit $1 self:capability { net_admin sys_resource };
+ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ # the command is a regular bin
+ corecmd_exec_bin($1)
+
+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+ allow $1 systemd_passwd_agent_t:process signal;
+
+ init_read_state($1)
+ init_stream_connect($1)
+ init_telinit($1)
+ init_dbus_chat($1)
+')
+
 #######################################
 ## <summary>
 ## Allow domain to getattr on .updated file (generated by systemd-update-done |
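Review bot: The `<summary>` of `systemd_exec_systemctl` says only "Execute the systemctl program", but the body grants more than an exec. It adds a domain transition into `systemd_passwd_agent_t`, plus `init_telinit($1)`, `init_dbus_chat($1)` and `init_stream_connect($1)`, and `corecmd_exec_bin($1)` covers every generic bin file rather than systemctl alone. I would add a `<desc>` paragraph listing those grants, so that a policy author calling this for a confined domain sees what comes with it, and stating whether unit start/stop/status permissions are expected to be granted separately. The `dontaudit $1 self:capability { net_admin sys_resource };` line also needs a why-comment, because with no transition it silences those AVC denials for the whole calling domain, not only while systemctl runs. If the reason is that systemctl merely probes for them, something like `# systemctl requests these opportunistically; denial is harmless` would do.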