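## systemd_hs — local SELinux overrides for systemd 247.
##
## Each rule below widens the base policy for one systemd-related domain.
## Every type is pulled in through gen_require(), so the module refuses to
## load (rather than silently granting nothing) if the base policy drops
## or renames one of them.
policy_module(systemd_hs,0.0.1)

# systemd overrides for 247

gen_require(`
	type init_t;
	type init_var_run_t;
	type kmsg_device_t;
	type proc_kmsg_t;
	type proc_security_t;
	type systemd_hostnamed_t;
	type systemd_localed_t;
	type systemd_logind_t;
	type systemd_resolved_t;
	type systemd_tmpfiles_t;
	type systemd_hwdb_t;
	type systemd_sysctl_t;
	type security_t;
	type tpm_device_t;
	type ramfs_t;
	type shadow_t;
	type syslogd_t;
	type user_tmp_t;
	type systemd_machined_t;
	type system_dbusd_var_run_t;
	type systemd_networkd_t;
')

#============= init_t ==============
allow init_t kmsg_device_t:chr_file mounton;
allow init_t proc_kmsg_t:file { getattr mounton };
allow init_t ramfs_t:file manage_file_perms;
# NOTE(review): these two rules give PID 1 itself direct access to the TPM
# device and read access to shadow_t. Both are high-value targets; confirm
# against the denials that motivated them that init_t is really the
# requesting domain and not a transient helper that deserves its own domain.
allow init_t tpm_device_t:chr_file { read write open };
allow init_t shadow_t:file { read open };

#============= systemd_hwdb_t ==============
allow systemd_hwdb_t security_t:file { read open };
allow systemd_hwdb_t self:netlink_selinux_socket { create bind };

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t proc_security_t:file read;

#============= syslogd_t ==============
allow syslogd_t user_tmp_t:dir search;

#============= systemd_machined_t ==============
allow systemd_machined_t init_var_run_t:sock_file manage_sock_file_perms;

#============= systemd_networkd_t ==============
# watch is not defined on centos stream 8 so use a glob to get around that.
# The complement form below still expands to "every sock_file permission the
# loaded policy defines", so it builds on policies with and without watch,
# but it withholds the permissions that would let networkd create, remove,
# rename, relabel, mount over or execute the D-Bus socket — none of which
# are needed to connect to it.
allow systemd_networkd_t system_dbusd_var_run_t:sock_file ~{ create unlink link rename relabelfrom relabelto setattr mounton execute execmod quotaon };

# Let these domains read the SELinux status page (/sys/fs/selinux/status)
# instead of polling enforcing/policy state through the netlink socket.
selinux_use_status_page(init_t)
selinux_use_status_page(systemd_hostnamed_t)
selinux_use_status_page(systemd_localed_t)
selinux_use_status_page(systemd_logind_t)
selinux_use_status_page(systemd_resolved_t)
selinux_use_status_page(systemd_tmpfiles_t)
selinux_use_status_page(systemd_hwdb_t)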