teknoraver / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone
Blob Blame History Raw
policy_module(systemd_hs,0.0.1)

gen_require(`
	type cgroup_t;
	type default_t;
	type init_exec_t;
	type init_t;
	type init_var_run_t;
	type kernel_t;
	type loadkeys_t;
	type syslogd_t;
	type syslogd_var_run_t;
	type system_dbusd_var_run_t;
	type systemd_gpt_generator_t;
	type systemd_network_generator_t;
	type systemd_networkd_t;
	type systemd_userdbd_t;
	type tmpfs_t;
')

#============= init_t ==============
allow init_t self:netlink_netfilter_socket { bind create getattr getopt setopt };
allow init_t self:vsock_socket { bind connect create getopt setopt };
allow init_t syslogd_var_run_t:file { setattr write };

#============= loadkeys_t ==============
allow loadkeys_t default_t:lnk_file read;
allow loadkeys_t init_exec_t:file getattr;

#============= syslogd_t ==============

#!!!! This avc can be allowed using the boolean 'logging_syslogd_list_non_security_dirs'
allow syslogd_t cgroup_t:dir read;

#============= systemd_gpt_generator_t ==============
allow systemd_gpt_generator_t tmpfs_t:filesystem mount;

#============= systemd_network_generator_t ==============
allow systemd_network_generator_t init_var_run_t:file { create getattr open read rename setattr write };
allow systemd_network_generator_t kernel_t:unix_dgram_socket sendto;

#============= systemd_networkd_t ==============
allow systemd_networkd_t system_dbusd_var_run_t:sock_file watch;

#============= systemd_userdbd_t ==============
allow systemd_userdbd_t self:capability sys_resource;