Correct policy structure

fedora-selinux · Sep 12, 2024 · 8b10286 · 8b10286
1 parent d20397d
commit 8b10286
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 53 deletions.
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
@@ -229,11 +229,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_homed_write_pipes(system_dbusd_t)
 	systemd_status_systemd_services(system_dbusd_t)
 	systemd_use_fds_logind(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 	systemd_write_inhibit_pipes(system_dbusd_t)
-	systemd_write_homed_pipes(system_dbusd_t)
 # These are caused by broken systemd patch
 	systemd_start_power_services(system_dbusd_t)
 	systemd_config_all_services(system_dbusd_t)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
@@ -1154,8 +1154,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-    systemd_write_homed_pid_sock_files(xdm_t)
-    systemd_write_homed_pipes(xdm_t)
+    systemd_homed_write_pid_sock_files(xdm_t)
+    systemd_homed_write_pipes(xdm_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
@@ -33,8 +33,6 @@ interface(`fstools_nnp_domtrans',`
 	gen_require(`
 		type fsadm_t;
 	')
-
-	fstools_domtrans($1)
 	allow $1 fsadm_t:process2 nnp_transition;
 
 ')

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -880,7 +880,7 @@ optional_policy(`
 
 optional_policy(`
 	systemd_homed_dbus_chat(init_t)
-	systemd_write_homed_pipes(init_t)
+	systemd_homed_write_pipes(init_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/systemd-homed.fc b/policy/modules/system/systemd-homed.fc
@@ -16,12 +16,4 @@
 /var/lib/systemd/home/local\.public                       --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
 /var/lib/systemd/home                                     -d  gen_context(system_u:object_r:systemd_homed_library_dir_t,s0)
 
-/var/run/cryptsetup                                       -d  gen_context(system_u:object_r:systemd_homed_cryptsetup_dir_t,s0)
-
-/var/run/systemd/home/(.+)\.dont-suspend                  -p  gen_context(system_u:object_r:systemd_homed_runtime_pipe_t,s0)
-/var/run/systemd/home/notify                              -s  gen_context(system_u:object_r:systemd_homed_runtime_socket_t,s0)
-/var/run/systemd/home                                     -d  gen_context(system_u:object_r:systemd_homed_runtime_dir_t,s0)
-/var/run/systemd/user-home-mount                          -d  gen_context(system_u:object_r:systemd_homed_runtime_work_dir_t,s0)
-/var/run/systemd/userdb/io.systemd.Home                   -s  gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
-
 HOME_DIR/\.identity                                       --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
diff --git a/policy/modules/system/systemd-homed.if b/policy/modules/system/systemd-homed.if
@@ -50,7 +50,7 @@ interface(`systemd_homed_stream_connect',`
 ##  </summary>
 ## </param>
 #
-interface(`systemd_write_homed_pid_sock_files',`
+interface(`systemd_homed_write_pid_sock_files',`
     gen_require(`
         type systemd_homed_runtime_dir_t;
         type systemd_homed_runtime_socket_t;
@@ -69,7 +69,7 @@ interface(`systemd_write_homed_pid_sock_files',`
 ##	</summary>
 ## </param>
 #
-interface(`systemd_write_homed_pipes',`
+interface(`systemd_homed_write_pipes',`
 	gen_require(`
 		type systemd_homed_runtime_dir_t;
 		type systemd_homed_runtime_pipe_t;

diff --git a/policy/modules/system/systemd-homed.te b/policy/modules/system/systemd-homed.te
@@ -52,8 +52,7 @@ systemd_unit_file(systemd_homed_unit_file_t)
 # systemd_homed local policy
 #
 
-allow systemd_homed_t self:capability { sys_admin sys_resource };
-allow systemd_homed_t self:capability { dac_override dac_read_search setuid setgid };
+allow systemd_homed_t self:capability { sys_admin sys_resource dac_override dac_read_search setuid setgid };
 allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_homed_t self:unix_dgram_socket create_socket_perms;
 
@@ -69,10 +68,6 @@ libs_read_lib_files(systemd_homed_t)
 files_watch_home(systemd_homed_t)
 files_search_home(systemd_homed_t)
 
-# labeled home directories
-userdom_home_manager(systemd_homed_t)
-userdom_manage_home_role(system_r, systemd_homed_t)
-
 # unlabeled home directories
 files_manage_isid_type_dirs(systemd_homed_t)
 files_manage_isid_type_files(systemd_homed_t)
@@ -98,7 +93,6 @@ filetrans_pattern(systemd_homed_t, systemd_homed_runtime_dir_t, systemd_homed_ru
 # /var/run/systemd/userdb/io.systemd.Home
 systemd_manage_userdbd_runtime_sock_files(systemd_homed_t)
 add_entry_dirs_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
-filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, sock_file, "io.systemd.Home")
 
 # /tmp
 rw_files_pattern(systemd_homed_t, systemd_homed_tmpfs_t, systemd_homed_tmpfs_t)
@@ -107,8 +101,6 @@ fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file)
 kernel_dgram_send(systemd_homed_t)
 kernel_read_system_state(systemd_homed_t)
 
-auth_use_nsswitch(systemd_homed_t)
-
 dev_getattr_generic_blk_files(systemd_homed_t)
 dev_read_sysfs(systemd_homed_t)
 
@@ -117,16 +109,12 @@ fs_getattr_xattr_fs(systemd_homed_t)
 fs_search_cgroup_dirs(systemd_homed_t)
 fs_write_cgroup_files(systemd_homed_t)
 
-logging_send_syslog_msg(systemd_homed_t)
-
-miscfiles_read_all_certs(systemd_homed_t)
-
 storage_getattr_fixed_disk_dev(systemd_homed_t)
 storage_raw_read_removable_device(systemd_homed_t)
 
-udev_manage_pid_files(systemd_homed_t)
-
-usermanage_read_crack_db(systemd_homed_t)
+optional_policy(`
+    auth_use_nsswitch(systemd_homed_t)
+')
 
 optional_policy(`
     container_runtime_read_tmpfs_files(systemd_homed_t)
@@ -136,19 +124,39 @@ optional_policy(`
     dbus_connect_system_bus(systemd_homed_t)
 ')
 
+optional_policy(`
+    logging_send_syslog_msg(systemd_homed_t)
+')
+
+optional_policy(`
+    miscfiles_read_all_certs(systemd_homed_t)
+')
+
 optional_policy(`
     mta_getattr_spool(systemd_homed_t)
 ')
 
+optional_policy(`
+    udev_manage_pid_files(systemd_homed_t)
+')
+
+optional_policy(`
+   # labeled home directories
+   userdom_home_manager(systemd_homed_t)
+   userdom_manage_home_role(system_r, systemd_homed_t)
+')
+
+optional_policy(`
+   usermanage_read_crack_db(systemd_homed_t)
+')
+
 #######################################
 #
 # systemd_homework local policy
 #
 
 allow systemd_homework_t self:cap_userns { sys_admin sys_ptrace  };
-allow systemd_homework_t self:capability { chown fowner fsetid setfcap };
-allow systemd_homework_t self:capability { dac_override dac_read_search setuid setgid };
-allow systemd_homework_t self:capability { sys_admin sys_resource };
+allow systemd_homework_t self:capability { chown fowner fsetid setfcap dac_override dac_read_search setuid setgid sys_admin sys_resource };
 allow systemd_homework_t self:file mounton;
 allow systemd_homework_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_homework_t self:process { setsched getsched };
@@ -163,20 +171,11 @@ files_search_home(systemd_homework_t)
 files_home_filetrans(systemd_homework_t, systemd_homed_crypto_luks_t, file)
 files_home_filetrans(systemd_homework_t, user_home_dir_t, dir)
 
-# labeled home directories
-userdom_home_manager(systemd_homework_t)
-userdom_manage_home_role(system_r, systemd_homework_t)
-
 # unlabeled home directories
 files_manage_isid_type_dirs(systemd_homework_t)
 files_manage_isid_type_files(systemd_homework_t)
 files_mounton_isid(systemd_homework_t)
 
-# /var/run/cryptsetup
-manage_dirs_pattern(systemd_homework_t, var_run_t, systemd_homed_cryptsetup_dir_t)
-manage_files_pattern(systemd_homework_t, systemd_homed_cryptsetup_dir_t, systemd_homed_cryptsetup_dir_t)
-files_pid_filetrans(systemd_homework_t, systemd_homed_cryptsetup_dir_t, dir, "cryptsetup")
-
 # /var/run/systemd/home/notify
 write_sock_files_pattern(systemd_homework_t, systemd_homed_runtime_dir_t, systemd_homed_runtime_socket_t)
 
@@ -197,8 +196,6 @@ kernel_read_fs_sysctls(systemd_homework_t)
 kernel_read_system_state(systemd_homework_t)
 kernel_request_load_module(systemd_homework_t)
 
-auth_read_passwd_file(systemd_homework_t)
-
 corecmd_exec_shell(systemd_homework_t)
 
 dev_getattr_fs(systemd_homework_t)
@@ -218,18 +215,41 @@ fs_relabelfrom_xattr_fs(systemd_homework_t)
 fs_search_all(systemd_homework_t)
 
 fsadm_manage_pid(systemd_homework_t)
-fstools_nnp_domtrans(systemd_homework_t)
 
 init_read_state(systemd_homework_t)
 init_rw_stream_sockets(systemd_homework_t)
 
-logging_send_syslog_msg(systemd_homework_t)
-
-miscfiles_read_all_certs(systemd_homework_t)
-
 storage_raw_read_removable_device(systemd_homework_t)
 storage_rw_inherited_removable_device(systemd_homework_t)
 storage_manage_fixed_disk(systemd_homework_t)
 
-udev_read_pid_files(systemd_homework_t)
-udev_search_pids(systemd_homework_t)
+optional_policy(`
+    auth_read_passwd_file(systemd_homework_t)
+
+optional_policy(`
+    fstools_domtrans(systemd_homework_t)
+    fstools_nnp_domtrans(systemd_homework_t)
+')
+
+optional_policy(`
+    lvm_manage_var_run(systemd_homework_t)
+')
+
+optional_policy(`
+    logging_send_syslog_msg(systemd_homework_t)
+')
+
+optional_policy(`
+    miscfiles_read_all_certs(systemd_homework_t)
+')
+
+optional_policy(`
+    udev_read_pid_files(systemd_homework_t)
+    udev_search_pids(systemd_homework_t)
+')
+
+optional_policy(`
+    # labeled home directories
+    userdom_home_manager(systemd_homework_t)
+    userdom_manage_home_role(system_r, systemd_homework_t)
+')