Draft: Update systemd-generators

Confine all current systemd generators and define a label for a generic generator. Update the old generators policy for the new scheme used.
zpytela · Jan 15, 2024 · 7937796 · 7937796
1 parent 12f821c
commit 7937796
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 24 deletions.
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
@@ -56,7 +56,7 @@ ifdef(`distro_gentoo', `
 
 /usr/lib/systemd/[^/]*		--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/fedora[^/]* 	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/usr/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
+#/usr/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
@@ -68,10 +68,19 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_network_generator_exec_t,s0)
+
+/usr/lib/systemd/system-generators/systemd-bless-boot-generator	--	gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-cryptsetup-generator	--	gen_context(system_u:object_r:systemd_cryptsetup_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-debug-generator	--	gen_context(system_u:object_r:systemd_debug_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-fstab-generator	--	gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-getty-generator	--	gen_context(system_u:object_r:systemd_getty_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	--	gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-rc-local-generator	--	gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator	--	gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/zram-generator	--	gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/.+	--	gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0)
+/usr/lib/systemd/zram-generator.conf	--	gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0)
+
 /usr/lib/systemd/systemd-resolve(d|-host)			gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-importd		--	gen_context(system_u:object_r:systemd_importd_exec_t,s0)
 /usr/lib/systemd/systemd-journal-upload		--	gen_context(system_u:object_r:systemd_journal_upload_exec_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
@@ -60,6 +60,39 @@ template(`systemd_generator_template',`
 	systemd_create_unit_file_lnk($1_t)
 ')
 
+######################################
+## <summary>
+##  Creates types and rules for systemd generators - new version
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`systemd_generator_template_new',`
+	gen_require(`
+		attribute systemd_generator2;
+	')
+
+	type $1_t, systemd_generator2;
+	type $1_exec_t;
+	init_daemon_domain($1_t, $1_exec_t)
+	init_nnp_daemon_domain($1_t)
+
+	#kernel_read_system_state($1_t)
+
+	#auth_use_nsswitch($1_t)
+	#selinux_get_enforce_mode($1_t)
+
+	#systemd_unit_file_filetrans($1_t, $1_unit_file_t, file)
+	#systemd_create_unit_file_dirs(systemd_gpt_generator_t)
+	##manage misto create? zjistit testem kdyz uz existuje
+	#systemd_create_unit_file_lnk(systemd_gpt_generator_t)
+
+	permissive $1_t;
+')
+
 ######################################
 ## <summary>
 ##      Create a domain for processes which are started 

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -24,6 +24,7 @@ gen_tunable(systemd_socket_proxyd_connect_any, false)
 attribute systemd_unit_file_type;
 attribute systemd_domain;
 attribute systemd_generator;
+attribute systemd_generator2;
 attribute systemctl_domain;
 attribute systemd_mount_directory;
 attribute systemd_private_tmp_type;
@@ -185,24 +186,52 @@ files_type(systemd_timedated_var_lib_t)
 
 systemd_domain_template(systemd_sysctl)
 
-#domain for gpt-auto-generator
-systemd_domain_template(systemd_gpt_generator)
-
-systemd_domain_template(systemd_network_generator)
+### domains and file types for systemd generators
 
+# gpt - old
+systemd_generator_template_new(systemd_gpt_generator)
+#prijde zrusit
 type systemd_gpt_generator_unit_file_t;
 systemd_unit_file(systemd_gpt_generator_unit_file_t)
 
-#domain for fstab-generator
-systemd_generator_template(systemd_fstab_generator)
+# not yet, not a generator, leave this way as a sd-domain?
+systemd_domain_template(systemd_network_generator)
+
+# now
+
+# domain for bless-boot-generator
+systemd_generator_template_new(systemd_bless_boot_generator)
+
+# domain for cryptsetup-generator
+systemd_generator_template_new(systemd_cryptsetup_generator)
+
+# domain for debug-generator
+systemd_generator_template_new(systemd_debug_generator)
+
+# domain for fstab-generator
+systemd_generator_template_new(systemd_fstab_generator)
 
-#domain for rc-local-generator
-systemd_generator_template(systemd_rc_local_generator)
+# domain for getty-generator
+systemd_generator_template_new(systemd_getty_generator)
 
-#domain for sysv-generator
-systemd_generator_template(systemd_sysv_generator)
+# domain for rc-local-generator
+systemd_generator_template_new(systemd_rc_local_generator)
+
+# domain for sysv-generator
+systemd_generator_template_new(systemd_sysv_generator)
+
+# domains and types for zram-generator
+systemd_generator_template_new(systemd_zram_generator)
+type systemd_zram_generator_conf_t;
+files_type(systemd_zram_generator_conf_t)
+allow systemd_zram_generator_t systemd_zram_generator_conf_t:file read_file_perms;
+
+# domain for a generic generator
+systemd_generator_template_new(systemd_generic_generator)
+
+
+### domains and types for systemd-machined
 
-#domain for systemd-machined
 systemd_domain_template(systemd_machined)
 
 type systemd_machined_unit_file_t;
@@ -1192,6 +1221,16 @@ files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
 
 systemd_read_efivarfs(systemd_hwdb_t)
 
+
+###
+### MARK GENERATORS SECTION
+###
+
+########################################
+#
+# Rules for systemd generators
+#
+
 ########################################
 #
 # Common rules for systemd generators
@@ -1205,11 +1244,27 @@ fs_search_all(systemd_generator)
 
 logging_stream_connect_syslog(systemd_generator)
 
+### Common rules for systemd generators - new
+# do sablony nebo do atributu?
+#?allow systemd_generator self:unix_dgram_socket { create_socket_perms sendto };
+
+dev_write_kmsg(systemd_generator2)
+fs_getattr_cgroup(systemd_generator2)
+fs_search_cgroup_dirs(systemd_generator2)
+kernel_read_proc_files(systemd_generator2)
+
+### Rules for individual generators
+
+### getty generator
+dev_read_sysfs(systemd_getty_generator_t)
+
 #######################################
 #
-# systemd_gpt_generator domain
+# systemd generator domains
 #
 
+### gpt generator - old
+## fragile - do not modify
 allow systemd_gpt_generator_t self:capability sys_rawio;
 dontaudit systemd_gpt_generator_t self:capability sys_admin;
 allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -1248,6 +1303,9 @@ optional_policy(`
 #
 # systemd_fstab_generator_t 
 #
+#new
+allow systemd_fstab_generator_t self:process setfscreate;
+#old
 allow systemd_fstab_generator_t self:capability dac_override;
 dev_write_sysfs_dirs(systemd_fstab_generator_t)
 
@@ -1259,21 +1317,24 @@ fstools_exec(systemd_fstab_generator_t)
 
 systemd_manage_all_unit_files(systemd_fstab_generator_t)
 
-#######################################
-#
-# systemd_rc_local_generator_t 
-#
+### systemd rc_local generator 
+#tmp init_exec_script_files(systemd_rc_local_generator_t)
 
-init_exec_script_files(systemd_rc_local_generator_t)
+### sysv generator
+#tmp init_read_script_files(systemd_sysv_generator_t)
+#tmp systemd_manage_all_unit_files(systemd_sysv_generator_t)
+
+### zram generator
+# for systemd-detect-virt - confine it too?
+corecmd_exec_bin(systemd_zram_generator_t)
+#init_exec(systemd_zram_generator_t)
+storage_getattr_fixed_disk_dev(systemd_zram_generator_t)
 
-#######################################
-#
-# systemd_sysv_generator_t 
-#
 
-init_read_script_files(systemd_sysv_generator_t)
+###
+### MARK END-OF-GENERATORS SECTION
+###
 
-systemd_manage_all_unit_files(systemd_sysv_generator_t)
 
 #######################################
 #
@@ -1290,6 +1351,7 @@ optional_policy(`
 	logging_send_syslog_msg(systemd_network_generator_t)
 ')
 
+
 #######################################
 #
 # systemd_resolved domain