6 changes: 5 additions & 1 deletion policy/modules/kernel/kernel.te
Expand Up @@ -50,7 +50,11 @@ type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
sid init gen_context(system_u:system_r:kernel_t,mls_systemhigh)

type init_t;
domain_type(init_t)
role system_r types init_t;
sid init gen_context(system_u:system_r:init_t,mls_systemhigh)
Comment on lines +54 to +57

Move the sid into the init module instead. It will need this after the summary block in init.if:

## <required val="true">
##	Required for init initial SID.
## </required>


#
# DebugFS
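Review bot: The new init_t declaration and the re-pointed `sid init` in this hunk carry no comment saying why a system-layer domain is now declared in the kernel module, so the next reader will take it for a stray duplicate of the declaration in init.te. Presumably the intent is that whatever the kernel labels with the init initial SID (PID1 and the objects it creates before policy load, if the running kernel does that) resolves to init_t instead of kernel_t; if so, that dependency on kernel behaviour belongs above the block, e.g. `# init_t is declared here so the init initial SID can reference a domain from the base module; its rules live in init.te.` If kernels that still label PID1 with the kernel SID are meant to keep working, the PR description should say how that path is covered.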
11 changes: 6 additions & 5 deletions policy/modules/system/init.te
Expand Up @@ -67,12 +67,13 @@ files_type(init_random_seed_t)
#
# init_t is the domain of the init process.
#
type init_t, initrc_transition_domain;
gen_require(`
type init_t;
')
typeattribute init_t initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;

optional_policy(`
# required by calico
Expand Down Expand Up @@ -208,7 +209,7 @@ files_runtime_filetrans(init_t, initctl_t, fifo_file)
# Modify utmp.
allow init_t initrc_runtime_t:file { rw_file_perms setattr };

allow init_t init_tmpfs_t:file manage_file_perms;
allow init_t init_tmpfs_t:file { manage_file_perms relabelfrom };
fs_tmpfs_filetrans(init_t, init_tmpfs_t, file)

kernel_read_psi(init_t)
Expand Down Expand Up @@ -1183,7 +1184,7 @@ ifdef(`init_systemd',`
allow initrc_t init_script_file_type:service { reload start status stop };

# Access to notify socket for services with Type=notify
kernel_dgram_send(initrc_t)
init_dgram_send(initrc_t)

# run systemd misc initializations
# in the initrc_t domain, as would be
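Review bot: The header comment at the top of the first hunk still reads as if init_t were declared here, but the line beneath it is now a `gen_require` that pulls the type in from another module, which will confuse anyone grepping for where init_t is defined and whether it may be removed. I would extend the comment, e.g. `# init_t is the domain of the init process. The type itself is declared in kernel.te so the init initial SID can reference it; this module only attaches attributes and rules.` The same hunk also reorders `type init_exec_t;` ahead of the domain_entry_file call, which is fine, but worth a word in the commit message so it is not mistaken for an accidental move. The surrounding ifdef/optional structure of this block is not visible in the hunk.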
4 changes: 2 additions & 2 deletions policy/modules/system/logging.if
Expand Up @@ -702,8 +702,8 @@ interface(`logging_send_syslog_msg',`
# Allow systemd-journald to check whether the process died
allow syslogd_t $1:process signull;

kernel_dgram_send($1)
kernel_stream_connect($1)
init_dgram_send($1)
init_stream_connect($1)
')

')
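Review bot: The two replaced calls at the end of this hunk give every syslog client access to init_t's datagram and stream sockets, but the only comment in view explains the signull rule above them, so the reason a logging client needs to talk to init's sockets is undocumented. Presumably it is that under systemd /dev/log and the journal sockets are created by PID1 and therefore carry init_t's label rather than syslogd_t's; if that is right, add `# Under systemd the syslog sockets are created by PID1 (init_t), so clients must reach init_t sockets` above `init_dgram_send($1)`. logging_send_syslog_msg's summary block and the start of its body are outside this hunk, so check that the interface description still matches the broadened target.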
7 changes: 3 additions & 4 deletions policy/modules/system/logging.te
Expand Up @@ -521,12 +521,11 @@ ifdef(`init_systemd',`
# remove /run/log/journal when switching to permanent storage
allow syslogd_t var_log_t:dir rmdir;

kernel_getattr_dgram_sockets(syslogd_t)
kernel_read_ring_buffer(syslogd_t)
kernel_rw_stream_sockets(syslogd_t)
kernel_rw_unix_dgram_sockets(syslogd_t)
init_rw_stream_sockets(syslogd_t)
allow syslogd_t init_t:unix_dgram_socket { getattr ioctl read write };

Needs an interface.

kernel_rw_netlink_audit_sockets(syslogd_t)
kernel_use_fds(syslogd_t)
init_use_fds(syslogd_t)

dev_read_kmsg(syslogd_t)
dev_read_urand(syslogd_t)
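Review bot: Dropping `kernel_getattr_dgram_sockets`, `kernel_rw_stream_sockets` and `kernel_rw_unix_dgram_sockets` leaves syslogd_t with no access to any socket that is still labeled kernel_t, which is only safe if every socket journald inherits from PID1 is now labeled init_t. That appears to be the purpose of the sid change in kernel.te, but it seems to depend on the running kernel labeling PID1 with the init initial SID, and nothing in this block records that assumption. I would add `# journald's sockets come from PID1, which resolves to init_t via the init initial SID; kernels that still label PID1 kernel_t are not supported` above `init_rw_stream_sockets(syslogd_t)` and state the minimum kernel in the PR description. The inline allow on the following line also grants only `{ getattr ioctl read write }`, presumably narrower than what the removed kernel interface gave; if that narrowing is deliberate, note it so it is not widened back by accident.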