Merge pull request #840 from cgzones/systemd

systemd v257 tweaks

policy/modules/services/ntp.te

@@ -125,6 +125,7 @@ files_watch_runtime_dirs(ntpd_t)
 
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+fs_getattr_nsfs_files(ntpd_t)
 
 term_use_ptmx(ntpd_t)
 

policy/modules/system/logging.te

@@ -532,6 +532,7 @@ ifdef(`init_systemd',`
 
 	fs_list_cgroup_dirs(syslogd_t)
 	fs_watch_memory_pressure(syslogd_t)
+	fs_getattr_nsfs_files(syslogd_t)
 
 	init_create_runtime_dirs(syslogd_t)
 	init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")

policy/modules/system/systemd.te

@@ -302,6 +302,8 @@ init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
+# create /etc/group
+domain_obj_id_change_exemption(systemd_sysusers_t)
 role systemd_sysusers_roles types systemd_sysusers_t;
 
 type systemd_tmpfiles_t;
@@ -450,6 +452,7 @@ fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
 
 fs_getattr_cgroup(systemd_binfmt_t)
 fs_search_cgroup_dirs(systemd_binfmt_t)
+fs_getattr_nsfs_files(systemd_binfmt_t)
 
 ######################################
 #
@@ -565,6 +568,7 @@ files_dontaudit_read_etc_runtime_files(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
 fs_getattr_all_fs(systemd_generator_t)
+fs_getattr_nsfs_files(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -862,6 +866,7 @@ manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_
 
 fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
+fs_getattr_nsfs_files(systemd_journal_init_t)
 
 kernel_getattr_proc(systemd_journal_init_t)
 kernel_read_kernel_sysctls(systemd_journal_init_t)
@@ -999,6 +1004,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 fs_getattr_xattr_fs(systemd_logind_t)
 fs_watch_memory_pressure(systemd_logind_t)
+fs_getattr_nsfs_files(systemd_logind_t)
 
 selinux_use_status_page(systemd_logind_t)
 
@@ -1226,6 +1232,7 @@ init_read_state(systemd_machine_id_setup_t)
 
 fs_getattr_cgroup(systemd_modules_load_t)
 fs_getattr_xattr_fs(systemd_modules_load_t)
+fs_getattr_nsfs_files(systemd_modules_load_t)
 
 kernel_load_module(systemd_modules_load_t)
 kernel_read_kernel_sysctls(systemd_modules_load_t)
@@ -1787,6 +1794,7 @@ fs_getattr_all_fs(systemd_sessions_t)
 fs_search_cgroup_dirs(systemd_sessions_t)
 fs_search_tmpfs(systemd_sessions_t)
 fs_search_ramfs(systemd_sessions_t)
+fs_getattr_nsfs_files(systemd_sessions_t)
 
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
@@ -1821,6 +1829,7 @@ fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
 fs_search_tmpfs(systemd_sysctl_t)
+fs_getattr_nsfs_files(systemd_sysctl_t)
 
 systemd_log_parse_environment(systemd_sysctl_t)
 
@@ -1935,6 +1944,7 @@ fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_all_fs(systemd_tmpfiles_t)
 fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_nsfs_files(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -2185,6 +2195,7 @@ fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
 fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
 fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
+fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)

policy/modules/system/udev.te

@@ -273,6 +273,7 @@ ifdef(`init_systemd',`
 	fs_create_cgroup_dirs(udev_t)
 	fs_create_cgroup_files(udev_t)
 	fs_rw_cgroup_files(udev_t)
+	fs_getattr_nsfs_files(udev_t)
 
 	init_dgram_send(udev_t)
 	init_get_generic_units_status(udev_t)