Update sponson selinux and add systemdmachine patch

5 years ago · 5650ba5548
5 changed files with 48 additions and 3 deletions
--- a/README.rst
+++ b/README.rst
@ -62,10 +62,13 @@ you can build the module using

    checkmodule -M -m -o {path to sponson}/selinux/sponson.mod {path to sponson}/selinux/sponson.te

-    semodule_package -o {path to sponson}/selinux/sponson.pp {path to sponson}/selinux/sponson.mod
+    semodule_package -o {path to sponson}/selinux/sponson.pp -m {path to sponson}/selinux/sponson.mod

    sudo semodule -i {path to sponson}/selinux/sponson.pp

+Fedora 25 also seems to have faults with `machinectl` accessing `/var/lib/machines`,
+so you might want to also use the provided `systemdmachine.pp`.
+

 Licence
 =======
--- a/selinux/sponson.pp
+++ b/selinux/sponson.pp
--- a/selinux/sponson.te
+++ b/selinux/sponson.te
@ -6,11 +6,11 @@ require {
 	type firewalld_t;
 	type systemd_machined_var_lib_t;
 	class dbus send_msg;
-	class dir { mounton read };
+	class dir { getattr mounton read };
 }

 #============= firewalld_t ==============
 allow firewalld_t init_t:dbus send_msg;

 #============= init_t ==============
-allow init_t systemd_machined_var_lib_t:dir { mounton read };
+allow init_t systemd_machined_var_lib_t:dir { getattr mounton read };
--- a/selinux/systemdmachine.pp
+++ b/selinux/systemdmachine.pp
--- a/selinux/systemdmachine.te
+++ b/selinux/systemdmachine.te
@ -0,0 +1,42 @@
+
+module systemdmachine 1.0;
+
+require {
+	type tmpfs_t;
+	type devpts_t;
+	type systemd_machined_t;
+	type systemd_unit_file_t;
+	type var_lib_t;
+	type unconfined_service_t;
+	class dir search;
+	class process signal;
+	class lnk_file read;
+	class cap_userns { kill sys_admin sys_ptrace };
+	class chr_file open;
+	class file { getattr open read };
+	class sock_file write;
+	class service stop;
+}
+
+#============= systemd_machined_t ==============
+
+allow systemd_machined_t devpts_t:chr_file open;
+
+allow systemd_machined_t self:cap_userns { kill sys_admin sys_ptrace };
+
+allow systemd_machined_t tmpfs_t:lnk_file read;
+
+allow systemd_machined_t tmpfs_t:sock_file write;
+
+allow systemd_machined_t unconfined_service_t:dir search;
+
+allow systemd_machined_t unconfined_service_t:file { getattr open read };
+
+allow systemd_machined_t unconfined_service_t:lnk_file read;
+
+allow systemd_machined_t unconfined_service_t:process signal;
+
+allow systemd_machined_t var_lib_t:lnk_file read;
+
+allow systemd_machined_t systemd_unit_file_t:service stop;
+