allow $1 crond_t:fifo_file read_fifo_file_perms;
')
+########################################
+## <summary>
+## Read crond state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_state_crond',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, crond_t)
+')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## crond over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_dbus_chat_crond',`
+ gen_require(`
+ type crond_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 crond_t:dbus send_msg;
+ allow crond_t $1:dbus send_msg;
+')
+
########################################
## <summary>
## Do not audit attempts to write cron daemon unnamed pipes.
postgresql_search_db(crond_t)
')
+optional_policy(`
+ systemd_use_fds_logind(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+
optional_policy(`
udev_read_db(crond_t)
')
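Review bot: The new `optional_policy` block gives `crond_t` use of logind file descriptors and write access to the logind session pipes with no comment naming the code path that needs it. The same pair is added for `system_dbusd_t` and `xdm_t` in the later hunks. For cron and xdm this is presumably the session-opening path, but for `system_dbusd_t` the need is less obvious and should be backed by an observed denial. I would add a one-line comment above each block, for example `# session fifo inherited from logind when a session is opened (confirm from AVC)`, so each grant can be re-checked later.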
sysnet_domtrans_dhcpc(system_dbusd_t)
')
+optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+')
+
optional_policy(`
udev_read_db(system_dbusd_t)
')
allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
')
+########################################
+## <summary>
+## Read XDM state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_state_xdm',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, xdm_t)
+')
+
########################################
## <summary>
## Use file descriptors for xdm.
shutdown_domtrans(xdm_t)
')
+optional_policy(`
+ systemd_use_fds_logind(xdm_t)
+ systemd_write_inherited_logind_sessions_pipes(xdm_t)
+')
+
optional_policy(`
udev_read_db(xdm_t)
')
type init_var_run_t;
')
+ files_search_pids($1)
filetrans_pattern($1, init_var_run_t, $2, $3)
- allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## Create objects in /run/systemd directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="object_name">
+## <summary>
+## The name of the object to be created.
+## </summary>
+## </param>
+#
+interface(`init_named_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')
########################################
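Review bot: `init_named_pid_filetrans` repeats `init_pid_filetrans` line for line and differs only in the extra `$4` passed to `filetrans_pattern`, so the module now has two entry points that must be kept in sync. If `filetrans_pattern` in this tree accepts an empty name argument (not visible here), a single interface with an optional `object_name` parameter would cover both cases. The new summary says objects are created in the /run/systemd directory, but the rule is written against `init_var_run_t`; stating the type in the summary would be more precise. The body of `init_pid_filetrans` starts outside this hunk.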
/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
dontaudit $1 systemd_unit_file_type:file read_file_perms;
')
+######################################
+## <summary>
+## Use and and inherited systemd
+## logind file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_use_fds_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+')
+
+######################################
+## <summary>
+## Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_sessions_t;
+ ')
+
+ allow $1 systemd_logind_sessions_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd logind over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_logind_t:dbus send_msg;
+ allow systemd_logind_t $1:dbus send_msg;
+')
+
#######################################
## <summary>
## Execute a domain transition to run systemd-tmpfiles.
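Review bot: The summary of `systemd_use_fds_logind` reads "Use and and inherited systemd logind file descriptors", which is garbled and ends up in the generated interface documentation. It should read `## Use inherited systemd logind file descriptors.` The other two interfaces in this hunk are fine as written; `systemd_write_inherited_logind_sessions_pipes` correctly grants only `write`, without `open`, which matches the "inherited" name.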
-
policy_module(systemd, 1.0.0)
#######################################
attribute systemd_unit_file_type;
+# New in f16
+permissive systemd_logind_t;
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_systemd_domain(systemd_logind_t, systemd_logind_exec_t)
+
+# /run/systemd/sessions
+type systemd_logind_sessions_t;
+files_type(systemd_logind_sessions_t)
+
+# /run/systemd/{seats, users}
+type systemd_logind_var_run_t;
+files_type(systemd_logind_var_run_t)
+
# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
# systemd components
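Review bot: `permissive systemd_logind_t;` leaves the whole new domain unenforced, so none of the allow rules added in this commit constrain systemd-logind; denials are only logged. The only explanation is `# New in f16`, which gives no condition for removing the statement. I would add a removal marker such as `# TODO: drop permissive once AVCs for systemd_logind_t are resolved`. The statement also sits above `type systemd_logind_t;`; moving it below the type declarations keeps it from referring to a type before that type is declared.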
files_type(systemd_device_t)
dev_associate(systemd_device_t)
+#######################################
+#
+# Systemd_logind local policy
+#
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, systemd_logind_sessions_t)
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
+
+dev_read_sysfs(systemd_logind_t)
+
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+dev_getattr_video_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
+
+# /etc/udev/udev.conf should probably have a private type if only for confined administration
+# /etc/nsswitch.conf
+files_read_etc_files(systemd_logind_t)
+
+# /sys/fs/cgroup/systemd/user
+fs_manage_cgroup_dirs(systemd_logind_t)
+# write getattr open setattr
+fs_manage_cgroup_files(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+# /run/user/.*
+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
+auth_manage_var_auth(systemd_logind_t)
+
+dbus_connect_system_bus(systemd_logind_t)
+dbus_system_bus_client(systemd_logind_t)
+
+init_dbus_chat(systemd_logind_t)
+init_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+miscfiles_read_localization(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+
+optional_policy(`
+ cron_dbus_chat_crond(systemd_logind_t)
+ cron_read_state_crond(systemd_logind_t)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(systemd_logind_t)
+ xserver_read_state_xdm(systemd_logind_t)
+ # Only search is confirmed (/tmp/$USER/X11-unix)
+ xserver_read_xdm_tmp_files(systemd_logind_t)
+')
+
#######################################
#
# Local policy
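Review bot: Several grants in the systemd_logind local policy are broader than the access the adjacent comments say was observed. `fs_manage_cgroup_files` is annotated `# write getattr open setattr`, `auth_manage_var_auth` notes proof only of creating dirs and symlinks, and `xserver_read_xdm_tmp_files` notes that only search is confirmed. Because the domain is declared permissive elsewhere in this file, these over-grants will not show up as denials and are likely to survive unchanged into enforcing mode, alongside `chown` and `dac_override`. Each call should be narrowed to an interface matching the observed access where one exists, or at least marked, for example `# TODO: narrow to observed access before dropping permissive`. The two `manage_*_pattern` lines also pass both types in both positions, which allows each type's objects inside the other's directories; splitting them per type would state the intent more exactly.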