
[04/12] package/systemd/selinux: Add buildroot systemd selinux policy

Message ID 20231012103210.2915871-5-adam.duskett@amarulasolutions.com

Commit Message

Adam Duskett Oct. 12, 2023, 10:32 a.m. UTC
Systemd requires quite a bit of extra permissions not provided by the refpolicy
systemd module to function properly in enforcing mode without denials. This is
based on Maxime Chevallier's previous work, found here:
https://patchwork.ozlabs.org/project/buildroot/patch/20210107135307.1762186-3-maxime.chevallier@bootlin.com/

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 DEVELOPERS                                   |  1 +
 package/systemd/selinux/buildroot-systemd.fc |  0
 package/systemd/selinux/buildroot-systemd.if |  1 +
 package/systemd/selinux/buildroot-systemd.te | 66 ++++++++++++++++++++
 4 files changed, 68 insertions(+)
 create mode 100644 package/systemd/selinux/buildroot-systemd.fc
 create mode 100644 package/systemd/selinux/buildroot-systemd.if
 create mode 100644 package/systemd/selinux/buildroot-systemd.te

Patch

diff --git a/DEVELOPERS b/DEVELOPERS
index 36108715bf..e49960f572 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -39,6 +39,7 @@  F:	package/flutter-gallery/
 F:	package/flutter-pi/
 F:	package/flutter-sdk-bin/
 F:	package/refpolicy/selinux/
+F:	package/systemd/selinux/
 F:	package/sysvinit/selinux/
 F:	support/testing/tests/package/test_flutter.py
 
diff --git a/package/systemd/selinux/buildroot-systemd.fc b/package/systemd/selinux/buildroot-systemd.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/systemd/selinux/buildroot-systemd.if b/package/systemd/selinux/buildroot-systemd.if
new file mode 100644
index 0000000000..7c56777c32
--- /dev/null
+++ b/package/systemd/selinux/buildroot-systemd.if
@@ -0,0 +1 @@ 
+## <summary>Buildroot systemd rules</summary>
diff --git a/package/systemd/selinux/buildroot-systemd.te b/package/systemd/selinux/buildroot-systemd.te
new file mode 100644
index 0000000000..8d6dee99cf
--- /dev/null
+++ b/package/systemd/selinux/buildroot-systemd.te
@@ -0,0 +1,66 @@ 
+policy_module(buildroot-systemd, 1.0.0)
+
+#============= sysadm_t ==============
+allow sysadm_t init_t:fd use;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t init_t:unix_stream_socket connectto;
+
+#============= systemd_generator_t ==============
+allow systemd_generator_t locale_t:dir search;
+allow systemd_generator_t locale_t:file { getattr open read };
+allow systemd_generator_t locale_t:lnk_file read;
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:process setfscreate;
+allow systemd_generator_t selinux_config_t:dir { getattr search };
+allow systemd_generator_t tty_device_t:chr_file { ioctl open read write };
+
+#============= systemd_homed_t ==============
+allow systemd_homed_t self:unix_stream_socket listen;
+allow systemd_homed_t selinux_config_t:dir search;
+
+#============= systemd_hw_t ==============
+# allow systemd_hw_t init_runtime_t:dir search;
+
+#============= systemd_journal_init_t ==============
+allow systemd_journal_init_t self:capability net_admin;
+allow systemd_journal_init_t selinux_config_t:dir { getattr search };
+
+#============= systemd_networkd_t ==============
+allow systemd_networkd_t net_conf_t:dir { getattr open read search };
+allow systemd_networkd_t selinux_config_t:dir { getattr search };
+allow systemd_networkd_t selinux_config_t:dir search;
+allow systemd_networkd_t system_dbusd_runtime_t:dir read;
+allow systemd_networkd_t system_dbusd_runtime_t:sock_file read;
+allow systemd_networkd_t var_run_t:dir read;
+
+#============= systemd_resolved_t ==============
+allow systemd_resolved_t system_dbusd_runtime_t:dir read;
+allow systemd_resolved_t system_dbusd_runtime_t:sock_file read;
+allow systemd_resolved_t var_run_t:dir read;
+
+#============= systemd_sessions_t ==============
+allow systemd_sessions_t self:capability net_admin;
+
+#============= systemd_sysctl_t ==============
+allow systemd_sysctl_t selinux_config_t:dir { getattr search };
+
+#============= systemd_sysusers_t ==============
+allow systemd_sysusers_t self:capability net_admin;
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t auditd_log_t:dir { create getattr open read relabelfrom relabelto };
+allow systemd_tmpfiles_t etc_t:dir relabelfrom;
+allow systemd_tmpfiles_t etc_t:file { relabelfrom relabelto };
+allow systemd_tmpfiles_t init_t:unix_stream_socket connectto;
+allow systemd_tmpfiles_t ssh_home_t:dir { getattr relabelfrom relabelto };
+allow systemd_tmpfiles_t system_dbusd_var_lib_t:dir read;
+allow systemd_tmpfiles_t systemd_journal_t:lnk_file { read getattr relabelfrom relabelto };
+allow systemd_tmpfiles_t user_home_dir_t:dir { getattr search relabelfrom relabelto };
+allow systemd_tmpfiles_t user_home_t:dir { getattr search relabelfrom relabelto };
+allow systemd_tmpfiles_t usr_t:dir read;
+allow systemd_tmpfiles_t usr_t:file { open read };
+allow systemd_tmpfiles_t var_spool_t:dir create;
+
+#============= systemd_update_done_t ==============
+allow systemd_update_done_t self:capability net_admin;
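Review bot: The rule `allow systemd_networkd_t selinux_config_t:dir search;` is fully covered by the `{ getattr search }` rule on the line directly above it and can be dropped, and the systemd_hw_t section consists only of a commented-out rule, so that header is dead text. More important for a policy intended for enforcing mode, the capability grants are broader than the rest of the module: `self:capability net_admin` goes to systemd_journal_init_t, systemd_sessions_t, systemd_sysusers_t and systemd_update_done_t, and `dac_override` to systemd_generator_t; if the net_admin denials come from journal-socket buffer tuning (a common source with systemd logging) a `dontaudit` is the usual treatment rather than an allow, and each capability line should carry a comment naming the operation that needs it. The relabelfrom/relabelto grants to systemd_tmpfiles_t on etc_t, user_home_dir_t, user_home_t and ssh_home_t likewise deserve a one-line comment naming the tmpfiles.d entry behind them, since they let tmpfiles change the label of any file or directory in those types. Finally, the module writes raw allow rules against other modules' types with no gen_require block, which presumably relies on a monolithic policy build; the refpolicy convention is to call the owning module's interfaces (e.g. `seutil_read_config(systemd_generator_t)` for the selinux_config_t searches) so the rules survive type renames and still compile as a loadable module.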