File: //usr/share/selinux/devel/include/system/systemd.if
## <summary>Systemd components (not PID 1)</summary>

#########################################
## <summary>
##	Template for systemd --user per-role domains.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for generated types
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain for the role.
##	</summary>
## </param>
#
template(`systemd_role_template',`
	# Arguments: first = prefix for the generated types, second = the user
	# role, third = the user domain for that role.
	gen_require(`
		attribute systemd_user_session_type, systemd_log_parse_env_type;
		attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
		type systemd_run_exec_t, systemd_analyze_exec_t;
		type systemd_conf_home_t, systemd_data_home_t;
		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
		type systemd_user_unit_t, systemd_user_runtime_unit_t;
		type systemd_machined_t, user_devpts_t;
	')

	#################################
	#
	# Declarations
	#
	# One systemd --user instance type per prefix, added to the shared
	# user session and log parse attributes and authorized for the role.
	type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type;
	init_pgm_spec_user_daemon_domain($1_systemd_t)
	domain_user_exemption_target($1_systemd_t)
	ubac_constrained($1_systemd_t)
	role $2 types $1_systemd_t;

	#################################
	#
	# Local policy
	#

	# This domain is per-role because of the below transitions.
	# See the systemd --user section of systemd.te for the
	# remainder of the rules.
	allow $1_systemd_t self:process { getsched signal };
	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
	# setsched, rlimitinh and signal_perms apply to every process of the
	# user domain type, not only to processes this instance started.
	allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
	# Executing a shell or a generic bin file from the instance enters the
	# user domain; the shell is also an entry point for the instance type.
	corecmd_shell_domtrans($1_systemd_t, $3)
	corecmd_bin_domtrans($1_systemd_t, $3)
	corecmd_shell_entry_type($1_systemd_t)

	# systemctl --user rules
	# Socket activation: create and listen on sockets of every type that
	# carries the activated socket attribute, and manage the matching
	# socket files and their directories.
	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
	allow $1_systemd_t systemd_user_activated_sock_file_type:dir manage_dir_perms;
	allow $1_systemd_t systemd_user_activated_sock_file_type:sock_file manage_sock_file_perms;

	# Full manage access to user runtime content for every file class.
	# NOTE(review): this includes blk_file and chr_file, that is device
	# nodes carrying the user runtime label. The user domain rules further
	# down have no such rules. Whether device nodes are ever created under
	# this label is not visible here - confirm these two rules are needed.
	allow $1_systemd_t systemd_user_runtime_t:blk_file manage_blk_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:chr_file manage_chr_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:dir manage_dir_perms;
	allow $1_systemd_t systemd_user_runtime_t:file manage_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:fifo_file manage_fifo_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
	allow $1_systemd_t systemd_user_runtime_t:sock_file manage_sock_file_perms;

	allow $1_systemd_t systemd_user_runtime_unit_t:dir manage_dir_perms;
	allow $1_systemd_t systemd_user_runtime_unit_t:file manage_file_perms;
	allow $1_systemd_t systemd_user_runtime_unit_t:lnk_file manage_lnk_file_perms;

	# Read-only access to dir, file and lnk_file objects labeled with the
	# user domain type itself.
	allow $1_systemd_t $3:dir search_dir_perms;
	allow $1_systemd_t $3:file read_file_perms;
	allow $1_systemd_t $3:lnk_file read_lnk_file_perms;

	# These four named transitions are written against the
	# systemd_user_session_type attribute and use no template argument, so
	# every instantiation of the template emits the same rules again.
	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.early")
	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.late")
	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "transient")
	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "user")

	dev_read_urand($1_systemd_t)

	files_search_home($1_systemd_t)

	fs_manage_cgroup_files($1_systemd_t)
	fs_watch_cgroup_files($1_systemd_t)

	kernel_dontaudit_getattr_proc($1_systemd_t)

	selinux_use_status_page($1_systemd_t)

	init_linkable_keyring($1_systemd_t)
	init_list_unit_dirs($1_systemd_t)
	init_read_generic_units_files($1_systemd_t)

	miscfiles_watch_localization($1_systemd_t)

	mount_read_runtime_files($1_systemd_t)
	mount_watch_runtime_files($1_systemd_t)
	mount_watch_reads_runtime_files($1_systemd_t)

	seutil_search_default_contexts($1_systemd_t)
	seutil_read_file_contexts($1_systemd_t)

	userdom_search_user_home_dirs($1_systemd_t)

	# for machinectl shell
	term_user_pty($1_systemd_t, user_devpts_t)
	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;

	systemd_manage_conf_home_content($1_systemd_t)
	systemd_manage_data_home_content($1_systemd_t)

	systemd_search_user_runtime_unit_dirs($1_systemd_t)

	# NOTE(review): the next call repeats the one directly above with the
	# same argument; it adds no rules and could be dropped.
	systemd_search_user_runtime_unit_dirs($1_systemd_t)
	systemd_read_user_unit_files($1_systemd_t)

	dbus_system_bus_client($1_systemd_t)
	dbus_spec_session_bus_client($1, $1_systemd_t)

	# userdomain rules
	# From here on the subject of most rules is the user domain, which is
	# given control over its own systemd --user instance.
	allow $3 $1_systemd_t:process signal;
	allow $3 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
	# Allow using file descriptors for user environment generators
	allow $3 $1_systemd_t:fd use;
	allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)

	# system class permissions on the instance type; presumably these are
	# the checks behind systemctl --user manager operations - confirm.
	allow $3 $1_systemd_t:system { disable enable reload start stop status };

	# Manage and relabel, not only read, the user runtime content. No
	# blk_file or chr_file class appears in this group.
	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	# for "machinectl shell"
	# Descriptors come from machined, and the D-Bus message permission is
	# granted in both directions between machined and the user domain.
	allow $1_systemd_t systemd_machined_t:fd use;
	allow $3 systemd_machined_t:fd use;
	allow $3 systemd_machined_t:dbus send_msg;
	allow systemd_machined_t $3:dbus send_msg;

	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	# service class permissions on units labeled as system-wide user units
	# or as config home content. enable and disable are not in this set.
	allow $3 systemd_user_unit_t:service { reload start status stop };
	allow $3 systemd_conf_home_t:service { reload start status stop };

	# systemd-run and systemd-analyze run in the user domain itself; no
	# domain transition is set up for them here.
	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })

	init_dbus_chat($3)

	# NOTE(review): these two interfaces grant list and read access on the
	# systemd_journal_t type as a whole. Nothing visible in this file makes
	# that type per-user, so confirm that the journal content reachable
	# this way is acceptable for every role the template is used for.
	systemd_list_journal_dirs($3)
	systemd_read_journal_files($3)

	systemd_manage_conf_home_content($3)
	systemd_relabel_conf_home_content($3)

	systemd_manage_data_home_content($3)
	systemd_relabel_data_home_content($3)

	systemd_read_user_unit_files($3)
	systemd_list_user_runtime_unit_dirs($3)
	systemd_read_user_runtime_units($3)

	systemd_reload_user_runtime_units($3)
	systemd_start_user_runtime_units($3)
	systemd_status_user_runtime_units($3)
	systemd_stop_user_runtime_units($3)

	optional_policy(`
		dirmngr_tmp_dir_search($1_systemd_t)
	')

	optional_policy(`
	        xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
	        xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
	        xdg_read_config_files($1_systemd_t)
	        xdg_read_data_files($1_systemd_t)
	')
')

######################################
## <summary>
##   Allow the specified domain to be started as a daemon by the
##   specified systemd user instance.
## </summary>
## <param name="prefix">
##   <summary>
##     Prefix for the user domain.
##   </summary>
## </param>
## <param name="entry_point">
##   <summary>
##     Entry point file type for the domain.
##   </summary>
## </param>
## <param name="domain">
##   <summary>
##     Domain to allow the systemd user domain to run.
##   </summary>
## </param>
#
template(`systemd_user_daemon_domain',`
	# The per-role systemd user instance type must already be declared,
	# which systemd_role_template does for the same prefix.
	gen_require(`
		type $1_systemd_t;
	')

	# Executing a file of the entry point type from the user instance
	# transitions into the daemon domain.
	domtrans_pattern($1_systemd_t, $2, $3)

	# The instance may send the signals in signal_perms to the daemon, and
	# the daemon may read and write stream sockets labeled with the
	# instance type.
	allow $1_systemd_t $3:process signal_perms;
	allow $3 $1_systemd_t:unix_stream_socket rw_socket_perms;
')

######################################
## <summary>
##   Associate the specified file type to be a type whose sock files
##   can be managed by systemd user instances for socket activation.
## </summary>
## <param name="file_type">
##   <summary>
##     File type to be associated.
##   </summary>
## </param>
#
interface(`systemd_user_activated_sock_file',`
	gen_require(`
		attribute systemd_user_activated_sock_file_type;
	')

	typeattribute $1 systemd_user_activated_sock_file_type;
')

######################################
## <summary>
##   Associate the specified domain to be a domain whose unix stream
##   sockets and sock files can be managed by systemd user instances
##   for socket activation.
## </summary>
## <param name="domain">
##   <summary>
##     Domain to be associated.
##   </summary>
## </param>
## <param name="sock_file_type">
##   <summary>
##     File type of the domain's sock files to be associated.
##   </summary>
## </param>
#
interface(`systemd_user_unix_stream_activated_socket',`
	gen_require(`
		attribute systemd_user_unix_stream_activated_socket_type;
	')

	# systemd_role_template lets every per-role user instance create and
	# listen on unix stream sockets of domains carrying this attribute, so
	# adding a domain here extends that access to all user instances.
	typeattribute $1 systemd_user_unix_stream_activated_socket_type;
	# Second argument: the matching sock_file type, which the user
	# instances may then manage.
	systemd_user_activated_sock_file($2)
')

######################################
## <summary>
##   Allow the specified domain to manage systemd config home
##   content.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_manage_conf_home_content',`
	gen_require(`
		type systemd_conf_home_t;
	')

	manage_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	manage_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	manage_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
')

######################################
## <summary>
##   Allow the specified domain to relabel systemd config home
##   content.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_relabel_conf_home_content',`
	gen_require(`
		type systemd_conf_home_t;
	')

	relabel_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	relabel_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
	relabel_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
')

######################################
## <summary>
##   Allow the specified domain to manage systemd data home
##   content.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_manage_data_home_content',`
	gen_require(`
		type systemd_data_home_t;
	')

	allow $1 systemd_data_home_t:dir manage_dir_perms;
	allow $1 systemd_data_home_t:file manage_file_perms;
	allow $1 systemd_data_home_t:lnk_file manage_lnk_file_perms;
')

######################################
## <summary>
##   Allow the specified domain to relabel systemd data home
##   content.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_relabel_data_home_content',`
	gen_require(`
		type systemd_data_home_t;
	')

	relabel_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
	relabel_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
	relabel_lnk_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
')

######################################
## <summary>
##   Allow the specified domain to read systemd user runtime lnk files.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_read_user_runtime_lnk_files',`
	gen_require(`
		type systemd_user_runtime_t;
	')

	read_lnk_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
')

######################################
## <summary>
##   Allow the specified domain to read system-wide systemd
##   user unit files.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_read_user_unit_files',`
	gen_require(`
		type systemd_user_unit_t;
	')

	allow $1 systemd_user_unit_t:dir list_dir_perms;
	allow $1 systemd_user_unit_t:file read_file_perms;
	allow $1 systemd_user_unit_t:lnk_file read_lnk_file_perms;
')

######################################
## <summary>
##   Allow the specified domain to read systemd user runtime unit files.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_read_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
	')

	read_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
	read_lnk_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
')

######################################
## <summary>
##   Allow the specified domain to search systemd user runtime unit
##   directories.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_search_user_runtime_unit_dirs',`
	gen_require(`
		type systemd_user_runtime_unit_t;
	')

	search_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
')

######################################
## <summary>
##   Allow the specified domain to list the contents of systemd
##   user runtime unit directories.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_list_user_runtime_unit_dirs',`
	gen_require(`
		type systemd_user_runtime_unit_t;
	')

	list_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
')

######################################
## <summary>
##   Allow the specified domain to get the status of systemd user runtime units.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_status_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service status;
	')

	allow $1 systemd_user_runtime_unit_t:service status;
')

######################################
## <summary>
##   Allow the specified domain to start systemd user runtime units.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_start_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service start;
	')

	allow $1 systemd_user_runtime_unit_t:service start;
')

######################################
## <summary>
##   Allow the specified domain to stop systemd user runtime units.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_stop_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service stop;
	')

	allow $1 systemd_user_runtime_unit_t:service stop;
')

######################################
## <summary>
##   Allow the specified domain to reload systemd user runtime units.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_reload_user_runtime_units',`
	gen_require(`
		type systemd_user_runtime_unit_t;
		class service reload;
	')

	allow $1 systemd_user_runtime_unit_t:service reload;
')

######################################
## <summary>
##   Make the specified type usable as a
##   log parse environment type.
## </summary>
## <param name="domain">
##   <summary>
##     Type to be used as a log parse environment type.
##   </summary>
## </param>
#
interface(`systemd_log_parse_environment',`
	gen_require(`
		attribute systemd_log_parse_env_type;
	')

	typeattribute $1 systemd_log_parse_env_type;
')

######################################
## <summary>
##   Allow domain to use systemd's Name Service Switch (NSS) module.
##   This module provides UNIX user and group name resolution for dynamic users
##   and groups allocated through the DynamicUser= option in systemd unit files.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access
##   </summary>
## </param>
#
interface(`systemd_use_nss',`
	gen_require(`
		type systemd_conf_t;
	')

	# Get attributes of /etc/systemd/dont-synthesize-nobody
	# Only getattr is granted on the systemd config type here: the caller
	# can check the file attributes but gets no read access from this
	# interface.
	files_search_etc($1)
	allow $1 systemd_conf_t:file getattr;

	# The D-Bus access sits inside optional_policy, so it is only emitted
	# when the modules providing these two interfaces are present.
	optional_policy(`
		dbus_system_bus_client($1)
		# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
		init_dbus_chat($1)
	')
')

######################################
## <summary>
##   Allow domain to be used as a systemd service with a unit
##   that uses PrivateDevices=yes in section [Service].
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access
##   </summary>
## </param>
#
interface(`systemd_PrivateDevices',`
	# For services using PrivateDevices, systemd mounts a dedicated
	# tmpfs filesystem for the /dev, which gets label tmpfs_t.
	# Allow to traverse /dev and to read symlinks in /dev (for example /dev/log)
	fs_read_tmpfs_symlinks($1)
')

#######################################
## <summary>
##  Allow domain to read udev hwdb file
## </summary>
## <param name="domain">
## <summary>
##  domain allowed access
## </summary>
## </param>
#
interface(`systemd_read_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')

#######################################
## <summary>
##  Allow domain to map udev hwdb file
## </summary>
## <param name="domain">
## <summary>
##  domain allowed access
## </summary>
## </param>
#
interface(`systemd_map_hwdb',`
	gen_require(`
		type systemd_hwdb_t;
	')

	allow $1 systemd_hwdb_t:file map;
')

######################################
## <summary>
##   Read systemd_login PID files.  (Deprecated)
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_read_logind_pids',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_read_logind_runtime_files() instead.')
	systemd_read_logind_runtime_files($1)
')

######################################
## <summary>
##   Manage systemd_login PID pipes.  (Deprecated)
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_manage_logind_pid_pipes',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_manage_logind_runtime_pipes() instead.')
	systemd_manage_logind_runtime_pipes($1)
')

######################################
## <summary>
##     Write systemd_login named pipe.  (Deprecated)
## </summary>
## <param name="domain">
##     <summary>
##     Domain allowed access.
##     </summary>
## </param>
#
interface(`systemd_write_logind_pid_pipes',`
	refpolicywarn(`$0($*) has been deprecated, please use systemd_write_logind_runtime_pipes() instead.')
	systemd_write_logind_runtime_pipes($1)
')

######################################
## <summary>
##   Read systemd-logind runtime files.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_read_logind_runtime_files',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	files_search_runtime($1)
	allow $1 systemd_logind_runtime_t:dir list_dir_perms;
	allow $1 systemd_logind_runtime_t:file read_file_perms;
')

######################################
## <summary>
##   Manage systemd-logind runtime pipes.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_manage_logind_runtime_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	files_search_runtime($1)
	manage_fifo_files_pattern($1, systemd_logind_runtime_t, systemd_logind_runtime_t)
')

######################################
## <summary>
##     Write systemd-logind runtime named pipe.
## </summary>
## <param name="domain">
##     <summary>
##     Domain allowed access.
##     </summary>
## </param>
#
interface(`systemd_write_logind_runtime_pipes',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	# NOTE(review): init_search_run is called here, while
	# systemd_stream_connect_userdb in this file calls init_search_runtime.
	# Check in the installed init.if whether init_search_run is a
	# deprecated alias.
	init_search_run($1)
	files_search_runtime($1)
	# getattr and write only: no open permission on the fifo is granted by
	# this interface.
	allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
')

######################################
## <summary>
##     Watch systemd-logind runtime dirs
## </summary>
## <param name="domain">
##     <summary>
##     Domain allowed access.
##     </summary>
## </param>
#
interface(`systemd_watch_logind_runtime_dirs',`
	gen_require(`
		type systemd_logind_runtime_t;
	')

	allow $1 systemd_logind_runtime_t:dir watch;
')

######################################
## <summary>
##   Use inherited systemd
##   logind file descriptors.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_use_logind_fds',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
')

######################################
## <summary>
##      Read logind sessions files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_read_logind_sessions_files',`
	gen_require(`
		type systemd_sessions_runtime_t, systemd_logind_t;
	')

	# Besides the read access named in the summary, the caller may also
	# use file descriptors that belong to logind.
	allow $1 systemd_logind_t:fd use;
	# NOTE(review): other interfaces in this file call init_search_runtime;
	# check whether init_search_run is a deprecated alias in init.if.
	init_search_run($1)
	# List the sessions directory and read the session files in it.
	allow $1 systemd_sessions_runtime_t:dir list_dir_perms;
	read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
')

######################################
## <summary>
##      Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
	gen_require(`
		type systemd_logind_t, systemd_sessions_runtime_t;
	')

	# Use descriptors that belong to logind and write to the session fifo.
	# No open permission is granted, which matches the inherited wording in
	# the interface name.
	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_sessions_runtime_t:fifo_file write;
	# Reverse direction: logind is the subject of this rule and may send
	# signals covered by the signal permission to the caller domain. The
	# interface summary does not mention this grant.
	allow systemd_logind_t $1:process signal;
')

######################################
## <summary>
##      Watch logind sessions dirs.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_watch_logind_sessions_dirs',`
	gen_require(`
		type systemd_sessions_runtime_t;
	')

	allow $1 systemd_sessions_runtime_t:dir watch;
')

######################################
## <summary>
##      Write inherited logind inhibit pipes.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_write_inherited_logind_inhibit_pipes',`
	gen_require(`
		type systemd_logind_inhibit_runtime_t;
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_logind_inhibit_runtime_t:fifo_file write;
')

########################################
## <summary>
##   Send and receive messages from
##   systemd logind over dbus.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_dbus_chat_logind',`
	gen_require(`
		type systemd_logind_t;
		class dbus send_msg;
	')

	# The message permission is granted in both directions: the caller may
	# send to logind, and logind may send to the caller. Nothing here
	# restricts which logind methods are reachable; send_msg is checked per
	# peer type only.
	allow $1 systemd_logind_t:dbus send_msg;
	allow systemd_logind_t $1:dbus send_msg;
')

########################################
## <summary>
##	Get the system status information from systemd_login
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_logind',`
	gen_require(`
		type systemd_logind_t;
		class service status;
	')

	allow $1 systemd_logind_t:service status;
')

########################################
## <summary>
##	Send systemd_login a null signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_signull_logind',`
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:process signull;
')

########################################
## <summary>
##  Manage systemd userdb runtime directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_userdb_runtime_dirs', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
')

########################################
## <summary>
##  Manage socket files under /run/systemd/userdb .
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_manage_userdb_runtime_sock_files', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
')

########################################
## <summary>
##  Connect to /run/systemd/userdb/io.systemd.DynamicUser .
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_stream_connect_userdb', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	init_search_runtime($1)
	# The summary names one socket, but the rules are type-wide: the caller
	# may list the userdb directory and write to every socket file labeled
	# with the userdb runtime type.
	allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
	allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
	# connectto comes from the init module interface; presumably the
	# listening socket is owned by the init domain - confirm in init.if.
	init_unix_stream_socket_connectto($1)
')

########################################
## <summary>
##	Allow reading /run/systemd/machines
## </summary>
## <param name="domain">
##	<summary>
##	Domain that can access the machines files
##	</summary>
## </param>
#
interface(`systemd_read_machines',`
	gen_require(`
		type systemd_machined_runtime_t;
	')

	allow $1 systemd_machined_runtime_t:dir list_dir_perms;
	allow $1 systemd_machined_runtime_t:file read_file_perms;
')

########################################
## <summary>
##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
## </summary>
## <param name="domain">
##     <summary>
##     Domain that can access the socket
##     </summary>
## </param>
#
interface(`systemd_connect_machined',`
	gen_require(`
		type systemd_machined_t;
	')

	# Only connectto on the machined stream socket is granted. Searching
	# the directory and writing to the socket file named in the summary
	# are not granted here; systemd_stream_connect_userdb in this file
	# grants those for the userdb runtime type.
	# NOTE(review): presumably callers are expected to pair the two
	# interfaces - confirm against the callers.
	allow $1 systemd_machined_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Allow watching /run/systemd/machines
## </summary>
## <param name="domain">
##	<summary>
##	Domain that can watch the machines files
##	</summary>
## </param>
#
interface(`systemd_watch_machines_dirs',`
	gen_require(`
		type systemd_machined_runtime_t;
	')

	allow $1 systemd_machined_runtime_t:dir watch;
')

########################################
## <summary>
##   Send and receive messages from
##   systemd hostnamed over dbus.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_dbus_chat_hostnamed',`
	gen_require(`
		type systemd_hostnamed_t;
		class dbus send_msg;
	')

	allow $1 systemd_hostnamed_t:dbus send_msg;
	allow systemd_hostnamed_t $1:dbus send_msg;
')

########################################
## <summary>
##      allow systemd_passwd_agent to inherit fds
## </summary>
## <param name="domain">
##      <summary>
##      Domain that owns the fds
##      </summary>
## </param>
#
interface(`systemd_use_passwd_agent_fds',`
	gen_require(`
		type systemd_passwd_agent_t;
	')

	# The argument is the domain that owns the descriptors. The subject of
	# the rule is the password agent, so the grant goes to the agent and
	# not to the caller domain.
	allow systemd_passwd_agent_t $1:fd use;
')

########################################
## <summary>
##      allow systemd_passwd_agent to be run by admin
## </summary>
## <param name="domain">
##      <summary>
##      Domain that runs it
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      role that it runs in
##      </summary>
## </param>
#
interface(`systemd_run_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
	')

	# Executing the agent binary from the caller domain transitions into
	# the password agent domain.
	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
	# The agent may use descriptors that belong to the caller.
	allow systemd_passwd_agent_t $1:fd use;
	# Second argument: the role that is authorized for the agent type, so
	# the transition above is valid within that role.
	role $2 types systemd_passwd_agent_t;
')

#######################################
## <summary>
##	Allow a systemd_passwd_agent_t process to interact with a daemon
##	that needs a password from the sysadmin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_use_passwd_agent',`
	gen_require(`
		type systemd_passwd_agent_t;
		type systemd_passwd_runtime_t;
	')

	# The caller may create, modify and delete files and socket files of
	# the password request runtime type. The rules are type-wide, so this
	# covers requests placed there by other domains as well.
	manage_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
	manage_sock_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)

	# Reverse direction, with the password agent as subject: it may probe
	# the caller with the null signal, read the process information of the
	# caller through ps_process_pattern, and send datagrams to unix
	# datagram sockets of the caller.
	allow systemd_passwd_agent_t $1:process signull;
	ps_process_pattern(systemd_passwd_agent_t, $1)
	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')

########################################
## <summary>
##      Transition to systemd_passwd_runtime_t when creating dirs
## </summary>
## <param name="domain">
##      <summary>
##	Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_filetrans_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password-block")
	init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
')

########################################
## <summary>
##  Transition to systemd_userdb_runtime_t when
##  creating the userdb directory inside an init runtime
##  directory.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`systemd_filetrans_userdb_runtime_dirs', `
	gen_require(`
		type systemd_userdb_runtime_t;
	')

	init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
')

######################################
## <summary>
##  Allow the domain to create the systemd-passwd symlink
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`systemd_manage_passwd_runtime_symlinks',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
')

########################################
## <summary>
##      watch systemd_passwd_runtime_t dirs
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`systemd_watch_passwd_runtime_dirs',`
	gen_require(`
		type systemd_passwd_runtime_t;
	')

	allow $1 systemd_passwd_runtime_t:dir watch;
')

########################################
## <summary>
##      manage systemd unit dirs and the files in them  (Deprecated)
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_manage_all_units',`
	# Deprecated wrapper: emits a build-time warning and forwards to the
	# init module interface. The warning text here omits the argument list
	# that the other deprecation warnings in this file print.
	refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.')
	init_manage_all_unit_files($1)
')

########################################
## <summary>
##      Allow domain to list the contents of systemd_journal_t dirs
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_list_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
')

########################################
## <summary>
##      Allow domain to read systemd_journal_t files
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_read_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	# List journal directories, then read and memory-map the journal files.
	# Access is granted on the journal type as a whole; nothing in this
	# interface narrows it to a subset of journals.
	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
')

########################################
## <summary>
##      Allow domain to create/manage systemd_journal_t files
## </summary>
## <desc>
##      <p>
##      Grants full management of systemd_journal_t directories
##      and files (manage_dirs_pattern and manage_files_pattern)
##      plus the map permission on the files. A domain with this
##      access can rewrite or remove journal data, so grant it
##      only to components that must write the journal. Domains
##      that only consume logs should use
##      systemd_read_journal_files() instead.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`systemd_manage_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
	allow $1 systemd_journal_t:file map;
')

########################################
## <summary>
##	Relabel to systemd-journald directory type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_journal_dirs',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	allow $1 systemd_journal_t:dir relabelto_dir_perms;
')

########################################
## <summary>
##	Relabel to systemd-journald file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_journal_files',`
	gen_require(`
		type systemd_journal_t;
	')

	files_search_var($1)
	list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
	allow $1 systemd_journal_t:file relabelto_file_perms;
')

########################################
## <summary>
##	Allow domain to read systemd_networkd_unit_t unit files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	 </summary>
## </param>
#
interface(`systemd_read_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## <summary>
##	Allow domain to create/manage systemd_networkd_unit_t unit files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	 </summary>
## </param>
#
interface(`systemd_manage_networkd_units',`
	gen_require(`
		type systemd_networkd_unit_t;
	')

	init_search_units($1)
	manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
	manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')

########################################
## <summary>
##	Allow specified domain to enable and disable systemd-networkd units
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_enabledisable_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { enable disable };
	')

	allow $1 systemd_networkd_unit_t:service { enable disable };
')

########################################
## <summary>
##	Allow specified domain to start and stop systemd-networkd units
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_startstop_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service { start stop };
	')

	allow $1 systemd_networkd_unit_t:service { start stop };
')

########################################
## <summary>
##	Allow specified domain to get status of systemd-networkd
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_networkd',`
	gen_require(`
		type systemd_networkd_unit_t;
		class service status;
	')

	allow $1 systemd_networkd_unit_t:service status;
')

#######################################
## <summary>
## Relabel from systemd_networkd tun socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelfrom_networkd_tun_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:tun_socket relabelfrom;
')

#######################################
## <summary>
## Read/Write from systemd_networkd netlink route socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_rw_networkd_netlink_route_sockets',`
	gen_require(`
		type systemd_networkd_t;
	')

	allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
')

#######################################
## <summary>
##  Allow domain to list dirs under /run/systemd/netif
## </summary>
## <param name="domain">
## <summary>
##  domain permitted the access
## </summary>
## </param>
#
interface(`systemd_list_networkd_runtime',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	init_list_runtime($1)
	allow $1 systemd_networkd_runtime_t:dir list_dir_perms;
')

#######################################
## <summary>
##	Watch directories under /run/systemd/netif
## </summary>
## <param name="domain">
##	<summary>
##	Domain permitted the access
##	</summary>
## </param>
#
interface(`systemd_watch_networkd_runtime_dirs',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	allow $1 systemd_networkd_runtime_t:dir watch;
')

#######################################
## <summary>
##  Allow domain to read files generated by systemd_networkd
## </summary>
## <param name="domain">
## <summary>
##  domain allowed access
## </summary>
## </param>
#

interface(`systemd_read_networkd_runtime',`
	gen_require(`
		type systemd_networkd_runtime_t;
	')

	list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
	read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
')

########################################
## <summary>
##     Allow systemd_logind_t to read process state for cgroup file
## </summary>
## <desc>
##     <p>
##     The access granted here goes to systemd_logind_t, not to
##     the caller: logind may list directories and read files
##     labelled with the supplied domain type. The supplied
##     domain itself gains no permission from this interface.
##     </p>
## </desc>
## <param name="domain">
##     <summary>
##     Domain systemd_logind_t may access.
##     </summary>
## </param>
#
interface(`systemd_read_logind_state',`
	gen_require(`
		type systemd_logind_t;
	')

	allow systemd_logind_t $1:dir list_dir_perms;
	allow systemd_logind_t $1:file read_file_perms;
')

########################################
## <summary>
##	Allow specified domain to start power units
## </summary>
## <desc>
##	<p>
##	Grants the service start permission on units labelled
##	power_unit_t. These are presumably the units that power
##	off, reboot or suspend the machine (confirm against the
##	file contexts), so this access affects availability and
##	should be limited to domains that need it. This is an
##	allow rule, not a dontaudit rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_start_power_units',`
	gen_require(`
		type power_unit_t;
		class service start;
	')

	allow $1 power_unit_t:service start;
')

########################################
## <summary>
##	Get the system status information about power units
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_status_power_units',`
	gen_require(`
		type power_unit_t;
		class service status;
	')

	allow $1 power_unit_t:service status;
')

########################################
## <summary>
##  Allows connections to the systemd-socket-proxyd's socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_stream_connect_socket_proxyd', `
	gen_require(`
		type systemd_socket_proxyd_t;
	')

	allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Make the specified type usable for
##	systemd tmpfiles config files.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used for systemd tmpfiles config files.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_conf_file',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	files_config_file($1)
	typeattribute $1 systemd_tmpfiles_conf_type;
')

########################################
## <summary>
##	Allow the specified domain to create
##	the tmpfiles config directory with
##	the correct context.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_creator',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	files_runtime_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
	allow $1 systemd_tmpfiles_conf_t:dir create;
')

########################################
## <summary>
##	Create an object in the systemd tmpfiles config
##	directory, with a private type
##	using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`systemd_tmpfiles_conf_filetrans',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	files_search_runtime($1)
	filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')

########################################
## <summary>
##	Allow domain to list systemd tmpfiles config directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_list_tmpfiles_conf',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
')

########################################
## <summary>
##	Allow domain to relabel to systemd tmpfiles config directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_dirs',`
	gen_require(`
		type systemd_tmpfiles_conf_t;
	')

	allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
')

########################################
## <summary>
##	Allow domain to relabel to systemd tmpfiles config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_relabelto_tmpfiles_conf_files',`
	gen_require(`
		attribute systemd_tmpfiles_conf_type;
	')

	allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
')

#######################################
## <summary>
##  Allow systemd_tmpfiles_t to manage filesystem objects
## </summary>
## <desc>
##  <p>
##  The access is granted to systemd_tmpfiles_t, not to a caller
##  domain. On the given type it may list directories and, for
##  the given object class, create objects, set attributes and
##  relabel from and to the type. No read, write or unlink
##  permission is added by this interface. Because relabelfrom
##  and relabelto are included, apply it only to types that
##  tmpfiles.d configuration actually needs to create.
##  </p>
## </desc>
## <param name="type">
## <summary>
##  type of object to manage
## </summary>
## </param>
## <param name="class">
## <summary>
##  object class to manage
## </summary>
## </param>
#
interface(`systemd_tmpfilesd_managed',`
	gen_require(`
		type systemd_tmpfiles_t;
	')

	allow systemd_tmpfiles_t $1:dir list_dir_perms;
	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')

########################################
## <summary>
##   Send and receive messages from
##   systemd resolved over dbus.
## </summary>
## <param name="domain">
##   <summary>
##     Domain allowed access.
##   </summary>
## </param>
#
interface(`systemd_dbus_chat_resolved',`
	gen_require(`
		type systemd_resolved_t;
		class dbus send_msg;
	')

	allow $1 systemd_resolved_t:dbus send_msg;
	allow systemd_resolved_t $1:dbus send_msg;
')

#######################################
## <summary>
##  Allow domain to read resolv.conf file generated by systemd_resolved
## </summary>
## <param name="domain">
## <summary>
##  domain allowed access
## </summary>
## </param>
#
interface(`systemd_read_resolved_runtime',`
	gen_require(`
		type systemd_resolved_runtime_t;
	')

	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
')

#######################################
## <summary>
##  Allow domain to getattr on .updated file (generated by systemd-update-done)
## </summary>
## <param name="domain">
## <summary>
##  domain allowed access
## </summary>
## </param>
#
interface(`systemd_getattr_updated_runtime',`
	gen_require(`
		type systemd_update_run_t;
	')

	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')

########################################
## <summary>
##	Search keys for all systemd --user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_search_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	allow $1 systemd_user_session_type:key search;
')

########################################
## <summary>
##	Create keys for all systemd --user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_create_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	allow $1 systemd_user_session_type:key create;
')

########################################
## <summary>
##	Write keys for all systemd --user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_write_all_user_keys',`
	gen_require(`
		attribute systemd_user_session_type;
	')

	allow $1 systemd_user_session_type:key write;
')

########################################
## <summary>
##  Execute systemd-sysusers in the
##  systemd sysusers domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_domtrans_sysusers', `
	gen_require(`
		type systemd_sysusers_t, systemd_sysusers_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, systemd_sysusers_exec_t, systemd_sysusers_t)
')

########################################
## <summary>
##  Run systemd-sysusers with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##  <summary>
##  Role allowed access.
##  </summary>
## </param>
## <rolecap/>
#
interface(`systemd_run_sysusers', `
	gen_require(`
		attribute_role systemd_sysusers_roles;
	')

	systemd_domtrans_sysusers($1)
	roleattribute $2 systemd_sysusers_roles;
')

########################################
## <summary>
##  receive and use a systemd_machined_devpts_t file handle
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`systemd_use_inherited_machined_ptys', `
	gen_require(`
		type systemd_machined_t, systemd_machined_devpts_t;
	')

	allow $1 systemd_machined_t:fd use;
	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
')

########################################
## <summary>
##  run systemd-nspawn in systemd_nspawn_t domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed to use the systemd_nspawn_t type.
##      </summary>
## </param>
#
interface(`systemd_run_nspawn', `
	gen_require(`
		type systemd_nspawn_t, systemd_nspawn_exec_t;
	')

	# Authorize the role for the nspawn domain type before adding the transition.
	role $2 types systemd_nspawn_t;
	# NOTE(review): no corecmd_search_bin call here unlike systemd_domtrans_sysusers - confirm callers can already search the directory holding the binary.
	domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t)
')

########################################
## <summary>
##  send datagrams to systemd_nspawn_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dgram_nspawn', `
	gen_require(`
		type systemd_nspawn_t, systemd_nspawn_var_run_t;
	')

	dgram_send_pattern($1, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t, systemd_nspawn_t)
')

########################################
## <summary>
##  search systemd_user_runtime_t dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_search_user_runtime', `
	gen_require(`
		type systemd_user_runtime_t;
	')

	allow $1 systemd_user_runtime_t:dir search;
')