diff --git a/policy/modules.conf b/policy/modules.conf index e4103ce5e0..5c6fd8a305 100644 --- a/policy/modules.conf +++ b/policy/modules.conf @@ -3148,3 +3148,10 @@ afterburn = module # nvme_stas # nvme_stas = module + +# Layer: contrib +# Module: coreos_installer +# +# coreos_installer +# +coreos_installer = module diff --git a/policy/modules/contrib/coreos_installer.fc b/policy/modules/contrib/coreos_installer.fc new file mode 100644 index 0000000000..68e5f6d540 --- /dev/null +++ b/policy/modules/contrib/coreos_installer.fc @@ -0,0 +1,7 @@ +/usr/bin/coreos-installer -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) + +/usr/libexec/coreos-installer-disable-device-auto-activation -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) +/usr/libexec/coreos-installer-service -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) + +/usr/lib/systemd/system-generators/coreos-installer-generator -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) +/usr/lib/systemd/system/coreos-installer.* -- gen_context(system_u:object_r:coreos_installer_unit_file_t,s0) diff --git a/policy/modules/contrib/coreos_installer.if b/policy/modules/contrib/coreos_installer.if new file mode 100644 index 0000000000..64ef208940 --- /dev/null +++ b/policy/modules/contrib/coreos_installer.if @@ -0,0 +1,39 @@ +## policy for coreos_installer + +######################################## +## +## Execute coreos_installer_exec_t in the coreos_installer domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`coreos_installer_domtrans',` + gen_require(` + type coreos_installer_t, coreos_installer_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, coreos_installer_exec_t, coreos_installer_t) +') + +###################################### +## +## Execute coreos_installer in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`coreos_installer_exec',` + gen_require(` + type coreos_installer_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, coreos_installer_exec_t) +') diff --git a/policy/modules/contrib/coreos_installer.te b/policy/modules/contrib/coreos_installer.te new file mode 100644 index 0000000000..d6c3a808e8 --- /dev/null +++ b/policy/modules/contrib/coreos_installer.te @@ -0,0 +1,47 @@ +policy_module(coreos_installer, 1.0.0) + +######################################## +# +# Declarations +# + +type coreos_installer_t; +type coreos_installer_exec_t; +init_daemon_domain(coreos_installer_t, coreos_installer_exec_t) + +type coreos_installer_unit_file_t; +systemd_unit_file(coreos_installer_unit_file_t) + +permissive coreos_installer_t; + +######################################## +# +# coreos_installer local policy +# +allow coreos_installer_t self:capability { setgid setuid sys_admin }; +allow coreos_installer_t self:process { fork setpgid }; +allow coreos_installer_t self:fifo_file rw_fifo_file_perms; +allow coreos_installer_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_proc_files(coreos_installer_t) + +corecmd_exec_bin(coreos_installer_t) +corecmd_exec_shell(coreos_installer_t) + +dev_write_kmsg(coreos_installer_t) + +domain_use_interactive_fds(coreos_installer_t) + +files_read_etc_files(coreos_installer_t) + +optional_policy(` + auth_read_passwd_file(coreos_installer_t) +') + +optional_policy(` + miscfiles_read_localization(coreos_installer_t) +') + +optional_policy(` + sysnet_dns_name_resolve(coreos_installer_t) +')