systemd: Add elogind support

Elogind is based off systemd-logind extracted to stand alone. Signed-off-by: Jason Zaman <[email protected]> Signed-off-by: Jason Zaman <[email protected]>
perfinion · Nov 30, 2020 · a2d5d05 · a2d5d05
1 parent 51aae07
commit a2d5d05
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 1 deletion.
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
@@ -160,6 +160,8 @@ template(`sudo_role_template',`
 
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
+		systemd_dbus_chat_logind($1_sudo_t)
+		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
 
 		ifdef(`init_systemd',`
 			init_dbus_chat($1_sudo_t)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
@@ -71,6 +71,11 @@ interface(`auth_use_pam',`
 		optional_policy(`
 			fprintd_dbus_chat($1)
 		')
+
+		optional_policy(`
+			systemd_dbus_chat_logind($1)
+			systemd_write_inherited_logind_sessions_pipes($1)
+		')
 	')
 
 	optional_policy(`

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
@@ -16,6 +16,10 @@
 /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
+/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+
 # Systemd generators
 /usr/lib/systemd/system-environment-generators/.*				--	gen_context(system_u:object_r:systemd_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/.*							--	gen_context(system_u:object_r:systemd_generator_exec_t,s0)
@@ -62,6 +66,7 @@
 /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 
 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -115,6 +115,9 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
 
 type systemd_logind_t;
 type systemd_logind_exec_t;
+optional_policy(`
+    dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
+')
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
 
@@ -125,6 +128,7 @@ init_mountpoint(systemd_logind_inhibit_runtime_t)
 type systemd_logind_runtime_t alias systemd_logind_var_run_t;
 files_runtime_file(systemd_logind_runtime_t)
 init_daemon_runtime_file(systemd_logind_runtime_t, dir, "systemd_logind")
+init_daemon_runtime_file(systemd_logind_runtime_t, file, "elogind")
 init_mountpoint(systemd_logind_runtime_t)
 
 type systemd_logind_var_lib_t;
@@ -521,7 +525,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -533,6 +537,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
+files_runtime_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
+
+create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 
 manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
@@ -545,6 +552,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
 
 kernel_read_kernel_sysctls(systemd_logind_t)
 
+auth_write_login_records(systemd_logind_t)
+
 dev_getattr_dri_dev(systemd_logind_t)
 dev_getattr_generic_usb_dev(systemd_logind_t)
 dev_getattr_kvm_dev(systemd_logind_t)
@@ -564,10 +573,13 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
+files_purge_tmp(systemd_logind_t)
 files_read_etc_files(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
+fs_manage_cgroup_dirs(systemd_logind_t)
+fs_manage_cgroup_files(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
 fs_getattr_tmpfs_dirs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
@@ -577,6 +589,8 @@ fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 
+logging_send_audit_msgs(systemd_logind_t)
+
 selinux_use_status_page(systemd_logind_t)
 
 storage_getattr_removable_dev(systemd_logind_t)
@@ -589,6 +603,7 @@ term_use_unallocated_ttys(systemd_logind_t)
 
 auth_manage_faillog(systemd_logind_t)
 
+init_create_runtime_dirs(systemd_logind_t)
 init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
 init_get_system_status(systemd_logind_t)
@@ -636,6 +651,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
 userdom_setattr_user_ttys(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+       fs_read_nfs_files(systemd_logind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+       fs_read_cifs_files(systemd_logind_t)
+')
+
 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
 # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
 # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
@@ -676,6 +699,10 @@ optional_policy(`
 	policykit_dbus_chat(systemd_logind_t)
 ')
 
+optional_policy(`
+	shutdown_domtrans(systemd_logind_t)
+')
+
 optional_policy(`
 	xserver_read_state(systemd_logind_t)
 	xserver_dbus_chat(systemd_logind_t)