Add SELinux support for systemd-bootchart

fedora-selinux · Feb 7, 2017 · 695d9fa · 695d9fa
1 parent 4f4a91b
commit 695d9fa
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
@@ -18,6 +18,8 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home
 /usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 /usr/bin/systemd-hwdb		--	gen_context(system_u:object_r:systemd_hwdb_exec_t,s0)
 
+/usr/lib/systemd/systemd-bootchart	--	gen_context(system_u:object_r:systemd_bootchart_exec_t,s0)
+
 /usr/lib/dracut/modules.d/.*\.service	gen_context(system_u:object_r:systemd_unit_file_t,s0)
 /usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 /run/systemd/transient(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
@@ -29,6 +31,8 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home
 /usr/lib/systemd/system/systemd-rfkill\.service	--	gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
 /usr/lib/systemd/system/systemd-time.*\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
 /usr/lib/systemd/system/systemd-hwdb.*\.service	--	gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-bootchart.*\.service 	--	gen_context(system_u:object_r:systemd_bootchart_unit_file_t,s0)
+
 /usr/lib/systemd/system/.*halt.(service|target)	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 /usr/lib/systemd/system/.*hibernate.*\.(service|target)		--	gen_context(system_u:object_r:power_unit_file_t,s0)
 /usr/lib/systemd/system/.*power.*\.(service|target)		--	gen_context(system_u:object_r:power_unit_file_t,s0)
@@ -69,4 +73,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home
 /var/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /var/run/systemd/resolve(/.*)?	gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /var/run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
+
+/var/run/log/bootchart.*	--	gen_context(system_u:object_r:systemd_bootchart_var_run_t,s0)
+
 /var/run/initramfs(/.*)?	<<none>>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -52,6 +52,14 @@ systemd_unit_file(systemd_networkd_unit_file_t)
 type systemd_networkd_var_run_t;
 files_pid_file(systemd_networkd_var_run_t)
 
+systemd_domain_template(systemd_bootchart)
+
+type systemd_bootchart_unit_file_t;
+systemd_unit_file(systemd_bootchart_unit_file_t)
+
+type systemd_bootchart_var_run_t;
+files_pid_file(systemd_bootchart_var_run_t)
+
 systemd_domain_template(systemd_resolved)
 
 type systemd_resolved_var_run_t;
@@ -978,3 +986,19 @@ dev_read_sysfs(systemd_modules_load_t)
 files_read_kernel_modules(systemd_modules_load_t)
 modutils_read_module_config(systemd_modules_load_t)
 
+
+#######################################
+#
+# systemd_modules_load domain
+#
+
+allow systemd_bootchart_t self:capability2 wake_alarm;
+
+kernel_dgram_send(systemd_bootchart_t)
+kernel_rw_kernel_sysctl(systemd_bootchart_t)
+dev_list_sysfs(systemd_bootchart_t)
+
+domain_read_all_domains_state(systemd_bootchart_t)
+
+manage_files_pattern(systemd_bootchart_t, systemd_bootchart_var_run_t, systemd_bootchart_var_run_t)
+logging_syslogd_pid_filetrans(systemd_bootchart_t, systemd_bootchart_var_run_t, file)