add permissions for the systemd.offline-updates symlink
Adds support for the "magic symlink" at /system-update or
/etc/system-update. The package manager is supposed to create this
link, a system generator checks for it, then the package manager needs
to read it and then delete it to clean up after itself. The initrc_t
permissions are because systemd provides a unit to forcibly cleanup in
case the update program doesn't for some reason.

Signed-off-by: Michael Snook <[email protected]>
sgtsnookums committed Feb 11, 2025
1 parent f6c4144 commit 5206d8c
Showing 5 changed files with 111 additions and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/admin/rpm.te
Expand Up @@ -229,6 +229,7 @@ userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
ifdef(`init_systemd', `
systemd_use_logind_fds(rpm_t)
systemd_dbus_chat_logind(rpm_t)
systemd_manage_updates_symlink(rpm_t)
')

optional_policy(`
77 changes: 77 additions & 0 deletions policy/modules/kernel/files.if
Expand Up @@ -3677,6 +3677,37 @@ interface(`files_create_boot_flag',`
filetrans_pattern($1, root_t, etc_runtime_t, file, $2)
')

########################################
## <summary>
## Create a symlink boot flag.
## </summary>
## <desc>
## <p>
## Create a boot flag that is a symlink, such as
## /system-update
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_create_link_boot_flag',`
gen_require(`
type root_t, etc_runtime_t;
')

allow $1 etc_runtime_t:lnk_file manage_lnk_file_perms;
filetrans_pattern($1, root_t, etc_runtime_t, lnk_file, $2)
')

########################################
## <summary>
## Delete a boot flag.
Expand All @@ -3702,6 +3733,31 @@ interface(`files_delete_boot_flag',`
delete_files_pattern($1, root_t, etc_runtime_t)
')

########################################
## <summary>
## Delete a symlink boot flag.
## </summary>
## <desc>
## <p>
## Delete a symlink boot flag, such as
## /system-update
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_delete_link_boot_flag',`
gen_require(`
type root_t, etc_runtime_t;
')

delete_lnk_files_pattern($1, root_t, etc_runtime_t)
')

########################################
## <summary>
## Get the attributes of the
Expand Down Expand Up @@ -3953,6 +4009,27 @@ interface(`files_manage_etc_runtime_files',`
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')

########################################
## <summary>
## Create, read, write, and delete symlinks in
## /etc that are dynamically created on boot,
## such as mtab.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_manage_etc_runtime_symlinks',`
gen_require(`
type etc_t, etc_runtime_t;
')

manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')

########################################
## <summary>
## Relabel to etc_runtime_t files.
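Review bot: `files_create_link_boot_flag` is documented as creating a symlink boot flag, but its allow rule grants `manage_lnk_file_perms` on etc_runtime_t symlinks with no directory scoping, so every caller also gets read, write, rename and unlink on any symlink of that type, wherever it lives. If only creation is intended, `allow $1 etc_runtime_t:lnk_file create_lnk_file_perms;` would match the summary. If the wider set is deliberate (the commit message says the package manager must also read and delete the link), the summary should say so, e.g. `## Create, read, and delete a symlink boot flag.`, so that callers granting it to a new domain know what they are handing out.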
1 change: 1 addition & 0 deletions policy/modules/system/init.te
Expand Up @@ -543,6 +543,7 @@ ifdef(`init_systemd',`
systemd_manage_userdb_runtime_symlinks(init_t)
systemd_filetrans_userdb_runtime_dirs(init_t)
systemd_stream_connect_userdb(init_t)
systemd_clean_updates_symlink(initrc_t)

term_create_devpts_dirs(init_t)
term_create_ptmx(init_t)
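Review bot: The added `systemd_clean_updates_symlink(initrc_t)` sits in a run of rules that all target init_t, so the different domain reads like a typo to anyone who has not seen the commit message. A one-line comment above it would record the reason in the policy itself, e.g. `# initrc_t: systemd ships a unit that removes a stale offline-update symlink`. The enclosing ifdef block for init_systemd starts and ends outside this hunk.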
2 changes: 2 additions & 0 deletions policy/modules/system/systemd.fc
@@ -1,3 +1,5 @@
/system-update -l gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/system-update -l gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)

/etc/systemd/dont-synthesize-nobody -- gen_context(system_u:object_r:systemd_conf_t,s0)
30 changes: 30 additions & 0 deletions policy/modules/system/systemd.if
Expand Up @@ -2744,6 +2744,36 @@ interface(`systemd_getattr_updated_runtime',`
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')

#######################################
## <summary>
## Allow domain to clean up offline updates magic symlink
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_clean_updates_symlink',`
files_delete_link_boot_flag($1)
files_manage_etc_runtime_symlinks($1)
')

#######################################
## <summary>
## Allow domain to create, read, and clean up offline updates magic symlink
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_manage_updates_symlink',`
files_create_link_boot_flag($1, /system-update)
files_etc_filetrans_etc_runtime($1, lnk_file, /etc/system-update)
')

########################################
## <summary>
## Search keys for the all systemd --user domains.
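Review bot: The name arguments in `systemd_manage_updates_symlink` are written as paths (`/system-update`, `/etc/system-update`), but a named type transition is matched against the final component of the object being created. As far as I can tell neither transition would fire, and the link would be created with the parent directory's default type rather than etc_runtime_t. The usual form is a quoted bare name: `files_create_link_boot_flag($1, "system-update")` and `files_etc_filetrans_etc_runtime($1, lnk_file, "system-update")`. Separately, `systemd_clean_updates_symlink` is described as cleanup but calls `files_manage_etc_runtime_symlinks`, which also grants create and write on etc_runtime_t symlinks under /etc; it is worth narrowing to delete if the cleanup unit needs nothing more.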
