Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Systemd offline updates magic symlink #860

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Systemd offline updates magic symlink #860

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1ddfbb5
add permissions for the systemd.offline-updates symlink
sgtsnookums Feb 10, 2025
f12c35f
label dnf5 as rpm_exec_t
sgtsnookums Feb 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions policy/modules/admin/rpm.fc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@
/usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/dnf-3 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/dnf5 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/dnf-automatic -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/dnf-automatic-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/dnf-automatic-?[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
Expand Down
1 change: 1 addition & 0 deletions policy/modules/admin/rpm.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,7 @@ userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
ifdef(`init_systemd', `
systemd_use_logind_fds(rpm_t)
systemd_dbus_chat_logind(rpm_t)
systemd_manage_updates_symlink(rpm_t)
')

optional_policy(`
Expand Down
77 changes: 77 additions & 0 deletions policy/modules/kernel/files.if
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3677,6 +3677,37 @@ interface(`files_create_boot_flag',`
filetrans_pattern($1, root_t, etc_runtime_t, file, $2)
')

########################################
## <summary>
## Create a symlink boot flag.
## </summary>
## <desc>
## <p>
## Create a boot flag that is a symlink, such as
## /system-update
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_create_link_boot_flag',`
gen_require(`
type root_t, etc_runtime_t;
')

allow $1 etc_runtime_t:lnk_file manage_lnk_file_perms;
filetrans_pattern($1, root_t, etc_runtime_t, lnk_file, $2)
')

########################################
## <summary>
## Delete a boot flag.
Expand All @@ -3702,6 +3733,31 @@ interface(`files_delete_boot_flag',`
delete_files_pattern($1, root_t, etc_runtime_t)
')

########################################
## <summary>
## Delete a symlink boot flag.
## </summary>
## <desc>
## <p>
## Delete a symlink boot flag, such as
## /system-update
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_delete_link_boot_flag',`
gen_require(`
type root_t, etc_runtime_t;
')

delete_lnk_files_pattern($1, root_t, etc_runtime_t)
')

########################################
## <summary>
## Get the attributes of the
Expand Down Expand Up @@ -3953,6 +4009,27 @@ interface(`files_manage_etc_runtime_files',`
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')

########################################
## <summary>
## Create, read, write, and delete symlinks in
## /etc that are dynamically created on boot,
## such as mtab.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_manage_etc_runtime_symlinks',`
gen_require(`
type etc_t, etc_runtime_t;
')

manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')

########################################
## <summary>
## Relabel to etc_runtime_t files.
Expand Down
1 change: 1 addition & 0 deletions policy/modules/system/init.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -543,6 +543,7 @@ ifdef(`init_systemd',`
systemd_manage_userdb_runtime_symlinks(init_t)
systemd_filetrans_userdb_runtime_dirs(init_t)
systemd_stream_connect_userdb(init_t)
systemd_clean_updates_symlink(initrc_t)

term_create_devpts_dirs(init_t)
term_create_ptmx(init_t)
Expand Down
2 changes: 2 additions & 0 deletions policy/modules/system/systemd.fc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
/system-update -l gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/system-update -l gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)

/etc/systemd/dont-synthesize-nobody -- gen_context(system_u:object_r:systemd_conf_t,s0)
Expand Down
31 changes: 31 additions & 0 deletions policy/modules/system/systemd.if
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2744,6 +2744,37 @@ interface(`systemd_getattr_updated_runtime',`
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')

#######################################
## <summary>
## Allow domain to clean up offline updates magic symlink
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_clean_updates_symlink',`
files_delete_link_boot_flag($1)
files_manage_etc_runtime_symlinks($1)
')

#######################################
## <summary>
## Allow domain to create, read, and clean up offline updates magic symlink
## </summary>
## <param name="domain">
## <summary>
## domain allowed access
## </summary>
## </param>
#
interface(`systemd_manage_updates_symlink',`
files_create_link_boot_flag($1, "system-update")
files_etc_filetrans_etc_runtime($1, lnk_file, "system-update")
files_read_etc_runtime_files($1)
')

########################################
## <summary>
## Search keys for the all systemd --user domains.
Expand Down
Loading