From d2ac9ff2b64de7b295f2cc4bcf01364f402714bb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 17 Dec 2024 16:28:39 +0100
Subject: [PATCH] Confine vsftpd systemd system generator

Resolves: rhbz#2317180
---
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 58e4d1666b..9246cea2b0 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -88,6 +88,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/system-generators/systemd-ssh-generator -- gen_context(system_u:object_r:systemd_ssh_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-tpm2-generator -- gen_context(system_u:object_r:systemd_tpm2_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-vsftpd-generator -- gen_context(system_u:object_r:systemd_vsftpd_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/zram-generator -- gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/.+ -- gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0)
 /usr/lib/systemd/zram-generator.conf -- gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9189e167c0..6b2234077b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -216,6 +216,8 @@ systemd_generator_template(systemd_ssh_generator)
 systemd_generator_template(systemd_sysv_generator)
 # tpm2-generator
 systemd_generator_template(systemd_tpm2_generator)
+# vsftpd-generator
+systemd_generator_template(systemd_vsftpd_generator)
 # zram-generator
 systemd_generator_template(systemd_zram_generator)
 type systemd_zram_generator_conf_t;
@@ -1396,6 +1398,14 @@ init_read_script_files(systemd_sysv_generator_t)
 ### tpm2 generator
 dev_read_sysfs(systemd_tpm2_generator_t)
 
+### vsftpd generator
+corecmd_exec_bin(systemd_vsftpd_generator_t)
+corecmd_exec_shell(systemd_vsftpd_generator_t)
+
+optional_policy(`
+	auth_dontaudit_read_passwd_file(systemd_vsftpd_generator_t)
+')
+
 ### zram generator
 allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file write_file_perms;
 permissive systemd_zram_generator_t;
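Review bot: The `auth_dontaudit_read_passwd_file(systemd_vsftpd_generator_t)` rule in the new vsftpd block hides the denial without recording why the generator touches /etc/passwd, so a later reader cannot tell whether this is harmless probing by the shell and coreutils the block now lets it run (`corecmd_exec_shell`/`corecmd_exec_bin`) or a real user lookup that the dontaudit makes fail silently in enforcing mode. Please add a comment above the `optional_policy` block stating the source, e.g. `# The generator's shell/coreutils probe /etc/passwd; the result is not needed, so the read is silenced rather than allowed.`, and confirm the denial is not from a lookup the emitted units depend on. Nothing in the hunk grants access to vsftpd's own configuration; if the generator reads /etc/vsftpd to produce per-instance units and systemd_generator_template does not already cover it, it will need something like `ftp_read_config(systemd_vsftpd_generator_t)` in its own optional_policy — the template body is outside this hunk, so this is inferred. Unlike the zram generator just below, the new domain is introduced without a `permissive` statement, which is the right default as long as the generator was exercised in enforcing mode on a host with vsftpd installed.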