@@ -39,6 +39,7 @@ F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
F: package/refpolicy/selinux/
+F: package/systemd/selinux/
F: package/sysvinit/selinux/
F: support/testing/tests/package/test_flutter.py
new file mode 100644
new file mode 100644
@@ -0,0 +1 @@
+## <summary>Buildroot systemd rules</summary>
new file mode 100644
@@ -0,0 +1,66 @@
+policy_module(buildroot-systemd, 1.0.0)
+
+#============= sysadm_t ==============
+allow sysadm_t init_t:fd use;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t init_t:unix_stream_socket connectto;
+
+#============= systemd_generator_t ==============
+allow systemd_generator_t locale_t:dir search;
+allow systemd_generator_t locale_t:file { getattr open read };
+allow systemd_generator_t locale_t:lnk_file read;
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:process setfscreate;
+allow systemd_generator_t selinux_config_t:dir { getattr search };
+allow systemd_generator_t tty_device_t:chr_file { ioctl open read write };
+
+#============= systemd_homed_t ==============
+allow systemd_homed_t self:unix_stream_socket listen;
+allow systemd_homed_t selinux_config_t:dir search;
+
+#============= systemd_hw_t ==============
+# allow systemd_hw_t init_runtime_t:dir search;
+
+#============= systemd_journal_init_t ==============
+allow systemd_journal_init_t self:capability net_admin;
+allow systemd_journal_init_t selinux_config_t:dir { getattr search };
+
+#============= systemd_networkd_t ==============
+allow systemd_networkd_t net_conf_t:dir { getattr open read search };
+allow systemd_networkd_t selinux_config_t:dir { getattr search };
+allow systemd_networkd_t selinux_config_t:dir search;
+allow systemd_networkd_t system_dbusd_runtime_t:dir read;
+allow systemd_networkd_t system_dbusd_runtime_t:sock_file read;
+allow systemd_networkd_t var_run_t:dir read;
+
+#============= systemd_resolved_t ==============
+allow systemd_resolved_t system_dbusd_runtime_t:dir read;
+allow systemd_resolved_t system_dbusd_runtime_t:sock_file read;
+allow systemd_resolved_t var_run_t:dir read;
+
+#============= systemd_sessions_t ==============
+allow systemd_sessions_t self:capability net_admin;
+
+#============= systemd_sysctl_t ==============
+allow systemd_sysctl_t selinux_config_t:dir { getattr search };
+
+#============= systemd_sysusers_t ==============
+allow systemd_sysusers_t self:capability net_admin;
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t auditd_log_t:dir { create getattr open read relabelfrom relabelto };
+allow systemd_tmpfiles_t etc_t:dir relabelfrom;
+allow systemd_tmpfiles_t etc_t:file { relabelfrom relabelto };
+allow systemd_tmpfiles_t init_t:unix_stream_socket connectto;
+allow systemd_tmpfiles_t ssh_home_t:dir { getattr relabelfrom relabelto };
+allow systemd_tmpfiles_t system_dbusd_var_lib_t:dir read;
+allow systemd_tmpfiles_t systemd_journal_t:lnk_file { read getattr relabelfrom relabelto };
+allow systemd_tmpfiles_t user_home_dir_t:dir { getattr search relabelfrom relabelto };
+allow systemd_tmpfiles_t user_home_t:dir { getattr search relabelfrom relabelto };
+allow systemd_tmpfiles_t usr_t:dir read;
+allow systemd_tmpfiles_t usr_t:file { open read };
+allow systemd_tmpfiles_t var_spool_t:dir create;
+
+#============= systemd_update_done_t ==============
+allow systemd_update_done_t self:capability net_admin;
Systemd requires quite a bit of extra permissions not provided by the refpolicy systemd module to function properly in enforcing mode without denials. This is based off of Maxime Chevallier's previous work found here: https://patchwork.ozlabs.org/project/buildroot/patch/20210107135307.1762186-3-maxime.chevallier@bootlin.com/ Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> --- DEVELOPERS | 1 + package/systemd/selinux/buildroot-systemd.fc | 0 package/systemd/selinux/buildroot-systemd.if | 1 + package/systemd/selinux/buildroot-systemd.te | 66 ++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 package/systemd/selinux/buildroot-systemd.fc create mode 100644 package/systemd/selinux/buildroot-systemd.if create mode 100644 package/systemd/selinux/buildroot-systemd.te