From: Guido Trentalancia <guido@trentalancia.com>
To: "Justin P. Mattock" <justinmattock@gmail.com>
Cc: refpolicy@oss1.tresys.com, selinux@tycho.nsa.gov, dwalsh@redhat.com
Subject: Re: [RFC 2/2] refpolicy: add systemd support to tresys main policy.
Date: Mon, 19 Sep 2011 02:41:58 +0200
Message-ID: <1316392918.2258.57.camel@vortex>
In-Reply-To: <1316366988-3882-2-git-send-email-justinmattock@gmail.com>

Hi Justin.

Here is the boolean you were looking for (quoted from your patch):

On Sun, 2011-09-18 at 10:29 -0700, Justin P. Mattock wrote:
> diff --git a/policy/modules/system/init.te
> b/policy/modules/system/init.te
> index 5125d1d..6fcc939 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -16,6 +16,13 @@ gen_require(`
> ## </desc>
> gen_tunable(init_upstart, false)
>
> +## <desc>
> +## <p>
> +## Enable support for systemd as the init program.
> +## </p>
> +## </desc>
> +gen_tunable(init_systemd, false)
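
Review bot: the `<desc>` for `init_systemd` at the end of this hunk is too terse to tell an administrator what changes when the boolean is set; it says only "Enable support for systemd as the init program." Since the tunable is declared false, consider stating there that the systemd rules stay inactive until it is switched on, and whether it is meant to be used together with or instead of `init_upstart`, which is declared just before it with the same default.
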
But please note it's disabled (false) by default. So you do need to make
sure it is enabled after having installed and loaded the policy; do not
forget:

  setsebool -P init_systemd=on

After such boolean has been enabled, then all policy blocks that begin
with:

  + tunable_policy(`init_systemd',`

will eventually get included in the policy. Those are supposedly all
essential permissions needed to successfully run a system using systemd.

If you managed to create a patch which applies and compiles cleanly,
perhaps most of the job is done and you might only need to fine tune it.

Regards,
Guido
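
To see which rules stay inactive while `init_systemd` is off, the sketch below (an added example, not code from this thread or from refpolicy) scans a `.te` source for `tunable_policy` blocks and lists the rules in each branch next to the tunable's declared default. `m4_args`, `gated_rules` and the sample policy text are hypothetical names and constructed input; only `allow`-style rules are extracted, interface calls are ignored, and conditions are assumed to be m4-quoted as in the message above.

```python
import re

# Constructed sample in refpolicy .te syntax; the allow rules are hypothetical, not the patch's.
SAMPLE_TE = """\
gen_tunable(init_upstart, false)
gen_tunable(init_systemd, false)
# systemd's rules: an apostrophe in a comment must not upset quote tracking
tunable_policy(`init_systemd',`
    allow init_t self:unix_dgram_socket { create bind };
    ifdef(`distro_redhat',`
        allow init_t initrc_t:process transition;
    ')
')
tunable_policy(`init_upstart',`
    allow init_t self:process setsched;
',`
    allow init_t self:process getsched;
')
"""
RULE = re.compile(r"\b(?:allow|auditallow|dontaudit|type_transition)\b[^;]*;")

def m4_args(text, i):
    """Split the macro call whose '(' is at text[i], honouring nested `...' quotes."""
    args, buf, depth = [], [], 0
    for c in text[i + 1:]:
        if c == "`":
            depth += 1
            if depth > 1: buf.append(c)       # keep inner quotes verbatim
        elif c == "'" and depth:
            depth -= 1
            if depth: buf.append(c)
        elif depth == 0 and c in ",)":        # unquoted separator or end of call
            args, buf = args + ["".join(buf).strip()], []
            if c == ")": return args
        else:
            buf.append(c)
    raise ValueError("unterminated macro call")

def gated_rules(te):
    """Per tunable_policy block: condition, declared default, rules in each branch."""
    te = re.sub(r"#.*", "", te)               # drop comments before tracking quotes
    defaults = dict(re.findall(r"\bgen_tunable\(\s*`?(\w+)'?\s*,\s*(true|false)\s*\)", te))
    out = []
    for m in re.finditer(r"\btunable_policy\(", te):
        cond, *branches = m4_args(te, m.end() - 1)
        rules = [[" ".join(r.split()) for r in RULE.findall(b)] for b in branches] + [[]]
        out.append({"cond": cond, "default": defaults.get(cond),
                    "if_true": rules[0], "if_false": rules[1]})
    return out
```

A block whose `default` is `"false"` contributes its `if_true` rules only after the boolean has been turned on; `default` is `None` when the condition is a compound expression rather than a single tunable name.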