From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] systemd
Date: Mon, 3 Nov 2014 16:16:44 +0100
Message-ID: <20141103151643.GA7676@e145.network2>
In-Reply-To: <545795A7.9020705@tresys.com>

On Mon, Nov 03, 2014 at 09:48:07AM -0500, Christopher J. PeBenito wrote:
> > 
> > - As for systemd daemons there are, in my view, globally three
> > different kinds (not counting systemd daemon with and without
> > units, or long and short running daemons):
> >   - systemd daemons
> >   - systemd daemons that are socket activated
> >   - systemd daemons that maintain a pid file
> 
> The first and third seem to be the same from the policy perspective,
> other than the third has an extra type and some rules in its local
> policy.  The second is the new one to the policy.

The difference between regular systemd daemons and systemd daemons that
maintain "systemd pid files" is that systemd needs to be able to read and
delete the latter's pid files.

So the daemons themselves do not delete them, but systemd does it for them.

> 
> 
> > systemd needs to be able to rw, i believe, unix stream socket of
> > target daemon (and probably use fd), maybe more
> 
> For all daemons or just the socket-activated ones?  What is the socket
> for if it's not for socket activation?
> 

I was not accurate:

(allow common_subject systemd_daemon_subject_type (process (signull)))
(call systemd_rw_unix_stream_sockets (systemd_daemon_subject_type))
(call systemd_read_state (systemd_daemon_subject_type))

1. systemd needs to send a null signal to all daemons
2. all daemons need to rw (getattr read write ioctl) systemd's unix_stream_socket
3. all daemons need to read system state

Additionally, if one decides to split shutdown out of the systemd domain, then all daemons also need to be able to send the child terminated signal to shutdown (because shutdown becomes pid 1 on shutdown).

> > 
> > There is probably more, that i have overlooked.
> 
> That wouldn't be surprising since the entirety of systemd and its
> helper tools is massive.

I would probably move systemd utmp out into its own domain since it maintains /run/utmp, but that is probably not feasible for your configuration since init_t is probably already allowed to maintain utmp anyways.

-- 
Dominick Grift
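The three daemon kinds and the rules listed in this message, written out as a CIL policy fragment. This is an added illustration, not code from the thread or from refpolicy or Dominick's policy: the attribute and macro names are borrowed from the mail, but the daemon domain foo_t, the labels foo_runtime_t, runtime_t, systemd_t and systemd_shutdown_t, and the exact permission sets (the read-state macro is modelled on what refpolicy's init_read_state grants) are assumptions. The class and permission declarations are assumed to come from a base policy this fragment is compiled alongside, so it is not a standalone module.

```cil
; Added example (not from the thread). Assumed names are marked below.

; Domain of pid 1. Assumption: called systemd_t here; refpolicy uses init_t.
(type systemd_t)
; Label of /run. Assumption: runtime_t.
(type runtime_t)

; Attributes from the mail: every systemd-managed daemon is a
; systemd_daemon_subject_type; common_subject is the pid 1 side here.
(typeattribute systemd_daemon_subject_type)
(typeattribute common_subject)
(typeattributeset common_subject (systemd_t))

; Rule 1: systemd probes every daemon with a null signal (kill(pid, 0)).
(allow common_subject systemd_daemon_subject_type (process (signull)))

; Rule 2: daemons read/write systemd's unix stream socket.
; Only getattr read write ioctl: no connectto or create.
(macro systemd_rw_unix_stream_sockets ((type subject))
  (allow subject systemd_t (unix_stream_socket (getattr read write ioctl))))

; Rule 3: daemons read systemd's state (/proc/1/*). Permission set is an
; assumption modelled on refpolicy's init_read_state.
(macro systemd_read_state ((type subject))
  (allow subject systemd_t (dir (getattr search open)))
  (allow subject systemd_t (file (getattr open read)))
  (allow subject systemd_t (lnk_file (getattr read))))

(call systemd_rw_unix_stream_sockets (systemd_daemon_subject_type))
(call systemd_read_state (systemd_daemon_subject_type))

; Kind 1: a plain daemon. Assumed domain foo_t; nothing beyond the attribute.
(type foo_t)
(typeattributeset systemd_daemon_subject_type (foo_t))

; Kind 2: socket activated. The daemon inherits the listening socket as a
; file descriptor from pid 1 instead of binding it itself, so it needs to
; use systemd's fds. Labelling of the inherited socket itself is left out.
(allow foo_t systemd_t (fd (use)))

; Kind 3: maintains a pid file under /run. The daemon creates and writes
; it; systemd reads it and later deletes it. unlink on the file also needs
; remove_name (and write) on the containing directory, and that goes to
; systemd_t, not to the daemon. Assumed pid file label: foo_runtime_t.
(type foo_runtime_t)
(typetransition foo_t runtime_t file foo_runtime_t)
(allow foo_t runtime_t (dir (search write add_name)))
(allow foo_t foo_runtime_t (file (create getattr open write)))
(allow systemd_t foo_runtime_t (file (getattr open read unlink)))
(allow systemd_t runtime_t (dir (search write remove_name)))

; If shutdown is split out of systemd's domain it becomes pid 1 during
; shutdown, so every daemon must be able to deliver SIGCHLD to it.
; Assumed domain name: systemd_shutdown_t.
(type systemd_shutdown_t)
(allow systemd_daemon_subject_type systemd_shutdown_t (process (sigchld)))
```

The point worth checking when adapting this is the pid file case: the daemon gets create and write but no unlink, and the unlink plus remove_name pair lands on systemd's domain, matching the mail's statement that systemd, not the daemon, removes the file. Compile the fragment together with a base policy that declares the object classes (for example with secilc) before loading it.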

Thread overview: 12+ messages
2014-10-31 14:34 [refpolicy] systemd Christopher J. PeBenito
2014-10-31 16:00 ` Dominick Grift
2014-11-03 14:48   ` Christopher J. PeBenito
2014-11-03 15:16     ` Dominick Grift [this message]
2014-11-03 15:42       ` Dominick Grift
2014-11-02 12:44 ` Laurent Bigonville
2014-11-02 15:46   ` Dominick Grift
2014-11-03 14:32   ` Christopher J. PeBenito
2014-11-03 21:50     ` Laurent Bigonville
2014-11-04 13:01       ` Christopher J. PeBenito
2014-11-15 23:06 ` Laurent Bigonville
2014-11-17 14:13   ` Christopher J. PeBenito
