From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] systemd
Date: Mon, 3 Nov 2014 16:42:54 +0100 [thread overview]
Message-ID: <20141103154253.GB7676@e145.network2> (raw)
In-Reply-To: <20141103151643.GA7676@e145.network2>
On Mon, Nov 03, 2014 at 04:16:44PM +0100, Dominick Grift wrote:
>
> I was not accurate:
>
> (allow common_subject systemd_daemon_subject_type (process (signull)))
> (call systemd_rw_unix_stream_sockets (systemd_daemon_subject_type))
> (call systemd_read_state (systemd_daemon_subject_type))
>
> 1. systemd needs to send null signal to all daemons
Looks like systemd needs to send null signals to all processes, period, but you can probably ignore that anyway since I suppose init_t is already allowed to send all signals to all processes.
So yes, it's actually only all daemons reading/writing systemd unix stream sockets and reading systemd state.
That applies to all daemons.
Then for socket-activated daemons systemd needs to be able to create the sockets (it's using setsockcreate() for that, I think).
If the daemon maintains a pid file then systemd needs to read and delete that pid file.
I basically created type attributes for the objects
(common_subject == init_t)
This is for socket activation:
(allow common_subject systemd_socket_activated_subject_type create_unix_dgram_stream_socket_perms)
(allow common_subject systemd_socket_activated_subject_type create_unix_stream_stream_socket_perms)
(allow common_subject systemd_socket_activated_object_type manage_dir_perms)
(allow common_subject systemd_socket_activated_object_type relabel_dir_perms)
(allow common_subject systemd_socket_activated_object_type manage_fifo_file_perms)
(allow common_subject systemd_socket_activated_object_type relabel_fifo_file_perms)
(allow common_subject systemd_socket_activated_object_type manage_sock_file_perms)
(allow common_subject systemd_socket_activated_object_type relabel_sock_file_perms)
This is for pid files:
(call file_del_entry_generic_run (common_subject))
(call read_files_pattern (common_subject systemd_pid_object_type systemd_pid_object_type))
(call delete_files_pattern (common_subject systemd_pid_object_type systemd_pid_object_type))
--
Dominick Grift
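As an added illustration, not part of the thread or of Dominick's policy: one way to package the attribute approach described above as a self-contained CIL module, with the daemons opting in through macros instead of editing the init_t rules. Attribute names follow the message; the macro names, the classpermission names and contents, and the init_t, sshd_t and sshd_var_run_t types (assumed to exist in the target policy) are assumptions, and it is narrowed to the socket-activation and pid-file rules (the systemd_read_state call and the dir/fifo relabel rules are left out).

```cil
;; Subject attributes: every daemon systemd manages, and the subset whose
;; listening sockets systemd creates on their behalf.
(typeattribute systemd_daemon_subject_type)
(typeattribute systemd_socket_activated_subject_type)
;; Object attributes: socket files systemd creates, pid files it reads/deletes.
(typeattribute systemd_socket_activated_object_type)
(typeattribute systemd_pid_object_type)

;; Permission sets (assumed names; spelled out so the module stands alone).
(classpermission create_unix_stream_socket_perms)
(classpermissionset create_unix_stream_socket_perms
  (unix_stream_socket (create bind listen getattr setattr getopt setopt ioctl)))
(classpermission create_unix_dgram_socket_perms)
(classpermissionset create_unix_dgram_socket_perms
  (unix_dgram_socket (create bind getattr setattr getopt setopt ioctl)))
(classpermission manage_sock_file_perms)
(classpermissionset manage_sock_file_perms
  (sock_file (create getattr setattr rename unlink)))
(classpermission read_file_perms)
(classpermissionset read_file_perms (file (getattr open read ioctl lock)))
(classpermission delete_file_perms)
(classpermissionset delete_file_perms (file (getattr unlink)))

;; Opt-in macros (assumed names): a daemon policy calls these instead of
;; touching the init_t rules below.
(macro systemd_daemon ((type daemon))
  (typeattributeset systemd_daemon_subject_type (daemon)))
(macro systemd_socket_activated_daemon ((type daemon) (type sockobj))
  (call systemd_daemon (daemon))
  (typeattributeset systemd_socket_activated_subject_type (daemon))
  (typeattributeset systemd_socket_activated_object_type (sockobj)))
(macro systemd_pid_file ((type pidfile))
  (typeattributeset systemd_pid_object_type (pidfile)))

;; Rules for init_t (the message's common_subject).
(allow init_t systemd_daemon_subject_type (process (signull)))
;; All daemons read/write systemd's unix stream sockets.
(allow systemd_daemon_subject_type init_t (unix_stream_socket (read write)))
;; setsockcreatecon(3) needs process:setsockcreate on self; the socket then
;; carries the daemon's type, so init_t needs create perms on that type.
(allow init_t self (process (setsockcreate)))
(allow init_t systemd_socket_activated_subject_type create_unix_stream_socket_perms)
(allow init_t systemd_socket_activated_subject_type create_unix_dgram_socket_perms)
(allow init_t systemd_socket_activated_object_type manage_sock_file_perms)
;; Pid files: read, then delete once the daemon has exited.
(allow init_t systemd_pid_object_type read_file_perms)
(allow init_t systemd_pid_object_type delete_file_perms)

;; Opting in two types assumed to exist in the target policy.
(call systemd_socket_activated_daemon (sshd_t sshd_var_run_t))
(call systemd_pid_file (sshd_var_run_t))
```

Because init_t is only granted the permissions on the attributes, adding a daemon is a matter of calling the macros; a daemon that never opts in gets no socket or pid-file access from init_t.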