From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's.
Date: Wed, 4 Jan 2012 07:46:46 -0500
Message-ID: <4F044A36.60900@tresys.com>
In-Reply-To: <1324399904.99298.YahooMailNeo@web114316.mail.gq1.yahoo.com>
On 12/20/11 11:51, Justin Mattock wrote:
> With the next four emails I am sending some patches that (hopefully) add support for systemd from Fedora's policy.
> Note: I am not so git savvy, so creating them I had some issues with the whole contrib thing.
> Anyway, the first two patches are initial systemd support, and the last two are build error fixes with make load (semodule errors).
>
> I am unable to load the policy due to some libc error, and am looking into that at the moment. If anybody wants to try these out to see if this loads and runs, then let me know. Also, I am unable to be connected all day (no office space), so responding might take some time.
Dropping the SELinux list, as it is unnecessary to cross-post.
Same question as always, has systemd stabilized? I glanced through the first patch, and it has severe whitespace problems. It also has problems that must be fixed, such as:
@@ -861,3 +970,24 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
+
+tunable_policy(`init_systemd',`
+ allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+ allow init_t daemon:unix_dgram_socket create_socket_perms;
+ allow init_t daemon:tcp_socket create_stream_socket_perms;
+ allow daemon init_t:unix_dgram_socket sendto;
+ # need write to /var/run/systemd/notify
+ init_write_pid_socket(daemon)
+ allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# not sure why fedora has double init_systemd here
+tunable_policy(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
+ allow init_t systemprocess:process { dyntransition siginh };
+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+ allow systemprocess init_t:unix_dgram_socket sendto;
+ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')
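Review bot: the two `tunable_policy(`init_systemd',` blocks in this hunk duplicate each other and should be a single block, as the "not sure why fedora has double init_systemd here" comment already admits; both grant init_t `unix_stream_socket create_stream_socket_perms` and `unix_dgram_socket create_socket_perms` on the target attribute and grant the attribute `unix_dgram_socket sendto` and `unix_stream_socket { append write read getattr ioctl }` back to init_t, so the merged block only needs one copy of those rules with `daemon` and `systemprocess` listed as targets, plus the `systemprocess`-specific `process { dyntransition siginh }` line and the `daemon`-specific `tcp_socket` line. The hand-written permission set `{ append write read getattr ioctl }` should use one of the policy's socket permission macros rather than a literal list, so it stays consistent with the surrounding rules. The hunk does not show where the `systemprocess` attribute or the `init_write_pid_socket()` interface is declared, so confirm both exist in the mainline policy (or in another patch of this series) before this is expected to build. The `allow init_t daemon:tcp_socket create_stream_socket_perms;` rule is a broad grant across every daemon type and deserves a comment stating the use case it serves, and the indentation in the added lines should match the tab style of the surrounding file, as the reply notes.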
Instead of having two blocks, they should be combined, as alluded to by the comment. From what I can tell from the first patch, it looks like this needs more work.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com