* [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's.
@ 2011-12-20 16:51 Justin Mattock
  2012-01-04 12:46 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Justin Mattock @ 2011-12-20 16:51 UTC (permalink / raw)
  To: refpolicy

With the next four emails I am sending some patches that (hopefully) add support for systemd from Fedora's policy.
Note: I am not so git savvy, so creating them I had some issues with the whole contrib thing.
Anyway, the first two patches are initial systemd support, and the last two are build error fixes with make load (semodule errors).

I am unable to load the policy due to some libc error, and am looking into that at the moment. If anybody wants to try these out to see if this loads and runs, then let me know. Also I am unable to be connected all day (no office space), so responding might take some time.

Justin P. Mattock


* [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's.
  2011-12-20 16:51 [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's Justin Mattock
@ 2012-01-04 12:46 ` Christopher J. PeBenito
  2012-01-04 17:57   ` Justin Mattock
  2012-01-19 16:57   ` Justin Mattock
  0 siblings, 2 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2012-01-04 12:46 UTC (permalink / raw)
  To: refpolicy

On 12/20/11 11:51, Justin Mattock wrote:
> With the next four emails I am sending some patches that (hopefully) add support for systemd from Fedora's policy.
> Note: I am not so git savvy, so creating them I had some issues with the whole contrib thing.
> Anyway, the first two patches are initial systemd support, and the last two are build error fixes with make load (semodule errors).
> 
> I am unable to load the policy due to some libc error, and am looking into that at the moment. If anybody wants to try these out to see if this loads and runs, then let me know. Also I am unable to be connected all day (no office space), so responding might take some time.

Dropping the SELinux list, as it is unnecessary to cross post.

Same question as always, has systemd stabilized?  I glanced through the first patch, and it has severe whitespace problems.  It also has problems that must be fixed, such as:

@@ -861,3 +970,24 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
+
+tunable_policy(`init_systemd',`
+	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+	allow init_t daemon:unix_dgram_socket create_socket_perms;
+	allow init_t daemon:tcp_socket create_stream_socket_perms;
+	allow daemon init_t:unix_dgram_socket sendto;
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# not sure why fedora has double init_systemd here
+tunable_policy(`init_systemd',`
+	# Handle upstart/systemd direct transition to a executable
+	allow init_t systemprocess:process { dyntransition siginh };
+	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+	allow systemprocess init_t:unix_dgram_socket sendto;
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')
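Review bot: the two tunable_policy(`init_systemd', ...) blocks in this hunk are keyed on the same tunable and should be merged into one, as the "# not sure why fedora has double init_systemd here" comment itself concedes; fold the systemprocess rules (the process and socket rules of the second block) in after the init_write_pid_socket(daemon) call so the conditional appears once. Two further points for the merged block: "allow init_t systemprocess:process { dyntransition siginh };" grants a dynamic transition from init_t into every domain carrying the systemprocess attribute, which is a broad grant and deserves a comment explaining why an ordinary domain transition is not sufficient; and the comment "# Handle upstart/systemd direct transition to a executable" should read "an executable".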

Instead of having two blocks, they should be combined, as alluded to by the comment.  From what I can tell from the first patch, it looks like this needs more work.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's.
  2012-01-04 12:46 ` Christopher J. PeBenito
@ 2012-01-04 17:57   ` Justin Mattock
  2012-01-19 16:57   ` Justin Mattock
  1 sibling, 0 replies; 4+ messages in thread
From: Justin Mattock @ 2012-01-04 17:57 UTC (permalink / raw)
  To: refpolicy


----- Original Message -----
From: Christopher J. PeBenito <cpebenito@tresys.com>
To: Justin Mattock <justinmattock@yahoo.com>
Cc: tresys <refpolicy@oss.tresys.com>
Sent: Wednesday, January 4, 2012 4:46 AM
Subject: Re: [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's.

On 12/20/11 11:51, Justin Mattock wrote:
> With the next four emails I am sending some patches that (hopefully) add support for systemd from Fedora's policy.
> Note: I am not so git savvy, so creating them I had some issues with the whole contrib thing.
> Anyway, the first two patches are initial systemd support, and the last two are build error fixes with make load (semodule errors).
> 
> I am unable to load the policy due to some libc error, and am looking into that at the moment. If anybody wants to try these out to see if this loads and runs, then let me know. Also I am unable to be connected all day (no office space), so responding might take some time.

Dropping the SELinux list, as it is unnecessary to cross post.

ok!

Same question as always, has systemd stabilized?  I glanced through the first patch, and it has severe whitespace problems.  It also has problems that must be fixed, such as:

Looking through, it seems only Fedora and SUSE have adopted systemd so far. Ubuntu looks like it does, but not entirely (some files in /lib/systemd, but not as many as Fedora or SUSE).
But to answer the question of stability, I would say it's still in the infant stage as opposed to sysvinit.

In regards to the whitespace, yeah! It seems having the contrib in there is mixing me up with my git skills in trying to create a clean patch to send out.

@@ -861,3 +970,24 @@ optional_policy(`
optional_policy(`
??? zebra_read_config(initrc_t)
')
+
+tunable_policy(`init_systemd',`
+??? allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+??? allow init_t daemon:unix_dgram_socket create_socket_perms;
+??? allow init_t daemon:tcp_socket create_stream_socket_perms;
+??? allow daemon init_t:unix_dgram_socket sendto;
+??? # need write to /var/run/systemd/notify
+??? init_write_pid_socket(daemon)
+??? allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# not sure why fedora has double init_systemd here
+tunable_policy(`init_systemd',`
+??? # Handle upstart/systemd direct transition to a executable
+??? allow init_t systemprocess:process { dyntransition siginh };
+??? allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+??? allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+??? allow systemprocess init_t:unix_dgram_socket sendto;
+??? allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')

Instead of having two blocks, they should be combined, as alluded to by the comment.  From what I can tell from the first patch, it looks like this needs more work.

I temporarily put in multiple interfaces. Due to hitting a build error, I put all of the newly created interfaces at the bottom of the script, only to make things easy for cleaning up.

As for this patch needing more work? Yes, it most certainly does. My biggest problem right now is I can't load the policy to even test this due to a segfault that I am hitting.
Looking into it before I continue on this. If anybody wants to take a poke at this, feel free!


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's.
  2012-01-04 12:46 ` Christopher J. PeBenito
  2012-01-04 17:57   ` Justin Mattock
@ 2012-01-19 16:57   ` Justin Mattock
  1 sibling, 0 replies; 4+ messages in thread
From: Justin Mattock @ 2012-01-19 16:57 UTC (permalink / raw)
  To: refpolicy

I am going to resend this patch due to not realizing I had to use git add to add the files.
Have a look if/when you have _free_ time.


----- Original Message -----
From: Christopher J. PeBenito <cpebenito@tresys.com>
To: Justin Mattock <justinmattock@yahoo.com>
Cc: tresys <refpolicy@oss.tresys.com>
Sent: Wednesday, January 4, 2012 4:46 AM
Subject: Re: [refpolicy] [RFC 0/4 v3] add systemd support to the Mainline policy from fedora's.

On 12/20/11 11:51, Justin Mattock wrote:
> With the next four emails I am sending some patches that (hopefully) add support for systemd from Fedora's policy.
> Note: I am not so git savvy, so creating them I had some issues with the whole contrib thing.
> Anyway, the first two patches are initial systemd support, and the last two are build error fixes with make load (semodule errors).
> 
> I am unable to load the policy due to some libc error, and am looking into that at the moment. If anybody wants to try these out to see if this loads and runs, then let me know. Also I am unable to be connected all day (no office space), so responding might take some time.

Dropping the SELinux list, as it is unnecessary to cross post.

Same question as always, has systemd stabilized?  I glanced through the first patch, and it has severe whitespace problems.  It also has problems that must be fixed, such as:

@@ -861,3 +970,24 @@ optional_policy(`
optional_policy(`
??? zebra_read_config(initrc_t)
')
+
+tunable_policy(`init_systemd',`
+??? allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+??? allow init_t daemon:unix_dgram_socket create_socket_perms;
+??? allow init_t daemon:tcp_socket create_stream_socket_perms;
+??? allow daemon init_t:unix_dgram_socket sendto;
+??? # need write to /var/run/systemd/notify
+??? init_write_pid_socket(daemon)
+??? allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# not sure why fedora has double init_systemd here
+tunable_policy(`init_systemd',`
+??? # Handle upstart/systemd direct transition to a executable
+??? allow init_t systemprocess:process { dyntransition siginh };
+??? allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+??? allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+??? allow systemprocess init_t:unix_dgram_socket sendto;
+??? allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')

Instead of having two blocks, they should be combined, as alluded to by the comment.  From what I can tell from the first patch, it looks like this needs more work.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

