From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] systemd policy
Date: Thu, 6 Feb 2014 09:40:51 -0500
Message-ID: <52F39EF3.7000603@tresys.com>
In-Reply-To: <2057214.LVlr9fzTya@russell.coker.com.au>

On 01/27/14 01:56, Russell Coker wrote:
> On Tue, 14 Jan 2014 10:46:23 Dominick Grift wrote:
>>> I've attached a patch I'm using which defines some unit types and adds fc
>>> entries.  Some of them are missing fc entries, presumably because the
>>> daemons in question didn't have unit files at the time (this policy was
>>> taken from Fedora some time ago).
>>>
>>> I've also added a stub systemd_unit_file() in init.if.  The full systemd
>>> policy patch will have to remove that.  I think this is OK to get the
>>> uncontroversial stuff included in the tree sooner.
>>
>> Please send your patches in-line so that we can easily comment on them.
>>
>> Here is one thing that can be improved in your patch:
>>
>> This is how it's supposed to be:
>>
>> /lib/systemd/system/alsa-.*\.service --
>> gen_context(system_u:object_r:alsa_unit_file_t,s0)
>>
>> These are not optimal and it's inconsistent with the above:
>>
>> /lib/systemd/system/named.service --
>> gen_context(system_u:object_r:named_unit_file_t,s0)
>>
>> You see:
>>
>> # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
>> /run/systemd/system /usr/lib/systemd/system
>> /run/systemd/generator /usr/lib/systemd/system
>> /etc/systemd/system /usr/lib/systemd/system
>>
>> So /etc/systemd/system is equivalent to /usr/lib/systemd/system
>>
>> Now consider me having a name daemon dns server on each of my two
>> networks. Then I need an instance for each. So I create two "named" unit
>> files in /etc/systemd/system/named_{network1,network2}.service
>>
>> So we can use the .* wildcard to catch these?
>>
>> So I would suggest we create file contexts for unit files with .*
>> consistently to catch prefixed service files
> 
> How is this?

The name of the interface would have to start with init.  It makes me wonder if we should extend the init_service_domain()/init_daemon_domain() interfaces instead.  The unit file is related to the domain starting up from init/systemd, so one might argue it goes with those interfaces.



> Description: Add systemd unit types
> Author: Russell Coker <russell@coker.com.au>
> Last-Update: 2014-01-12
> 
> --- a/policy/modules/contrib/alsa.fc
> +++ b/policy/modules/contrib/alsa.fc
> @@ -24,3 +24,4 @@
>  /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
>  
>  /var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
> +/lib/systemd/system/alsa.*\.service -- 
> gen_context(system_u:object_r:alsa_unit_file_t,s0)
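Review bot: the `+/lib/systemd/system/alsa.*\.service -- ` line has been wrapped by the mailer, with the `gen_context(...)` half pushed onto the next line and a trailing space left after `--`, so this hunk, and every fc hunk below with the same shape, will not apply as posted; resend with line wrapping disabled (git send-email avoids this). Separately, fc files are kept in path order, so the new `/lib/systemd/system/` entry belongs before the `/usr/share/alsa/pcm` line rather than after `/var/lib/alsa`; the same ordering point applies to the other fc hunks that append the entry at the end of the file.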
> --- a/policy/modules/contrib/alsa.te
> +++ b/policy/modules/contrib/alsa.te
> @@ -27,6 +27,9 @@
>  type alsa_home_t;
>  userdom_user_home_content(alsa_home_t)
>  
> +type alsa_unit_file_t;
> +systemd_unit_file(alsa_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/apache.fc
> +++ b/policy/modules/contrib/apache.fc
> @@ -26,6 +26,9 @@
>  /etc/WebCalendar(/.*)?	
> gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /etc/zabbix/web(/.*)?	
> gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  
> +/lib/systemd/system/httpd.*\.service -- 
> gen_context(system_u:object_r:httpd_unit_file_t,s0)
> +/lib/systemd/system/jetty.*\.service -- 
> gen_context(system_u:object_r:httpd_unit_file_t,s0)
> +
>  /opt/.*\.cgi	--	
> gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>  /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?	
> gen_context(system_u:object_r:httpd_var_run_t,s0)
>  
> --- a/policy/modules/contrib/apache.te
> +++ b/policy/modules/contrib/apache.te
> @@ -286,6 +286,8 @@
>  type httpd_keytab_t;
>  files_type(httpd_keytab_t)
>  
> +type httpd_unit_file_t;
> +systemd_unit_file(httpd_unit_file_t)
>  type httpd_lock_t;
>  files_lock_file(httpd_lock_t)
>  
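Review bot: there is no blank line between the added `systemd_unit_file(httpd_unit_file_t)` and the existing `type httpd_lock_t;`, unlike every other .te hunk in this patch, which separates the new declaration block with a `+` blank line; add one for consistency.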
> --- a/policy/modules/contrib/apcupsd.fc
> +++ b/policy/modules/contrib/apcupsd.fc
> @@ -1,5 +1,7 @@
>  /etc/rc\.d/init\.d/apcupsd	--	
> gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
>  
> +/lib/systemd/system/apcupsd.*\.service -- 
> gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
> +
>  /sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
>  
>  /usr/sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
> --- a/policy/modules/contrib/apcupsd.te
> +++ b/policy/modules/contrib/apcupsd.te
> @@ -24,6 +24,9 @@
>  type apcupsd_var_run_t;
>  files_pid_file(apcupsd_var_run_t)
>  
> +type apcupsd_unit_file_t;
> +systemd_unit_file(apcupsd_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/apm.fc
> +++ b/policy/modules/contrib/apm.fc
> @@ -17,3 +17,5 @@
>  /var/run/powersave_socket	-s	
> gen_context(system_u:object_r:apmd_var_run_t,s0)
>  
>  /var/lib/acpi(/.*)?	gen_context(system_u:object_r:apmd_var_lib_t,s0)
> +
> +/lib/systemd/system/apmd.*\.service -- 
> gen_context(system_u:object_r:apmd_unit_file_t,s0)
> --- a/policy/modules/contrib/apm.te
> +++ b/policy/modules/contrib/apm.te
> @@ -35,6 +35,9 @@
>  type apmd_var_run_t;
>  files_pid_file(apmd_var_run_t)
>  
> +type apmd_unit_file_t;
> +systemd_unit_file(apmd_unit_file_t)
> +
>  ########################################
>  #
>  # Client local policy
> --- a/policy/modules/contrib/arpwatch.fc
> +++ b/policy/modules/contrib/arpwatch.fc
> @@ -7,3 +7,5 @@
>  /var/lib/arpwatch(/.*)?	gen_context(system_u:object_r:arpwatch_data_t,s0)
>  
>  /var/run/arpwatch.*\.pid	--	
> gen_context(system_u:object_r:arpwatch_var_run_t,s0)
> +
> +/lib/systemd/system/arpwatch.*\.service -- 
> gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
> --- a/policy/modules/contrib/arpwatch.te
> +++ b/policy/modules/contrib/arpwatch.te
> @@ -21,6 +21,9 @@
>  type arpwatch_var_run_t;
>  files_pid_file(arpwatch_var_run_t)
>  
> +type arpwatch_unit_file_t;
> +systemd_unit_file(arpwatch_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/automount.fc
> +++ b/policy/modules/contrib/automount.fc
> @@ -6,3 +6,5 @@
>  /var/lock/subsys/autofs	--	
> gen_context(system_u:object_r:automount_lock_t,s0)
>  
>  /var/run/autofs.*	gen_context(system_u:object_r:automount_var_run_t,s0)
> +
> +/lib/systemd/system/autofs.*\.service -- 
> gen_context(system_u:object_r:automount_unit_file_t,s0)
> --- a/policy/modules/contrib/automount.te
> +++ b/policy/modules/contrib/automount.te
> @@ -25,6 +25,9 @@
>  type automount_var_run_t;
>  files_pid_file(automount_var_run_t)
>  
> +type automount_unit_file_t;
> +systemd_unit_file(automount_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/avahi.fc
> +++ b/policy/modules/contrib/avahi.fc
> @@ -7,3 +7,5 @@
>  /var/run/avahi-daemon(/.*)?	
> gen_context(system_u:object_r:avahi_var_run_t,s0)
>  
>  /var/lib/avahi-autoipd(/.*)?	
> gen_context(system_u:object_r:avahi_var_lib_t,s0)
> +
> +/lib/systemd/system/avahi.*\.service -- 
> gen_context(system_u:object_r:avahi_unit_file_t,s0)
> --- a/policy/modules/contrib/avahi.te
> +++ b/policy/modules/contrib/avahi.te
> @@ -18,6 +18,9 @@
>  type avahi_var_run_t;
>  files_pid_file(avahi_var_run_t)
>  
> +type avahi_unit_file_t;
> +systemd_unit_file(avahi_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/bind.fc
> +++ b/policy/modules/contrib/bind.fc
> @@ -14,6 +14,9 @@
>  /etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
>  /etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
>  
> +/lib/systemd/system/unbound.*\.service -- 
> gen_context(system_u:object_r:named_unit_file_t,s0)
> +/lib/systemd/system/named.*\.service -- 
> gen_context(system_u:object_r:named_unit_file_t,s0)
> +
>  /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
>  /usr/sbin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
>  /usr/sbin/named-checkconf	--	
> gen_context(system_u:object_r:named_checkconf_exec_t,s0)
> --- a/policy/modules/contrib/bind.te
> +++ b/policy/modules/contrib/bind.te
> @@ -47,6 +47,9 @@
>  type named_keytab_t;
>  files_type(named_keytab_t)
>  
> +type named_unit_file_t;
> +systemd_unit_file(named_unit_file_t)
> +
>  type named_log_t;
>  logging_log_file(named_log_t)
>  
> --- a/policy/modules/contrib/bluetooth.fc
> +++ b/policy/modules/contrib/bluetooth.fc
> @@ -22,3 +22,5 @@
>  
>  /var/run/bluetoothd_address	--	
> gen_context(system_u:object_r:bluetooth_var_run_t,s0)
>  /var/run/sdp	-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
> +
> +/lib/systemd/system/bluetooth.*\.service -- 
> gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
> --- a/policy/modules/contrib/bluetooth.te
> +++ b/policy/modules/contrib/bluetooth.te
> @@ -49,6 +49,9 @@
>  type bluetooth_var_run_t;
>  files_pid_file(bluetooth_var_run_t)
>  
> +type bluetooth_unit_file_t;
> +systemd_unit_file(bluetooth_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/clamav.fc
> +++ b/policy/modules/contrib/clamav.fc
> @@ -24,3 +24,5 @@
>  /var/run/clamd.*	gen_context(system_u:object_r:clamd_var_run_t,s0)
>  
>  /var/spool/amavisd/clamd\.sock	-s	
> gen_context(system_u:object_r:clamd_var_run_t,s0)
> +
> +/lib/systemd/system/clamd.*\.service -- 
> gen_context(system_u:object_r:clamd_unit_file_t,s0)
> --- a/policy/modules/contrib/clamav.te
> +++ b/policy/modules/contrib/clamav.te
> @@ -38,6 +38,9 @@
>  type clamd_initrc_exec_t;
>  init_script_file(clamd_initrc_exec_t)
>  
> +type clamd_unit_file_t;
> +systemd_unit_file(clamd_unit_file_t)
> +
>  type clamd_tmp_t;
>  files_tmp_file(clamd_tmp_t)
>  
> --- a/policy/modules/contrib/consolekit.fc
> +++ b/policy/modules/contrib/consolekit.fc
> @@ -1,3 +1,5 @@
> +/lib/systemd/system/console-kit.*\.service -- 
> gen_context(system_u:object_r:consolekit_unit_file_t,s0)
> +
>  /usr/sbin/console-kit-daemon	--	
> gen_context(system_u:object_r:consolekit_exec_t,s0)
>  
>  /var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
> --- a/policy/modules/contrib/consolekit.te
> +++ b/policy/modules/contrib/consolekit.te
> @@ -19,6 +19,9 @@
>  files_pid_file(consolekit_var_run_t)
>  init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
>  
> +type consolekit_unit_file_t;
> +systemd_unit_file(consolekit_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/cron.fc
> +++ b/policy/modules/contrib/cron.fc
> @@ -64,3 +64,6 @@
>  /var/spool/cron/lastrun/[^/]*	--	<<none>>
>  /var/spool/cron/tabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
>  ')
> +
> +/lib/systemd/system/atd.*\.service -- 
> gen_context(system_u:object_r:crond_unit_file_t,s0)
> +/lib/systemd/system/crond.*\.service -- 
> gen_context(system_u:object_r:crond_unit_file_t,s0)
> --- a/policy/modules/contrib/cron.te
> +++ b/policy/modules/contrib/cron.te
> @@ -71,6 +71,9 @@
>  type crond_initrc_exec_t;
>  init_script_file(crond_initrc_exec_t)
>  
> +type crond_unit_file_t;
> +systemd_unit_file(crond_unit_file_t)
> +
>  type crond_tmp_t;
>  files_tmp_file(crond_tmp_t)
>  files_poly_parent(crond_tmp_t)
> --- a/policy/modules/contrib/cups.fc
> +++ b/policy/modules/contrib/cups.fc
> @@ -75,3 +75,5 @@
>  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
>  /var/run/udev-configure-printer(/.*)?	
> gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
>  /var/turboprint(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
> +
> +/lib/systemd/system/cups.*\.service -- 
> gen_context(system_u:object_r:cupsd_unit_file_t,s0)
> --- a/policy/modules/contrib/cups.te
> +++ b/policy/modules/contrib/cups.te
> @@ -62,6 +62,9 @@
>  init_daemon_run_dir(cupsd_var_run_t, "cups")
>  mls_trusted_object(cupsd_var_run_t)
>  
> +type cupsd_unit_file_t;
> +systemd_unit_file(cupsd_unit_file_t)
> +
>  type hplip_t;
>  type hplip_exec_t;
>  init_daemon_domain(hplip_t, hplip_exec_t)
> --- a/policy/modules/contrib/dhcp.fc
> +++ b/policy/modules/contrib/dhcp.fc
> @@ -6,3 +6,4 @@
>  /var/lib/dhcp(3)?/dhcpd\.leases.*	--	
> gen_context(system_u:object_r:dhcpd_state_t,s0)
>  
>  /var/run/dhcpd(6)?\.pid	--	
> gen_context(system_u:object_r:dhcpd_var_run_t,s0)
> +/lib/systemd/system/dhcpcd.*\.service   --      
> gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
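Review bot: `dhcpcd.*\.service` looks like a typo for `dhcpd`: dhcpcd is a DHCP client, whereas `dhcpd_unit_file_t` belongs to the ISC server domain whose units are `dhcpd.service` and `dhcpd6.service`, and the pattern as written matches neither of those. The entry also separates its fields with runs of spaces where the surrounding lines use tabs; the same spacing appears in the dnsmasq, nis, ntp, ppp and rpc hunks.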
> --- a/policy/modules/contrib/dhcp.te
> +++ b/policy/modules/contrib/dhcp.te
> @@ -20,6 +20,9 @@
>  type dhcpd_initrc_exec_t;
>  init_script_file(dhcpd_initrc_exec_t)
>  
> +type dhcpd_unit_file_t;
> +systemd_unit_file(dhcpd_unit_file_t)
> +
>  type dhcpd_state_t;
>  files_type(dhcpd_state_t)
>  
> --- a/policy/modules/contrib/dnsmasq.fc
> +++ b/policy/modules/contrib/dnsmasq.fc
> @@ -12,3 +12,4 @@
>  
>  /var/run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
>  /var/run/libvirt/network(/.*)?	
> gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/lib/systemd/system/dnsmasq.*\.service  --      
> gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
> --- a/policy/modules/contrib/dnsmasq.te
> +++ b/policy/modules/contrib/dnsmasq.te
> @@ -24,6 +24,9 @@
>  type dnsmasq_var_run_t;
>  files_pid_file(dnsmasq_var_run_t)
>  
> +type dnsmasq_unit_file_t;
> +systemd_unit_file(dnsmasq_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/ftp.fc
> +++ b/policy/modules/contrib/ftp.fc
> @@ -26,3 +26,6 @@
>  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
> +
> +/lib/systemd/system/vsftpd.*\.service -- 
> gen_context(system_u:object_r:iptables_unit_file_t,s0)
> +/lib/systemd/system/proftpd.*\.service -- 
> gen_context(system_u:object_r:iptables_unit_file_t,s0)
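Review bot: both new entries label the vsftpd and proftpd units `iptables_unit_file_t`, a type owned by the iptables module, while the ftp.te hunk declares `ftpd_unit_file_t` for exactly this purpose and nothing in the patch ever uses it; change both lines to `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`.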
> --- a/policy/modules/contrib/ftp.te
> +++ b/policy/modules/contrib/ftp.te
> @@ -127,6 +127,9 @@
>  type ftpd_keytab_t;
>  files_type(ftpd_keytab_t)
>  
> +type ftpd_unit_file_t;
> +systemd_unit_file(ftpd_unit_file_t)
> +
>  type ftpd_lock_t;
>  files_lock_file(ftpd_lock_t)
>  
> --- a/policy/modules/contrib/kdump.fc
> +++ b/policy/modules/contrib/kdump.fc
> @@ -11,3 +11,5 @@
>  
>  /usr/sbin/kdump	--	gen_context(system_u:object_r:kdump_exec_t,s0)
>  /usr/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
> +
> +/lib/systemd/system/kdump.*\.service -- 
> gen_context(system_u:object_r:iptables_unit_file_t,s0)
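Review bot: the kdump unit is labelled `iptables_unit_file_t` here, but the kdump.te hunk declares `kdump_unit_file_t`, which is then left unused; this should be `gen_context(system_u:object_r:kdump_unit_file_t,s0)`. It looks like a copy-and-paste leftover from the iptables.fc entries, as in the ftp.fc hunk.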
> --- a/policy/modules/contrib/kdump.te
> +++ b/policy/modules/contrib/kdump.te
> @@ -23,6 +23,9 @@
>  type kdumpctl_tmp_t;
>  files_tmp_file(kdumpctl_tmp_t)
>  
> +type kdump_unit_file_t;
> +systemd_unit_file(kdump_unit_file_t)
> +
>  #####################################
>  #
>  # Local policy
> --- a/policy/modules/contrib/ldap.fc
> +++ b/policy/modules/contrib/ldap.fc
> @@ -27,3 +27,5 @@
>  /var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
>  /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
>  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
> +
> +/lib/systemd/system/slapd.*\.service -- 
> gen_context(system_u:object_r:slapd_unit_file_t,s0)
> --- a/policy/modules/contrib/ldap.te
> +++ b/policy/modules/contrib/ldap.te
> @@ -24,6 +24,9 @@
>  type slapd_keytab_t;
>  files_type(slapd_keytab_t)
>  
> +type slapd_unit_file_t;
> +systemd_unit_file(slapd_unit_file_t)
> +
>  type slapd_lock_t;
>  files_lock_file(slapd_lock_t)
>  
> --- a/policy/modules/contrib/mysql.fc
> +++ b/policy/modules/contrib/mysql.fc
> @@ -25,3 +25,5 @@
>  /var/run/mysqld.*	gen_context(system_u:object_r:mysqld_var_run_t,s0)
>  /var/run/mysqlmanager.*	--	
> gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
>  /var/run/mysqld/mysqlmanager.*	--	
> gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
> +
> +/lib/systemd/system/mysqld.*\.service -- 
> gen_context(system_u:object_r:mysqld_unit_file_t,s0)
> --- a/policy/modules/contrib/mysql.te
> +++ b/policy/modules/contrib/mysql.te
> @@ -38,6 +38,9 @@
>  type mysqld_home_t;
>  userdom_user_home_content(mysqld_home_t)
>  
> +type mysqld_unit_file_t;
> +systemd_unit_file(mysqld_unit_file_t)
> +
>  type mysqld_initrc_exec_t;
>  init_script_file(mysqld_initrc_exec_t)
>  
> --- a/policy/modules/contrib/networkmanager.fc
> +++ b/policy/modules/contrib/networkmanager.fc
> @@ -1,3 +1,4 @@
> +/lib/systemd/system/NetworkManager.*\.service -- 
> gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
>  /etc/rc\.d/init\.d/wicd	--	
> gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
>  
>  /etc/NetworkManager(/.*)?	
> gen_context(system_u:object_r:NetworkManager_etc_t,s0)
> --- a/policy/modules/contrib/networkmanager.te
> +++ b/policy/modules/contrib/networkmanager.te
> @@ -18,6 +18,9 @@
>  type NetworkManager_initrc_exec_t;
>  init_script_file(NetworkManager_initrc_exec_t)
>  
> +type NetworkManager_unit_file_t;
> +systemd_unit_file(NetworkManager_unit_file_t)
> +
>  type NetworkManager_log_t;
>  logging_log_file(NetworkManager_log_t)
>  
> --- a/policy/modules/contrib/nis.fc
> +++ b/policy/modules/contrib/nis.fc
> @@ -20,3 +20,8 @@
>  /var/run/ypbind.*	--	gen_context(system_u:object_r:ypbind_var_run_t,s0)
>  /var/run/ypserv.*	--	gen_context(system_u:object_r:ypserv_var_run_t,s0)
>  /var/run/yppass.*	--	gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
> +
> +/lib/systemd/system/ypbind.*\.service    --      
> gen_context(system_u:object_r:ypbind_unit_file_t,s0)
> +/lib/systemd/system/ypserv.*\.service    --      
> gen_context(system_u:object_r:nis_unit_file_t,s0)
> +/lib/systemd/system/yppasswdd.*\.service --      
> gen_context(system_u:object_r:nis_unit_file_t,s0)
> +/lib/systemd/system/ypxfrd.*\.service    --      
> gen_context(system_u:object_r:nis_unit_file_t,s0)
> --- a/policy/modules/contrib/nis.te
> +++ b/policy/modules/contrib/nis.te
> @@ -27,6 +27,9 @@
>  type ypbind_var_run_t;
>  files_pid_file(ypbind_var_run_t)
>  
> +type ypbind_unit_file_t;
> +systemd_unit_file(ypbind_unit_file_t)
> +
>  type yppasswdd_t;
>  type yppasswdd_exec_t;
>  init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
> @@ -55,6 +58,9 @@
>  type ypxfr_var_run_t;
>  files_pid_file(ypxfr_var_run_t)
>  
> +type nis_unit_file_t;
> +systemd_unit_file(nis_unit_file_t)
> +
>  ########################################
>  #
>  # ypbind local policy
> --- a/policy/modules/contrib/nscd.te
> +++ b/policy/modules/contrib/nscd.te
> @@ -31,6 +31,9 @@
>  type nscd_initrc_exec_t;
>  init_script_file(nscd_initrc_exec_t)
>  
> +type nscd_unit_file_t;
> +systemd_unit_file(nscd_unit_file_t)
> +
>  type nscd_log_t;
>  logging_log_file(nscd_log_t)
>  
> --- a/policy/modules/contrib/ntp.fc
> +++ b/policy/modules/contrib/ntp.fc
> @@ -21,3 +21,7 @@
>  /var/log/xntpd.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
>  
>  /var/run/ntpd\.pid	--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
> +
> +/lib/systemd/system/ntpd.*\.service               --      
> gen_context(system_u:object_r:ntpd_unit_file_t,s0)
> +
> +/usr/lib/systemd/system/ntpd.*\.service               --      
> gen_context(system_u:object_r:ntpd_unit_file_t,s0)
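Review bot: this is the only hunk that adds both a `/lib/systemd/system/` and a `/usr/lib/systemd/system/` entry; every other fc hunk adds only the `/lib` path. Decide once whether `/usr/lib` entries are wanted for the whole patch (for distributions where that is the real location) and apply it everywhere, or drop the duplicate here; either way remove the stray blank line between the two entries and use tabs rather than the long runs of spaces before `--`.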
> --- a/policy/modules/contrib/ntp.te
> +++ b/policy/modules/contrib/ntp.te
> @@ -21,6 +21,9 @@
>  type ntp_conf_t;
>  files_config_file(ntp_conf_t)
>  
> +type ntpd_unit_file_t;
> +systemd_unit_file(ntpd_unit_file_t)
> +
>  type ntpd_key_t;
>  files_type(ntpd_key_t)
>  
> --- a/policy/modules/contrib/ppp.fc
> +++ b/policy/modules/contrib/ppp.fc
> @@ -28,3 +28,5 @@
>  /var/run/pppd[0-9]*\.tdb	--	
> gen_context(system_u:object_r:pppd_var_run_t,s0)
>  /var/run/ppp(/.*)?	gen_context(system_u:object_r:pppd_var_run_t,s0)
>  /var/run/pptp(/.*)?	gen_context(system_u:object_r:pptp_var_run_t,s0)
> +
> +/lib/systemd/system/ppp.*\.service      --      
> gen_context(system_u:object_r:pppd_unit_file_t,s0)
> --- a/policy/modules/contrib/ppp.te
> +++ b/policy/modules/contrib/ppp.te
> @@ -41,6 +41,9 @@
>  type pppd_initrc_exec_t alias pppd_script_exec_t;
>  init_script_file(pppd_initrc_exec_t)
>  
> +type pppd_unit_file_t;
> +systemd_unit_file(pppd_unit_file_t)
> +
>  type pppd_secret_t;
>  files_type(pppd_secret_t)
>  
> --- a/policy/modules/contrib/rpc.fc
> +++ b/policy/modules/contrib/rpc.fc
> @@ -20,3 +20,6 @@
>  
>  /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
>  /var/run/rpc\.statd\.pid	--	
> gen_context(system_u:object_r:rpcd_var_run_t,s0)
> +
> +/lib/systemd/system/nfs.*\.service --   
> gen_context(system_u:object_r:nfsd_unit_file_t,s0)
> +/lib/systemd/system/rpc.*\.service --   
> gen_context(system_u:object_r:rpcd_unit_file_t,s0)
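Review bot: `/lib/systemd/system/rpc.*\.service` is broader than the rpcd domain: it also matches `rpcbind.service`, whose daemon is confined by the separate rpcbind module, and would label it `rpcd_unit_file_t`. Either list the rpc helper units you mean or add an explicit `rpcbind\.service` entry with its own type in rpcbind.fc, which wins as the more specific match. `nfs.*\.service` deserves the same check against the unit names that actually ship.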
> --- a/policy/modules/contrib/rpc.te
> +++ b/policy/modules/contrib/rpc.te
> @@ -44,11 +44,17 @@
>  type rpcd_initrc_exec_t;
>  init_script_file(rpcd_initrc_exec_t)
>  
> +type rpcd_unit_file_t;
> +systemd_unit_file(rpcd_unit_file_t)
> +
>  rpc_domain_template(nfsd)
>  
>  type nfsd_initrc_exec_t;
>  init_script_file(nfsd_initrc_exec_t)
>  
> +type nfsd_unit_file_t;
> +systemd_unit_file(nfsd_unit_file_t)
> +
>  type nfsd_rw_t;
>  files_type(nfsd_rw_t)
>  
> --- a/policy/modules/contrib/samba.fc
> +++ b/policy/modules/contrib/samba.fc
> @@ -8,6 +8,8 @@
>  /etc/samba/smbpasswd	--	gen_context(system_u:object_r:samba_secrets_t,s0)
>  /etc/samba(/.*)?	gen_context(system_u:object_r:samba_etc_t,s0)
>  
> +/lib/systemd/system/smb.*\.service -- 
> gen_context(system_u:object_r:samba_unit_file_t,s0)
> +
>  /usr/bin/net	--	gen_context(system_u:object_r:samba_net_exec_t,s0)
>  /usr/bin/ntlm_auth	--	
> gen_context(system_u:object_r:winbind_helper_exec_t,s0)
>  /usr/bin/smbcontrol	--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
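Review bot: `smb.*\.service` covers only smbd; the module also confines nmbd and winbindd (the `winbind_helper_exec_t` entry is two lines below), whose units are `nmb.service` and `winbind.service`, and both are left unlabelled. Add entries for them, with a separate type for winbind if it should be manageable independently of smbd.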
> --- a/policy/modules/contrib/samba.te
> +++ b/policy/modules/contrib/samba.te
> @@ -113,6 +113,9 @@
>  type samba_initrc_exec_t;
>  init_script_file(samba_initrc_exec_t)
>  
> +type samba_unit_file_t;
> +systemd_unit_file(samba_unit_file_t)
> +
>  type samba_log_t;
>  logging_log_file(samba_log_t)
>  
> --- a/policy/modules/contrib/tor.fc
> +++ b/policy/modules/contrib/tor.fc
> @@ -5,6 +5,8 @@
>  /usr/bin/tor	--	gen_context(system_u:object_r:tor_exec_t,s0)
>  /usr/sbin/tor	--	gen_context(system_u:object_r:tor_exec_t,s0)
>  
> +/lib/systemd/system/tor.*\.service -- 
> gen_context(system_u:object_r:tor_unit_file_t,s0)
> +
>  /var/lib/tor(/.*)?	gen_context(system_u:object_r:tor_var_lib_t,s0)
>  /var/lib/tor-data(/.*)?	gen_context(system_u:object_r:tor_var_lib_t,s0)
>  
> --- a/policy/modules/contrib/tor.te
> +++ b/policy/modules/contrib/tor.te
> @@ -33,6 +33,9 @@
>  files_pid_file(tor_var_run_t)
>  init_daemon_run_dir(tor_var_run_t, "tor")
>  
> +type tor_unit_file_t;
> +systemd_unit_file(tor_unit_file_t)
> +
>  ########################################
>  #
>  # Local policy
> --- a/policy/modules/system/iptables.fc
> +++ b/policy/modules/system/iptables.fc
> @@ -3,6 +3,9 @@
>  /etc/sysconfig/ip6?tables.*	--	
> gen_context(system_u:object_r:iptables_conf_t,s0)
>  /etc/sysconfig/system-config-firewall.* -- 
> gen_context(system_u:object_r:iptables_conf_t,s0)
>  
> +/lib/systemd/system/iptables.*\.service -- 
> gen_context(system_u:object_r:iptables_unit_file_t,s0)
> +/lib/systemd/system/ip6tables.*\.service -- 
> gen_context(system_u:object_r:iptables_unit_file_t,s0)
> +
>  /sbin/ebtables			--	
> gen_context(system_u:object_r:iptables_exec_t,s0)
>  /sbin/ebtables-restore		--	
> gen_context(system_u:object_r:iptables_exec_t,s0)
>  /sbin/ipchains.*		--	
> gen_context(system_u:object_r:iptables_exec_t,s0)
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -25,6 +25,9 @@
>  type iptables_var_run_t;
>  files_pid_file(iptables_var_run_t)
>  
> +type iptables_unit_file_t;
> +systemd_unit_file(iptables_unit_file_t)
> +
>  ########################################
>  #
>  # Iptables local policy
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -6,6 +6,8 @@
>  /etc/rc\.d/init\.d/auditd --	
> gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
>  /etc/rc\.d/init\.d/rsyslog --	
> gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
>  
> +/lib/systemd/system/auditd.*\.service	--	
> gen_context(system_u:object_r:auditd_unit_file_t,s0)
> +
>  /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
>  /sbin/audisp-remote	--	
> gen_context(system_u:object_r:audisp_remote_exec_t,s0)
>  /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
> @@ -23,6 +25,7 @@
>  /usr/sbin/rsyslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
>  /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
>  /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
> +/lib/systemd/system/rsyslog.*\.service -- 
> gen_context(system_u:object_r:syslogd_unit_file_t,s0)
>  
>  /var/lib/misc/syslog-ng.persist-? -- 
> gen_context(system_u:object_r:syslogd_var_lib_t,s0)
>  /var/lib/syslog-ng(/.*)? 	
> gen_context(system_u:object_r:syslogd_var_lib_t,s0)
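Review bot: the new `rsyslog.*\.service` entry is inserted among the `/usr/sbin` lines instead of in path order (it belongs next to the `/lib/systemd/system/auditd` entry added in the previous hunk), and it covers rsyslog only: `syslog-ng.service` is not matched even though `syslog-ng` is labelled `syslogd_exec_t` two lines above.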
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -12,6 +12,9 @@
>  init_system_domain(auditctl_t, auditctl_exec_t)
>  role system_r types auditctl_t;
>  
> +type auditd_unit_file_t;
> +systemd_unit_file(auditd_unit_file_t)
> +
>  type auditd_etc_t;
>  files_security_file(auditd_etc_t)
>  
> @@ -65,6 +68,9 @@
>  type syslogd_exec_t;
>  init_daemon_domain(syslogd_t, syslogd_exec_t)
>  
> +type syslogd_unit_file_t;
> +systemd_unit_file(syslogd_unit_file_t)
> +
>  type syslogd_initrc_exec_t;
>  init_script_file(syslogd_initrc_exec_t)
>  
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -389,10 +389,14 @@
>  class system
>  {
>  	ipc_info
> -	syslog_read  
> +	syslog_read
>  	syslog_mod
>  	syslog_console
>  	module_request
> +	halt
> +	reboot
> +	status
> +	undefined
>  }
>  
>  #
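Review bot: the `syslog_read` line is touched only to strip trailing whitespace, which is unrelated to adding unit types and should go in a separate cleanup commit. The four new `system` permissions (`halt`, `reboot`, `status`, `undefined`) are not mentioned in the description and no rule in the patch grants them; state that they exist for systemd's own access checks rather than the kernel, so readers do not take them for dead declarations.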
> @@ -865,3 +869,20 @@
>  	implement
>  	execute
>  }
> +
> +class service
> +{
> +	start
> +	stop
> +	status
> +	reload
> +	kill
> +	load
> +	enable
> +	disable
> +}
> +
> +class proxy
> +{
> +	read
> +}
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -131,4 +131,10 @@
>  class db_sequence		# userspace
>  class db_language		# userspace
>  
> +# systemd services
> +class service
> +
> +# gssd services
> +class proxy
> +
>  # FLASK
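Review bot: the neighbouring entries mark userspace object classes with a trailing `# userspace` comment (`class db_language		# userspace`); `class service` and `class proxy` are userspace classes too and should carry the same marker. The `proxy` class for gssd has nothing to do with systemd unit types and belongs in its own patch together with the `access_vectors` hunk that defines it.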
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1844,3 +1844,17 @@
>  	')
>  	corenet_udp_recvfrom_labeled($1, daemon)
>  ')
> +
> +#######################################
> +## <summary>
> +##      Create a file type used for systemd unit files.
> +## </summary>
> +## <param name="script_file">
> +##      <summary>
> +##      Type to be used for an unit file.
> +##      </summary>
> +## </param>
> +#
> +interface(`systemd_unit_file',`
> +	files_type($1)
> +')
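Review bot: the parameter is documented as `<param name="script_file">` but the interface takes a unit file type; rename it (e.g. `unit_file`) and change "an unit file" to "a unit file". The doc comment indents with spaces after `##` while the rest of init.if uses tabs. Since the interface lives in init.if its name also needs the `init_` prefix, and as it only wraps `files_type($1)` it may be simpler to fold the unit type into the init_daemon_domain()/init_service_domain() interfaces as suggested above.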
> --- a/policy/modules/system/selinuxutil.fc
> +++ b/policy/modules/system/selinuxutil.fc
> @@ -36,6 +36,7 @@
>  
>  /usr/sbin/load_policy		--	
> gen_context(system_u:object_r:load_policy_exec_t,s0)
>  /usr/sbin/restorecond		--	
> gen_context(system_u:object_r:restorecond_exec_t,s0)
> +/lib/systemd/system/restorecond.*\.service -- 
> gen_context(system_u:object_r:restorecond_unit_file_t,s0)
>  /usr/sbin/run_init		--	
> gen_context(system_u:object_r:run_init_exec_t,s0)
>  /usr/sbin/setfiles.*		--	
> gen_context(system_u:object_r:setfiles_exec_t,s0)
>  /usr/sbin/setsebool		--	
> gen_context(system_u:object_r:semanage_exec_t,s0)
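Review bot: the new entry is inserted between `/usr/sbin/restorecond` and `/usr/sbin/run_init`, breaking the path ordering of the file; `/lib/systemd/system/...` sorts before the whole `/usr/sbin` block. The setrans.fc and networkmanager.fc hunks have the same placement problem (`/lib` after `/sbin/mcstransd` and before `/etc/rc.d` respectively).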
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -85,6 +85,9 @@
>  domain_obj_id_change_exemption(restorecond_t)
>  role system_r types restorecond_t;
>  
> +type restorecond_unit_file_t;
> +systemd_unit_file(restorecond_unit_file_t)
> +
>  type restorecond_var_run_t;
>  files_pid_file(restorecond_var_run_t)
>  
> --- a/policy/modules/system/setrans.fc
> +++ b/policy/modules/system/setrans.fc
> @@ -1,5 +1,6 @@
>  /etc/rc\.d/init\.d/mcstrans --	
> gen_context(system_u:object_r:setrans_initrc_exec_t,s0)
>  
>  /sbin/mcstransd		--	gen_context(system_u:object_r:setrans_exec_t,s0)
> +/lib/systemd/system/mcstrans.*\.service -- 
> gen_context(system_u:object_r:setrans_unit_file_t,s0)
>  
>  /var/run/setrans(/.*)?		
> gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -13,6 +13,9 @@
>  type setrans_exec_t;
>  init_daemon_domain(setrans_t, setrans_exec_t)
>  
> +type setrans_unit_file_t;
> +systemd_unit_file(setrans_unit_file_t)
> +
>  type setrans_initrc_exec_t;
>  init_script_file(setrans_initrc_exec_t)
>  
> 
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
