From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: <mgrepl@redhat.com>, Daniel J Walsh <dwalsh@redhat.com>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: [RFC] systemd the userspace object manager
Date: Tue, 18 Nov 2014 11:38:37 -0500 [thread overview]
Message-ID: <546B760D.8070407@tresys.com> (raw)
Systemd currently mixes userspace permissions into a kernel class
(system). This came up on the refpolicy list a few months ago[1], but
there has been no decision or progress[2][3] that I'm aware of, so I'd
like to reach a decision on the direction here.
Based on what was proposed for upstreaming into refpolicy, it looks like
all of the service class permissions were duplicated into system, in
addition to "halt" and "reboot". This conflates kernel functions with
systemd functions. With the current systemd implementation, I think a
minimum change should be:
class init_system
{
halt
reboot
}
class init_service
{
start
stop
status
reload
enable
disable
}
(init_ prefix added for naming convention consistency with other
userspace classes in refpolicy)
Since we are discussing the enforcement, I'd like to review all of
systemd's enforcement. Right now there are checks against unit files
and processes, both for the service object class. I think this has
problems as it conflates units (as service configurations) with services
(the daemon processes). In an ideal world (I don't know if the systemd
code could easily support this), I think the classes should be:
class init_system
{
halt
reboot
}
class init_unit
{
enable
disable
reload
}
class init_service
{
start
stop
status
}
Then init_system checks would always be against systemd's type (i.e.
init_t), init_unit would always check against the unit file type, and
init_service would always check against the daemon process type (which
systemd should be able to calculate since it does that for socket
activation).
[1] http://oss.tresys.com/pipermail/refpolicy/2014-July/007229.html
[2] https://bugs.freedesktop.org/show_bug.cgi?id=81105
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1132933
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next reply other threads:[~2014-11-18 16:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-18 16:38 Christopher J. PeBenito [this message]
2014-11-18 18:48 ` [RFC] systemd the userspace object manager Christopher J. PeBenito
2014-11-18 19:20 ` Dominick Grift
2014-11-20 13:52 ` Christopher J. PeBenito
2014-11-20 15:59 ` Dominick Grift
2014-11-20 20:44 ` Joshua Brindle
2014-11-21 11:31 ` Dominick Grift
2014-11-21 12:43 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=546B760D.8070407@tresys.com \
--to=cpebenito@tresys.com \
--cc=dwalsh@redhat.com \
--cc=mgrepl@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.