* [refpolicy] Systemd policy @ 2015-10-19 18:17 Christopher J. PeBenito 2015-10-20 11:35 ` Dominick Grift 2015-10-23 19:23 ` Christopher J. PeBenito 0 siblings, 2 replies; 28+ messages in thread From: Christopher J. PeBenito @ 2015-10-19 18:17 UTC (permalink / raw) To: refpolicy The long-awaited (and long-overdue) policy changes for systemd are ready to be merged. Because of the size of the changes, I have done this as GitHub pull requests. [1][2] The policy was written against a RHEL7 system, so it likely needs more work to get it fully up to speed on today's systemd and on other distributions. Credits: * Major contributions to the policy were from Mike Palmiotto of the Tresys CLIP team. * Dominick Grift has provided review and feedback as it was developed * Laurent Bigonville also made some contributions. The purpose of this notice is to allow for comment, in case there are concerns about the overall structure. If you have concerns about individual rules, we can address them after the policy is merged. I plan to merge the policy Friday afternoon (UTC -4). [1] https://github.com/TresysTechnology/refpolicy/pull/8 [2] https://github.com/TresysTechnology/refpolicy-contrib/pull/4 -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] Systemd policy 2015-10-19 18:17 [refpolicy] Systemd policy Christopher J. PeBenito @ 2015-10-20 11:35 ` Dominick Grift 2015-10-23 19:23 ` Christopher J. PeBenito 1 sibling, 0 replies; 28+ messages in thread From: Dominick Grift @ 2015-10-20 11:35 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Mon, Oct 19, 2015 at 02:17:51PM -0400, Christopher J. PeBenito wrote: > The long-awaited (and long-overdue) policy changes for systemd are ready > to be merged. Because of the size of the changes, I have done this as > GitHub pull requests. [1][2] > > The policy was written against a RHEL7 system, so it likely needs more > work to get it fully up to speed on today's systemd and on other > distributions. > > Credits: > * Major contributions to the policy were from Mike Palmiotto of the > Tresys CLIP team. > * Dominick Grift has provided review and feedback as it was developed > * Laurent Bigonville also made some contributions. With all respect to all of the above for their appreciated work on this. I prefer to not have my name associated with this. Yes I did some reviewing but all within some boundaries. What I mean is that by reviewing it, and by having some of my concerns address, I do not automatically endorse or support this implementation. I am not saying that this policy is bad in any way. I am just saying that I would have (and I actually have) done this differently, and that I cannot in good faith sign off on it. > > The purpose of this notice is to allow for comment, in case there are > concerns about the overall structure. If you have concerns about > individual rules, we can address them after the policy is merged. > > I plan to merge the policy Friday afternoon (UTC -4). > > [1] https://github.com/TresysTechnology/refpolicy/pull/8 > [2] https://github.com/TresysTechnology/refpolicy-contrib/pull/4 > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy - -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJWJibmAAoJENAR6kfG5xmcZ8sL/30IaOH/1BPh/UFIR//jBgiy CCJkj9Aoq1PX8s5BmOZzH/4aiZqn7azK+2JmsLcV+LrsxTcv6q1aG4R9V7GDN/fd mOjmrCov0+p6XxdgY91RsvhNHsabhC/nNI4/zz5oSAT2Xd6BcxNQI0gj+eXWaYMA gGQ6U/totYsuhKM0UcmQOsHxr9DJ+N/eUjP7oMAVQipU6SCLy4G9YFM7ee/e+HJ4 8DfE4TRZFyD2QQJleZhgB+9qM466kAdFlqCdvKMgpzgQcpgqcvJaMcDtBm1dPAC9 k5KSU5L7vEkknhrYFuNotiWHdNIDB13PMO6qrgKTbs6YSUoDdKDaq/yGcFG/jsm9 PG0ig4V/Dy4LCKtoDLcKyQmMIIIA4oJDVYYE+iVoyXJ/PnTLuzMa1Jfux+e7fnqz +3RGevOIlRZlDQN+DpdbtkGuOBOn9vMXfA5X/VO1obUoWdzIRZrTzR40D14lJPzL 508KahWvoW9HtP6h3p1fEyOJla8MT2IBntFeXgoUHg== =4FBU -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] Systemd policy 2015-10-19 18:17 [refpolicy] Systemd policy Christopher J. PeBenito 2015-10-20 11:35 ` Dominick Grift @ 2015-10-23 19:23 ` Christopher J. PeBenito 1 sibling, 0 replies; 28+ messages in thread From: Christopher J. PeBenito @ 2015-10-23 19:23 UTC (permalink / raw) To: refpolicy On 10/19/2015 2:17 PM, Christopher J. PeBenito wrote: > The long-awaited (and long-overdue) policy changes for systemd are ready > to be merged. Because of the size of the changes, I have done this as > GitHub pull requests. [1][2] This has been merged. There were several revisions of the original patches and a few known issues that came from the final reviews (see the github bug tracker[3] for more info) > The policy was written against a RHEL7 system, so it likely needs more > work to get it fully up to speed on today's systemd and on other > distributions. > > Credits: > * Major contributions to the policy were from Mike Palmiotto of the > Tresys CLIP team. > * Laurent Bigonville also made some contributions. > > The purpose of this notice is to allow for comment, in case there are > concerns about the overall structure. If you have concerns about > individual rules, we can address them after the policy is merged. > > I plan to merge the policy Friday afternoon (UTC -4). > > [1] https://github.com/TresysTechnology/refpolicy/pull/8 > [2] https://github.com/TresysTechnology/refpolicy-contrib/pull/4 [3] https://github.com/TresysTechnology/refpolicy/issues -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy
@ 2014-01-12 7:06 Russell Coker
2014-01-12 12:18 ` Laurent Bigonville
0 siblings, 1 reply; 28+ messages in thread
From: Russell Coker @ 2014-01-12 7:06 UTC (permalink / raw)
To: refpolicy
The below was in the Debian policy tree, it was ported from Fedora policy in
2012. What happened to this? Is it needed for systemd? It doesn't seem to
be in the git repository, has someone devised another way of doing this?
Index: refpolicy-2.20110726/policy/flask/security_classes
===================================================================
--- refpolicy-2.20110726.orig/policy/flask/security_classes 2012-06-30
12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/flask/security_classes 2012-06-30
12:32:00.236479159 +1000
@@ -131,4 +131,11 @@
class db_sequence # userspace
class db_language # userspace
+# systemd services
+class service
+
+# gssd services
+class proxy
+
+
# FLASK
Index: refpolicy-2.20110726/policy/flask/access_vectors
===================================================================
--- refpolicy-2.20110726.orig/policy/flask/access_vectors 2012-06-30
12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/flask/access_vectors 2012-06-30
12:32:00.236479159 +1000
@@ -393,6 +393,10 @@
syslog_mod
syslog_console
module_request
+ halt
+ reboot
+ status
+ undefined
}
#
@@ -862,3 +866,20 @@
implement
execute
}
+
+class service
+{
+ start
+ stop
+ status
+ reload
+ kill
+ load
+ enable
+ disable
+}
+
+class proxy
+{
+ read
+}
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 28+ messages in thread* [refpolicy] systemd policy 2014-01-12 7:06 [refpolicy] systemd policy Russell Coker @ 2014-01-12 12:18 ` Laurent Bigonville 2014-01-13 12:52 ` Russell Coker 0 siblings, 1 reply; 28+ messages in thread From: Laurent Bigonville @ 2014-01-12 12:18 UTC (permalink / raw) To: refpolicy Le Sun, 12 Jan 2014 18:06:18 +1100, Russell Coker <russell@coker.com.au> a ?crit : Hi, > The below was in the Debian policy tree, it was ported from Fedora > policy in 2012. What happened to this? Is it needed for systemd? > It doesn't seem to be in the git repository, has someone devised > another way of doing this? I also have some patches for systemd (looks some av have been removed/changed in the meantime). I could propose them even if there are very minimal (new av, new security classes, some filecontexts,..), but nothing like the fedora systemd.pp module. IIRC, Daniel said that somebody from RH or Fedora (I don't remember exactly) will look at upstreaming the code they have when they have time. Daniel do you know when this will happen? Can I already propose some of these patches? Cheers, Laurent Bigonville ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-12 12:18 ` Laurent Bigonville @ 2014-01-13 12:52 ` Russell Coker 2014-01-13 15:10 ` Daniel J Walsh 0 siblings, 1 reply; 28+ messages in thread From: Russell Coker @ 2014-01-13 12:52 UTC (permalink / raw) To: refpolicy On Sun, 12 Jan 2014 13:18:41 Laurent Bigonville wrote: > Daniel do you know when this will happen? Can I already propose some of > these patches? One thing that would be good to propose first is the labelling of unit files. Currently in Debian policy we have lots of patches to daemon policy like the following. If we can agree that each daemon should have it's own unit file type (which appears to me to have no benefit unless we make a significant addition to the daemon management functionality) then we can add the patch as- is. If we are going to add it as-is then the sooner the better, as a patch that affects lots of files is annoying to maintain. type apcupsd_unit_file_t; systemd_unit_file(apcupsd_unit_file_t) /lib/systemd/system/apcupsd\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) It seems to me that the only benefit of per-daemon types is that we can write policy allowing one user access to manage daemons with several types. The other possible way of allowing per-user management of daemons managed by the type of the unit file would be to have a default type for the unit files (which is easier for .fc files and no change to most daemon policy). Then whenever we need to delegate some sysadmin rights to a daemon we create a new type as appropriate and a fcontext rule to label the unit file. Regardless of when we merge the patches it would be good to get this design issue sorted out soon. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 12:52 ` Russell Coker @ 2014-01-13 15:10 ` Daniel J Walsh 2014-01-13 19:02 ` Dominick Grift 2014-01-13 23:37 ` Russell Coker 0 siblings, 2 replies; 28+ messages in thread From: Daniel J Walsh @ 2014-01-13 15:10 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/13/2014 07:52 AM, Russell Coker wrote: > On Sun, 12 Jan 2014 13:18:41 Laurent Bigonville wrote: >> Daniel do you know when this will happen? Can I already propose some of >> these patches? > > One thing that would be good to propose first is the labelling of unit > files. > > Currently in Debian policy we have lots of patches to daemon policy like > the following. If we can agree that each daemon should have it's own unit > file type (which appears to me to have no benefit unless we make a > significant addition to the daemon management functionality) then we can > add the patch as- is. If we are going to add it as-is then the sooner the > better, as a patch that affects lots of files is annoying to maintain. > > type apcupsd_unit_file_t; systemd_unit_file(apcupsd_unit_file_t) > > /lib/systemd/system/apcupsd\.service -- > gen_context(system_u:object_r:apcupsd_unit_file_t,s0) > > It seems to me that the only benefit of per-daemon types is that we can > write policy allowing one user access to manage daemons with several > types. > > The other possible way of allowing per-user management of daemons managed > by the type of the unit file would be to have a default type for the unit > files (which is easier for .fc files and no change to most daemon policy). > Then whenever we need to delegate some sysadmin rights to a daemon we > create a new type as appropriate and a fcontext rule to label the unit > file. > > Regardless of when we merge the patches it would be good to get this design > issue sorted out soon. > Having separate labels on the unit file is not just for "user" domains. It is also for system domains, for example NetworkManager_t is allowed to start the following services. sesearch -A -s NetworkManager_t -p start Found 5 semantic av rules: allow NetworkManager_t nscd_unit_file_t : service { start stop status reload } ; allow NetworkManager_t ntpd_unit_file_t : service { start stop status reload } ; allow NetworkManager_t pppd_unit_file_t : service { start stop status reload } ; allow NetworkManager_t polipo_unit_file_t : service { start stop status reload } ; allow NetworkManager_t dnsmasq_unit_file_t : service { start stop status reload } ; I rely on Dominick and Miroslav to get Fedora changes/fixes upstream. Could you guys take care of getting systemd policy upstream. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlLUAdMACgkQrlYvE4MpobN05gCeOxOi9JtmMoiCfovdC5np0ed8 1BkAnRzCRpGoIiHTY0E1D7OjHIFPHnp1 =wZz7 -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 15:10 ` Daniel J Walsh @ 2014-01-13 19:02 ` Dominick Grift 2014-01-13 20:16 ` Daniel J Walsh 2014-01-13 23:37 ` Russell Coker 1 sibling, 1 reply; 28+ messages in thread From: Dominick Grift @ 2014-01-13 19:02 UTC (permalink / raw) To: refpolicy On Mon, 2014-01-13 at 10:10 -0500, Daniel J Walsh wrote: > I rely on Dominick and Miroslav to get Fedora changes/fixes upstream. > > Could you guys take care of getting systemd policy upstream. > We rely on Chris I recently submitted a small patch just to get the ball rolling but it did not get any reply. Other than that, Fedora is also to blame to an extent. It would help if Fedora also considers things, also for its own benefit. For example: Fedora recently remove the init_run_daemon(unconfined_t) from her policy, while i submitted a solution here on this list that i believe is sustainable but it was ignore without any comments. I know Fedora does not have to , or wants to support other init systems but reference policy does not have that luxury. By going your own way, i believe you're shutting the door to alternative init systems in Fedora and you decrease chances of getting stuff up streamed. Now with every commit Fedora does i have to worry about this because i know Fedora seems to not care about other scenarios And then there is the issue that i am taking a bit of distance from the community. I have to focus on other things unfortunately, but ces't la vie _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 19:02 ` Dominick Grift @ 2014-01-13 20:16 ` Daniel J Walsh 2014-01-13 20:22 ` Dominick Grift 2014-01-14 11:24 ` Dominick Grift 0 siblings, 2 replies; 28+ messages in thread From: Daniel J Walsh @ 2014-01-13 20:16 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/13/2014 02:02 PM, Dominick Grift wrote: > On Mon, 2014-01-13 at 10:10 -0500, Daniel J Walsh wrote: > >> I rely on Dominick and Miroslav to get Fedora changes/fixes upstream. >> >> Could you guys take care of getting systemd policy upstream. >> > > We rely on Chris > > I recently submitted a small patch just to get the ball rolling but it did > not get any reply. > > Other than that, Fedora is also to blame to an extent. > > It would help if Fedora also considers things, also for its own benefit. > > For example: > > Fedora recently remove the init_run_daemon(unconfined_t) from her policy, > while i submitted a solution here on this list that i believe is > sustainable but it was ignore without any comments. > > I know Fedora does not have to , or wants to support other init systems but > reference policy does not have that luxury. By going your own way, i > believe you're shutting the door to alternative init systems in Fedora and > you decrease chances of getting stuff up streamed. > > Now with every commit Fedora does i have to worry about this because i know > Fedora seems to not care about other scenarios > > And then there is the issue that i am taking a bit of distance from the > community. I have to focus on other things unfortunately, but ces't la vie > > _______________________________________________ >> refpolicy mailing list refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy > > Well I would not say we don't care about other init systems, since we still need to support systemV init scripts. I removed init_run_daemon(unconfined_t) because it was causing us problems with "Daemons" attempting to run as unconfined_u:system_r:unconfined_t:s0. We are attempting to tighten security on confined domains being able to transition to unconfined domains. Currently we allow unconfined domains to be entered by all file types. We wanted to remove this since a confined domain that transitions to an unconfined domain. samba_t -> samba_unconfined_exec_t -> samba_unconfined_t, was only intended to happen on scripts labeled samba_unconfined_exec_t. But we were not blocking the entrypoint, so potentially if samba was allowed to do setexeccon(samba_unconfined_t) it could execute any script to get to it. After we turned off the entrypoint ability for all confined domains, then we saw this problem with unconfined_t. My understanding of the auto transitions for initscripts was supposed to be unconfined_r:unconfined_t @ *initrc_t -> system_r:initrc_t @httpd_exec_t -> system_r:httpd_t. The interface we removed was causing unconfined_r:unconfined_t @ httpd_exec_t -> system_r:unconfined_t and generating an entrypoint error. I don't see why we want unconfined_r role changing to system_r just because it executed a daemon domain. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlLUSaIACgkQrlYvE4MpobOCBACgxHyirOGSvJCOlALbYxkdoACh 9/EAn1J/2PYe3SOK9K641BwBxSUt+BGP =dUCz -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 20:16 ` Daniel J Walsh @ 2014-01-13 20:22 ` Dominick Grift 2014-01-13 21:07 ` Dominick Grift 2014-01-14 11:24 ` Dominick Grift 1 sibling, 1 reply; 28+ messages in thread From: Dominick Grift @ 2014-01-13 20:22 UTC (permalink / raw) To: refpolicy On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote: > > > Well I would not say we don't care about other init systems, since we still > need to support systemV init scripts. I removed init_run_daemon(unconfined_t) > because it was causing us problems with "Daemons" attempting to run as > unconfined_u:system_r:unconfined_t:s0. We are attempting to tighten security > on confined domains being able to transition to unconfined domains. I suspect you removed it to get rid of the role transition on init daemon entry files, and i believe my solution deals with that without the need to remove that interface call. http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html I briefly tested the above patch and it seems to "work" ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 20:22 ` Dominick Grift @ 2014-01-13 21:07 ` Dominick Grift 2014-01-14 14:49 ` Daniel J Walsh 0 siblings, 1 reply; 28+ messages in thread From: Dominick Grift @ 2014-01-13 21:07 UTC (permalink / raw) To: refpolicy On Mon, 2014-01-13 at 21:22 +0100, Dominick Grift wrote: > On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote: > > > > > > Well I would not say we don't care about other init systems, since we still > > need to support systemV init scripts. I removed init_run_daemon(unconfined_t) > > because it was causing us problems with "Daemons" attempting to run as > > unconfined_u:system_r:unconfined_t:s0. We are attempting to tighten security > > on confined domains being able to transition to unconfined domains. > > I suspect you removed it to get rid of the role transition on init > daemon entry files, and i believe my solution deals with that without > the need to remove that interface call. > > http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html > > I briefly tested the above patch and it seems to "work" > > https://www.youtube.com/watch?v=gqUFSKplehA Here is a quick demo with some tests to see if above patch works youtube is also processing a larger video that demonstrates the whole process from implementing the change to testing it ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 21:07 ` Dominick Grift @ 2014-01-14 14:49 ` Daniel J Walsh 0 siblings, 0 replies; 28+ messages in thread From: Daniel J Walsh @ 2014-01-14 14:49 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/13/2014 04:07 PM, Dominick Grift wrote: > On Mon, 2014-01-13 at 21:22 +0100, Dominick Grift wrote: >> On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote: >> >>>> >>> Well I would not say we don't care about other init systems, since we >>> still need to support systemV init scripts. I removed >>> init_run_daemon(unconfined_t) because it was causing us problems with >>> "Daemons" attempting to run as unconfined_u:system_r:unconfined_t:s0. >>> We are attempting to tighten security on confined domains being able to >>> transition to unconfined domains. >> >> I suspect you removed it to get rid of the role transition on init daemon >> entry files, and i believe my solution deals with that without the need >> to remove that interface call. >> >> http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html >> >> I briefly tested the above patch and it seems to "work" >> >> > > https://www.youtube.com/watch?v=gqUFSKplehA > > Here is a quick demo with some tests to see if above patch works > > youtube is also processing a larger video that demonstrates the whole > process from implementing the change to testing it > > > Yes I like your solution. Could you make the change in Fedora. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlLVTnIACgkQrlYvE4MpobNmFgCeMSXg+mlWsbVuQOV7xw7L1BGJ fx0AoNu8WGvX/eQJTc1XZOChZutpim0u =Y4bT -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 20:16 ` Daniel J Walsh 2014-01-13 20:22 ` Dominick Grift @ 2014-01-14 11:24 ` Dominick Grift 1 sibling, 0 replies; 28+ messages in thread From: Dominick Grift @ 2014-01-14 11:24 UTC (permalink / raw) To: refpolicy On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote: > On 01/13/2014 02:02 PM, Dominick Grift wrote: > > On Mon, 2014-01-13 at 10:10 -0500, Daniel J Walsh wrote: > > > >> I rely on Dominick and Miroslav to get Fedora changes/fixes upstream. > >> > >> Could you guys take care of getting systemd policy upstream. > >> > > > > We rely on Chris > > > > I recently submitted a small patch just to get the ball rolling but it did > > not get any reply. > > > > Other than that, Fedora is also to blame to an extent. > > > > It would help if Fedora also considers things, also for its own benefit. > > > > For example: > > > > Fedora recently remove the init_run_daemon(unconfined_t) from her policy, > > while i submitted a solution here on this list that i believe is > > sustainable but it was ignore without any comments. > > > > I know Fedora does not have to , or wants to support other init systems but > > reference policy does not have that luxury. By going your own way, i > > believe you're shutting the door to alternative init systems in Fedora and > > you decrease chances of getting stuff up streamed. > > > > Now with every commit Fedora does i have to worry about this because i know > > Fedora seems to not care about other scenarios > > > > And then there is the issue that i am taking a bit of distance from the > > community. I have to focus on other things unfortunately, but ces't la vie > > > > _______________________________________________ > >> refpolicy mailing list refpolicy at oss.tresys.com > >> http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > Well I would not say we don't care about other init systems, since we still > need to support systemV init scripts. I removed init_run_daemon(unconfined_t) > because it was causing us problems with "Daemons" attempting to run as > unconfined_u:system_r:unconfined_t:s0. We are attempting to tighten security > on confined domains being able to transition to unconfined domains. Currently > we allow unconfined domains to be entered by all file types. We wanted to > remove this since a confined domain that transitions to an unconfined domain. > samba_t -> samba_unconfined_exec_t -> samba_unconfined_t, was only intended to > happen on scripts labeled samba_unconfined_exec_t. But we were not blocking > the entrypoint, so potentially if samba was allowed to do > setexeccon(samba_unconfined_t) it could execute any script to get to it. > > After we turned off the entrypoint ability for all confined domains, then we > saw this problem with unconfined_t. > > My understanding of the auto transitions for initscripts was supposed to be > > unconfined_r:unconfined_t @ *initrc_t -> system_r:initrc_t @httpd_exec_t -> > system_r:httpd_t. > > The interface we removed was causing > > unconfined_r:unconfined_t @ httpd_exec_t -> system_r:unconfined_t and > generating an entrypoint error. > > I don't see why we want unconfined_r role changing to system_r just because it > executed a daemon domain. > > Let me try this another way: Your solution "solves" the issue only for unconfined_t. My solution: 1. fixes a broken interface, 2. "solves" the issue for sysadm_t as well as for unconfined_t. 3. Does not break direct_initrc (or at least should work with my other patches titled "make direct_initrc apply to unconfined_t", if they are applied fully) ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 15:10 ` Daniel J Walsh 2014-01-13 19:02 ` Dominick Grift @ 2014-01-13 23:37 ` Russell Coker 2014-01-14 9:46 ` Dominick Grift ` (3 more replies) 1 sibling, 4 replies; 28+ messages in thread From: Russell Coker @ 2014-01-13 23:37 UTC (permalink / raw) To: refpolicy On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: > Having separate labels on the unit file is not just for "user" domains. It > is also for system domains, for example NetworkManager_t is allowed to > start the following services. OK. I've attached a patch I'm using which defines some unit types and adds fc entries. Some of them are missing fc entries, presumably because the daemons in question didn't have unit files at the time (this policy was taken from Fedora some time ago). I've also added a stub systemd_unit_file() in init.if. The full systemd policy patch will have to remove that. I think this is OK to get the uncontroversial stuff included in the tree sooner. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ -------------- next part -------------- Description: Add systemd unit types Author: Russell Coker <russell@coker.com.au> Last-Update: 2014-01-14 --- a/policy/modules/contrib/alsa.fc +++ b/policy/modules/contrib/alsa.fc @@ -24,3 +24,4 @@ /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0) --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -27,6 +27,9 @@ type alsa_home_t; userdom_user_home_content(alsa_home_t) +type alsa_unit_file_t; +systemd_unit_file(alsa_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/apache.fc +++ b/policy/modules/contrib/apache.fc @@ -26,6 +26,9 @@ /etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0) + /opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -286,6 +286,8 @@ type httpd_keytab_t; files_type(httpd_keytab_t) +type httpd_unit_file_t; +systemd_unit_file(httpd_unit_file_t) type httpd_lock_t; files_lock_file(httpd_lock_t) --- a/policy/modules/contrib/apcupsd.fc +++ b/policy/modules/contrib/apcupsd.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/lib/systemd/system/apcupsd\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) + /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) --- a/policy/modules/contrib/apcupsd.te +++ b/policy/modules/contrib/apcupsd.te @@ -24,6 +24,9 @@ type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) +type apcupsd_unit_file_t; +systemd_unit_file(apcupsd_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/apm.fc +++ b/policy/modules/contrib/apm.fc @@ -17,3 +17,5 @@ /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) + +/lib/systemd/system/apmd\.service -- gen_context(system_u:object_r:apmd_unit_file_t,s0) --- a/policy/modules/contrib/apm.te +++ b/policy/modules/contrib/apm.te @@ -35,6 +35,9 @@ type apmd_var_run_t; files_pid_file(apmd_var_run_t) +type apmd_unit_file_t; +systemd_unit_file(apmd_unit_file_t) + ######################################## # # Client local policy --- a/policy/modules/contrib/arpwatch.fc +++ b/policy/modules/contrib/arpwatch.fc @@ -7,3 +7,5 @@ /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) /var/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0) + +/lib/systemd/system/arpwatch.service -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0) --- a/policy/modules/contrib/arpwatch.te +++ b/policy/modules/contrib/arpwatch.te @@ -21,6 +21,9 @@ type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) +type arpwatch_unit_file_t; +systemd_unit_file(arpwatch_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/automount.fc +++ b/policy/modules/contrib/automount.fc @@ -6,3 +6,5 @@ /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) /var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) + +/lib/systemd/system/autofs\.service -- gen_context(system_u:object_r:automount_unit_file_t,s0) --- a/policy/modules/contrib/automount.te +++ b/policy/modules/contrib/automount.te @@ -25,6 +25,9 @@ type automount_var_run_t; files_pid_file(automount_var_run_t) +type automount_unit_file_t; +systemd_unit_file(automount_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/avahi.fc +++ b/policy/modules/contrib/avahi.fc @@ -7,3 +7,5 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) /var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) + +/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_file_t,s0) --- a/policy/modules/contrib/avahi.te +++ b/policy/modules/contrib/avahi.te @@ -18,6 +18,9 @@ type avahi_var_run_t; files_pid_file(avahi_var_run_t) +type avahi_unit_file_t; +systemd_unit_file(avahi_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/bind.fc +++ b/policy/modules/contrib/bind.fc @@ -14,6 +14,10 @@ /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) /etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/lib/systemd/system/unbound.service -- gen_context(system_u:object_r:named_unit_file_t,s0) +/lib/systemd/system/unbound-keygen.service -- gen_context(system_u:object_r:named_unit_file_t,s0) +/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0) + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) --- a/policy/modules/contrib/bind.te +++ b/policy/modules/contrib/bind.te @@ -47,6 +47,9 @@ type named_keytab_t; files_type(named_keytab_t) +type named_unit_file_t; +systemd_unit_file(named_unit_file_t) + type named_log_t; logging_log_file(named_log_t) --- a/policy/modules/contrib/bluetooth.fc +++ b/policy/modules/contrib/bluetooth.fc @@ -22,3 +22,5 @@ /var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) + +/lib/systemd/system/bluetooth\.service -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0) --- a/policy/modules/contrib/bluetooth.te +++ b/policy/modules/contrib/bluetooth.te @@ -49,6 +49,9 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) +type bluetooth_unit_file_t; +systemd_unit_file(bluetooth_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/clamav.fc +++ b/policy/modules/contrib/clamav.fc @@ -24,3 +24,7 @@ /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) + +/lib/systemd/system/clamd at scan\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0) +/lib/systemd/system/clamd@\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0) +/lib/systemd/system/clamd\.clamav\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0) --- a/policy/modules/contrib/clamav.te +++ b/policy/modules/contrib/clamav.te @@ -38,6 +38,9 @@ type clamd_initrc_exec_t; init_script_file(clamd_initrc_exec_t) +type clamd_unit_file_t; +systemd_unit_file(clamd_unit_file_t) + type clamd_tmp_t; files_tmp_file(clamd_tmp_t) --- a/policy/modules/contrib/consolekit.fc +++ b/policy/modules/contrib/consolekit.fc @@ -1,3 +1,5 @@ +/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) --- a/policy/modules/contrib/consolekit.te +++ b/policy/modules/contrib/consolekit.te @@ -19,6 +19,9 @@ files_pid_file(consolekit_var_run_t) init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") +type consolekit_unit_file_t; +systemd_unit_file(consolekit_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/cron.fc +++ b/policy/modules/contrib/cron.fc @@ -64,3 +64,6 @@ /var/spool/cron/lastrun/[^/]* -- <<none>> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') + +/lib/systemd/system/atd\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0) +/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0) --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -71,6 +71,9 @@ type crond_initrc_exec_t; init_script_file(crond_initrc_exec_t) +type crond_unit_file_t; +systemd_unit_file(crond_unit_file_t) + type crond_tmp_t; files_tmp_file(crond_tmp_t) files_poly_parent(crond_tmp_t) --- a/policy/modules/contrib/cups.fc +++ b/policy/modules/contrib/cups.fc @@ -75,3 +75,5 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + +/lib/systemd/system/cups\.service -- gen_context(system_u:object_r:cupsd_unit_file_t,s0) --- a/policy/modules/contrib/cups.te +++ b/policy/modules/contrib/cups.te @@ -62,6 +62,9 @@ init_daemon_run_dir(cupsd_var_run_t, "cups") mls_trusted_object(cupsd_var_run_t) +type cupsd_unit_file_t; +systemd_unit_file(cupsd_unit_file_t) + type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) --- a/policy/modules/contrib/dhcp.fc +++ b/policy/modules/contrib/dhcp.fc @@ -6,3 +6,4 @@ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) /var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) +/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) --- a/policy/modules/contrib/dhcp.te +++ b/policy/modules/contrib/dhcp.te @@ -20,6 +20,9 @@ type dhcpd_initrc_exec_t; init_script_file(dhcpd_initrc_exec_t) +type dhcpd_unit_file_t; +systemd_unit_file(dhcpd_unit_file_t) + type dhcpd_state_t; files_type(dhcpd_state_t) --- a/policy/modules/contrib/dnsmasq.fc +++ b/policy/modules/contrib/dnsmasq.fc @@ -12,3 +12,4 @@ /var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) --- a/policy/modules/contrib/dnsmasq.te +++ b/policy/modules/contrib/dnsmasq.te @@ -24,6 +24,9 @@ type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) +type dnsmasq_unit_file_t; +systemd_unit_file(dnsmasq_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/ftp.fc +++ b/policy/modules/contrib/ftp.fc @@ -26,3 +26,6 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) + +/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) --- a/policy/modules/contrib/ftp.te +++ b/policy/modules/contrib/ftp.te @@ -127,6 +127,9 @@ type ftpd_keytab_t; files_type(ftpd_keytab_t) +type ftpd_unit_file_t; +systemd_unit_file(ftpd_unit_file_t) + type ftpd_lock_t; files_lock_file(ftpd_lock_t) --- a/policy/modules/contrib/kdump.fc +++ b/policy/modules/contrib/kdump.fc @@ -11,3 +11,5 @@ /usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) /usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + +/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) --- a/policy/modules/contrib/kdump.te +++ b/policy/modules/contrib/kdump.te @@ -23,6 +23,9 @@ type kdumpctl_tmp_t; files_tmp_file(kdumpctl_tmp_t) +type kdump_unit_file_t; +systemd_unit_file(kdump_unit_file_t) + ##################################### # # Local policy --- a/policy/modules/contrib/ldap.fc +++ b/policy/modules/contrib/ldap.fc @@ -27,3 +27,5 @@ /var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) + +/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0) --- a/policy/modules/contrib/ldap.te +++ b/policy/modules/contrib/ldap.te @@ -24,6 +24,9 @@ type slapd_keytab_t; files_type(slapd_keytab_t) +type slapd_unit_file_t; +systemd_unit_file(slapd_unit_file_t) + type slapd_lock_t; files_lock_file(slapd_lock_t) --- a/policy/modules/contrib/mysql.fc +++ b/policy/modules/contrib/mysql.fc @@ -25,3 +25,5 @@ /var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) /var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) /var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) + +/lib/systemd/system/mysqld\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) --- a/policy/modules/contrib/mysql.te +++ b/policy/modules/contrib/mysql.te @@ -38,6 +38,9 @@ type mysqld_home_t; userdom_user_home_content(mysqld_home_t) +type mysqld_unit_file_t; +systemd_unit_file(mysqld_unit_file_t) + type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) --- a/policy/modules/contrib/networkmanager.fc +++ b/policy/modules/contrib/networkmanager.fc @@ -1,3 +1,4 @@ +/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -18,6 +18,9 @@ type NetworkManager_initrc_exec_t; init_script_file(NetworkManager_initrc_exec_t) +type NetworkManager_unit_file_t; +systemd_unit_file(NetworkManager_unit_file_t) + type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) --- a/policy/modules/contrib/nis.fc +++ b/policy/modules/contrib/nis.fc @@ -20,3 +20,8 @@ /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) + +/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0) +/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) --- a/policy/modules/contrib/nis.te +++ b/policy/modules/contrib/nis.te @@ -27,6 +27,9 @@ type ypbind_var_run_t; files_pid_file(ypbind_var_run_t) +type ypbind_unit_file_t; +systemd_unit_file(ypbind_unit_file_t) + type yppasswdd_t; type yppasswdd_exec_t; init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) @@ -55,6 +58,9 @@ type ypxfr_var_run_t; files_pid_file(ypxfr_var_run_t) +type nis_unit_file_t; +systemd_unit_file(nis_unit_file_t) + ######################################## # # ypbind local policy --- a/policy/modules/contrib/nscd.te +++ b/policy/modules/contrib/nscd.te @@ -31,6 +31,9 @@ type nscd_initrc_exec_t; init_script_file(nscd_initrc_exec_t) +type nscd_unit_file_t; +systemd_unit_file(nscd_unit_file_t) + type nscd_log_t; logging_log_file(nscd_log_t) --- a/policy/modules/contrib/ntp.fc +++ b/policy/modules/contrib/ntp.fc @@ -21,3 +21,7 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) + +/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) + +/usr/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) --- a/policy/modules/contrib/ntp.te +++ b/policy/modules/contrib/ntp.te @@ -21,6 +21,9 @@ type ntp_conf_t; files_config_file(ntp_conf_t) +type ntpd_unit_file_t; +systemd_unit_file(ntpd_unit_file_t) + type ntpd_key_t; files_type(ntpd_key_t) --- a/policy/modules/contrib/ppp.fc +++ b/policy/modules/contrib/ppp.fc @@ -28,3 +28,5 @@ /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) + +/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:pppd_unit_file_t,s0) --- a/policy/modules/contrib/ppp.te +++ b/policy/modules/contrib/ppp.te @@ -41,6 +41,9 @@ type pppd_initrc_exec_t alias pppd_script_exec_t; init_script_file(pppd_initrc_exec_t) +type pppd_unit_file_t; +systemd_unit_file(pppd_unit_file_t) + type pppd_secret_t; files_type(pppd_secret_t) --- a/policy/modules/contrib/rpc.fc +++ b/policy/modules/contrib/rpc.fc @@ -20,3 +20,6 @@ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + +/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -44,11 +44,17 @@ type rpcd_initrc_exec_t; init_script_file(rpcd_initrc_exec_t) +type rpcd_unit_file_t; +systemd_unit_file(rpcd_unit_file_t) + rpc_domain_template(nfsd) type nfsd_initrc_exec_t; init_script_file(nfsd_initrc_exec_t) +type nfsd_unit_file_t; +systemd_unit_file(nfsd_unit_file_t) + type nfsd_rw_t; files_type(nfsd_rw_t) --- a/policy/modules/contrib/samba.fc +++ b/policy/modules/contrib/samba.fc @@ -8,6 +8,8 @@ /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) +/lib/systemd/system/smb.service -- gen_context(system_u:object_r:samba_unit_file_t,s0) + /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) --- a/policy/modules/contrib/samba.te +++ b/policy/modules/contrib/samba.te @@ -113,6 +113,9 @@ type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t) +type samba_unit_file_t; +systemd_unit_file(samba_unit_file_t) + type samba_log_t; logging_log_file(samba_log_t) --- a/policy/modules/contrib/tor.fc +++ b/policy/modules/contrib/tor.fc @@ -5,6 +5,8 @@ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) +/lib/systemd/system/tor\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0) + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) --- a/policy/modules/contrib/tor.te +++ b/policy/modules/contrib/tor.te @@ -33,6 +33,9 @@ files_pid_file(tor_var_run_t) init_daemon_run_dir(tor_var_run_t, "tor") +type tor_unit_file_t; +systemd_unit_file(tor_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc @@ -3,6 +3,9 @@ /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/lib/systemd/system/iptables.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/lib/systemd/system/ip6tables.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -25,6 +25,9 @@ type iptables_var_run_t; files_pid_file(iptables_var_run_t) +type iptables_unit_file_t; +systemd_unit_file(iptables_unit_file_t) + ######################################## # # Iptables local policy --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -6,6 +6,8 @@ /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/lib/systemd/system/auditd\.service -- gen_context(system_u:object_r:auditd_unit_file_t,s0) + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -33,6 +33,9 @@ type auditd_var_run_t; files_pid_file(auditd_var_run_t) +type auditd_unit_file_t; +systemd_unit_file(auditd_unit_file_t) + type audisp_t; type audisp_exec_t; init_system_domain(audisp_t, audisp_exec_t) --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -389,10 +389,14 @@ class system { ipc_info - syslog_read + syslog_read syslog_mod syslog_console module_request + halt + reboot + status + undefined } # @@ -865,3 +869,20 @@ implement execute } + +class service +{ + start + stop + status + reload + kill + load + enable + disable +} + +class proxy +{ + read +} --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -131,4 +131,10 @@ class db_sequence # userspace class db_language # userspace +# systemd services +class service + +# gssd services +class proxy + # FLASK --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1844,3 +1844,17 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') + +####################################### +## <summary> +## Create a file type used for systemd unit files. +## </summary> +## <param name="script_file"> +## <summary> +## Type to be used for an unit file. +## </summary> +## </param> +# +interface(`systemd_unit_file',` + files_type($1) +') ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 23:37 ` Russell Coker @ 2014-01-14 9:46 ` Dominick Grift 2014-01-14 9:58 ` Dominick Grift ` (2 more replies) 2014-01-14 10:12 ` Dominick Grift ` (2 subsequent siblings) 3 siblings, 3 replies; 28+ messages in thread From: Dominick Grift @ 2014-01-14 9:46 UTC (permalink / raw) To: refpolicy On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote: > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: > > Having separate labels on the unit file is not just for "user" domains. It > > is also for system domains, for example NetworkManager_t is allowed to > > start the following services. > > OK. > > I've attached a patch I'm using which defines some unit types and adds fc > entries. Some of them are missing fc entries, presumably because the daemons > in question didn't have unit files at the time (this policy was taken from > Fedora some time ago). > > I've also added a stub systemd_unit_file() in init.if. The full systemd policy > patch will have to remove that. I think this is OK to get the uncontroversial > stuff included in the tree sooner. Please send your patches in-line so that we can easily comment on them. Here is one thing that can be improved in your patch: This is how its supposed to be: /lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0) These are not optimal and its inconsistent with above: /lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0) You see: # grep system /etc/selinux/targeted/contexts/files/*.subs_dist /run/systemd/system /usr/lib/systemd/system /run/systemd/generator /usr/lib/systemd/system /etc/systemd/system /usr/lib/systemd/system So /etc/systemd/system is equivalent to /usr/lib/systemd/system Now consider me having a name daemon dns server on each of my two networks. Then i need a instance for each. So i create two "named" unit files in /etc/systemd/system/named_{network1,network2}.service So we can use the .* wildcard to catch these? So i would suggest we create file contexts for unit files with .* consistently to catch prefixed service files ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 9:46 ` Dominick Grift @ 2014-01-14 9:58 ` Dominick Grift 2014-01-14 12:35 ` Laurent Bigonville 2014-01-27 6:56 ` Russell Coker 2 siblings, 0 replies; 28+ messages in thread From: Dominick Grift @ 2014-01-14 9:58 UTC (permalink / raw) To: refpolicy On Tue, 2014-01-14 at 10:46 +0100, Dominick Grift wrote: > On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote: > > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: > > > Having separate labels on the unit file is not just for "user" domains. It > > > is also for system domains, for example NetworkManager_t is allowed to > > > start the following services. > > > > OK. > > > > I've attached a patch I'm using which defines some unit types and adds fc > > entries. Some of them are missing fc entries, presumably because the daemons > > in question didn't have unit files at the time (this policy was taken from > > Fedora some time ago). > > > > I've also added a stub systemd_unit_file() in init.if. The full systemd policy > > patch will have to remove that. I think this is OK to get the uncontroversial > > stuff included in the tree sooner. > > Please send your patches in-line so that we can easily comment on them. > > Here is one thing that can be improved in your patch: > > This is how its supposed to be: > > /lib/systemd/system/alsa-.*\.service -- > gen_context(system_u:object_r:alsa_unit_file_t,s0) > > These are not optimal and its inconsistent with above: > > /lib/systemd/system/named.service -- > gen_context(system_u:object_r:named_unit_file_t,s0) > > You see: > > # grep system /etc/selinux/targeted/contexts/files/*.subs_dist > /run/systemd/system /usr/lib/systemd/system > /run/systemd/generator /usr/lib/systemd/system > /etc/systemd/system /usr/lib/systemd/system > > So /etc/systemd/system is equivalent to /usr/lib/systemd/system > > Now consider me having a name daemon dns server on each of my two > networks. Then i need a instance for each. So i create two "named" unit > files in /etc/systemd/system/named_{network1,network2}.service > > So we can use the .* wildcard to catch these? > > So i would suggest we create file contexts for unit files with .* > consistently to catch prefixed service files > > Maybe not the best example but what i am saying is that i think for example this: /lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0) should be: /lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0) and that this should be implemented consistently for all unit file context specifications where possible even that may not be optimal but i think it makes more sense ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 9:46 ` Dominick Grift 2014-01-14 9:58 ` Dominick Grift @ 2014-01-14 12:35 ` Laurent Bigonville 2014-01-14 13:03 ` Dominick Grift 2014-01-27 6:56 ` Russell Coker 2 siblings, 1 reply; 28+ messages in thread From: Laurent Bigonville @ 2014-01-14 12:35 UTC (permalink / raw) To: refpolicy Le Tue, 14 Jan 2014 10:46:23 +0100, Dominick Grift <dominick.grift@gmail.com> a ?crit : > On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote: > > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: > > > Having separate labels on the unit file is not just for "user" > > > domains. It is also for system domains, for example > > > NetworkManager_t is allowed to start the following services. > > > > OK. > > > > I've attached a patch I'm using which defines some unit types and > > adds fc entries. Some of them are missing fc entries, presumably > > because the daemons in question didn't have unit files at the time > > (this policy was taken from Fedora some time ago). > > > > I've also added a stub systemd_unit_file() in init.if. The full > > systemd policy patch will have to remove that. I think this is OK > > to get the uncontroversial stuff included in the tree sooner. > > Please send your patches in-line so that we can easily comment on > them. > > Here is one thing that can be improved in your patch: > > This is how its supposed to be: > > /lib/systemd/system/alsa-.*\.service -- > gen_context(system_u:object_r:alsa_unit_file_t,s0) > > These are not optimal and its inconsistent with above: > > /lib/systemd/system/named.service -- > gen_context(system_u:object_r:named_unit_file_t,s0) > > You see: > > # grep system /etc/selinux/targeted/contexts/files/*.subs_dist > /run/systemd/system /usr/lib/systemd/system > /run/systemd/generator /usr/lib/systemd/system > /etc/systemd/system /usr/lib/systemd/system > > So /etc/systemd/system is equivalent to /usr/lib/systemd/system Here come a question, are we using the Fedora or the Debian paths for systemd? In Fedora everything is in /usr/lib/systemd, in Debian it's /lib/systemd. This should be standardized, and then we can add an equivalence for the others. I personally don't care, as most of the patches will come from Fedora, I guess we could use the Fedora way. ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 12:35 ` Laurent Bigonville @ 2014-01-14 13:03 ` Dominick Grift 0 siblings, 0 replies; 28+ messages in thread From: Dominick Grift @ 2014-01-14 13:03 UTC (permalink / raw) To: refpolicy On Tue, 2014-01-14 at 13:35 +0100, Laurent Bigonville wrote: > Le Tue, 14 Jan 2014 10:46:23 +0100, > Dominick Grift <dominick.grift@gmail.com> a ?crit : > > > On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote: > > > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: > > > > Having separate labels on the unit file is not just for "user" > > > > domains. It is also for system domains, for example > > > > NetworkManager_t is allowed to start the following services. > > > > > > OK. > > > > > > I've attached a patch I'm using which defines some unit types and > > > adds fc entries. Some of them are missing fc entries, presumably > > > because the daemons in question didn't have unit files at the time > > > (this policy was taken from Fedora some time ago). > > > > > > I've also added a stub systemd_unit_file() in init.if. The full > > > systemd policy patch will have to remove that. I think this is OK > > > to get the uncontroversial stuff included in the tree sooner. > > > > Please send your patches in-line so that we can easily comment on > > them. > > > > Here is one thing that can be improved in your patch: > > > > This is how its supposed to be: > > > > /lib/systemd/system/alsa-.*\.service -- > > gen_context(system_u:object_r:alsa_unit_file_t,s0) > > > > These are not optimal and its inconsistent with above: > > > > /lib/systemd/system/named.service -- > > gen_context(system_u:object_r:named_unit_file_t,s0) > > > > You see: > > > > # grep system /etc/selinux/targeted/contexts/files/*.subs_dist > > /run/systemd/system /usr/lib/systemd/system > > /run/systemd/generator /usr/lib/systemd/system > > /etc/systemd/system /usr/lib/systemd/system > > > > So /etc/systemd/system is equivalent to /usr/lib/systemd/system > > Here come a question, are we using the Fedora or the Debian paths for > systemd? In Fedora everything is in /usr/lib/systemd, in Debian > it's /lib/systemd. This should be standardized, and then we can add an > equivalence for the others. I personally don't care, as most of the > patches will come from Fedora, I guess we could use the Fedora way. > Good question. I think its probably easier to make /lib(64)? equivalent to /usr/lib(64)? E.g. use /usr/lib(64)? and add: /lib /usr/lib /lib64 /usr/lib64 .. To file_contexts.subs_dist ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 9:46 ` Dominick Grift 2014-01-14 9:58 ` Dominick Grift 2014-01-14 12:35 ` Laurent Bigonville @ 2014-01-27 6:56 ` Russell Coker 2014-02-06 14:40 ` Christopher J. PeBenito 2 siblings, 1 reply; 28+ messages in thread From: Russell Coker @ 2014-01-27 6:56 UTC (permalink / raw) To: refpolicy On Tue, 14 Jan 2014 10:46:23 Dominick Grift wrote: > > I've attached a patch I'm using which defines some unit types and adds fc > > entries. Some of them are missing fc entries, presumably because the > > daemons in question didn't have unit files at the time (this policy was > > taken from Fedora some time ago). > > > > I've also added a stub systemd_unit_file() in init.if. The full systemd > > policy patch will have to remove that. I think this is OK to get the > > uncontroversial stuff included in the tree sooner. > > Please send your patches in-line so that we can easily comment on them. > > Here is one thing that can be improved in your patch: > > This is how its supposed to be: > > /lib/systemd/system/alsa-.*\.service -- > gen_context(system_u:object_r:alsa_unit_file_t,s0) > > These are not optimal and its inconsistent with above: > > /lib/systemd/system/named.service -- > gen_context(system_u:object_r:named_unit_file_t,s0) > > You see: > > # grep system /etc/selinux/targeted/contexts/files/*.subs_dist > /run/systemd/system /usr/lib/systemd/system > /run/systemd/generator /usr/lib/systemd/system > /etc/systemd/system /usr/lib/systemd/system > > So /etc/systemd/system is equivalent to /usr/lib/systemd/system > > Now consider me having a name daemon dns server on each of my two > networks. Then i need a instance for each. So i create two "named" unit > files in /etc/systemd/system/named_{network1,network2}.service > > So we can use the .* wildcard to catch these? > > So i would suggest we create file contexts for unit files with .* > consistently to catch prefixed service files How is this? Description: Add systemd unit types Author: Russell Coker <russell@coker.com.au> Last-Update: 2014-01-12 --- a/policy/modules/contrib/alsa.fc +++ b/policy/modules/contrib/alsa.fc @@ -24,3 +24,4 @@ /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/lib/systemd/system/alsa.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0) --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -27,6 +27,9 @@ type alsa_home_t; userdom_user_home_content(alsa_home_t) +type alsa_unit_file_t; +systemd_unit_file(alsa_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/apache.fc +++ b/policy/modules/contrib/apache.fc @@ -26,6 +26,9 @@ /etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0) + /opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -286,6 +286,8 @@ type httpd_keytab_t; files_type(httpd_keytab_t) +type httpd_unit_file_t; +systemd_unit_file(httpd_unit_file_t) type httpd_lock_t; files_lock_file(httpd_lock_t) --- a/policy/modules/contrib/apcupsd.fc +++ b/policy/modules/contrib/apcupsd.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) + /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) --- a/policy/modules/contrib/apcupsd.te +++ b/policy/modules/contrib/apcupsd.te @@ -24,6 +24,9 @@ type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) +type apcupsd_unit_file_t; +systemd_unit_file(apcupsd_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/apm.fc +++ b/policy/modules/contrib/apm.fc @@ -17,3 +17,5 @@ /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) + +/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_file_t,s0) --- a/policy/modules/contrib/apm.te +++ b/policy/modules/contrib/apm.te @@ -35,6 +35,9 @@ type apmd_var_run_t; files_pid_file(apmd_var_run_t) +type apmd_unit_file_t; +systemd_unit_file(apmd_unit_file_t) + ######################################## # # Client local policy --- a/policy/modules/contrib/arpwatch.fc +++ b/policy/modules/contrib/arpwatch.fc @@ -7,3 +7,5 @@ /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) /var/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0) + +/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0) --- a/policy/modules/contrib/arpwatch.te +++ b/policy/modules/contrib/arpwatch.te @@ -21,6 +21,9 @@ type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) +type arpwatch_unit_file_t; +systemd_unit_file(arpwatch_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/automount.fc +++ b/policy/modules/contrib/automount.fc @@ -6,3 +6,5 @@ /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) /var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) + +/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_file_t,s0) --- a/policy/modules/contrib/automount.te +++ b/policy/modules/contrib/automount.te @@ -25,6 +25,9 @@ type automount_var_run_t; files_pid_file(automount_var_run_t) +type automount_unit_file_t; +systemd_unit_file(automount_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/avahi.fc +++ b/policy/modules/contrib/avahi.fc @@ -7,3 +7,5 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) /var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) + +/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_file_t,s0) --- a/policy/modules/contrib/avahi.te +++ b/policy/modules/contrib/avahi.te @@ -18,6 +18,9 @@ type avahi_var_run_t; files_pid_file(avahi_var_run_t) +type avahi_unit_file_t; +systemd_unit_file(avahi_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/bind.fc +++ b/policy/modules/contrib/bind.fc @@ -14,6 +14,9 @@ /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) /etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0) +/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0) + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) --- a/policy/modules/contrib/bind.te +++ b/policy/modules/contrib/bind.te @@ -47,6 +47,9 @@ type named_keytab_t; files_type(named_keytab_t) +type named_unit_file_t; +systemd_unit_file(named_unit_file_t) + type named_log_t; logging_log_file(named_log_t) --- a/policy/modules/contrib/bluetooth.fc +++ b/policy/modules/contrib/bluetooth.fc @@ -22,3 +22,5 @@ /var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) + +/lib/systemd/system/bluetooth.*\.service -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0) --- a/policy/modules/contrib/bluetooth.te +++ b/policy/modules/contrib/bluetooth.te @@ -49,6 +49,9 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) +type bluetooth_unit_file_t; +systemd_unit_file(bluetooth_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/clamav.fc +++ b/policy/modules/contrib/clamav.fc @@ -24,3 +24,5 @@ /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) + +/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0) --- a/policy/modules/contrib/clamav.te +++ b/policy/modules/contrib/clamav.te @@ -38,6 +38,9 @@ type clamd_initrc_exec_t; init_script_file(clamd_initrc_exec_t) +type clamd_unit_file_t; +systemd_unit_file(clamd_unit_file_t) + type clamd_tmp_t; files_tmp_file(clamd_tmp_t) --- a/policy/modules/contrib/consolekit.fc +++ b/policy/modules/contrib/consolekit.fc @@ -1,3 +1,5 @@ +/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) --- a/policy/modules/contrib/consolekit.te +++ b/policy/modules/contrib/consolekit.te @@ -19,6 +19,9 @@ files_pid_file(consolekit_var_run_t) init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") +type consolekit_unit_file_t; +systemd_unit_file(consolekit_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/cron.fc +++ b/policy/modules/contrib/cron.fc @@ -64,3 +64,6 @@ /var/spool/cron/lastrun/[^/]* -- <<none>> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') + +/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0) +/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0) --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -71,6 +71,9 @@ type crond_initrc_exec_t; init_script_file(crond_initrc_exec_t) +type crond_unit_file_t; +systemd_unit_file(crond_unit_file_t) + type crond_tmp_t; files_tmp_file(crond_tmp_t) files_poly_parent(crond_tmp_t) --- a/policy/modules/contrib/cups.fc +++ b/policy/modules/contrib/cups.fc @@ -75,3 +75,5 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + +/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_file_t,s0) --- a/policy/modules/contrib/cups.te +++ b/policy/modules/contrib/cups.te @@ -62,6 +62,9 @@ init_daemon_run_dir(cupsd_var_run_t, "cups") mls_trusted_object(cupsd_var_run_t) +type cupsd_unit_file_t; +systemd_unit_file(cupsd_unit_file_t) + type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) --- a/policy/modules/contrib/dhcp.fc +++ b/policy/modules/contrib/dhcp.fc @@ -6,3 +6,4 @@ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) /var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) +/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) --- a/policy/modules/contrib/dhcp.te +++ b/policy/modules/contrib/dhcp.te @@ -20,6 +20,9 @@ type dhcpd_initrc_exec_t; init_script_file(dhcpd_initrc_exec_t) +type dhcpd_unit_file_t; +systemd_unit_file(dhcpd_unit_file_t) + type dhcpd_state_t; files_type(dhcpd_state_t) --- a/policy/modules/contrib/dnsmasq.fc +++ b/policy/modules/contrib/dnsmasq.fc @@ -12,3 +12,4 @@ /var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/lib/systemd/system/dnsmasq.*\.service -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) --- a/policy/modules/contrib/dnsmasq.te +++ b/policy/modules/contrib/dnsmasq.te @@ -24,6 +24,9 @@ type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) +type dnsmasq_unit_file_t; +systemd_unit_file(dnsmasq_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/contrib/ftp.fc +++ b/policy/modules/contrib/ftp.fc @@ -26,3 +26,6 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) + +/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) --- a/policy/modules/contrib/ftp.te +++ b/policy/modules/contrib/ftp.te @@ -127,6 +127,9 @@ type ftpd_keytab_t; files_type(ftpd_keytab_t) +type ftpd_unit_file_t; +systemd_unit_file(ftpd_unit_file_t) + type ftpd_lock_t; files_lock_file(ftpd_lock_t) --- a/policy/modules/contrib/kdump.fc +++ b/policy/modules/contrib/kdump.fc @@ -11,3 +11,5 @@ /usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) /usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + +/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) --- a/policy/modules/contrib/kdump.te +++ b/policy/modules/contrib/kdump.te @@ -23,6 +23,9 @@ type kdumpctl_tmp_t; files_tmp_file(kdumpctl_tmp_t) +type kdump_unit_file_t; +systemd_unit_file(kdump_unit_file_t) + ##################################### # # Local policy --- a/policy/modules/contrib/ldap.fc +++ b/policy/modules/contrib/ldap.fc @@ -27,3 +27,5 @@ /var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) + +/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_file_t,s0) --- a/policy/modules/contrib/ldap.te +++ b/policy/modules/contrib/ldap.te @@ -24,6 +24,9 @@ type slapd_keytab_t; files_type(slapd_keytab_t) +type slapd_unit_file_t; +systemd_unit_file(slapd_unit_file_t) + type slapd_lock_t; files_lock_file(slapd_lock_t) --- a/policy/modules/contrib/mysql.fc +++ b/policy/modules/contrib/mysql.fc @@ -25,3 +25,5 @@ /var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) /var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) /var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) + +/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) --- a/policy/modules/contrib/mysql.te +++ b/policy/modules/contrib/mysql.te @@ -38,6 +38,9 @@ type mysqld_home_t; userdom_user_home_content(mysqld_home_t) +type mysqld_unit_file_t; +systemd_unit_file(mysqld_unit_file_t) + type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) --- a/policy/modules/contrib/networkmanager.fc +++ b/policy/modules/contrib/networkmanager.fc @@ -1,3 +1,4 @@ +/lib/systemd/system/NetworkManager.*\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -18,6 +18,9 @@ type NetworkManager_initrc_exec_t; init_script_file(NetworkManager_initrc_exec_t) +type NetworkManager_unit_file_t; +systemd_unit_file(NetworkManager_unit_file_t) + type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) --- a/policy/modules/contrib/nis.fc +++ b/policy/modules/contrib/nis.fc @@ -20,3 +20,8 @@ /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) + +/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0) +/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) --- a/policy/modules/contrib/nis.te +++ b/policy/modules/contrib/nis.te @@ -27,6 +27,9 @@ type ypbind_var_run_t; files_pid_file(ypbind_var_run_t) +type ypbind_unit_file_t; +systemd_unit_file(ypbind_unit_file_t) + type yppasswdd_t; type yppasswdd_exec_t; init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) @@ -55,6 +58,9 @@ type ypxfr_var_run_t; files_pid_file(ypxfr_var_run_t) +type nis_unit_file_t; +systemd_unit_file(nis_unit_file_t) + ######################################## # # ypbind local policy --- a/policy/modules/contrib/nscd.te +++ b/policy/modules/contrib/nscd.te @@ -31,6 +31,9 @@ type nscd_initrc_exec_t; init_script_file(nscd_initrc_exec_t) +type nscd_unit_file_t; +systemd_unit_file(nscd_unit_file_t) + type nscd_log_t; logging_log_file(nscd_log_t) --- a/policy/modules/contrib/ntp.fc +++ b/policy/modules/contrib/ntp.fc @@ -21,3 +21,7 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) + +/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) + +/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) --- a/policy/modules/contrib/ntp.te +++ b/policy/modules/contrib/ntp.te @@ -21,6 +21,9 @@ type ntp_conf_t; files_config_file(ntp_conf_t) +type ntpd_unit_file_t; +systemd_unit_file(ntpd_unit_file_t) + type ntpd_key_t; files_type(ntpd_key_t) --- a/policy/modules/contrib/ppp.fc +++ b/policy/modules/contrib/ppp.fc @@ -28,3 +28,5 @@ /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) + +/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_file_t,s0) --- a/policy/modules/contrib/ppp.te +++ b/policy/modules/contrib/ppp.te @@ -41,6 +41,9 @@ type pppd_initrc_exec_t alias pppd_script_exec_t; init_script_file(pppd_initrc_exec_t) +type pppd_unit_file_t; +systemd_unit_file(pppd_unit_file_t) + type pppd_secret_t; files_type(pppd_secret_t) --- a/policy/modules/contrib/rpc.fc +++ b/policy/modules/contrib/rpc.fc @@ -20,3 +20,6 @@ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + +/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -44,11 +44,17 @@ type rpcd_initrc_exec_t; init_script_file(rpcd_initrc_exec_t) +type rpcd_unit_file_t; +systemd_unit_file(rpcd_unit_file_t) + rpc_domain_template(nfsd) type nfsd_initrc_exec_t; init_script_file(nfsd_initrc_exec_t) +type nfsd_unit_file_t; +systemd_unit_file(nfsd_unit_file_t) + type nfsd_rw_t; files_type(nfsd_rw_t) --- a/policy/modules/contrib/samba.fc +++ b/policy/modules/contrib/samba.fc @@ -8,6 +8,8 @@ /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) +/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_file_t,s0) + /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) --- a/policy/modules/contrib/samba.te +++ b/policy/modules/contrib/samba.te @@ -113,6 +113,9 @@ type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t) +type samba_unit_file_t; +systemd_unit_file(samba_unit_file_t) + type samba_log_t; logging_log_file(samba_log_t) --- a/policy/modules/contrib/tor.fc +++ b/policy/modules/contrib/tor.fc @@ -5,6 +5,8 @@ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) +/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0) + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) --- a/policy/modules/contrib/tor.te +++ b/policy/modules/contrib/tor.te @@ -33,6 +33,9 @@ files_pid_file(tor_var_run_t) init_daemon_run_dir(tor_var_run_t, "tor") +type tor_unit_file_t; +systemd_unit_file(tor_unit_file_t) + ######################################## # # Local policy --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc @@ -3,6 +3,9 @@ /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/lib/systemd/system/iptables.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/lib/systemd/system/ip6tables.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -25,6 +25,9 @@ type iptables_var_run_t; files_pid_file(iptables_var_run_t) +type iptables_unit_file_t; +systemd_unit_file(iptables_unit_file_t) + ######################################## # # Iptables local policy --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -6,6 +6,8 @@ /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/lib/systemd/system/auditd.*\.service -- gen_context(system_u:object_r:auditd_unit_file_t,s0) + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) @@ -23,6 +25,7 @@ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_file_t,s0) /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -12,6 +12,9 @@ init_system_domain(auditctl_t, auditctl_exec_t) role system_r types auditctl_t; +type auditd_unit_file_t; +systemd_unit_file(auditd_unit_file_t) + type auditd_etc_t; files_security_file(auditd_etc_t) @@ -65,6 +68,9 @@ type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) +type syslogd_unit_file_t; +systemd_unit_file(syslogd_unit_file_t) + type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -389,10 +389,14 @@ class system { ipc_info - syslog_read + syslog_read syslog_mod syslog_console module_request + halt + reboot + status + undefined } # @@ -865,3 +869,20 @@ implement execute } + +class service +{ + start + stop + status + reload + kill + load + enable + disable +} + +class proxy +{ + read +} --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -131,4 +131,10 @@ class db_sequence # userspace class db_language # userspace +# systemd services +class service + +# gssd services +class proxy + # FLASK --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1844,3 +1844,17 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') + +####################################### +## <summary> +## Create a file type used for systemd unit files. +## </summary> +## <param name="script_file"> +## <summary> +## Type to be used for an unit file. +## </summary> +## </param> +# +interface(`systemd_unit_file',` + files_type($1) +') --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -36,6 +36,7 @@ /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) +/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_file_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -85,6 +85,9 @@ domain_obj_id_change_exemption(restorecond_t) role system_r types restorecond_t; +type restorecond_unit_file_t; +systemd_unit_file(restorecond_unit_file_t) + type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) --- a/policy/modules/system/setrans.fc +++ b/policy/modules/system/setrans.fc @@ -1,5 +1,6 @@ /etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0) /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) +/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_file_t,s0) /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -13,6 +13,9 @@ type setrans_exec_t; init_daemon_domain(setrans_t, setrans_exec_t) +type setrans_unit_file_t; +systemd_unit_file(setrans_unit_file_t) + type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-27 6:56 ` Russell Coker @ 2014-02-06 14:40 ` Christopher J. PeBenito 0 siblings, 0 replies; 28+ messages in thread From: Christopher J. PeBenito @ 2014-02-06 14:40 UTC (permalink / raw) To: refpolicy On 01/27/14 01:56, Russell Coker wrote: > On Tue, 14 Jan 2014 10:46:23 Dominick Grift wrote: >>> I've attached a patch I'm using which defines some unit types and adds fc >>> entries. Some of them are missing fc entries, presumably because the >>> daemons in question didn't have unit files at the time (this policy was >>> taken from Fedora some time ago). >>> >>> I've also added a stub systemd_unit_file() in init.if. The full systemd >>> policy patch will have to remove that. I think this is OK to get the >>> uncontroversial stuff included in the tree sooner. >> >> Please send your patches in-line so that we can easily comment on them. >> >> Here is one thing that can be improved in your patch: >> >> This is how its supposed to be: >> >> /lib/systemd/system/alsa-.*\.service -- >> gen_context(system_u:object_r:alsa_unit_file_t,s0) >> >> These are not optimal and its inconsistent with above: >> >> /lib/systemd/system/named.service -- >> gen_context(system_u:object_r:named_unit_file_t,s0) >> >> You see: >> >> # grep system /etc/selinux/targeted/contexts/files/*.subs_dist >> /run/systemd/system /usr/lib/systemd/system >> /run/systemd/generator /usr/lib/systemd/system >> /etc/systemd/system /usr/lib/systemd/system >> >> So /etc/systemd/system is equivalent to /usr/lib/systemd/system >> >> Now consider me having a name daemon dns server on each of my two >> networks. Then i need a instance for each. So i create two "named" unit >> files in /etc/systemd/system/named_{network1,network2}.service >> >> So we can use the .* wildcard to catch these? >> >> So i would suggest we create file contexts for unit files with .* >> consistently to catch prefixed service files > > How is this? The name of the interface would have to start with init. It makes me wonder if we should extend the init_service_domain()/init_daemon_domain() interfaces instead. The unit file is related to the domain starting up from init/systemd, so one might argue it goes with those interfaces. > Description: Add systemd unit types > Author: Russell Coker <russell@coker.com.au> > Last-Update: 2014-01-12 > > --- a/policy/modules/contrib/alsa.fc > +++ b/policy/modules/contrib/alsa.fc > @@ -24,3 +24,4 @@ > /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) > > /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) > +/lib/systemd/system/alsa.*\.service -- > gen_context(system_u:object_r:alsa_unit_file_t,s0) > --- a/policy/modules/contrib/alsa.te > +++ b/policy/modules/contrib/alsa.te > @@ -27,6 +27,9 @@ > type alsa_home_t; > userdom_user_home_content(alsa_home_t) > > +type alsa_unit_file_t; > +systemd_unit_file(alsa_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/apache.fc > +++ b/policy/modules/contrib/apache.fc > @@ -26,6 +26,9 @@ > /etc/WebCalendar(/.*)? > gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /etc/zabbix/web(/.*)? > gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > > +/lib/systemd/system/httpd.*\.service -- > gen_context(system_u:object_r:httpd_unit_file_t,s0) > +/lib/systemd/system/jetty.*\.service -- > gen_context(system_u:object_r:httpd_unit_file_t,s0) > + > /opt/.*\.cgi -- > gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) > /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? > gen_context(system_u:object_r:httpd_var_run_t,s0) > > --- a/policy/modules/contrib/apache.te > +++ b/policy/modules/contrib/apache.te > @@ -286,6 +286,8 @@ > type httpd_keytab_t; > files_type(httpd_keytab_t) > > +type httpd_unit_file_t; > +systemd_unit_file(httpd_unit_file_t) > type httpd_lock_t; > files_lock_file(httpd_lock_t) > > --- a/policy/modules/contrib/apcupsd.fc > +++ b/policy/modules/contrib/apcupsd.fc > @@ -1,5 +1,7 @@ > /etc/rc\.d/init\.d/apcupsd -- > gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) > > +/lib/systemd/system/apcupsd.*\.service -- > gen_context(system_u:object_r:apcupsd_unit_file_t,s0) > + > /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) > > /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) > --- a/policy/modules/contrib/apcupsd.te > +++ b/policy/modules/contrib/apcupsd.te > @@ -24,6 +24,9 @@ > type apcupsd_var_run_t; > files_pid_file(apcupsd_var_run_t) > > +type apcupsd_unit_file_t; > +systemd_unit_file(apcupsd_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/apm.fc > +++ b/policy/modules/contrib/apm.fc > @@ -17,3 +17,5 @@ > /var/run/powersave_socket -s > gen_context(system_u:object_r:apmd_var_run_t,s0) > > /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) > + > +/lib/systemd/system/apmd.*\.service -- > gen_context(system_u:object_r:apmd_unit_file_t,s0) > --- a/policy/modules/contrib/apm.te > +++ b/policy/modules/contrib/apm.te > @@ -35,6 +35,9 @@ > type apmd_var_run_t; > files_pid_file(apmd_var_run_t) > > +type apmd_unit_file_t; > +systemd_unit_file(apmd_unit_file_t) > + > ######################################## > # > # Client local policy > --- a/policy/modules/contrib/arpwatch.fc > +++ b/policy/modules/contrib/arpwatch.fc > @@ -7,3 +7,5 @@ > /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) > > /var/run/arpwatch.*\.pid -- > gen_context(system_u:object_r:arpwatch_var_run_t,s0) > + > +/lib/systemd/system/arpwatch.*\.service -- > gen_context(system_u:object_r:arpwatch_unit_file_t,s0) > --- a/policy/modules/contrib/arpwatch.te > +++ b/policy/modules/contrib/arpwatch.te > @@ -21,6 +21,9 @@ > type arpwatch_var_run_t; > files_pid_file(arpwatch_var_run_t) > > +type arpwatch_unit_file_t; > +systemd_unit_file(arpwatch_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/automount.fc > +++ b/policy/modules/contrib/automount.fc > @@ -6,3 +6,5 @@ > /var/lock/subsys/autofs -- > gen_context(system_u:object_r:automount_lock_t,s0) > > /var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) > + > +/lib/systemd/system/autofs.*\.service -- > gen_context(system_u:object_r:automount_unit_file_t,s0) > --- a/policy/modules/contrib/automount.te > +++ b/policy/modules/contrib/automount.te > @@ -25,6 +25,9 @@ > type automount_var_run_t; > files_pid_file(automount_var_run_t) > > +type automount_unit_file_t; > +systemd_unit_file(automount_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/avahi.fc > +++ b/policy/modules/contrib/avahi.fc > @@ -7,3 +7,5 @@ > /var/run/avahi-daemon(/.*)? > gen_context(system_u:object_r:avahi_var_run_t,s0) > > /var/lib/avahi-autoipd(/.*)? > gen_context(system_u:object_r:avahi_var_lib_t,s0) > + > +/lib/systemd/system/avahi.*\.service -- > gen_context(system_u:object_r:avahi_unit_file_t,s0) > --- a/policy/modules/contrib/avahi.te > +++ b/policy/modules/contrib/avahi.te > @@ -18,6 +18,9 @@ > type avahi_var_run_t; > files_pid_file(avahi_var_run_t) > > +type avahi_unit_file_t; > +systemd_unit_file(avahi_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/bind.fc > +++ b/policy/modules/contrib/bind.fc > @@ -14,6 +14,9 @@ > /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) > /etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) > > +/lib/systemd/system/unbound.*\.service -- > gen_context(system_u:object_r:named_unit_file_t,s0) > +/lib/systemd/system/named.*\.service -- > gen_context(system_u:object_r:named_unit_file_t,s0) > + > /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) > /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) > /usr/sbin/named-checkconf -- > gen_context(system_u:object_r:named_checkconf_exec_t,s0) > --- a/policy/modules/contrib/bind.te > +++ b/policy/modules/contrib/bind.te > @@ -47,6 +47,9 @@ > type named_keytab_t; > files_type(named_keytab_t) > > +type named_unit_file_t; > +systemd_unit_file(named_unit_file_t) > + > type named_log_t; > logging_log_file(named_log_t) > > --- a/policy/modules/contrib/bluetooth.fc > +++ b/policy/modules/contrib/bluetooth.fc > @@ -22,3 +22,5 @@ > > /var/run/bluetoothd_address -- > gen_context(system_u:object_r:bluetooth_var_run_t,s0) > /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) > + > +/lib/systemd/system/bluetooth.*\.service -- > gen_context(system_u:object_r:bluetooth_unit_file_t,s0) > --- a/policy/modules/contrib/bluetooth.te > +++ b/policy/modules/contrib/bluetooth.te > @@ -49,6 +49,9 @@ > type bluetooth_var_run_t; > files_pid_file(bluetooth_var_run_t) > > +type bluetooth_unit_file_t; > +systemd_unit_file(bluetooth_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/clamav.fc > +++ b/policy/modules/contrib/clamav.fc > @@ -24,3 +24,5 @@ > /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) > > /var/spool/amavisd/clamd\.sock -s > gen_context(system_u:object_r:clamd_var_run_t,s0) > + > +/lib/systemd/system/clamd.*\.service -- > gen_context(system_u:object_r:clamd_unit_file_t,s0) > --- a/policy/modules/contrib/clamav.te > +++ b/policy/modules/contrib/clamav.te > @@ -38,6 +38,9 @@ > type clamd_initrc_exec_t; > init_script_file(clamd_initrc_exec_t) > > +type clamd_unit_file_t; > +systemd_unit_file(clamd_unit_file_t) > + > type clamd_tmp_t; > files_tmp_file(clamd_tmp_t) > > --- a/policy/modules/contrib/consolekit.fc > +++ b/policy/modules/contrib/consolekit.fc > @@ -1,3 +1,5 @@ > +/lib/systemd/system/console-kit.*\.service -- > gen_context(system_u:object_r:consolekit_unit_file_t,s0) > + > /usr/sbin/console-kit-daemon -- > gen_context(system_u:object_r:consolekit_exec_t,s0) > > /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) > --- a/policy/modules/contrib/consolekit.te > +++ b/policy/modules/contrib/consolekit.te > @@ -19,6 +19,9 @@ > files_pid_file(consolekit_var_run_t) > init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") > > +type consolekit_unit_file_t; > +systemd_unit_file(consolekit_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/cron.fc > +++ b/policy/modules/contrib/cron.fc > @@ -64,3 +64,6 @@ > /var/spool/cron/lastrun/[^/]* -- <<none>> > /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) > ') > + > +/lib/systemd/system/atd.*\.service -- > gen_context(system_u:object_r:crond_unit_file_t,s0) > +/lib/systemd/system/crond.*\.service -- > gen_context(system_u:object_r:crond_unit_file_t,s0) > --- a/policy/modules/contrib/cron.te > +++ b/policy/modules/contrib/cron.te > @@ -71,6 +71,9 @@ > type crond_initrc_exec_t; > init_script_file(crond_initrc_exec_t) > > +type crond_unit_file_t; > +systemd_unit_file(crond_unit_file_t) > + > type crond_tmp_t; > files_tmp_file(crond_tmp_t) > files_poly_parent(crond_tmp_t) > --- a/policy/modules/contrib/cups.fc > +++ b/policy/modules/contrib/cups.fc > @@ -75,3 +75,5 @@ > /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) > /var/run/udev-configure-printer(/.*)? > gen_context(system_u:object_r:cupsd_config_var_run_t,s0) > /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) > + > +/lib/systemd/system/cups.*\.service -- > gen_context(system_u:object_r:cupsd_unit_file_t,s0) > --- a/policy/modules/contrib/cups.te > +++ b/policy/modules/contrib/cups.te > @@ -62,6 +62,9 @@ > init_daemon_run_dir(cupsd_var_run_t, "cups") > mls_trusted_object(cupsd_var_run_t) > > +type cupsd_unit_file_t; > +systemd_unit_file(cupsd_unit_file_t) > + > type hplip_t; > type hplip_exec_t; > init_daemon_domain(hplip_t, hplip_exec_t) > --- a/policy/modules/contrib/dhcp.fc > +++ b/policy/modules/contrib/dhcp.fc > @@ -6,3 +6,4 @@ > /var/lib/dhcp(3)?/dhcpd\.leases.* -- > gen_context(system_u:object_r:dhcpd_state_t,s0) > > /var/run/dhcpd(6)?\.pid -- > gen_context(system_u:object_r:dhcpd_var_run_t,s0) > +/lib/systemd/system/dhcpcd.*\.service -- > gen_context(system_u:object_r:dhcpd_unit_file_t,s0) > --- a/policy/modules/contrib/dhcp.te > +++ b/policy/modules/contrib/dhcp.te > @@ -20,6 +20,9 @@ > type dhcpd_initrc_exec_t; > init_script_file(dhcpd_initrc_exec_t) > > +type dhcpd_unit_file_t; > +systemd_unit_file(dhcpd_unit_file_t) > + > type dhcpd_state_t; > files_type(dhcpd_state_t) > > --- a/policy/modules/contrib/dnsmasq.fc > +++ b/policy/modules/contrib/dnsmasq.fc > @@ -12,3 +12,4 @@ > > /var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) > /var/run/libvirt/network(/.*)? > gen_context(system_u:object_r:dnsmasq_var_run_t,s0) > +/lib/systemd/system/dnsmasq.*\.service -- > gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) > --- a/policy/modules/contrib/dnsmasq.te > +++ b/policy/modules/contrib/dnsmasq.te > @@ -24,6 +24,9 @@ > type dnsmasq_var_run_t; > files_pid_file(dnsmasq_var_run_t) > > +type dnsmasq_unit_file_t; > +systemd_unit_file(dnsmasq_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/ftp.fc > +++ b/policy/modules/contrib/ftp.fc > @@ -26,3 +26,6 @@ > /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) > /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) > /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) > + > +/lib/systemd/system/vsftpd.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > +/lib/systemd/system/proftpd.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > --- a/policy/modules/contrib/ftp.te > +++ b/policy/modules/contrib/ftp.te > @@ -127,6 +127,9 @@ > type ftpd_keytab_t; > files_type(ftpd_keytab_t) > > +type ftpd_unit_file_t; > +systemd_unit_file(ftpd_unit_file_t) > + > type ftpd_lock_t; > files_lock_file(ftpd_lock_t) > > --- a/policy/modules/contrib/kdump.fc > +++ b/policy/modules/contrib/kdump.fc > @@ -11,3 +11,5 @@ > > /usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) > /usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) > + > +/lib/systemd/system/kdump.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > --- a/policy/modules/contrib/kdump.te > +++ b/policy/modules/contrib/kdump.te > @@ -23,6 +23,9 @@ > type kdumpctl_tmp_t; > files_tmp_file(kdumpctl_tmp_t) > > +type kdump_unit_file_t; > +systemd_unit_file(kdump_unit_file_t) > + > ##################################### > # > # Local policy > --- a/policy/modules/contrib/ldap.fc > +++ b/policy/modules/contrib/ldap.fc > @@ -27,3 +27,5 @@ > /var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) > /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) > /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) > + > +/lib/systemd/system/slapd.*\.service -- > gen_context(system_u:object_r:slapd_unit_file_t,s0) > --- a/policy/modules/contrib/ldap.te > +++ b/policy/modules/contrib/ldap.te > @@ -24,6 +24,9 @@ > type slapd_keytab_t; > files_type(slapd_keytab_t) > > +type slapd_unit_file_t; > +systemd_unit_file(slapd_unit_file_t) > + > type slapd_lock_t; > files_lock_file(slapd_lock_t) > > --- a/policy/modules/contrib/mysql.fc > +++ b/policy/modules/contrib/mysql.fc > @@ -25,3 +25,5 @@ > /var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) > /var/run/mysqlmanager.* -- > gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) > /var/run/mysqld/mysqlmanager.* -- > gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) > + > +/lib/systemd/system/mysqld.*\.service -- > gen_context(system_u:object_r:mysqld_unit_file_t,s0) > --- a/policy/modules/contrib/mysql.te > +++ b/policy/modules/contrib/mysql.te > @@ -38,6 +38,9 @@ > type mysqld_home_t; > userdom_user_home_content(mysqld_home_t) > > +type mysqld_unit_file_t; > +systemd_unit_file(mysqld_unit_file_t) > + > type mysqld_initrc_exec_t; > init_script_file(mysqld_initrc_exec_t) > > --- a/policy/modules/contrib/networkmanager.fc > +++ b/policy/modules/contrib/networkmanager.fc > @@ -1,3 +1,4 @@ > +/lib/systemd/system/NetworkManager.*\.service -- > gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) > /etc/rc\.d/init\.d/wicd -- > gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) > > /etc/NetworkManager(/.*)? > gen_context(system_u:object_r:NetworkManager_etc_t,s0) > --- a/policy/modules/contrib/networkmanager.te > +++ b/policy/modules/contrib/networkmanager.te > @@ -18,6 +18,9 @@ > type NetworkManager_initrc_exec_t; > init_script_file(NetworkManager_initrc_exec_t) > > +type NetworkManager_unit_file_t; > +systemd_unit_file(NetworkManager_unit_file_t) > + > type NetworkManager_log_t; > logging_log_file(NetworkManager_log_t) > > --- a/policy/modules/contrib/nis.fc > +++ b/policy/modules/contrib/nis.fc > @@ -20,3 +20,8 @@ > /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) > /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) > /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) > + > +/lib/systemd/system/ypbind.*\.service -- > gen_context(system_u:object_r:ypbind_unit_file_t,s0) > +/lib/systemd/system/ypserv.*\.service -- > gen_context(system_u:object_r:nis_unit_file_t,s0) > +/lib/systemd/system/yppasswdd.*\.service -- > gen_context(system_u:object_r:nis_unit_file_t,s0) > +/lib/systemd/system/ypxfrd.*\.service -- > gen_context(system_u:object_r:nis_unit_file_t,s0) > --- a/policy/modules/contrib/nis.te > +++ b/policy/modules/contrib/nis.te > @@ -27,6 +27,9 @@ > type ypbind_var_run_t; > files_pid_file(ypbind_var_run_t) > > +type ypbind_unit_file_t; > +systemd_unit_file(ypbind_unit_file_t) > + > type yppasswdd_t; > type yppasswdd_exec_t; > init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) > @@ -55,6 +58,9 @@ > type ypxfr_var_run_t; > files_pid_file(ypxfr_var_run_t) > > +type nis_unit_file_t; > +systemd_unit_file(nis_unit_file_t) > + > ######################################## > # > # ypbind local policy > --- a/policy/modules/contrib/nscd.te > +++ b/policy/modules/contrib/nscd.te > @@ -31,6 +31,9 @@ > type nscd_initrc_exec_t; > init_script_file(nscd_initrc_exec_t) > > +type nscd_unit_file_t; > +systemd_unit_file(nscd_unit_file_t) > + > type nscd_log_t; > logging_log_file(nscd_log_t) > > --- a/policy/modules/contrib/ntp.fc > +++ b/policy/modules/contrib/ntp.fc > @@ -21,3 +21,7 @@ > /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) > > /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) > + > +/lib/systemd/system/ntpd.*\.service -- > gen_context(system_u:object_r:ntpd_unit_file_t,s0) > + > +/usr/lib/systemd/system/ntpd.*\.service -- > gen_context(system_u:object_r:ntpd_unit_file_t,s0) > --- a/policy/modules/contrib/ntp.te > +++ b/policy/modules/contrib/ntp.te > @@ -21,6 +21,9 @@ > type ntp_conf_t; > files_config_file(ntp_conf_t) > > +type ntpd_unit_file_t; > +systemd_unit_file(ntpd_unit_file_t) > + > type ntpd_key_t; > files_type(ntpd_key_t) > > --- a/policy/modules/contrib/ppp.fc > +++ b/policy/modules/contrib/ppp.fc > @@ -28,3 +28,5 @@ > /var/run/pppd[0-9]*\.tdb -- > gen_context(system_u:object_r:pppd_var_run_t,s0) > /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) > /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) > + > +/lib/systemd/system/ppp.*\.service -- > gen_context(system_u:object_r:pppd_unit_file_t,s0) > --- a/policy/modules/contrib/ppp.te > +++ b/policy/modules/contrib/ppp.te > @@ -41,6 +41,9 @@ > type pppd_initrc_exec_t alias pppd_script_exec_t; > init_script_file(pppd_initrc_exec_t) > > +type pppd_unit_file_t; > +systemd_unit_file(pppd_unit_file_t) > + > type pppd_secret_t; > files_type(pppd_secret_t) > > --- a/policy/modules/contrib/rpc.fc > +++ b/policy/modules/contrib/rpc.fc > @@ -20,3 +20,6 @@ > > /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) > /var/run/rpc\.statd\.pid -- > gen_context(system_u:object_r:rpcd_var_run_t,s0) > + > +/lib/systemd/system/nfs.*\.service -- > gen_context(system_u:object_r:nfsd_unit_file_t,s0) > +/lib/systemd/system/rpc.*\.service -- > gen_context(system_u:object_r:rpcd_unit_file_t,s0) > --- a/policy/modules/contrib/rpc.te > +++ b/policy/modules/contrib/rpc.te > @@ -44,11 +44,17 @@ > type rpcd_initrc_exec_t; > init_script_file(rpcd_initrc_exec_t) > > +type rpcd_unit_file_t; > +systemd_unit_file(rpcd_unit_file_t) > + > rpc_domain_template(nfsd) > > type nfsd_initrc_exec_t; > init_script_file(nfsd_initrc_exec_t) > > +type nfsd_unit_file_t; > +systemd_unit_file(nfsd_unit_file_t) > + > type nfsd_rw_t; > files_type(nfsd_rw_t) > > --- a/policy/modules/contrib/samba.fc > +++ b/policy/modules/contrib/samba.fc > @@ -8,6 +8,8 @@ > /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) > /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) > > +/lib/systemd/system/smb.*\.service -- > gen_context(system_u:object_r:samba_unit_file_t,s0) > + > /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) > /usr/bin/ntlm_auth -- > gen_context(system_u:object_r:winbind_helper_exec_t,s0) > /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) > --- a/policy/modules/contrib/samba.te > +++ b/policy/modules/contrib/samba.te > @@ -113,6 +113,9 @@ > type samba_initrc_exec_t; > init_script_file(samba_initrc_exec_t) > > +type samba_unit_file_t; > +systemd_unit_file(samba_unit_file_t) > + > type samba_log_t; > logging_log_file(samba_log_t) > > --- a/policy/modules/contrib/tor.fc > +++ b/policy/modules/contrib/tor.fc > @@ -5,6 +5,8 @@ > /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) > /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) > > +/lib/systemd/system/tor.*\.service -- > gen_context(system_u:object_r:tor_unit_file_t,s0) > + > /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) > /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) > > --- a/policy/modules/contrib/tor.te > +++ b/policy/modules/contrib/tor.te > @@ -33,6 +33,9 @@ > files_pid_file(tor_var_run_t) > init_daemon_run_dir(tor_var_run_t, "tor") > > +type tor_unit_file_t; > +systemd_unit_file(tor_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/system/iptables.fc > +++ b/policy/modules/system/iptables.fc > @@ -3,6 +3,9 @@ > /etc/sysconfig/ip6?tables.* -- > gen_context(system_u:object_r:iptables_conf_t,s0) > /etc/sysconfig/system-config-firewall.* -- > gen_context(system_u:object_r:iptables_conf_t,s0) > > +/lib/systemd/system/iptables.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > +/lib/systemd/system/ip6tables.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > + > /sbin/ebtables -- > gen_context(system_u:object_r:iptables_exec_t,s0) > /sbin/ebtables-restore -- > gen_context(system_u:object_r:iptables_exec_t,s0) > /sbin/ipchains.* -- > gen_context(system_u:object_r:iptables_exec_t,s0) > --- a/policy/modules/system/iptables.te > +++ b/policy/modules/system/iptables.te > @@ -25,6 +25,9 @@ > type iptables_var_run_t; > files_pid_file(iptables_var_run_t) > > +type iptables_unit_file_t; > +systemd_unit_file(iptables_unit_file_t) > + > ######################################## > # > # Iptables local policy > --- a/policy/modules/system/logging.fc > +++ b/policy/modules/system/logging.fc > @@ -6,6 +6,8 @@ > /etc/rc\.d/init\.d/auditd -- > gen_context(system_u:object_r:auditd_initrc_exec_t,s0) > /etc/rc\.d/init\.d/rsyslog -- > gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > > +/lib/systemd/system/auditd.*\.service -- > gen_context(system_u:object_r:auditd_unit_file_t,s0) > + > /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) > /sbin/audisp-remote -- > gen_context(system_u:object_r:audisp_remote_exec_t,s0) > /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) > @@ -23,6 +25,7 @@ > /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) > /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) > /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) > +/lib/systemd/system/rsyslog.*\.service -- > gen_context(system_u:object_r:syslogd_unit_file_t,s0) > > /var/lib/misc/syslog-ng.persist-? -- > gen_context(system_u:object_r:syslogd_var_lib_t,s0) > /var/lib/syslog-ng(/.*)? > gen_context(system_u:object_r:syslogd_var_lib_t,s0) > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -12,6 +12,9 @@ > init_system_domain(auditctl_t, auditctl_exec_t) > role system_r types auditctl_t; > > +type auditd_unit_file_t; > +systemd_unit_file(auditd_unit_file_t) > + > type auditd_etc_t; > files_security_file(auditd_etc_t) > > @@ -65,6 +68,9 @@ > type syslogd_exec_t; > init_daemon_domain(syslogd_t, syslogd_exec_t) > > +type syslogd_unit_file_t; > +systemd_unit_file(syslogd_unit_file_t) > + > type syslogd_initrc_exec_t; > init_script_file(syslogd_initrc_exec_t) > > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -389,10 +389,14 @@ > class system > { > ipc_info > - syslog_read > + syslog_read > syslog_mod > syslog_console > module_request > + halt > + reboot > + status > + undefined > } > > # > @@ -865,3 +869,20 @@ > implement > execute > } > + > +class service > +{ > + start > + stop > + status > + reload > + kill > + load > + enable > + disable > +} > + > +class proxy > +{ > + read > +} > --- a/policy/flask/security_classes > +++ b/policy/flask/security_classes > @@ -131,4 +131,10 @@ > class db_sequence # userspace > class db_language # userspace > > +# systemd services > +class service > + > +# gssd services > +class proxy > + > # FLASK > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -1844,3 +1844,17 @@ > ') > corenet_udp_recvfrom_labeled($1, daemon) > ') > + > +####################################### > +## <summary> > +## Create a file type used for systemd unit files. > +## </summary> > +## <param name="script_file"> > +## <summary> > +## Type to be used for an unit file. > +## </summary> > +## </param> > +# > +interface(`systemd_unit_file',` > + files_type($1) > +') > --- a/policy/modules/system/selinuxutil.fc > +++ b/policy/modules/system/selinuxutil.fc > @@ -36,6 +36,7 @@ > > /usr/sbin/load_policy -- > gen_context(system_u:object_r:load_policy_exec_t,s0) > /usr/sbin/restorecond -- > gen_context(system_u:object_r:restorecond_exec_t,s0) > +/lib/systemd/system/restorecond.*\.service -- > gen_context(system_u:object_r:restorecond_unit_file_t,s0) > /usr/sbin/run_init -- > gen_context(system_u:object_r:run_init_exec_t,s0) > /usr/sbin/setfiles.* -- > gen_context(system_u:object_r:setfiles_exec_t,s0) > /usr/sbin/setsebool -- > gen_context(system_u:object_r:semanage_exec_t,s0) > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -85,6 +85,9 @@ > domain_obj_id_change_exemption(restorecond_t) > role system_r types restorecond_t; > > +type restorecond_unit_file_t; > +systemd_unit_file(restorecond_unit_file_t) > + > type restorecond_var_run_t; > files_pid_file(restorecond_var_run_t) > > --- a/policy/modules/system/setrans.fc > +++ b/policy/modules/system/setrans.fc > @@ -1,5 +1,6 @@ > /etc/rc\.d/init\.d/mcstrans -- > gen_context(system_u:object_r:setrans_initrc_exec_t,s0) > > /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) > +/lib/systemd/system/mcstrans.*\.service -- > gen_context(system_u:object_r:setrans_unit_file_t,s0) > > /var/run/setrans(/.*)? > gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) > --- a/policy/modules/system/setrans.te > +++ b/policy/modules/system/setrans.te > @@ -13,6 +13,9 @@ > type setrans_exec_t; > init_daemon_domain(setrans_t, setrans_exec_t) > > +type setrans_unit_file_t; > +systemd_unit_file(setrans_unit_file_t) > + > type setrans_initrc_exec_t; > init_script_file(setrans_initrc_exec_t) > > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 23:37 ` Russell Coker 2014-01-14 9:46 ` Dominick Grift @ 2014-01-14 10:12 ` Dominick Grift 2014-01-14 12:22 ` Laurent Bigonville 2014-01-14 13:34 ` Christopher J. PeBenito 3 siblings, 0 replies; 28+ messages in thread From: Dominick Grift @ 2014-01-14 10:12 UTC (permalink / raw) To: refpolicy On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote: > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -389,10 +389,14 @@ > class system > { > ipc_info > - syslog_read > + syslog_read > syslog_mod > syslog_console > module_request > + halt > + reboot > + status > + undefined > } > I am not sure if these should be added but i might be wrong These seem like systemd OM av permissions system is kernel OM security class Not sure whether, if my assumptions are correct, it makes sense to add user space av permissions to kernel security classes ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 23:37 ` Russell Coker 2014-01-14 9:46 ` Dominick Grift 2014-01-14 10:12 ` Dominick Grift @ 2014-01-14 12:22 ` Laurent Bigonville 2014-01-14 13:34 ` Christopher J. PeBenito 3 siblings, 0 replies; 28+ messages in thread From: Laurent Bigonville @ 2014-01-14 12:22 UTC (permalink / raw) To: refpolicy Le Tue, 14 Jan 2014 10:37:29 +1100, Russell Coker <russell@coker.com.au> a ?crit : [...] > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -389,10 +389,14 @@ > class system > { > ipc_info > - syslog_read > + syslog_read > syslog_mod > syslog_console > module_request > + halt > + reboot > + status > + undefined > } I don't know from where this "undefined" is coming from. I looked sometimes ago in the systemd source code and undefined was not used. And it's missing "enable" and "disable". You can grep "SELINUX_ACCESS_CHECK" in the code. > > # > @@ -865,3 +869,20 @@ > implement > execute > } > + > +class service > +{ > + start > + stop > + status > + reload > + kill > + load > + enable > + disable > +} Here again, I don't think all these AV are in use. You can grep "SELINUX_UNIT_ACCESS_CHECK" in the code, only start, stop status and reload are used here I think. > +class proxy > +{ > + read > +} > --- a/policy/flask/security_classes > +++ b/policy/flask/security_classes > @@ -131,4 +131,10 @@ > class db_sequence # userspace > class db_language # userspace > > +# systemd services > +class service > + > +# gssd services > +class proxy > + I'm not sure that the "proxy" class should be part of the same patch this is not needed for systemd. [...] Cheers, Laurent Bigonville ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-13 23:37 ` Russell Coker ` (2 preceding siblings ...) 2014-01-14 12:22 ` Laurent Bigonville @ 2014-01-14 13:34 ` Christopher J. PeBenito 2014-01-14 13:54 ` Dominick Grift ` (2 more replies) 3 siblings, 3 replies; 28+ messages in thread From: Christopher J. PeBenito @ 2014-01-14 13:34 UTC (permalink / raw) To: refpolicy On 01/13/14 18:37, Russell Coker wrote: > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: >> Having separate labels on the unit file is not just for "user" domains. It >> is also for system domains, for example NetworkManager_t is allowed to >> start the following services. > > OK. > > I've attached a patch I'm using which defines some unit types and adds fc > entries. Some of them are missing fc entries, presumably because the daemons > in question didn't have unit files at the time (this policy was taken from > Fedora some time ago). > > I've also added a stub systemd_unit_file() in init.if. The full systemd policy > patch will have to remove that. I think this is OK to get the uncontroversial > stuff included in the tree sooner. I don't have a problem with something like this. The big thing that concerns me about integrating systemd policy is it's structure. My big question is can we add it onto the init module and toggle rules (similar to init_upstart tunable) reasonably? Or does is it so different than sysvinit/upstart that it deserves to be implemented as a replacement module for init? If that's the case, that would surely have some interesting issues (e.g. what to do about initrc_t etc.) There's also questions about the socket activation and how that fits in. I've been dragging my feet on integrating systemd stuff since I don't have such a good sense of the answers to these questions (and systemd functions were in flux for a long time.) A couple months ago I tried setting up systemd on one of my Gentoo systems, but that didn't go well, since its not well supported (a lot of Gentoo devs reject it's use). I haven't had a chance to retry on a Fedora system. That being said, I do want to get support in by the time RHEL7 final goes out. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 13:34 ` Christopher J. PeBenito @ 2014-01-14 13:54 ` Dominick Grift 2014-01-14 14:41 ` Laurent Bigonville 2014-01-27 14:17 ` Miroslav Grepl 2 siblings, 0 replies; 28+ messages in thread From: Dominick Grift @ 2014-01-14 13:54 UTC (permalink / raw) To: refpolicy On Tue, 2014-01-14 at 08:34 -0500, Christopher J. PeBenito wrote: > There's also questions about the socket activation and how that fits in. I think Fedoras' policy also does not deal elegantly with socket activation. I would like to see a separate interface with all the relevant socket activation rules in there. ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 13:34 ` Christopher J. PeBenito 2014-01-14 13:54 ` Dominick Grift @ 2014-01-14 14:41 ` Laurent Bigonville 2014-01-14 14:55 ` Daniel J Walsh 2014-01-27 14:17 ` Miroslav Grepl 2 siblings, 1 reply; 28+ messages in thread From: Laurent Bigonville @ 2014-01-14 14:41 UTC (permalink / raw) To: refpolicy Le Tue, 14 Jan 2014 08:34:49 -0500, "Christopher J. PeBenito" <cpebenito@tresys.com> a ?crit : > On 01/13/14 18:37, Russell Coker wrote: > > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: > >> Having separate labels on the unit file is not just for "user" > >> domains. It is also for system domains, for example > >> NetworkManager_t is allowed to start the following services. > > > > OK. > > > > I've attached a patch I'm using which defines some unit types and > > adds fc entries. Some of them are missing fc entries, presumably > > because the daemons in question didn't have unit files at the time > > (this policy was taken from Fedora some time ago). > > > > I've also added a stub systemd_unit_file() in init.if. The full > > systemd policy patch will have to remove that. I think this is OK > > to get the uncontroversial stuff included in the tree sooner. > > I don't have a problem with something like this. The big thing that > concerns me about integrating systemd policy is it's structure. My > big question is can we add it onto the init module and toggle rules > (similar to init_upstart tunable) reasonably? Or does is it so > different than sysvinit/upstart that it deserves to be implemented as > a replacement module for init? If that's the case, that would surely > have some interesting issues (e.g. what to do about initrc_t etc.) > There's also questions about the socket activation and how that fits > in. Well if I'm not wrong, the Fedora policy has added a systemd.pp modules that deals with all the non-PID1 stuffs from systemd (like journald, logind,...). The PID1 related stuffs are still in init module. > > I've been dragging my feet on integrating systemd stuff since I don't > have such a good sense of the answers to these questions (and systemd > functions were in flux for a long time.) A couple months ago I tried > setting up systemd on one of my Gentoo systems, but that didn't go > well, since its not well supported (a lot of Gentoo devs reject it's > use). I haven't had a chance to retry on a Fedora system. > > That being said, I do want to get support in by the time RHEL7 final > goes out. Debian is also currently debating about the use of systemd or upstart as default init in its next releases. ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 14:41 ` Laurent Bigonville @ 2014-01-14 14:55 ` Daniel J Walsh 0 siblings, 0 replies; 28+ messages in thread From: Daniel J Walsh @ 2014-01-14 14:55 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/14/2014 09:41 AM, Laurent Bigonville wrote: > Le Tue, 14 Jan 2014 08:34:49 -0500, "Christopher J. PeBenito" > <cpebenito@tresys.com> a ?crit : > >> On 01/13/14 18:37, Russell Coker wrote: >>> On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: >>>> Having separate labels on the unit file is not just for "user" >>>> domains. It is also for system domains, for example >>>> NetworkManager_t is allowed to start the following services. >>> >>> OK. >>> >>> I've attached a patch I'm using which defines some unit types and adds >>> fc entries. Some of them are missing fc entries, presumably because >>> the daemons in question didn't have unit files at the time (this policy >>> was taken from Fedora some time ago). >>> >>> I've also added a stub systemd_unit_file() in init.if. The full >>> systemd policy patch will have to remove that. I think this is OK to >>> get the uncontroversial stuff included in the tree sooner. >> >> I don't have a problem with something like this. The big thing that >> concerns me about integrating systemd policy is it's structure. My big >> question is can we add it onto the init module and toggle rules (similar >> to init_upstart tunable) reasonably? Or does is it so different than >> sysvinit/upstart that it deserves to be implemented as a replacement >> module for init? If that's the case, that would surely have some >> interesting issues (e.g. what to do about initrc_t etc.) There's also >> questions about the socket activation and how that fits in. > > Well if I'm not wrong, the Fedora policy has added a systemd.pp modules > that deals with all the non-PID1 stuffs from systemd (like journald, > logind,...). The PID1 related stuffs are still in init module. > >> >> I've been dragging my feet on integrating systemd stuff since I don't >> have such a good sense of the answers to these questions (and systemd >> functions were in flux for a long time.) A couple months ago I tried >> setting up systemd on one of my Gentoo systems, but that didn't go well, >> since its not well supported (a lot of Gentoo devs reject it's use). I >> haven't had a chance to retry on a Fedora system. >> >> That being said, I do want to get support in by the time RHEL7 final goes >> out. > > Debian is also currently debating about the use of systemd or upstart as > default init in its next releases. > Most of what is in systemd.te is not related to pid 1. It is covering all of the other systemd daemons. /bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) /bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) /bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) /bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) /usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) /usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) /usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) /usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) /usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0) /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0) /usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0) /usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) As well as the unit files, which could be argued do not belong in the init.fc since they are service specific and systemd specific. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlLVT+sACgkQrlYvE4MpobONkQCZAVtUabaN97Mt3iiv0MLv9OMt nnQAn1jfeihWt5S14V7pbigXKFMyoLws =0sjs -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-14 13:34 ` Christopher J. PeBenito 2014-01-14 13:54 ` Dominick Grift 2014-01-14 14:41 ` Laurent Bigonville @ 2014-01-27 14:17 ` Miroslav Grepl 2014-02-06 16:32 ` Christopher J. PeBenito 2 siblings, 1 reply; 28+ messages in thread From: Miroslav Grepl @ 2014-01-27 14:17 UTC (permalink / raw) To: refpolicy On 01/14/2014 02:34 PM, Christopher J. PeBenito wrote: > On 01/13/14 18:37, Russell Coker wrote: >> On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: >>> Having separate labels on the unit file is not just for "user" domains. It >>> is also for system domains, for example NetworkManager_t is allowed to >>> start the following services. >> OK. >> >> I've attached a patch I'm using which defines some unit types and adds fc >> entries. Some of them are missing fc entries, presumably because the daemons >> in question didn't have unit files at the time (this policy was taken from >> Fedora some time ago). >> >> I've also added a stub systemd_unit_file() in init.if. The full systemd policy >> patch will have to remove that. I think this is OK to get the uncontroversial >> stuff included in the tree sooner. > I don't have a problem with something like this. The big thing that concerns me about integrating systemd policy is it's structure. My big question is can we add it onto the init module and toggle rules (similar to init_upstart tunable) reasonably? Or does is it so different than sysvinit/upstart that it deserves to be implemented as a replacement module for init? If that's the case, that would surely have some interesting issues (e.g. what to do about initrc_t etc.) There's also questions about the socket activation and how that fits in. How is it complicated? It shows us policy-f20-base.patch which we have in Fedora. And yes, initrc_t "goes away" how we know it without systemd. > > I've been dragging my feet on integrating systemd stuff since I don't have such a good sense of the answers to these questions (and systemd functions were in flux for a long time.) A couple months ago I tried setting up systemd on one of my Gentoo systems, but that didn't go well, since its not well supported (a lot of Gentoo devs reject it's use). I haven't had a chance to retry on a Fedora system. > > That being said, I do want to get support in by the time RHEL7 final goes out. > ^ permalink raw reply [flat|nested] 28+ messages in thread
* [refpolicy] systemd policy 2014-01-27 14:17 ` Miroslav Grepl @ 2014-02-06 16:32 ` Christopher J. PeBenito 0 siblings, 0 replies; 28+ messages in thread From: Christopher J. PeBenito @ 2014-02-06 16:32 UTC (permalink / raw) To: refpolicy On 01/27/14 09:17, Miroslav Grepl wrote: > On 01/14/2014 02:34 PM, Christopher J. PeBenito wrote: >> On 01/13/14 18:37, Russell Coker wrote: >>> On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote: >>>> Having separate labels on the unit file is not just for "user" domains. It >>>> is also for system domains, for example NetworkManager_t is allowed to >>>> start the following services. >>> OK. >>> >>> I've attached a patch I'm using which defines some unit types and adds fc >>> entries. Some of them are missing fc entries, presumably because the daemons >>> in question didn't have unit files at the time (this policy was taken from >>> Fedora some time ago). >>> >>> I've also added a stub systemd_unit_file() in init.if. The full systemd policy >>> patch will have to remove that. I think this is OK to get the uncontroversial >>> stuff included in the tree sooner. >> I don't have a problem with something like this. The big thing that concerns me about integrating systemd policy is it's structure. My big question is can we add it onto the init module and toggle rules (similar to init_upstart tunable) reasonably? Or does is it so different than sysvinit/upstart that it deserves to be implemented as a replacement module for init? If that's the case, that would surely have some interesting issues (e.g. what to do about initrc_t etc.) There's also questions about the socket activation and how that fits in. > How is it complicated? It shows us I'm not saying the policy is necessarily complicated, but systemd itself is certainly more complicated sysvinit or upstart. > policy-f20-base.patch > > which we have in Fedora. And yes, initrc_t "goes away" how we know it without systemd. I'm looking more into this patch, but I have a few initial questions: * For the huge block of additions at the end of the init_t policy section, are those all related to systemd? * Would you explain the purpose of each of the added attributes? * Why does the machine id file need its own type? On first glance, it seems like we might be able to put all this into an init_systemd tunable, but I'm still looking. I haven't looked into the separate systemd module that was created. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 28+ messages in thread
end of thread, other threads:[~2015-10-23 19:23 UTC | newest] Thread overview: 28+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-10-19 18:17 [refpolicy] Systemd policy Christopher J. PeBenito 2015-10-20 11:35 ` Dominick Grift 2015-10-23 19:23 ` Christopher J. PeBenito -- strict thread matches above, loose matches on Subject: below -- 2014-01-12 7:06 [refpolicy] systemd policy Russell Coker 2014-01-12 12:18 ` Laurent Bigonville 2014-01-13 12:52 ` Russell Coker 2014-01-13 15:10 ` Daniel J Walsh 2014-01-13 19:02 ` Dominick Grift 2014-01-13 20:16 ` Daniel J Walsh 2014-01-13 20:22 ` Dominick Grift 2014-01-13 21:07 ` Dominick Grift 2014-01-14 14:49 ` Daniel J Walsh 2014-01-14 11:24 ` Dominick Grift 2014-01-13 23:37 ` Russell Coker 2014-01-14 9:46 ` Dominick Grift 2014-01-14 9:58 ` Dominick Grift 2014-01-14 12:35 ` Laurent Bigonville 2014-01-14 13:03 ` Dominick Grift 2014-01-27 6:56 ` Russell Coker 2014-02-06 14:40 ` Christopher J. PeBenito 2014-01-14 10:12 ` Dominick Grift 2014-01-14 12:22 ` Laurent Bigonville 2014-01-14 13:34 ` Christopher J. PeBenito 2014-01-14 13:54 ` Dominick Grift 2014-01-14 14:41 ` Laurent Bigonville 2014-01-14 14:55 ` Daniel J Walsh 2014-01-27 14:17 ` Miroslav Grepl 2014-02-06 16:32 ` Christopher J. PeBenito
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.