[refpolicy] systemd policy

Daniel J Walsh dwalsh at redhat.com
Mon Jan 13 10:10:11 EST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/13/2014 07:52 AM, Russell Coker wrote:
> On Sun, 12 Jan 2014 13:18:41 Laurent Bigonville wrote:
>> Daniel do you know when this will happen? Can I already propose some of 
>> these patches?
> 
> One thing that would be good to propose first is the labelling of unit
> files.
> 
> Currently in Debian policy we have lots of patches to daemon policy like
> the following.  If we can agree that each daemon should have it's own unit
> file type (which appears to me to have no benefit unless we make a
> significant addition to the daemon management functionality) then we can
> add the patch as- is.  If we are going to add it as-is then the sooner the
> better, as a patch that affects lots of files is annoying to maintain.
> 
> type apcupsd_unit_file_t; systemd_unit_file(apcupsd_unit_file_t)
> 
> /lib/systemd/system/apcupsd\.service -- 
> gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
> 
> It seems to me that the only benefit of per-daemon types is that we can
> write policy allowing one user access to manage daemons with several
> types.
> 
> The other possible way of allowing per-user management of daemons managed
> by the type of the unit file would be to have a default type for the unit
> files (which is easier for .fc files and no change to most daemon policy).
> Then whenever we need to delegate some sysadmin rights to a daemon we
> create a new type as appropriate and a fcontext rule to label the unit
> file.
> 
> Regardless of when we merge the patches it would be good to get this design
>  issue sorted out soon.
> 

Having separate labels on the unit file is not just for "user" domains.   It
is also for system domains, for example NetworkManager_t is allowed to start
the following services.

 sesearch -A -s NetworkManager_t -p start
Found 5 semantic av rules:
   allow NetworkManager_t nscd_unit_file_t : service { start stop status
reload } ;
   allow NetworkManager_t ntpd_unit_file_t : service { start stop status
reload } ;
   allow NetworkManager_t pppd_unit_file_t : service { start stop status
reload } ;
   allow NetworkManager_t polipo_unit_file_t : service { start stop status
reload } ;
   allow NetworkManager_t dnsmasq_unit_file_t : service { start stop status
reload } ;

I rely on Dominick and Miroslav to get Fedora changes/fixes upstream.

Could you guys take care of getting systemd policy upstream.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLUAdMACgkQrlYvE4MpobN05gCeOxOi9JtmMoiCfovdC5np0ed8
1BkAnRzCRpGoIiHTY0E1D7OjHIFPHnp1
=wZz7
-----END PGP SIGNATURE-----


More information about the refpolicy mailing list