[refpolicy] systemd policy

Dominick Grift dominick.grift at gmail.com
Tue Jan 14 04:46:23 EST 2014


On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > Having separate labels on the unit file is not just for "user" domains.   It
> > is also for system domains, for example NetworkManager_t is allowed to
> > start the following services.
> 
> OK.
> 
> I've attached a patch I'm using which defines some unit types and adds fc 
> entries.  Some of them are missing fc entries, presumably because the daemons 
> in question didn't have unit files at the time (this policy was taken from 
> Fedora some time ago).
> 
> I've also added a stub systemd_unit_file() in init.if.  The full systemd policy 
> patch will have to remove that.  I think this is OK to get the uncontroversial 
> stuff included in the tree sooner.

Please send your patches in-line so that we can easily comment on them.

Here is one thing that can be improved in your patch:

This is how it's supposed to be:

/lib/systemd/system/alsa-.*\.service --
gen_context(system_u:object_r:alsa_unit_file_t,s0)

These are not optimal and it's inconsistent with the above:

/lib/systemd/system/named.service --
gen_context(system_u:object_r:named_unit_file_t,s0)

You see:

# grep system /etc/selinux/targeted/contexts/files/*.subs_dist
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/etc/systemd/system /usr/lib/systemd/system

So /etc/systemd/system is equivalent to /usr/lib/systemd/system.

Now consider me having a name daemon (DNS server) on each of my two
networks. Then I need an instance for each. So I create two "named" unit
files in /etc/systemd/system/named_{network1,network2}.service

So we can use the .* wildcard to catch these?

So I would suggest we create file contexts for unit files with .*
consistently to catch prefixed service files.

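An added illustration, not code from this thread or from refpolicy: a small Python model of how a unit file path is first rewritten through subs_dist and then matched against anchored file_contexts regexes, showing why the exact "named.service" entry misses an instanced unit such as named_network1.service while the ".*" form catches it. It assumes the entries are written against the /usr/lib prefix that subs_dist rewrites to (the patch uses /lib), and simplifies libselinux's ordering to "the last matching entry wins".

```python
import re
# Constructed subs_dist, mirroring the grep output in the mail: "<src> <dst>".
SUBS_DIST = """
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/etc/systemd/system /usr/lib/systemd/system
"""
# Constructed fc entries (assumed /usr/lib prefix, the target of subs_dist):
# PATCH_FC has the exact "named.service" entry, SUGGESTED_FC the ".*" form.
PATCH_FC = r"""
/usr/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/usr/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""
SUGGESTED_FC = r"""
/usr/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""

def parse_subs(text):
    # (src, dst) pairs, one per non-blank line
    return [tuple(line.split()) for line in text.splitlines() if len(line.split()) == 2]

def substitute(path, subs):
    # one pass: the first src equal to the path or one of its parents wins
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def parse_fc(text):
    # yield (anchored regex, file-type flag, context) for each 3-field entry
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            m = re.fullmatch(r"gen_context\(([^,]+),(.+)\)", fields[2])
            yield re.compile("^" + fields[0] + "$"), fields[1], m.group(1) + ":" + m.group(2)

def label_for(path, fc_text, subs_text=SUBS_DIST, regular_file=True):
    # context the file would receive, or None when no entry matches it
    real = substitute(path, parse_subs(subs_text))
    label = None
    for rx, ftype, ctx in parse_fc(fc_text):
        if ftype == "--" and not regular_file:
            continue  # "--" entries apply to regular files only
        if rx.match(real):
            label = ctx  # assumption: last matching entry takes precedence
    return label
```

With PATCH_FC the instanced unit under /etc/systemd/system falls through to no unit label at all, which is exactly the gap the ".*" form closes.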