[refpolicy] systemd policy

Dominick Grift dominick.grift at gmail.com
Tue Jan 14 04:58:44 EST 2014


On Tue, 2014-01-14 at 10:46 +0100, Dominick Grift wrote:
> On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > > Having separate labels on the unit file is not just for "user" domains.   It
> > > is also for system domains, for example NetworkManager_t is allowed to
> > > start the following services.
> > 
> > OK.
> > 
> > I've attached a patch I'm using which defines some unit types and adds fc 
> > entries.  Some of them are missing fc entries, presumably because the daemons 
> > in question didn't have unit files at the time (this policy was taken from 
> > Fedora some time ago).
> > 
> > I've also added a stub systemd_unit_file() in init.if.  The full systemd policy 
> > patch will have to remove that.  I think this is OK to get the uncontroversial 
> > stuff included in the tree sooner.
> 
> Please send your patches in-line so that we can easily comment on them.
> 
> Here is one thing that can be improved in your patch:
> 
> This is how it's supposed to be:
> 
> /lib/systemd/system/alsa-.*\.service --
> gen_context(system_u:object_r:alsa_unit_file_t,s0)
> 
> These are not optimal and it's inconsistent with the above:
> 
> /lib/systemd/system/named.service --
> gen_context(system_u:object_r:named_unit_file_t,s0)
> 
> You see:
> 
> # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
> /run/systemd/system /usr/lib/systemd/system
> /run/systemd/generator /usr/lib/systemd/system
> /etc/systemd/system /usr/lib/systemd/system
> 
> So /etc/systemd/system is equivalent to /usr/lib/systemd/system
> 
> Now consider me having a name daemon DNS server on each of my two
> networks. Then I need an instance for each. So I create two "named" unit
> files in /etc/systemd/system/named_{network1,network2}.service
> 
> So we can use the .* wildcard to catch these?
> 
> So I would suggest we create file contexts for unit files with .*
> consistently to catch prefixed service files.
> 
> 

Maybe not the best example, but what I am saying is that I think, for
example, this:

/lib/systemd/system/named.service --
gen_context(system_u:object_r:named_unit_file_t,s0)

should be:

/lib/systemd/system/named.*\.service --
gen_context(system_u:object_r:named_unit_file_t,s0)

and that this should be implemented consistently for all unit file
context specifications where possible.

Even that may not be optimal, but I think it makes more sense.
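The labelling behaviour argued over in the thread, as an added example that is not code from the list or from refpolicy: a small Python model of the subs_dist prefix equivalence plus last-match-wins regex lookup, showing that a `named\.service` spec misses per-network instances such as `named_network1.service` while `named.*\.service` catches them. The subs_dist table and the specs are constructed from what the thread quotes, and the lookup is a simplification of what libselinux does (it anchors each spec and uses the last matching one); the `/lib` vs `/usr/lib` prefix is assumed to be equivalent here.

```python
import re

# Constructed equivalence table, after the *.subs_dist output quoted in the thread:
# a path under the left prefix is rewritten to the right prefix before matching.
# The /lib -> /usr/lib entry is an assumption so the specs below can use /usr/lib.
SUBS_DIST = [
    ("/run/systemd/system", "/usr/lib/systemd/system"),
    ("/run/systemd/generator", "/usr/lib/systemd/system"),
    ("/etc/systemd/system", "/usr/lib/systemd/system"),
    ("/lib", "/usr/lib"),
]

NAMED_CTX = "system_u:object_r:named_unit_file_t:s0"
UNIT_CTX = "system_u:object_r:systemd_unit_file_t:s0"

# Constructed specs in .fc style: (regex, file type, context). As in file_contexts,
# the more specific spec comes later and the last match wins.
SPECS_EXACT = [
    (r"/usr/lib/systemd/system/.*\.service", "--", UNIT_CTX),
    (r"/usr/lib/systemd/system/named\.service", "--", NAMED_CTX),
]
SPECS_WILDCARD = [
    (r"/usr/lib/systemd/system/.*\.service", "--", UNIT_CTX),
    (r"/usr/lib/systemd/system/named.*\.service", "--", NAMED_CTX),
]


def substitute(path):
    """Apply subs_dist-style prefix equivalence (first matching prefix wins)."""
    for src, dst in SUBS_DIST:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, specs, ftype="--"):
    """Return the context for `path`, or None if no spec matches.

    Specs are anchored at both ends (as setfiles does) and the last matching
    spec with a compatible file type is used.
    """
    path = substitute(path)
    for regex, spec_type, ctx in reversed(specs):
        if spec_type not in ("", ftype):
            continue
        if re.fullmatch(regex, path):
            return ctx
    return None
```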