[refpolicy] systemd policy

Laurent Bigonville bigon at debian.org
Tue Jan 14 07:22:05 EST 2014


On Tue, 14 Jan 2014 10:37:29 +1100,
Russell Coker <russell at coker.com.au> wrote:

[...]
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -389,10 +389,14 @@
>  class system
>  {
>  	ipc_info
> -	syslog_read  
> +	syslog_read
>  	syslog_mod
>  	syslog_console
>  	module_request
> +	halt
> +	reboot
> +	status
> +	undefined
>  }

I don't know where this "undefined" is coming from. I looked
some time ago in the systemd source code and undefined was not used.

And it's missing "enable" and "disable".

You can grep "SELINUX_ACCESS_CHECK" in the code.

>  
>  #
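Review bot: the new `undefined` permission in `class system` carries no comment saying which object-manager operation requests it, and the hunk mixes a whitespace-only change (the trailing spaces stripped from `syslog_read`) with the functional additions. Either drop `undefined` or annotate it with the operation that checks it, and move the whitespace cleanup into its own commit so the permission change stays reviewable on its own.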
> @@ -865,3 +869,20 @@
>  	implement
>  	execute
>  }
> +
> +class service
> +{
> +	start
> +	stop
> +	status
> +	reload
> +	kill
> +	load
> +	enable
> +	disable
> +}

Here again, I don't think all these AV are in use.

You can grep "SELINUX_UNIT_ACCESS_CHECK" in the code; only start, stop,
status and reload are used here, I think.

> +class proxy
> +{
> +	read
> +}
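Review bot: `class service` and `class proxy` are added here without any comment, while the matching `security_classes` hunk labels them `# systemd services` and `# gssd services`; carry the same labels into access_vectors so a reader of this file can tell which userspace object manager enforces each permission list. Since the two blocks belong to different daemons, the `proxy` block would also be easier to review as a separate patch.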
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -131,4 +131,10 @@
>  class db_sequence		# userspace
>  class db_language		# userspace
>  
> +# systemd services
> +class service
> +
> +# gssd services
> +class proxy
> +
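Review bot: the surrounding entries in this hunk mark userspace-enforced classes with a trailing `# userspace` comment (`class db_sequence		# userspace`), but the new `class service` and `class proxy` lines omit it even though both are enforced by daemons rather than by the kernel; add the marker, e.g. `class service		# userspace`, so the file's convention stays consistent.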

I'm not sure that the "proxy" class should be part of the same patch;
this is not needed for systemd.

[...]


Cheers,

Laurent Bigonville
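The cross-check described in this message (grep the object manager's source for the permission strings it actually requests and compare them with what `access_vectors` declares) as an added shell example; it is not code from the thread, from refpolicy or from systemd. The policy fragment and the two source files are constructed inline to mirror the quoted hunks, and the call shape assumed for `SELINUX_ACCESS_CHECK` / `SELINUX_UNIT_ACCESS_CHECK` (a quoted permission as the last argument) is an assumption, so adapt `requested_perms` to the real call sites before running it against a real tree:

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy/systemd: cross-check
# the permissions a refpolicy access_vectors class declares against the
# permission strings the userspace object manager actually requests.
# The policy fragment and source files below are constructed; the macro names
# are the ones the thread says to grep for, but the call shape is an assumption.
set -eu
export LC_ALL=C

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/src"

# Constructed access_vectors fragment mirroring the quoted hunks.
cat > "$WORK/access_vectors" <<'EOF'
class system
{
	ipc_info
	halt
	reboot
	status
	undefined
}

class service
{
	start
	stop
	status
	reload
	kill
	load
	enable
	disable
}
EOF

# Constructed stand-in for the object manager's source tree.
cat > "$WORK/src/dbus-manager.c" <<'EOF'
SELINUX_ACCESS_CHECK(connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "halt");
SELINUX_ACCESS_CHECK(connection, message, "enable");
SELINUX_ACCESS_CHECK(connection, message, "disable");
EOF
cat > "$WORK/src/dbus-unit.c" <<'EOF'
SELINUX_UNIT_ACCESS_CHECK(u, connection, message, "start");
SELINUX_UNIT_ACCESS_CHECK(u, connection, message, "stop");
SELINUX_UNIT_ACCESS_CHECK(u, connection, message, "status");
SELINUX_UNIT_ACCESS_CHECK(u, connection, message, "reload");
EOF

# declared_perms FILE CLASS: permission names inside "class CLASS { ... }".
declared_perms() {
    awk -v cls="$2" '
        $1 == "class" && $2 == cls { inblock = 1; next }
        inblock && $1 == "{"        { next }
        inblock && $1 == "}"        { exit }
        inblock && NF               { print $1 }
    ' "$1" | sort -u
}

# requested_perms MACRO DIR: the quoted permission string of every MACRO(...) call.
requested_perms() {
    grep -rho "$1([^)]*)" "$2" | sed -n 's/.*"\([^"]*\)").*/\1/p' | sort -u
}

# unused_perms FILE CLASS MACRO DIR: declared in policy but never requested in code.
unused_perms() {
    declared_perms "$1" "$2" > "$WORK/declared"
    requested_perms "$3" "$4" > "$WORK/requested"
    comm -23 "$WORK/declared" "$WORK/requested"
}

# missing_perms FILE CLASS MACRO DIR: requested in code but absent from policy.
missing_perms() {
    declared_perms "$1" "$2" > "$WORK/declared"
    requested_perms "$3" "$4" > "$WORK/requested"
    comm -13 "$WORK/declared" "$WORK/requested"
}

echo "class system: declared but never requested:"
unused_perms "$WORK/access_vectors" system SELINUX_ACCESS_CHECK "$WORK/src"
echo "class system: requested but not declared:"
missing_perms "$WORK/access_vectors" system SELINUX_ACCESS_CHECK "$WORK/src"
echo "class service: declared but never requested:"
unused_perms "$WORK/access_vectors" service SELINUX_UNIT_ACCESS_CHECK "$WORK/src"
```

Run against the constructed inputs, `unused_perms` for `class system` reports `ipc_info` and `undefined`, `missing_perms` reports `enable` and `disable`, and `unused_perms` for `class service` reports `disable`, `enable`, `kill` and `load`; on a real tree, each name in the first list is a permission nobody can ever be granted meaningfully, and each name in the second is a check the daemon performs that the policy cannot express.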

