[refpolicy] systemd policy

Laurent Bigonville bigon at debian.org
Tue Jan 14 07:35:12 EST 2014


Le Tue, 14 Jan 2014 10:46:23 +0100,
Dominick Grift <dominick.grift at gmail.com> wrote:

> On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > > Having separate labels on the unit file is not just for "user"
> > > domains. It is also for system domains, for example
> > > NetworkManager_t is allowed to start the following services.
> > 
> > OK.
> > 
> > I've attached a patch I'm using which defines some unit types and
> > adds fc entries.  Some of them are missing fc entries, presumably
> > because the daemons in question didn't have unit files at the time
> > (this policy was taken from Fedora some time ago).
> > 
> > I've also added a stub systemd_unit_file() in init.if.  The full
> > systemd policy patch will have to remove that.  I think this is OK
> > to get the uncontroversial stuff included in the tree sooner.
> 
> Please send your patches in-line so that we can easily comment on
> them.
> 
> Here is one thing that can be improved in your patch:
> 
> This is how it's supposed to be:
> 
> /lib/systemd/system/alsa-.*\.service --
> gen_context(system_u:object_r:alsa_unit_file_t,s0)
> 
> These are not optimal and it's inconsistent with above:
> 
> /lib/systemd/system/named.service --
> gen_context(system_u:object_r:named_unit_file_t,s0)
> 
> You see:
> 
> # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
> /run/systemd/system /usr/lib/systemd/system
> /run/systemd/generator /usr/lib/systemd/system
> /etc/systemd/system /usr/lib/systemd/system
> 
> So /etc/systemd/system is equivalent to /usr/lib/systemd/system

Here comes a question: are we using the Fedora or the Debian paths for
systemd? In Fedora everything is in /usr/lib/systemd, in Debian
it's /lib/systemd. This should be standardized, and then we can add an
equivalence for the others. I personally don't care, as most of the
patches will come from Fedora, I guess we could use the Fedora way.
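As an added illustration (not part of this thread, and not refpolicy or libselinux code), here is a small Python model of how matchpathcon-style lookup combines subs_dist substitution with file_contexts matching. The subs_dist lines and the two file_contexts entries are constructed from what is quoted above; FEDORA_FC and DEBIAN_EQUIV are a hypothetical sketch of "standardize on the Fedora path, then add an equivalence for the Debian one".

```python
import re

# Constructed from the grep output quoted in the thread (Fedora targeted policy).
FEDORA_SUBS = """
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/etc/systemd/system /usr/lib/systemd/system
"""
# Constructed file_contexts fragment: the two entries quoted in the thread,
# which label the Debian path /lib/systemd rather than Fedora's /usr/lib/systemd.
PATCH_FC = r"""
/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""
# Hypothetical variant: file_contexts standardized on /usr/lib/systemd, plus one
# extra subs_dist line mapping Debian's /lib/systemd/system onto it.
FEDORA_FC = PATCH_FC.replace("/lib/systemd", "/usr/lib/systemd")
DEBIAN_EQUIV = FEDORA_SUBS + "/lib/systemd/system /usr/lib/systemd/system\n"

SPEC_RE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(([^,]+),(\w+)\)$")

def parse_fc(text):
    """Return (compiled regex, file type, context) for each file_contexts line."""
    specs = []
    for line in text.strip().splitlines():
        m = SPEC_RE.match(line)
        if m:  # setfiles anchors the path regex at both ends
            specs.append((re.compile("^" + m.group(1) + "$"), m.group(2), m.group(3)))
    return specs

def substitute(path, subs_text):
    """Apply subs_dist: rewrite the longest matching source prefix to its target."""
    best = None
    for src, dst in (l.split() for l in subs_text.strip().splitlines()):
        if path == src or path.startswith(src + "/"):
            if best is None or len(src) > len(best[0]):
                best = (src, dst)
    return path if best is None else best[1] + path[len(best[0]):]

def label_for(path, fc_text, subs_text):
    """Substitute first, then take the last matching spec (libselinux's ordering rule)."""
    path = substitute(path, subs_text)
    label = None
    for rx, _ftype, ctx in parse_fc(fc_text):
        if rx.match(path):
            label = ctx
    return label

if __name__ == "__main__":
    for p in ("/lib/systemd/system/named.service", "/etc/systemd/system/named.service"):
        print(p, "->", label_for(p, PATCH_FC, FEDORA_SUBS))
```

With the patch's /lib/systemd entries and Fedora's subs_dist, a unit in /etc/systemd/system is rewritten to /usr/lib/systemd/system and matches nothing, which is exactly the mismatch the question above is about; the FEDORA_FC/DEBIAN_EQUIV pair resolves all four directories to the same label.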
