[refpolicy] systemd policy

Dominick Grift dominick.grift at gmail.com
Tue Jan 14 08:03:04 EST 2014


On Tue, 2014-01-14 at 13:35 +0100, Laurent Bigonville wrote:
> Le Tue, 14 Jan 2014 10:46:23 +0100,
> Dominick Grift <dominick.grift at gmail.com> a écrit :
> 
> > On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> > > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > > > Having separate labels on the unit file is not just for "user"
> > > > domains.   It is also for system domains, for example
> > > > NetworkManager_t is allowed to start the following services.
> > > 
> > > OK.
> > > 
> > > I've attached a patch I'm using which defines some unit types and
> > > adds fc entries.  Some of them are missing fc entries, presumably
> > > because the daemons in question didn't have unit files at the time
> > > (this policy was taken from Fedora some time ago).
> > > 
> > > I've also added a stub systemd_unit_file() in init.if.  The full
> > > systemd policy patch will have to remove that.  I think this is OK
> > > to get the uncontroversial stuff included in the tree sooner.
> > 
> > Please send your patches in-line so that we can easily comment on
> > them.
> > 
> > Here is one thing that can be improved in your patch:
> > 
> > This is how it's supposed to be:
> > 
> > /lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
> > 
> > These are not optimal and it's inconsistent with the above:
> > 
> > /lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
> > 
> > You see:
> > 
> > # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
> > /run/systemd/system /usr/lib/systemd/system
> > /run/systemd/generator /usr/lib/systemd/system
> > /etc/systemd/system /usr/lib/systemd/system
> > 
> > So /etc/systemd/system is equivalent to /usr/lib/systemd/system
> 
> Here comes a question: are we using the Fedora or the Debian paths for
> systemd? In Fedora everything is in /usr/lib/systemd, in Debian
> it's /lib/systemd. This should be standardized, and then we can add an
> equivalence for the others. I personally don't care; as most of the
> patches will come from Fedora, I guess we could use the Fedora way.
> 

Good question. I think it's probably easier to make /lib(64)? equivalent
to /usr/lib(64)?

E.g. use /usr/lib(64)?

and add:

/lib /usr/lib
/lib64 /usr/lib64

... to file_contexts.subs_dist
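The point being made in this thread (an fc entry written against /lib/systemd or /etc/systemd is never reached once those prefixes are substituted to /usr/lib/systemd) is easiest to see by modelling the lookup. The script below is an added example, not code from the thread or from refpolicy or libselinux: it is a simplified Python model of how a file_contexts.subs_dist file is applied to a path before the path is matched against file_contexts. The subs_dist and file_contexts samples are constructed from the lines quoted above plus the two /lib lines proposed in the reply. Two modelling assumptions are labelled in the code: substitution rules are tried longest source prefix first, and among matching file_contexts entries the last one wins.

```python
import re

# Constructed subs_dist sample: the three lines quoted from
# /etc/selinux/targeted/contexts/files/*.subs_dist plus the two
# lines proposed in the reply.
SUBS_DIST = """\
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/etc/systemd/system /usr/lib/systemd/system
/lib /usr/lib
/lib64 /usr/lib64
"""

# Constructed file_contexts fragment. The alsa entry uses the canonical
# /usr/lib form; the named entry is written against /lib as in the patch
# under review. Entries are ordered general first, specific last.
FILE_CONTEXTS = r"""
/usr/lib/systemd/system(/.*)?  gen_context(system_u:object_r:systemd_unit_file_t,s0)
/usr/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/lib/systemd/system/named\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""


def parse_subs(text):
    """Parse 'src dst' lines. Assumption: longest source prefix is tried first."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = line.split()
        rules.append((src.rstrip("/"), dst.rstrip("/")))
    rules.sort(key=lambda r: len(r[0]), reverse=True)
    return rules


def substitute(path, rules):
    """Rewrite PATH when a rule's source matches it on a component boundary,
    so that /lib is replaced but /libfoo is left alone."""
    for src, dst in rules:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


_FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")
_GEN_CTX = re.compile(r"^gen_context\(([^,]+),([^)]+)\)$")


def parse_fc(text):
    """Parse file_contexts lines into (anchored regex, type flag, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _FC_LINE.match(line)
        if not m:
            raise ValueError("unparseable file_contexts line: %r" % line)
        regex, ftype, ctx = m.groups()
        g = _GEN_CTX.match(ctx)
        if g:  # expand gen_context(user:role:type, mls) to user:role:type:mls
            ctx = "%s:%s" % (g.group(1), g.group(2))
        entries.append((re.compile("^" + regex + "$"), ftype, ctx))
    return entries


def lookup(path, entries, rules, ftype="-"):
    """Simplified matchpathcon: apply subs_dist, then return the context of the
    last entry whose regex matches the whole path and whose file-type flag, if
    present, agrees with FTYPE ('-' regular file, 'd' directory, ...).
    Assumption: last matching entry wins. Returns None when nothing matches."""
    path = substitute(path, rules)
    for regex, flag, ctx in reversed(entries):
        if flag is not None and flag[1] != ftype:
            continue
        if regex.match(path):
            return ctx
    return None


if __name__ == "__main__":
    rules = parse_subs(SUBS_DIST)
    entries = parse_fc(FILE_CONTEXTS)
    for p in ("/lib/systemd/system/alsa-restore.service",
              "/etc/systemd/system/alsa-restore.service",
              "/etc/systemd/system/named.service",
              "/lib/systemd/system/named.service"):
        print("%-45s -> %s" % (p, lookup(p, entries, rules)))
    # The named entry only matches when no substitution is in effect:
    print("no subs_dist: /lib/systemd/system/named.service ->",
          lookup("/lib/systemd/system/named.service", entries, []))
```

Running it shows the alsa unit reached through /lib and /etc both labelled alsa_unit_file_t, while named.service falls through to the generic systemd_unit_file_t from every path: the named entry written against /lib only matches when the subs_dist rules are removed, which is why the entry should be written against /usr/lib (the substitution target) rather than /lib.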