Below is a patch that's been in my Debian tree for some time, I didn't write
it I took it from rawhide some years ago.
Is this the way we are going to do things? If so I can tidy it up and
submit it. If not I'll delete it and make the Debian policy work without it.
Note that I am not suggesting this patch for inclusion at the moment. I'm
just offering it for discussion.
Description: Add systemd unit types
Author: Russell Coker <[email protected]>
Last-Update: 2014-09-13
Index: refpolicy/policy/modules/contrib/alsa.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/alsa.fc
+++ refpolicy/policy/modules/contrib/alsa.fc
@@ -29,5 +29,6 @@ ifdef(`distro_debian',`
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/lib/systemd/system/alsa.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0)
Index: refpolicy/policy/modules/contrib/alsa.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/alsa.te
+++ refpolicy/policy/modules/contrib/alsa.te
@@ -33,6 +33,9 @@ files_lock_file(alsa_var_lock_t)
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/apache.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.fc
+++ refpolicy/policy/modules/contrib/apache.fc
@@ -28,6 +28,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
Index: refpolicy/policy/modules/contrib/apache.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.te
+++ refpolicy/policy/modules/contrib/apache.te
@@ -289,6 +289,8 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
+type httpd_unit_file_t;
+systemd_unit_file(httpd_unit_file_t)
type httpd_lock_t;
files_lock_file(httpd_lock_t)
Index: refpolicy/policy/modules/contrib/apcupsd.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apcupsd.fc
+++ refpolicy/policy/modules/contrib/apcupsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
Index: refpolicy/policy/modules/contrib/apcupsd.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apcupsd.te
+++ refpolicy/policy/modules/contrib/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/apm.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apm.fc
+++ refpolicy/policy/modules/contrib/apm.fc
@@ -17,3 +17,5 @@
/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
+
+/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/apm.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apm.te
+++ refpolicy/policy/modules/contrib/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
########################################
#
# Client local policy
Index: refpolicy/policy/modules/contrib/arpwatch.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/arpwatch.fc
+++ refpolicy/policy/modules/contrib/arpwatch.fc
@@ -7,3 +7,5 @@
/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
/var/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+
+/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/arpwatch.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/arpwatch.te
+++ refpolicy/policy/modules/contrib/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/automount.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/automount.fc
+++ refpolicy/policy/modules/contrib/automount.fc
@@ -6,3 +6,5 @@
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
+
+/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/automount.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/automount.te
+++ refpolicy/policy/modules/contrib/automount.te
@@ -25,6 +25,9 @@ files_mountpoint(automount_tmp_t)
type automount_var_run_t;
files_pid_file(automount_var_run_t)
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/avahi.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/avahi.fc
+++ refpolicy/policy/modules/contrib/avahi.fc
@@ -7,3 +7,5 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+
+/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/avahi.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/avahi.te
+++ refpolicy/policy/modules/contrib/avahi.te
@@ -19,6 +19,9 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/bind.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/bind.fc
+++ refpolicy/policy/modules/contrib/bind.fc
@@ -14,6 +14,9 @@
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
Index: refpolicy/policy/modules/contrib/bind.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/bind.te
+++ refpolicy/policy/modules/contrib/bind.te
@@ -47,6 +47,9 @@ init_script_file(named_initrc_exec_t)
type named_keytab_t;
files_type(named_keytab_t)
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
type named_log_t;
logging_log_file(named_log_t)
Index: refpolicy/policy/modules/contrib/bluetooth.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/bluetooth.fc
+++ refpolicy/policy/modules/contrib/bluetooth.fc
@@ -25,3 +25,5 @@
/var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+
+/lib/systemd/system/bluetooth.*\.service -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/bluetooth.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/bluetooth.te
+++ refpolicy/policy/modules/contrib/bluetooth.te
@@ -52,6 +52,9 @@ files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/clamav.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/clamav.fc
+++ refpolicy/policy/modules/contrib/clamav.fc
@@ -24,3 +24,5 @@
/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+
+/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/clamav.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/clamav.te
+++ refpolicy/policy/modules/contrib/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
Index: refpolicy/policy/modules/contrib/consolekit.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/consolekit.fc
+++ refpolicy/policy/modules/contrib/consolekit.fc
@@ -1,3 +1,5 @@
+/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
Index: refpolicy/policy/modules/contrib/consolekit.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/consolekit.te
+++ refpolicy/policy/modules/contrib/consolekit.te
@@ -19,6 +19,9 @@ type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/cron.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.fc
+++ refpolicy/policy/modules/contrib/cron.fc
@@ -64,3 +64,6 @@ ifdef(`distro_suse',`
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
+
+/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/cron.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.te
+++ refpolicy/policy/modules/contrib/cron.te
@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
Index: refpolicy/policy/modules/contrib/cups.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/cups.fc
+++ refpolicy/policy/modules/contrib/cups.fc
@@ -75,3 +75,5 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/cups.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cups.te
+++ refpolicy/policy/modules/contrib/cups.te
@@ -63,6 +63,9 @@ files_pid_file(cupsd_var_run_t)
init_daemon_pid_file(cupsd_var_run_t, dir, "cups")
mls_trusted_object(cupsd_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
+
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
Index: refpolicy/policy/modules/contrib/dhcp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/dhcp.fc
+++ refpolicy/policy/modules/contrib/dhcp.fc
@@ -6,3 +6,4 @@
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/dhcp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dhcp.te
+++ refpolicy/policy/modules/contrib/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
type dhcpd_state_t;
files_type(dhcpd_state_t)
Index: refpolicy/policy/modules/contrib/dnsmasq.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/dnsmasq.fc
+++ refpolicy/policy/modules/contrib/dnsmasq.fc
@@ -15,3 +15,4 @@
/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/lib/systemd/system/dnsmasq.*\.service -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/dnsmasq.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dnsmasq.te
+++ refpolicy/policy/modules/contrib/dnsmasq.te
@@ -27,6 +27,9 @@ logging_log_file(dnsmasq_var_log_t)
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/ftp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ftp.fc
+++ refpolicy/policy/modules/contrib/ftp.fc
@@ -26,3 +26,6 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+
+/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/ftp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ftp.te
+++ refpolicy/policy/modules/contrib/ftp.te
@@ -127,6 +127,9 @@ init_script_file(ftpd_initrc_exec_t)
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
Index: refpolicy/policy/modules/contrib/kdump.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/kdump.fc
+++ refpolicy/policy/modules/contrib/kdump.fc
@@ -11,3 +11,5 @@
/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
+/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/kdump.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/kdump.te
+++ refpolicy/policy/modules/contrib/kdump.te
@@ -26,6 +26,9 @@ application_executable_file(kdumpctl_exe
type kdumpctl_tmp_t;
files_tmp_file(kdumpctl_tmp_t)
+type kdump_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
#####################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/ldap.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ldap.fc
+++ refpolicy/policy/modules/contrib/ldap.fc
@@ -27,3 +27,5 @@
/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+
+/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/ldap.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ldap.te
+++ refpolicy/policy/modules/contrib/ldap.te
@@ -24,6 +24,9 @@ init_script_file(slapd_initrc_exec_t)
type slapd_keytab_t;
files_type(slapd_keytab_t)
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
type slapd_lock_t;
files_lock_file(slapd_lock_t)
Index: refpolicy/policy/modules/contrib/mysql.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/mysql.fc
+++ refpolicy/policy/modules/contrib/mysql.fc
@@ -25,3 +25,5 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+
+/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mysql.te
+++ refpolicy/policy/modules/contrib/mysql.te
@@ -38,6 +38,9 @@ files_config_file(mysqld_etc_t)
type mysqld_home_t;
userdom_user_home_content(mysqld_home_t)
+type mysqld_unit_file_t;
+systemd_unit_file(mysqld_unit_file_t)
+
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
Index: refpolicy/policy/modules/contrib/networkmanager.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/networkmanager.fc
+++ refpolicy/policy/modules/contrib/networkmanager.fc
@@ -1,3 +1,4 @@
+/lib/systemd/system/NetworkManager.*\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
Index: refpolicy/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy/policy/modules/contrib/networkmanager.te
@@ -18,6 +18,9 @@ files_config_file(NetworkManager_etc_rw_
type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
Index: refpolicy/policy/modules/contrib/nis.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/nis.fc
+++ refpolicy/policy/modules/contrib/nis.fc
@@ -20,3 +20,8 @@
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/nis.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/nis.te
+++ refpolicy/policy/modules/contrib/nis.te
@@ -27,6 +27,9 @@ files_tmp_file(ypbind_tmp_t)
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
+type ypbind_unit_file_t;
+systemd_unit_file(ypbind_unit_file_t)
+
type yppasswdd_t;
type yppasswdd_exec_t;
init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
@@ -55,6 +58,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
+type nis_unit_file_t;
+systemd_unit_file(nis_unit_file_t)
+
########################################
#
# ypbind local policy
Index: refpolicy/policy/modules/contrib/nscd.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/nscd.te
+++ refpolicy/policy/modules/contrib/nscd.te
@@ -31,6 +31,9 @@ role nscd_roles types nscd_t;
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
+type nscd_unit_file_t;
+systemd_unit_file(nscd_unit_file_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
Index: refpolicy/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.fc
+++ refpolicy/policy/modules/contrib/ntp.fc
@@ -27,3 +27,7 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.te
+++ refpolicy/policy/modules/contrib/ntp.te
@@ -21,6 +21,9 @@ init_script_file(ntpd_initrc_exec_t)
type ntp_conf_t;
files_config_file(ntp_conf_t)
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
type ntpd_key_t;
files_type(ntpd_key_t)
Index: refpolicy/policy/modules/contrib/ppp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ppp.fc
+++ refpolicy/policy/modules/contrib/ppp.fc
@@ -28,3 +28,5 @@ HOME_DIR/\.ppprc -- gen_context(system_u
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/ppp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ppp.te
+++ refpolicy/policy/modules/contrib/ppp.te
@@ -41,6 +41,9 @@ files_type(pppd_etc_rw_t)
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
type pppd_secret_t;
files_type(pppd_secret_t)
Index: refpolicy/policy/modules/contrib/rpc.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/rpc.fc
+++ refpolicy/policy/modules/contrib/rpc.fc
@@ -20,3 +20,6 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
+/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
Index: refpolicy/policy/modules/contrib/rpc.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/rpc.te
+++ refpolicy/policy/modules/contrib/rpc.te
@@ -52,11 +52,17 @@ rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
+type rpcd_unit_file_t;
+systemd_unit_file(rpcd_unit_file_t)
+
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
init_script_file(nfsd_initrc_exec_t)
+type nfsd_unit_file_t;
+systemd_unit_file(nfsd_unit_file_t)
+
type nfsd_rw_t;
files_type(nfsd_rw_t)
Index: refpolicy/policy/modules/contrib/samba.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/samba.fc
+++ refpolicy/policy/modules/contrib/samba.fc
@@ -8,6 +8,8 @@
/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
Index: refpolicy/policy/modules/contrib/samba.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/samba.te
+++ refpolicy/policy/modules/contrib/samba.te
@@ -113,6 +113,9 @@ files_config_file(samba_etc_t)
type samba_initrc_exec_t;
init_script_file(samba_initrc_exec_t)
+type samba_unit_file_t;
+systemd_unit_file(samba_unit_file_t)
+
type samba_log_t;
logging_log_file(samba_log_t)
Index: refpolicy/policy/modules/contrib/tor.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/tor.fc
+++ refpolicy/policy/modules/contrib/tor.fc
@@ -5,6 +5,8 @@
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0)
+
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
Index: refpolicy/policy/modules/contrib/tor.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/tor.te
+++ refpolicy/policy/modules/contrib/tor.te
@@ -33,6 +33,9 @@ type tor_var_run_t;
files_pid_file(tor_var_run_t)
init_daemon_pid_file(tor_var_run_t, dir, "tor")
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/system/iptables.fc
===================================================================
--- refpolicy.orig/policy/modules/system/iptables.fc
+++ refpolicy/policy/modules/system/iptables.fc
@@ -3,6 +3,9 @@
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/lib/systemd/system/iptables.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/lib/systemd/system/ip6tables.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
Index: refpolicy/policy/modules/system/iptables.te
===================================================================
--- refpolicy.orig/policy/modules/system/iptables.te
+++ refpolicy/policy/modules/system/iptables.te
@@ -28,6 +28,9 @@ init_unit_file(iptables_unit_t)
type iptables_var_run_t;
files_pid_file(iptables_var_run_t)
+type iptables_unit_file_t;
+systemd_unit_file(iptables_unit_file_t)
+
########################################
#
# Iptables local policy
Index: refpolicy/policy/modules/system/logging.fc
===================================================================
--- refpolicy.orig/policy/modules/system/logging.fc
+++ refpolicy/policy/modules/system/logging.fc
@@ -6,6 +6,8 @@
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/lib/systemd/system/auditd.*\.service -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
+
/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
@@ -27,6 +29,7 @@
/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
Index: refpolicy/policy/modules/system/logging.te
===================================================================
--- refpolicy.orig/policy/modules/system/logging.te
+++ refpolicy/policy/modules/system/logging.te
@@ -12,6 +12,9 @@ type auditctl_exec_t;
init_system_domain(auditctl_t, auditctl_exec_t)
role system_r types auditctl_t;
+type auditd_unit_file_t;
+systemd_unit_file(auditd_unit_file_t)
+
type auditd_etc_t;
files_security_file(auditd_etc_t)
@@ -69,6 +72,9 @@ type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
init_named_socket_activation(syslogd_t, syslogd_var_run_t)
+type syslogd_unit_file_t;
+systemd_unit_file(syslogd_unit_file_t)
+
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
Index: refpolicy/policy/flask/access_vectors
===================================================================
--- refpolicy.orig/policy/flask/access_vectors
+++ refpolicy/policy/flask/access_vectors
@@ -931,3 +931,8 @@ class service
enable
disable
}
+
+class proxy
+{
+ read
+}
Index: refpolicy/policy/flask/security_classes
===================================================================
--- refpolicy.orig/policy/flask/security_classes
+++ refpolicy/policy/flask/security_classes
@@ -147,4 +147,7 @@ class db_language # userspace
class service # userspace
+# gssd services
+class proxy
+
# FLASK
Index: refpolicy/policy/modules/system/init.if
===================================================================
--- refpolicy.orig/policy/modules/system/init.if
+++ refpolicy/policy/modules/system/init.if
@@ -2504,3 +2504,17 @@ interface(`init_reload_all_units',`
allow $1 systemdunit:service reload;
')
+
+#######################################
+## <summary>
+## Create a file type used for systemd unit files.
+## </summary>
+## <param name="script_file">
+## <summary>
+## Type to be used for an unit file.
+## </summary>
+## </param>
+#
+interface(`systemd_unit_file',`
+ files_type($1)
+')
Index: refpolicy/policy/modules/system/selinuxutil.fc
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.fc
+++ refpolicy/policy/modules/system/selinuxutil.fc
@@ -36,6 +36,7 @@
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_file_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te
+++ refpolicy/policy/modules/system/selinuxutil.te
@@ -85,6 +85,9 @@ init_daemon_domain(restorecond_t, restor
domain_obj_id_change_exemption(restorecond_t)
role system_r types restorecond_t;
+type restorecond_unit_file_t;
+systemd_unit_file(restorecond_unit_file_t)
+
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
Index: refpolicy/policy/modules/system/setrans.fc
===================================================================
--- refpolicy.orig/policy/modules/system/setrans.fc
+++ refpolicy/policy/modules/system/setrans.fc
@@ -1,5 +1,6 @@
/etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0)
/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_file_t,s0)
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
Index: refpolicy/policy/modules/system/setrans.te
===================================================================
--- refpolicy.orig/policy/modules/system/setrans.te
+++ refpolicy/policy/modules/system/setrans.te
@@ -13,6 +13,9 @@ type setrans_t;
type setrans_exec_t;
init_daemon_domain(setrans_t, setrans_exec_t)
+type setrans_unit_file_t;
+systemd_unit_file(setrans_unit_file_t)
+
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
Index: refpolicy/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy/policy/modules/kernel/corecommands.fc
@@ -135,7 +135,7 @@ ifdef(`distro_debian',`
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/systemd/systemd-.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy/policy/modules/system/systemd.te
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.te
+++ refpolicy/policy/modules/system/systemd.te
@@ -5,6 +5,13 @@ policy_module(systemd, 1.1.0)
# Declarations
#
+attribute systemd_unit_file_type;
+
+# type for systemd unit files
+type systemd_unit_file_t;
+systemd_unit_file(systemd_unit_file_t)
+allow init_t systemd_unit_file_t:service { stop start status reload };
+
## <desc>
## <p>
## Enable support for systemd-tmpfiles to manage all non-security files.
On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
> Below is a patch that's been in my Debian tree for some time, I didn't write
> it I took it from rawhide some years ago.
>
> Is this the way we are going to do things? If so I can tidy it up and
> submit it. If not I'll delete it and make the Debian policy work without it.
>
> Note that I am not suggesting this patch for inclusion at the moment. I'm
> just offering it for discussion.
We have unit files in refpol yeah, they are different from the stuff in
redhat tho i think.
A whole bunch like this for example:
mandb.te:type mandb_unit_t;
mandb.te:init_unit_file(mandb_unit_t)
mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
-- Jason
> Description: Add systemd unit types
> Author: Russell Coker <[email protected]>
> Last-Update: 2014-09-13
>
> Index: refpolicy/policy/modules/contrib/alsa.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/alsa.fc
> +++ refpolicy/policy/modules/contrib/alsa.fc
> @@ -29,5 +29,6 @@ ifdef(`distro_debian',`
> /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
>
> /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
> +/lib/systemd/system/alsa.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
>
> /var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0)
> Index: refpolicy/policy/modules/contrib/alsa.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/alsa.te
> +++ refpolicy/policy/modules/contrib/alsa.te
> @@ -33,6 +33,9 @@ files_lock_file(alsa_var_lock_t)
> type alsa_home_t;
> userdom_user_home_content(alsa_home_t)
>
> +type alsa_unit_file_t;
> +systemd_unit_file(alsa_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/apache.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/apache.fc
> +++ refpolicy/policy/modules/contrib/apache.fc
> @@ -28,6 +28,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> +/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
> +/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
> +
> /opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
>
> Index: refpolicy/policy/modules/contrib/apache.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/apache.te
> +++ refpolicy/policy/modules/contrib/apache.te
> @@ -289,6 +289,8 @@ init_script_file(httpd_initrc_exec_t)
> type httpd_keytab_t;
> files_type(httpd_keytab_t)
>
> +type httpd_unit_file_t;
> +systemd_unit_file(httpd_unit_file_t)
> type httpd_lock_t;
> files_lock_file(httpd_lock_t)
>
> Index: refpolicy/policy/modules/contrib/apcupsd.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/apcupsd.fc
> +++ refpolicy/policy/modules/contrib/apcupsd.fc
> @@ -1,5 +1,7 @@
> /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
>
> +/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
> +
> /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
>
> /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
> Index: refpolicy/policy/modules/contrib/apcupsd.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/apcupsd.te
> +++ refpolicy/policy/modules/contrib/apcupsd.te
> @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
> type apcupsd_var_run_t;
> files_pid_file(apcupsd_var_run_t)
>
> +type apcupsd_unit_file_t;
> +systemd_unit_file(apcupsd_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/apm.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/apm.fc
> +++ refpolicy/policy/modules/contrib/apm.fc
> @@ -17,3 +17,5 @@
> /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
>
> /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
> +
> +/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/apm.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/apm.te
> +++ refpolicy/policy/modules/contrib/apm.te
> @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
> type apmd_var_run_t;
> files_pid_file(apmd_var_run_t)
>
> +type apmd_unit_file_t;
> +systemd_unit_file(apmd_unit_file_t)
> +
> ########################################
> #
> # Client local policy
> Index: refpolicy/policy/modules/contrib/arpwatch.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/arpwatch.fc
> +++ refpolicy/policy/modules/contrib/arpwatch.fc
> @@ -7,3 +7,5 @@
> /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
>
> /var/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
> +
> +/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/arpwatch.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/arpwatch.te
> +++ refpolicy/policy/modules/contrib/arpwatch.te
> @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
> type arpwatch_var_run_t;
> files_pid_file(arpwatch_var_run_t)
>
> +type arpwatch_unit_file_t;
> +systemd_unit_file(arpwatch_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/automount.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/automount.fc
> +++ refpolicy/policy/modules/contrib/automount.fc
> @@ -6,3 +6,5 @@
> /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
>
> /var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
> +
> +/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/automount.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/automount.te
> +++ refpolicy/policy/modules/contrib/automount.te
> @@ -25,6 +25,9 @@ files_mountpoint(automount_tmp_t)
> type automount_var_run_t;
> files_pid_file(automount_var_run_t)
>
> +type automount_unit_file_t;
> +systemd_unit_file(automount_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/avahi.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/avahi.fc
> +++ refpolicy/policy/modules/contrib/avahi.fc
> @@ -7,3 +7,5 @@
> /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
>
> /var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
> +
> +/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/avahi.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/avahi.te
> +++ refpolicy/policy/modules/contrib/avahi.te
> @@ -19,6 +19,9 @@ files_pid_file(avahi_var_lib_t)
> type avahi_var_run_t;
> files_pid_file(avahi_var_run_t)
>
> +type avahi_unit_file_t;
> +systemd_unit_file(avahi_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/bind.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/bind.fc
> +++ refpolicy/policy/modules/contrib/bind.fc
> @@ -14,6 +14,9 @@
> /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
> /etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
>
> +/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
> +/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
> +
> /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
> /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
> /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
> Index: refpolicy/policy/modules/contrib/bind.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/bind.te
> +++ refpolicy/policy/modules/contrib/bind.te
> @@ -47,6 +47,9 @@ init_script_file(named_initrc_exec_t)
> type named_keytab_t;
> files_type(named_keytab_t)
>
> +type named_unit_file_t;
> +systemd_unit_file(named_unit_file_t)
> +
> type named_log_t;
> logging_log_file(named_log_t)
>
> Index: refpolicy/policy/modules/contrib/bluetooth.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/bluetooth.fc
> +++ refpolicy/policy/modules/contrib/bluetooth.fc
> @@ -25,3 +25,5 @@
>
> /var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0)
> /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
> +
> +/lib/systemd/system/bluetooth.*\.service -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/bluetooth.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/bluetooth.te
> +++ refpolicy/policy/modules/contrib/bluetooth.te
> @@ -52,6 +52,9 @@ files_type(bluetooth_var_lib_t)
> type bluetooth_var_run_t;
> files_pid_file(bluetooth_var_run_t)
>
> +type bluetooth_unit_file_t;
> +systemd_unit_file(bluetooth_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/clamav.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/clamav.fc
> +++ refpolicy/policy/modules/contrib/clamav.fc
> @@ -24,3 +24,5 @@
> /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
>
> /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
> +
> +/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/clamav.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/clamav.te
> +++ refpolicy/policy/modules/contrib/clamav.te
> @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
> type clamd_initrc_exec_t;
> init_script_file(clamd_initrc_exec_t)
>
> +type clamd_unit_file_t;
> +systemd_unit_file(clamd_unit_file_t)
> +
> type clamd_tmp_t;
> files_tmp_file(clamd_tmp_t)
>
> Index: refpolicy/policy/modules/contrib/consolekit.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/consolekit.fc
> +++ refpolicy/policy/modules/contrib/consolekit.fc
> @@ -1,3 +1,5 @@
> +/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
> +
> /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
>
> /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
> Index: refpolicy/policy/modules/contrib/consolekit.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/consolekit.te
> +++ refpolicy/policy/modules/contrib/consolekit.te
> @@ -19,6 +19,9 @@ type consolekit_var_run_t;
> files_pid_file(consolekit_var_run_t)
> init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
>
> +type consolekit_unit_file_t;
> +systemd_unit_file(consolekit_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/cron.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/cron.fc
> +++ refpolicy/policy/modules/contrib/cron.fc
> @@ -64,3 +64,6 @@ ifdef(`distro_suse',`
> /var/spool/cron/lastrun/[^/]* -- <<none>>
> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
> ')
> +
> +/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
> +/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/cron.te
> +++ refpolicy/policy/modules/contrib/cron.te
> @@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
> type crond_initrc_exec_t;
> init_script_file(crond_initrc_exec_t)
>
> +type crond_unit_file_t;
> +systemd_unit_file(crond_unit_file_t)
> +
> type crond_tmp_t;
> files_tmp_file(crond_tmp_t)
> files_poly_parent(crond_tmp_t)
> Index: refpolicy/policy/modules/contrib/cups.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/cups.fc
> +++ refpolicy/policy/modules/contrib/cups.fc
> @@ -75,3 +75,5 @@
> /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
> /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
> /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
> +
> +/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/cups.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/cups.te
> +++ refpolicy/policy/modules/contrib/cups.te
> @@ -63,6 +63,9 @@ files_pid_file(cupsd_var_run_t)
> init_daemon_pid_file(cupsd_var_run_t, dir, "cups")
> mls_trusted_object(cupsd_var_run_t)
>
> +type cupsd_unit_file_t;
> +systemd_unit_file(cupsd_unit_file_t)
> +
> type hplip_t;
> type hplip_exec_t;
> init_daemon_domain(hplip_t, hplip_exec_t)
> Index: refpolicy/policy/modules/contrib/dhcp.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/dhcp.fc
> +++ refpolicy/policy/modules/contrib/dhcp.fc
> @@ -6,3 +6,4 @@
> /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
>
> /var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
> +/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/dhcp.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/dhcp.te
> +++ refpolicy/policy/modules/contrib/dhcp.te
> @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t
> type dhcpd_initrc_exec_t;
> init_script_file(dhcpd_initrc_exec_t)
>
> +type dhcpd_unit_file_t;
> +systemd_unit_file(dhcpd_unit_file_t)
> +
> type dhcpd_state_t;
> files_type(dhcpd_state_t)
>
> Index: refpolicy/policy/modules/contrib/dnsmasq.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/dnsmasq.fc
> +++ refpolicy/policy/modules/contrib/dnsmasq.fc
> @@ -15,3 +15,4 @@
>
> /var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/lib/systemd/system/dnsmasq.*\.service -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/dnsmasq.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/dnsmasq.te
> +++ refpolicy/policy/modules/contrib/dnsmasq.te
> @@ -27,6 +27,9 @@ logging_log_file(dnsmasq_var_log_t)
> type dnsmasq_var_run_t;
> files_pid_file(dnsmasq_var_run_t)
>
> +type dnsmasq_unit_file_t;
> +systemd_unit_file(dnsmasq_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/ftp.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ftp.fc
> +++ refpolicy/policy/modules/contrib/ftp.fc
> @@ -26,3 +26,6 @@
> /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
> /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
> /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
> +
> +/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
> +/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/ftp.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ftp.te
> +++ refpolicy/policy/modules/contrib/ftp.te
> @@ -127,6 +127,9 @@ init_script_file(ftpd_initrc_exec_t)
> type ftpd_keytab_t;
> files_type(ftpd_keytab_t)
>
> +type ftpd_unit_file_t;
> +systemd_unit_file(ftpd_unit_file_t)
> +
> type ftpd_lock_t;
> files_lock_file(ftpd_lock_t)
>
> Index: refpolicy/policy/modules/contrib/kdump.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/kdump.fc
> +++ refpolicy/policy/modules/contrib/kdump.fc
> @@ -11,3 +11,5 @@
>
> /usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
> /usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
> +
> +/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/kdump.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/kdump.te
> +++ refpolicy/policy/modules/contrib/kdump.te
> @@ -26,6 +26,9 @@ application_executable_file(kdumpctl_exe
> type kdumpctl_tmp_t;
> files_tmp_file(kdumpctl_tmp_t)
>
> +type kdump_unit_file_t;
> +systemd_unit_file(kdump_unit_file_t)
> +
> #####################################
> #
> # Local policy
> Index: refpolicy/policy/modules/contrib/ldap.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ldap.fc
> +++ refpolicy/policy/modules/contrib/ldap.fc
> @@ -27,3 +27,5 @@
> /var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
> /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
> /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
> +
> +/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/ldap.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ldap.te
> +++ refpolicy/policy/modules/contrib/ldap.te
> @@ -24,6 +24,9 @@ init_script_file(slapd_initrc_exec_t)
> type slapd_keytab_t;
> files_type(slapd_keytab_t)
>
> +type slapd_unit_file_t;
> +systemd_unit_file(slapd_unit_file_t)
> +
> type slapd_lock_t;
> files_lock_file(slapd_lock_t)
>
> Index: refpolicy/policy/modules/contrib/mysql.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/mysql.fc
> +++ refpolicy/policy/modules/contrib/mysql.fc
> @@ -25,3 +25,5 @@ HOME_DIR/\.my\.cnf -- gen_context(system
> /var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
> /var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
> /var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
> +
> +/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/mysql.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/mysql.te
> +++ refpolicy/policy/modules/contrib/mysql.te
> @@ -38,6 +38,9 @@ files_config_file(mysqld_etc_t)
> type mysqld_home_t;
> userdom_user_home_content(mysqld_home_t)
>
> +type mysqld_unit_file_t;
> +systemd_unit_file(mysqld_unit_file_t)
> +
> type mysqld_initrc_exec_t;
> init_script_file(mysqld_initrc_exec_t)
>
> Index: refpolicy/policy/modules/contrib/networkmanager.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/networkmanager.fc
> +++ refpolicy/policy/modules/contrib/networkmanager.fc
> @@ -1,3 +1,4 @@
> +/lib/systemd/system/NetworkManager.*\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
> /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
>
> /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
> Index: refpolicy/policy/modules/contrib/networkmanager.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/networkmanager.te
> +++ refpolicy/policy/modules/contrib/networkmanager.te
> @@ -18,6 +18,9 @@ files_config_file(NetworkManager_etc_rw_
> type NetworkManager_initrc_exec_t;
> init_script_file(NetworkManager_initrc_exec_t)
>
> +type NetworkManager_unit_file_t;
> +systemd_unit_file(NetworkManager_unit_file_t)
> +
> type NetworkManager_log_t;
> logging_log_file(NetworkManager_log_t)
>
> Index: refpolicy/policy/modules/contrib/nis.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/nis.fc
> +++ refpolicy/policy/modules/contrib/nis.fc
> @@ -20,3 +20,8 @@
> /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
> /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
> /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
> +
> +/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
> +/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
> +/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
> +/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/nis.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/nis.te
> +++ refpolicy/policy/modules/contrib/nis.te
> @@ -27,6 +27,9 @@ files_tmp_file(ypbind_tmp_t)
> type ypbind_var_run_t;
> files_pid_file(ypbind_var_run_t)
>
> +type ypbind_unit_file_t;
> +systemd_unit_file(ypbind_unit_file_t)
> +
> type yppasswdd_t;
> type yppasswdd_exec_t;
> init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
> @@ -55,6 +58,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t
> type ypxfr_var_run_t;
> files_pid_file(ypxfr_var_run_t)
>
> +type nis_unit_file_t;
> +systemd_unit_file(nis_unit_file_t)
> +
> ########################################
> #
> # ypbind local policy
> Index: refpolicy/policy/modules/contrib/nscd.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/nscd.te
> +++ refpolicy/policy/modules/contrib/nscd.te
> @@ -31,6 +31,9 @@ role nscd_roles types nscd_t;
> type nscd_initrc_exec_t;
> init_script_file(nscd_initrc_exec_t)
>
> +type nscd_unit_file_t;
> +systemd_unit_file(nscd_unit_file_t)
> +
> type nscd_log_t;
> logging_log_file(nscd_log_t)
>
> Index: refpolicy/policy/modules/contrib/ntp.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ntp.fc
> +++ refpolicy/policy/modules/contrib/ntp.fc
> @@ -27,3 +27,7 @@
> /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
>
> /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
> +
> +/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
> +
> +/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/ntp.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ntp.te
> +++ refpolicy/policy/modules/contrib/ntp.te
> @@ -21,6 +21,9 @@ init_script_file(ntpd_initrc_exec_t)
> type ntp_conf_t;
> files_config_file(ntp_conf_t)
>
> +type ntpd_unit_file_t;
> +systemd_unit_file(ntpd_unit_file_t)
> +
> type ntpd_key_t;
> files_type(ntpd_key_t)
>
> Index: refpolicy/policy/modules/contrib/ppp.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ppp.fc
> +++ refpolicy/policy/modules/contrib/ppp.fc
> @@ -28,3 +28,5 @@ HOME_DIR/\.ppprc -- gen_context(system_u
> /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
> /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
> /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
> +
> +/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/ppp.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/ppp.te
> +++ refpolicy/policy/modules/contrib/ppp.te
> @@ -41,6 +41,9 @@ files_type(pppd_etc_rw_t)
> type pppd_initrc_exec_t alias pppd_script_exec_t;
> init_script_file(pppd_initrc_exec_t)
>
> +type pppd_unit_file_t;
> +systemd_unit_file(pppd_unit_file_t)
> +
> type pppd_secret_t;
> files_type(pppd_secret_t)
>
> Index: refpolicy/policy/modules/contrib/rpc.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/rpc.fc
> +++ refpolicy/policy/modules/contrib/rpc.fc
> @@ -20,3 +20,6 @@
>
> /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
> /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
> +
> +/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
> +/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
> Index: refpolicy/policy/modules/contrib/rpc.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/rpc.te
> +++ refpolicy/policy/modules/contrib/rpc.te
> @@ -52,11 +52,17 @@ rpc_domain_template(rpcd)
> type rpcd_initrc_exec_t;
> init_script_file(rpcd_initrc_exec_t)
>
> +type rpcd_unit_file_t;
> +systemd_unit_file(rpcd_unit_file_t)
> +
> rpc_domain_template(nfsd)
>
> type nfsd_initrc_exec_t;
> init_script_file(nfsd_initrc_exec_t)
>
> +type nfsd_unit_file_t;
> +systemd_unit_file(nfsd_unit_file_t)
> +
> type nfsd_rw_t;
> files_type(nfsd_rw_t)
>
> Index: refpolicy/policy/modules/contrib/samba.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/samba.fc
> +++ refpolicy/policy/modules/contrib/samba.fc
> @@ -8,6 +8,8 @@
> /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
> /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
>
> +/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_file_t,s0)
> +
> /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
> /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
> /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
> Index: refpolicy/policy/modules/contrib/samba.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/samba.te
> +++ refpolicy/policy/modules/contrib/samba.te
> @@ -113,6 +113,9 @@ files_config_file(samba_etc_t)
> type samba_initrc_exec_t;
> init_script_file(samba_initrc_exec_t)
>
> +type samba_unit_file_t;
> +systemd_unit_file(samba_unit_file_t)
> +
> type samba_log_t;
> logging_log_file(samba_log_t)
>
> Index: refpolicy/policy/modules/contrib/tor.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/tor.fc
> +++ refpolicy/policy/modules/contrib/tor.fc
> @@ -5,6 +5,8 @@
> /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
> /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
>
> +/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0)
> +
> /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
> /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
>
> Index: refpolicy/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy.orig/policy/modules/contrib/tor.te
> +++ refpolicy/policy/modules/contrib/tor.te
> @@ -33,6 +33,9 @@ type tor_var_run_t;
> files_pid_file(tor_var_run_t)
> init_daemon_pid_file(tor_var_run_t, dir, "tor")
>
> +type tor_unit_file_t;
> +systemd_unit_file(tor_unit_file_t)
> +
> ########################################
> #
> # Local policy
> Index: refpolicy/policy/modules/system/iptables.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/system/iptables.fc
> +++ refpolicy/policy/modules/system/iptables.fc
> @@ -3,6 +3,9 @@
> /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
> /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
> +/lib/systemd/system/iptables.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
> +/lib/systemd/system/ip6tables.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
> +
> /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
> Index: refpolicy/policy/modules/system/iptables.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/iptables.te
> +++ refpolicy/policy/modules/system/iptables.te
> @@ -28,6 +28,9 @@ init_unit_file(iptables_unit_t)
> type iptables_var_run_t;
> files_pid_file(iptables_var_run_t)
>
> +type iptables_unit_file_t;
> +systemd_unit_file(iptables_unit_file_t)
> +
> ########################################
> #
> # Iptables local policy
> Index: refpolicy/policy/modules/system/logging.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/system/logging.fc
> +++ refpolicy/policy/modules/system/logging.fc
> @@ -6,6 +6,8 @@
> /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
>
> +/lib/systemd/system/auditd.*\.service -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
> +
> /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
> /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
> /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
> @@ -27,6 +29,7 @@
> /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
> /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
> /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
> +/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)
>
> /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
> /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
> Index: refpolicy/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/logging.te
> +++ refpolicy/policy/modules/system/logging.te
> @@ -12,6 +12,9 @@ type auditctl_exec_t;
> init_system_domain(auditctl_t, auditctl_exec_t)
> role system_r types auditctl_t;
>
> +type auditd_unit_file_t;
> +systemd_unit_file(auditd_unit_file_t)
> +
> type auditd_etc_t;
> files_security_file(auditd_etc_t)
>
> @@ -69,6 +72,9 @@ type syslogd_exec_t;
> init_daemon_domain(syslogd_t, syslogd_exec_t)
> init_named_socket_activation(syslogd_t, syslogd_var_run_t)
>
> +type syslogd_unit_file_t;
> +systemd_unit_file(syslogd_unit_file_t)
> +
> type syslogd_initrc_exec_t;
> init_script_file(syslogd_initrc_exec_t)
>
> Index: refpolicy/policy/flask/access_vectors
> ===================================================================
> --- refpolicy.orig/policy/flask/access_vectors
> +++ refpolicy/policy/flask/access_vectors
> @@ -931,3 +931,8 @@ class service
> enable
> disable
> }
> +
> +class proxy
> +{
> + read
> +}
> Index: refpolicy/policy/flask/security_classes
> ===================================================================
> --- refpolicy.orig/policy/flask/security_classes
> +++ refpolicy/policy/flask/security_classes
> @@ -147,4 +147,7 @@ class db_language # userspace
>
> class service # userspace
>
> +# gssd services
> +class proxy
> +
> # FLASK
> Index: refpolicy/policy/modules/system/init.if
> ===================================================================
> --- refpolicy.orig/policy/modules/system/init.if
> +++ refpolicy/policy/modules/system/init.if
> @@ -2504,3 +2504,17 @@ interface(`init_reload_all_units',`
>
> allow $1 systemdunit:service reload;
> ')
> +
> +#######################################
> +## <summary>
> +## Create a file type used for systemd unit files.
> +## </summary>
> +## <param name="script_file">
> +## <summary>
> +## Type to be used for an unit file.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_unit_file',`
> + files_type($1)
> +')
> Index: refpolicy/policy/modules/system/selinuxutil.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/system/selinuxutil.fc
> +++ refpolicy/policy/modules/system/selinuxutil.fc
> @@ -36,6 +36,7 @@
>
> /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
> /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
> +/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_file_t,s0)
> /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
> /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
> /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
> Index: refpolicy/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy/policy/modules/system/selinuxutil.te
> @@ -85,6 +85,9 @@ init_daemon_domain(restorecond_t, restor
> domain_obj_id_change_exemption(restorecond_t)
> role system_r types restorecond_t;
>
> +type restorecond_unit_file_t;
> +systemd_unit_file(restorecond_unit_file_t)
> +
> type restorecond_var_run_t;
> files_pid_file(restorecond_var_run_t)
>
> Index: refpolicy/policy/modules/system/setrans.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/system/setrans.fc
> +++ refpolicy/policy/modules/system/setrans.fc
> @@ -1,5 +1,6 @@
> /etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0)
>
> /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
> +/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_file_t,s0)
>
> /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
> Index: refpolicy/policy/modules/system/setrans.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/setrans.te
> +++ refpolicy/policy/modules/system/setrans.te
> @@ -13,6 +13,9 @@ type setrans_t;
> type setrans_exec_t;
> init_daemon_domain(setrans_t, setrans_exec_t)
>
> +type setrans_unit_file_t;
> +systemd_unit_file(setrans_unit_file_t)
> +
> type setrans_initrc_exec_t;
> init_script_file(setrans_initrc_exec_t)
>
> Index: refpolicy/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy/policy/modules/kernel/corecommands.fc
> @@ -135,7 +135,7 @@ ifdef(`distro_debian',`
> /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
> /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> -/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
> +/lib/systemd/systemd-.* -- gen_context(system_u:object_r:bin_t,s0)
> /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
> /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
> /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/systemd.te
> +++ refpolicy/policy/modules/system/systemd.te
> @@ -5,6 +5,13 @@ policy_module(systemd, 1.1.0)
> # Declarations
> #
>
> +attribute systemd_unit_file_type;
> +
> +# type for systemd unit files
> +type systemd_unit_file_t;
> +systemd_unit_file(systemd_unit_file_t)
> +allow init_t systemd_unit_file_t:service { stop start status reload };
> +
> ## <desc>
> ## <p>
> ## Enable support for systemd-tmpfiles to manage all non-security files.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
On Mon, 1 Aug 2016 12:35:56 AM Jason Zaman wrote:
> On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
> > Below is a patch that's been in my Debian tree for some time, I didn't
> > write it I took it from rawhide some years ago.
> >
> >
> >
> > Is this the way we are going to do things? If so I can tidy it up and
> > submit it. If not I'll delete it and make the Debian policy work without
> > it.
> >
> >
> >
> > Note that I am not suggesting this patch for inclusion at the
> > moment. I'm just offering it for discussion.
>
> We have unit files in refpol yeah, they are different from the stuff in
> redhat tho i think.
>
> A whole bunch like this for example:
> mandb.te:type mandb_unit_t;
> mandb.te:init_unit_file(mandb_unit_t)
> mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_
> u:object_r:mandb_unit_t,s0)
Thanks for the pointer.
Is the plan that every daemon domain will get a _unit_t type? I've revised
the patch in my tree to use the same naming convention as is now used upstream
and removed duplicate policy.
The attached patch is what I'm working with now, it has init_unit_file()
entries for many policy modules that lack it in the 2.20151208 refpolicy
release. I haven't yet tried applying this to the latest Git policy and aside
from that it's not ready for upstream inclusion. This is just to share what
I'm working on and to take comments about where I should go with this.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
Description: Add systemd unit types
Author: Russell Coker <[email protected]>
Last-Update: 2014-09-13
Index: refpolicy/policy/modules/contrib/apache.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.fc
+++ refpolicy/policy/modules/contrib/apache.fc
@@ -28,6 +28,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+
/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
Index: refpolicy/policy/modules/contrib/apache.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.te
+++ refpolicy/policy/modules/contrib/apache.te
@@ -289,6 +289,8 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
+type httpd_unit_t;
+init_unit_file(httpd_unit_t)
type httpd_lock_t;
files_lock_file(httpd_lock_t)
Index: refpolicy/policy/modules/contrib/apcupsd.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apcupsd.fc
+++ refpolicy/policy/modules/contrib/apcupsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
Index: refpolicy/policy/modules/contrib/apcupsd.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apcupsd.te
+++ refpolicy/policy/modules/contrib/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
+type apcupsd_unit_t;
+init_unit_file(apcupsd_unit_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/apm.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apm.fc
+++ refpolicy/policy/modules/contrib/apm.fc
@@ -17,3 +17,5 @@
/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/apm.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apm.te
+++ refpolicy/policy/modules/contrib/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
+type apmd_unit_t;
+init_unit_file(apmd_unit_t)
+
########################################
#
# Client local policy
Index: refpolicy/policy/modules/contrib/arpwatch.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/arpwatch.fc
+++ refpolicy/policy/modules/contrib/arpwatch.fc
@@ -7,3 +7,5 @@
/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
/var/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+
+/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
Index: refpolicy/policy/modules/contrib/arpwatch.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/arpwatch.te
+++ refpolicy/policy/modules/contrib/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
+type arpwatch_unit_t;
+init_unit_file(arpwatch_unit_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/automount.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/automount.fc
+++ refpolicy/policy/modules/contrib/automount.fc
@@ -6,3 +6,5 @@
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
+
+/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
Index: refpolicy/policy/modules/contrib/automount.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/automount.te
+++ refpolicy/policy/modules/contrib/automount.te
@@ -25,6 +25,9 @@ files_mountpoint(automount_tmp_t)
type automount_var_run_t;
files_pid_file(automount_var_run_t)
+type automount_unit_t;
+init_unit_file(automount_unit_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/avahi.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/avahi.fc
+++ refpolicy/policy/modules/contrib/avahi.fc
@@ -7,3 +7,5 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+
+/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
Index: refpolicy/policy/modules/contrib/avahi.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/avahi.te
+++ refpolicy/policy/modules/contrib/avahi.te
@@ -19,6 +19,9 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+type avahi_unit_t;
+init_unit_file(avahi_unit_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/bind.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/bind.fc
+++ refpolicy/policy/modules/contrib/bind.fc
@@ -14,6 +14,9 @@
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
Index: refpolicy/policy/modules/contrib/bind.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/bind.te
+++ refpolicy/policy/modules/contrib/bind.te
@@ -47,6 +47,9 @@ init_script_file(named_initrc_exec_t)
type named_keytab_t;
files_type(named_keytab_t)
+type named_unit_t;
+init_unit_file(named_unit_t)
+
type named_log_t;
logging_log_file(named_log_t)
Index: refpolicy/policy/modules/contrib/clamav.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/clamav.fc
+++ refpolicy/policy/modules/contrib/clamav.fc
@@ -24,3 +24,5 @@
/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+
+/usr/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/clamav.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/clamav.te
+++ refpolicy/policy/modules/contrib/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
+type clamd_unit_t;
+init_unit_file(clamd_unit_t)
+
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
Index: refpolicy/policy/modules/contrib/consolekit.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/consolekit.fc
+++ refpolicy/policy/modules/contrib/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
Index: refpolicy/policy/modules/contrib/consolekit.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/consolekit.te
+++ refpolicy/policy/modules/contrib/consolekit.te
@@ -19,6 +19,9 @@ type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
+type consolekit_unit_t;
+init_unit_file(consolekit_unit_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/contrib/cron.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.fc
+++ refpolicy/policy/modules/contrib/cron.fc
@@ -64,3 +64,6 @@ ifdef(`distro_suse',`
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
+
+/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
+/usr/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
Index: refpolicy/policy/modules/contrib/cron.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.te
+++ refpolicy/policy/modules/contrib/cron.te
@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
+type crond_unit_t;
+init_unit_file(crond_unit_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
Index: refpolicy/policy/modules/contrib/cups.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/cups.fc
+++ refpolicy/policy/modules/contrib/cups.fc
@@ -75,3 +75,5 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/cups.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cups.te
+++ refpolicy/policy/modules/contrib/cups.te
@@ -63,6 +63,9 @@ files_pid_file(cupsd_var_run_t)
init_daemon_pid_file(cupsd_var_run_t, dir, "cups")
mls_trusted_object(cupsd_var_run_t)
+type cupsd_unit_t;
+init_unit_file(cupsd_unit_t)
+
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
Index: refpolicy/policy/modules/contrib/dhcp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/dhcp.fc
+++ refpolicy/policy/modules/contrib/dhcp.fc
@@ -6,3 +6,4 @@
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/dhcp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dhcp.te
+++ refpolicy/policy/modules/contrib/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
+type dhcpd_unit_t;
+init_unit_file(dhcpd_unit_t)
+
type dhcpd_state_t;
files_type(dhcpd_state_t)
Index: refpolicy/policy/modules/contrib/ftp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ftp.te
+++ refpolicy/policy/modules/contrib/ftp.te
@@ -127,6 +127,9 @@ init_script_file(ftpd_initrc_exec_t)
type ftpd_keytab_t;
files_type(ftpd_keytab_t)
+type ftpd_unit_t;
+init_unit_file(ftpd_unit_t)
+
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
Index: refpolicy/policy/modules/contrib/kdump.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/kdump.fc
+++ refpolicy/policy/modules/contrib/kdump.fc
@@ -11,3 +11,5 @@
/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
+/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
Index: refpolicy/policy/modules/contrib/ldap.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ldap.fc
+++ refpolicy/policy/modules/contrib/ldap.fc
@@ -27,3 +27,5 @@
/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+
+/usr/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/ldap.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ldap.te
+++ refpolicy/policy/modules/contrib/ldap.te
@@ -24,6 +24,9 @@ init_script_file(slapd_initrc_exec_t)
type slapd_keytab_t;
files_type(slapd_keytab_t)
+type slapd_unit_t;
+init_unit_file(slapd_unit_t)
+
type slapd_lock_t;
files_lock_file(slapd_lock_t)
Index: refpolicy/policy/modules/contrib/mysql.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/mysql.fc
+++ refpolicy/policy/modules/contrib/mysql.fc
@@ -25,3 +25,5 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+
+/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
Index: refpolicy/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mysql.te
+++ refpolicy/policy/modules/contrib/mysql.te
@@ -38,6 +38,9 @@ files_config_file(mysqld_etc_t)
type mysqld_home_t;
userdom_user_home_content(mysqld_home_t)
+type mysqld_unit_t;
+init_unit_file(mysqld_unit_t)
+
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
Index: refpolicy/policy/modules/contrib/nis.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/nis.fc
+++ refpolicy/policy/modules/contrib/nis.fc
@@ -20,3 +20,8 @@
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
+/usr/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
Index: refpolicy/policy/modules/contrib/nis.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/nis.te
+++ refpolicy/policy/modules/contrib/nis.te
@@ -27,6 +27,9 @@ files_tmp_file(ypbind_tmp_t)
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
+type ypbind_unit_t;
+init_unit_file(ypbind_unit_t)
+
type yppasswdd_t;
type yppasswdd_exec_t;
init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
@@ -55,6 +58,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
+type nis_unit_t;
+init_unit_file(nis_unit_t)
+
########################################
#
# ypbind local policy
Index: refpolicy/policy/modules/contrib/nscd.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/nscd.te
+++ refpolicy/policy/modules/contrib/nscd.te
@@ -31,6 +31,9 @@ role nscd_roles types nscd_t;
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
+type nscd_unit_t;
+init_unit_file(nscd_unit_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
Index: refpolicy/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.fc
+++ refpolicy/policy/modules/contrib/ntp.fc
@@ -27,3 +27,7 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+
+/usr/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/ppp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ppp.fc
+++ refpolicy/policy/modules/contrib/ppp.fc
@@ -28,3 +28,5 @@ HOME_DIR/\.ppprc -- gen_context(system_u
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/ppp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ppp.te
+++ refpolicy/policy/modules/contrib/ppp.te
@@ -41,6 +41,9 @@ files_type(pppd_etc_rw_t)
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)
+type pppd_unit_t;
+init_unit_file(pppd_unit_t)
+
type pppd_secret_t;
files_type(pppd_secret_t)
Index: refpolicy/policy/modules/contrib/rpc.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/rpc.fc
+++ refpolicy/policy/modules/contrib/rpc.fc
@@ -20,3 +20,6 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
+/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
+/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
Index: refpolicy/policy/modules/contrib/rpc.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/rpc.te
+++ refpolicy/policy/modules/contrib/rpc.te
@@ -52,11 +52,17 @@ rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
+type rpcd_unit_t;
+init_unit_file(rpcd_unit_t)
+
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
init_script_file(nfsd_initrc_exec_t)
+type nfsd_unit_t;
+init_unit_file(nfsd_unit_t)
+
type nfsd_rw_t;
files_type(nfsd_rw_t)
Index: refpolicy/policy/modules/contrib/samba.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/samba.fc
+++ refpolicy/policy/modules/contrib/samba.fc
@@ -8,6 +8,8 @@
/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0)
+
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
Index: refpolicy/policy/modules/contrib/samba.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/samba.te
+++ refpolicy/policy/modules/contrib/samba.te
@@ -113,6 +113,9 @@ files_config_file(samba_etc_t)
type samba_initrc_exec_t;
init_script_file(samba_initrc_exec_t)
+type samba_unit_t;
+init_unit_file(samba_unit_t)
+
type samba_log_t;
logging_log_file(samba_log_t)
Index: refpolicy/policy/modules/contrib/tor.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/tor.fc
+++ refpolicy/policy/modules/contrib/tor.fc
@@ -5,6 +5,8 @@
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_t,s0)
+
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
Index: refpolicy/policy/modules/contrib/tor.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/tor.te
+++ refpolicy/policy/modules/contrib/tor.te
@@ -33,6 +33,9 @@ type tor_var_run_t;
files_pid_file(tor_var_run_t)
init_daemon_pid_file(tor_var_run_t, dir, "tor")
+type tor_unit_t;
+init_unit_file(tor_unit_t)
+
########################################
#
# Local policy
Index: refpolicy/policy/modules/system/logging.fc
===================================================================
--- refpolicy.orig/policy/modules/system/logging.fc
+++ refpolicy/policy/modules/system/logging.fc
@@ -27,6 +27,7 @@
/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
Index: refpolicy/policy/flask/access_vectors
===================================================================
--- refpolicy.orig/policy/flask/access_vectors
+++ refpolicy/policy/flask/access_vectors
@@ -931,3 +931,8 @@ class service
enable
disable
}
+
+class proxy
+{
+ read
+}
Index: refpolicy/policy/flask/security_classes
===================================================================
--- refpolicy.orig/policy/flask/security_classes
+++ refpolicy/policy/flask/security_classes
@@ -147,4 +147,7 @@ class db_language # userspace
class service # userspace
+# gssd services
+class proxy
+
# FLASK
Index: refpolicy/policy/modules/system/selinuxutil.fc
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.fc
+++ refpolicy/policy/modules/system/selinuxutil.fc
@@ -36,6 +36,7 @@
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te
+++ refpolicy/policy/modules/system/selinuxutil.te
@@ -85,6 +85,9 @@ init_daemon_domain(restorecond_t, restor
domain_obj_id_change_exemption(restorecond_t)
role system_r types restorecond_t;
+type restorecond_unit_t;
+init_unit_file(restorecond_unit_t)
+
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
Index: refpolicy/policy/modules/system/setrans.fc
===================================================================
--- refpolicy.orig/policy/modules/system/setrans.fc
+++ refpolicy/policy/modules/system/setrans.fc
@@ -1,5 +1,6 @@
/etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0)
/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+/usr/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_t,s0)
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
Index: refpolicy/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy/policy/modules/kernel/corecommands.fc
@@ -135,7 +135,7 @@ ifdef(`distro_debian',`
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/systemd-.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy/policy/modules/contrib/ftp.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/ftp.fc
+++ refpolicy/policy/modules/contrib/ftp.fc
@@ -26,3 +26,6 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+
+/usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+/usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
On 08/02/16 08:16, Russell Coker wrote:
> On Mon, 1 Aug 2016 12:35:56 AM Jason Zaman wrote:
>> On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
>>> Below is a patch that's been in my Debian tree for some time, I didn't
>>> write it I took it from rawhide some years ago.
>>>
>>>
>>>
>>> Is this the way we are going to do things? If so I can tidy it up and
>>> submit it. If not I'll delete it and make the Debian policy work without
>>> it.
>>>
>>>
>>>
>>> Note that I am not suggesting this patch for inclusion at the
>>> moment. I'm just offering it for discussion.
>>
>> We have unit files in refpol yeah, they are different from the stuff in
>> redhat tho i think.
>>
>> A whole bunch like this for example:
>> mandb.te:type mandb_unit_t;
>> mandb.te:init_unit_file(mandb_unit_t)
>> mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_
>> u:object_r:mandb_unit_t,s0)
>
> Thanks for the pointer.
>
> Is the plan that every daemon domain will get a _unit_t type? I've revised
There weren't any specific plans to ensure all daemons have a unit, but
I'm open to that.
> the patch in my tree to use the same naming convention as is now used upstream
> and removed duplicate policy.
>
> The attached patch is what I'm working with now, it has init_unit_file()
> entries for many policy modules that lack it in the 2.20151208 refpolicy
> release. I haven't yet tried applying this to the latest Git policy and aside
> from that it's not ready for upstream inclusion. This is just to share what
> I'm working on and to take comments about where I should go with this.
Seems to be the right direction, to me.
--
Chris PeBenito
On Tue, Aug 02, 2016 at 07:26:23PM -0400, Chris PeBenito wrote:
> On 08/02/16 08:16, Russell Coker wrote:
> > On Mon, 1 Aug 2016 12:35:56 AM Jason Zaman wrote:
> >> On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
> >>> Below is a patch that's been in my Debian tree for some time, I didn't
> >>> write it I took it from rawhide some years ago.
> >>>
> >>>
> >>>
> >>> Is this the way we are going to do things? If so I can tidy it up and
> >>> submit it. If not I'll delete it and make the Debian policy work without
> >>> it.
> >>>
> >>>
> >>>
> >>> Note that I am not suggesting this patch for inclusion at the
> >>> moment. I'm just offering it for discussion.
> >>
> >> We have unit files in refpol yeah, they are different from the stuff in
> >> redhat tho i think.
> >>
> >> A whole bunch like this for example:
> >> mandb.te:type mandb_unit_t;
> >> mandb.te:init_unit_file(mandb_unit_t)
> >> mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_
> >> u:object_r:mandb_unit_t,s0)
> >
> > Thanks for the pointer.
> >
> > Is the plan that every daemon domain will get a _unit_t type? I've revised
>
> There weren't any specific plans to ensure all daemons have a unit, but
> I'm open to that.
There somewhat were. At least cases where there was a foo_initrc_exec_t
should probably also have a _unit_t. I added init_startstop_service() to
a ton of things a while back. The intention was that it takes pretty
much everything needed for all the different types of init daemons
(sysvinit, openrc, upstart, systemd) and gives the perms for it in
tunables/booleans. The unit param is optional still tho cuz not all
domains have it yet I think.
I also just realized that all the fcontexts in the policy are only for
/usr/lib/systemd/system/ but units can also be in /etc/ or /run. Do we
need to add a subs_dist for this?
-- Jason
On 08/02/16 23:08, Jason Zaman wrote:
> On Tue, Aug 02, 2016 at 07:26:23PM -0400, Chris PeBenito wrote:
>> On 08/02/16 08:16, Russell Coker wrote:
>>> On Mon, 1 Aug 2016 12:35:56 AM Jason Zaman wrote:
>>>> On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
>>>>> Below is a patch that's been in my Debian tree for some time, I didn't
>>>>> write it I took it from rawhide some years ago.
>>>>>
>>>>>
>>>>>
>>>>> Is this the way we are going to do things? If so I can tidy it up and
>>>>> submit it. If not I'll delete it and make the Debian policy work without
>>>>> it.
>>>>>
>>>>>
>>>>>
>>>>> Note that I am not suggesting this patch for inclusion at the
>>>>> moment. I'm just offering it for discussion.
>>>>
>>>> We have unit files in refpol yeah, they are different from the stuff in
>>>> redhat tho i think.
>>>>
>>>> A whole bunch like this for example:
>>>> mandb.te:type mandb_unit_t;
>>>> mandb.te:init_unit_file(mandb_unit_t)
>>>> mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_
>>>> u:object_r:mandb_unit_t,s0)
>>>
>>> Thanks for the pointer.
>>>
>>> Is the plan that every daemon domain will get a _unit_t type? I've revised
>>
>> There weren't any specific plans to ensure all daemons have a unit, but
>> I'm open to that.
>
> There somewhat were. At least cases where there was a foo_initrc_exec_t
> should probably also have a _unit_t. I added init_startstop_service() to
> a ton of things a while back. The intention was that it takes pretty
> much everything needed for all the different types of init daemons
> (sysvinit, openrc, upstart, systemd) and gives the perms for it in
> tunables/booleans. The unit param is optional still tho cuz not all
> domains have it yet I think.
>
> I also just realized that all the fcontexts in the policy are only for
> /usr/lib/systemd/system/ but units can also be in /etc/ or /run. Do we
> need to add a subs_dist for this?
I don't think so. The /etc ones are considered local configuration, so
that probably needs something like local_unit_t. The /run ones don't
either as those are runtime units. There is a github issue I opened for
it forever ago:
[1] https://github.com/TresysTechnology/refpolicy/issues/12
--
Chris PeBenito
On 08/06/2016 10:05 PM, Chris PeBenito wrote:
> On 08/02/16 23:08, Jason Zaman wrote:
>> On Tue, Aug 02, 2016 at 07:26:23PM -0400, Chris PeBenito wrote:
>>> On 08/02/16 08:16, Russell Coker wrote:
>>>> On Mon, 1 Aug 2016 12:35:56 AM Jason Zaman wrote:
>>>>> On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
>>>>>> Below is a patch that's been in my Debian tree for some time, I didn't
>>>>>> write it I took it from rawhide some years ago.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Is this the way we are going to do things? If so I can tidy it up and
>>>>>> submit it. If not I'll delete it and make the Debian policy work without
>>>>>> it.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Note that I am not suggesting this patch for inclusion at the
>>>>>> moment. I'm just offering it for discussion.
>>>>>
>>>>> We have unit files in refpol yeah, they are different from the stuff in
>>>>> redhat tho i think.
>>>>>
>>>>> A whole bunch like this for example:
>>>>> mandb.te:type mandb_unit_t;
>>>>> mandb.te:init_unit_file(mandb_unit_t)
>>>>> mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_
>>>>> u:object_r:mandb_unit_t,s0)
>>>>
>>>> Thanks for the pointer.
>>>>
>>>> Is the plan that every daemon domain will get a _unit_t type? I've revised
>>>
>>> There weren't any specific plans to ensure all daemons have a unit, but
>>> I'm open to that.
>>
>> There somewhat were. At least cases where there was a foo_initrc_exec_t
>> should probably also have a _unit_t. I added init_startstop_service() to
>> a ton of things a while back. The intention was that it takes pretty
>> much everything needed for all the different types of init daemons
>> (sysvinit, openrc, upstart, systemd) and gives the perms for it in
>> tunables/booleans. The unit param is optional still tho cuz not all
>> domains have it yet I think.
>>
>> I also just realized that all the fcontexts in the policy are only for
>> /usr/lib/systemd/system/ but units can also be in /etc/ or /run. Do we
>> need to add a subs_dist for this?
>
> I don't think so. The /etc ones are considered local configuration, so
> that probably needs something like local_unit_t. The /run ones don't
> either as those are runtime units. There is a github issue I opened for
> it forever ago:
>
> [1] https://github.com/TresysTechnology/refpolicy/issues/12
>
I am still hoping that systemctl will add setfscreatecon functionality
so that systemd edit (--force) $UNIT will create units and unit drop-ins
with the specified context.
That would be nice for confined administration. So in DSSP i currently
have a equivalence for /usr/lib/systemd/{system,user}
/etc/systemd/{system,user}
Runtime units have random names and are managed on runtime so you can't
associate private labels with individual runtime units. I basically only
differentiate between system and user runtime units
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160807/206a3253/attachment.bin