From: dwalsh@redhat.com (Daniel J Walsh) Date: Mon, 25 Jul 2011 10:51:15 -0400 Subject: [refpolicy] new refpolicy release In-Reply-To: <1311600665.7563.18.camel@localhost.localdomain> References: <201107241559.02111.russell@coker.com.au> <4E2D5DA9.7060901@tresys.com> <1311596233.7563.7.camel@localhost.localdomain> <201107252239.27504.russell@coker.com.au> <1311600665.7563.18.camel@localhost.localdomain> Message-ID: <4E2D82E3.5020906@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/25/2011 09:31 AM, Dominick Grift wrote: > > > On Mon, 2011-07-25 at 22:39 +1000, Russell Coker wrote: >> On Mon, 25 Jul 2011, Dominick Grift wrote: >>>>> As an aside, what's the status of systemd policy? >>>> >>>> There isn't one upstream. The last time it was discussed, I >>>> suggested that it was so different and did so many more things >>>> that it should probably be its own module. I haven't heard or >>>> seen anything since then. >>> >>> I started working on it and gotten pretty far until i tried >>> shutdown. That is when i hit issues. >>> >>> Kernel logging is stopped pretty early and so i could not >>> determine what all systemd needs to shutdown properly. Spend >>> about a week just trying various things but could not get it to >>> work. Gave up. >> >> Could you please post what you did to the list so others can work >> on it without reinventing any wheels? > > Enclosed you will find what i ended up with. Keep in mind though > that this is dated by now (was done months ago) > > Also note that i pretty much gave each executable file a private > type and each process a private domain which is overkill but it was > my intention at that time to just figure out what each process > separately needs and then later consider merging domain that have > similar properties. The idea was to first just map systemd and then > clean it up. > > Also there may be things i would do different now that we have the > named file transitions in Fedora 16. > > Also note that this policy is made in a modified refpolicy so not > all interface calls may be available to you (but similar ones should > be) > > > > _______________________________________________ refpolicy mailing > list refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy Systemd is changing so fast and adding so many new features that we have not looked at this. We are currently trying to make sure launching apps is working correctly we have a systemd policy for some of the helper apps at this point. I think it would make sense to revisit the separation at a point when the systemd stabilized. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk4tguIACgkQrlYvE4MpobOblACfSGvzmuzDo1vXuKsgLBGyDoyN rTUAn3ep1Zi9z1if1zlJU2A2FRwElRGg =MRP3 -----END PGP SIGNATURE----- -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: systemd.te Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment.pl -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: systemd.if Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment-0001.pl -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: systemd.fc Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment-0002.pl -------------- next part -------------- A non-text attachment was scrubbed... Name: systemd.te.sig Type: application/pgp-signature Size: 72 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: systemd.if.sig Type: application/pgp-signature Size: 72 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment-0001.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: systemd.fc.sig Type: application/pgp-signature Size: 72 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment-0002.bin