From: russell@coker.com.au (Russell Coker)
Date: Mon, 13 Jan 2014 23:52:56 +1100
Subject: [refpolicy] systemd policy
In-Reply-To: <20140112131841.71f6da37@fornost.bigon.be>
References: <5992094.YlEUt0BCZP@russell.coker.com.au> <20140112131841.71f6da37@fornost.bigon.be>
Message-ID: <5347508.kSSh66cgIv@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 12 Jan 2014 13:18:41 Laurent Bigonville wrote:
> Daniel do you know when this will happen? Can I already propose some of
> these patches?

One thing that would be good to propose first is the labelling of unit files. Currently in Debian policy we have lots of patches to daemon policy like the following. If we can agree that each daemon should have its own unit file type (which appears to me to have no benefit unless we make a significant addition to the daemon management functionality) then we can add the patch as-is. If we are going to add it as-is then the sooner the better, as a patch that affects lots of files is annoying to maintain.

    type apcupsd_unit_file_t;
    systemd_unit_file(apcupsd_unit_file_t)

    /lib/systemd/system/apcupsd\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)

It seems to me that the only benefit of per-daemon types is that we can write policy allowing one user access to manage daemons with several types.

The other possible way of allowing per-user management of daemons managed by the type of the unit file would be to have a default type for the unit files (which is easier for .fc files and no change to most daemon policy). Then whenever we need to delegate some sysadmin rights to a daemon we create a new type as appropriate and a fcontext rule to label the unit file.

Regardless of when we merge the patches it would be good to get this design issue sorted out soon.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
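The two designs discussed in the mail above, written out side by side as an added example (this is not policy from the thread, from Debian or from refpolicy itself). The `apcupsd_unit_file_t` type, the `systemd_unit_file()` interface and the `gen_context` fcontext rule are taken from the mail; `systemd_unit_file_t` as the default type for units, the `ups_unit_file_t`, `ups_admin_t` and `apcupsd_admin_service` names, and the `service` class permission set are assumptions made here for illustration.

```selinux
########################################
# Option A: one unit file type per daemon, as in the Debian patches.
# Every daemon module carries its own type, interface and fcontext entry.

# apcupsd.te
type apcupsd_unit_file_t;
systemd_unit_file(apcupsd_unit_file_t)

# apcupsd.fc
/lib/systemd/system/apcupsd\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)

# apcupsd.if (hypothetical interface): allow $1 to read the unit and to
# start/stop/status/reload the service systemd runs from it.
interface(`apcupsd_admin_service',`
	gen_require(`
		type apcupsd_unit_file_t;
	')

	allow $1 apcupsd_unit_file_t:file read_file_perms;
	allow $1 apcupsd_unit_file_t:service { start stop status reload };
')

########################################
# Option B: a single default type for all unit files, with a per-daemon
# type introduced only when management of that daemon must be delegated.

# systemd.fc: everything under /lib/systemd/system gets the default type
# (systemd_unit_file_t is assumed to be that default type).
/lib/systemd/system(/.*)?	gen_context(system_u:object_r:systemd_unit_file_t,s0)

# ups.te: added only when we want to hand apcupsd management to a
# dedicated admin domain. Nothing else in the daemon module changes.
type ups_unit_file_t;
systemd_unit_file(ups_unit_file_t)

# ups.fc: a more specific path entry overrides the directory-wide default
# above, so only this one unit leaves the default type.
/lib/systemd/system/apcupsd\.service -- gen_context(system_u:object_r:ups_unit_file_t,s0)

# A hypothetical delegated admin domain: it may manage this unit and no
# other, because every other unit still carries systemd_unit_file_t.
type ups_admin_t;
allow ups_admin_t ups_unit_file_t:file read_file_perms;
allow ups_admin_t ups_unit_file_t:service { start stop status reload };
```

After loading either policy and running `restorecon -v /lib/systemd/system/apcupsd.service`, `matchpathcon /lib/systemd/system/apcupsd.service` shows which fcontext entry won; in option B that is the check that the per-daemon entry really overrides the directory-wide default, since a delegated admin domain whose unit was left as `systemd_unit_file_t` would get either no access or, if the `service` rule were written against the default type, access to every unit on the system.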