From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 13 Jan 2014 10:10:11 -0500
Subject: [refpolicy] systemd policy
In-Reply-To: <5347508.kSSh66cgIv@russell.coker.com.au>
References: <5992094.YlEUt0BCZP@russell.coker.com.au> <20140112131841.71f6da37@fornost.bigon.be> <5347508.kSSh66cgIv@russell.coker.com.au>
Message-ID: <52D401D3.5040900@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/13/2014 07:52 AM, Russell Coker wrote:
> On Sun, 12 Jan 2014 13:18:41 Laurent Bigonville wrote:
>> Daniel do you know when this will happen? Can I already propose some of
>> these patches?
>
> One thing that would be good to propose first is the labelling of unit
> files.
>
> Currently in Debian policy we have lots of patches to daemon policy like
> the following. If we can agree that each daemon should have its own unit
> file type (which appears to me to have no benefit unless we make a
> significant addition to the daemon management functionality) then we can
> add the patch as-is. If we are going to add it as-is then the sooner the
> better, as a patch that affects lots of files is annoying to maintain.
>
> type apcupsd_unit_file_t;
> systemd_unit_file(apcupsd_unit_file_t)
>
> /lib/systemd/system/apcupsd\.service --
> gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
>
> It seems to me that the only benefit of per-daemon types is that we can
> write policy allowing one user access to manage daemons with several
> types.
>
> The other possible way of allowing per-user management of daemons managed
> by the type of the unit file would be to have a default type for the unit
> files (which is easier for .fc files and no change to most daemon policy).
> Then whenever we need to delegate some sysadmin rights to a daemon we
> create a new type as appropriate and a fcontext rule to label the unit
> file.
>
> Regardless of when we merge the patches it would be good to get this design
> issue sorted out soon.
>

Having separate labels on the unit file is not just for "user" domains. It is
also for system domains; for example, NetworkManager_t is allowed to start the
following services.

sesearch -A -s NetworkManager_t -p start
Found 5 semantic av rules:
   allow NetworkManager_t nscd_unit_file_t : service { start stop status reload } ;
   allow NetworkManager_t ntpd_unit_file_t : service { start stop status reload } ;
   allow NetworkManager_t pppd_unit_file_t : service { start stop status reload } ;
   allow NetworkManager_t polipo_unit_file_t : service { start stop status reload } ;
   allow NetworkManager_t dnsmasq_unit_file_t : service { start stop status reload } ;

I rely on Dominick and Miroslav to get Fedora changes/fixes upstream. Could
you guys take care of getting systemd policy upstream?
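
The labelling trade-off discussed in this thread, modelled as an added example (not code from the message or from refpolicy): it parses the five quoted sesearch rules and compares which unit files NetworkManager_t could start under per-daemon types versus one shared type. The unit-to-type table is constructed from the thread's naming pattern, and `systemd_unit_file_t` as the name of the shared default type is an assumption.

```python
import re
from collections import defaultdict

# The five rules quoted in the message above (sesearch output).
SESEARCH_OUTPUT = """\
allow NetworkManager_t nscd_unit_file_t : service { start stop status reload } ;
allow NetworkManager_t ntpd_unit_file_t : service { start stop status reload } ;
allow NetworkManager_t pppd_unit_file_t : service { start stop status reload } ;
allow NetworkManager_t polipo_unit_file_t : service { start stop status reload } ;
allow NetworkManager_t dnsmasq_unit_file_t : service { start stop status reload } ;
"""

# Constructed unit -> type table for illustration; only the apcupsd entry
# mirrors the .fc line quoted in the thread, the other unit names are assumed.
DAEMONS = ["nscd", "ntpd", "pppd", "polipo", "dnsmasq", "apcupsd"]
PER_DAEMON = {f"{d}.service": f"{d}_unit_file_t" for d in DAEMONS}
DEFAULT_TYPE = "systemd_unit_file_t"  # assumed name for a shared default type

RULE_RE = re.compile(
    r"allow\s+(\S+)\s+([^\s:]+)\s*:\s*([^\s{]+)\s*(?:\{([^}]*)\}|([^\s;]+))\s*;")

def parse_rules(text):
    """Return {(source, target): set(perms)} for 'service' class allow rules."""
    rules = defaultdict(set)
    for src, tgt, cls, braced, single in RULE_RE.findall(text):
        if cls == "service":
            rules[(src, tgt)].update((braced or single).split())
    return dict(rules)

def units_with_perm(rules, labels, source, perm):
    """Units whose label grants `perm` on class service to `source`."""
    granted = {tgt for (src, tgt), perms in rules.items()
               if src == source and perm in perms}
    return sorted(unit for unit, typ in labels.items() if typ in granted)

def collapse_to_default(rules, labels, default=DEFAULT_TYPE):
    """Model the single-type design: every unit, and every rule target that
    was a unit type, is relabelled to `default`."""
    unit_types = set(labels.values())
    flat = defaultdict(set)
    for (src, tgt), perms in rules.items():
        flat[(src, default if tgt in unit_types else tgt)] |= perms
    return dict(flat), {unit: default for unit in labels}

if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    print("per-daemon:", units_with_perm(rules, PER_DAEMON, "NetworkManager_t", "start"))
    flat_rules, flat_labels = collapse_to_default(rules, PER_DAEMON)
    print("one type:  ", units_with_perm(flat_rules, flat_labels, "NetworkManager_t", "start"))
```

With per-daemon types the result is exactly the five quoted services; with a single shared type the same access also covers apcupsd.service, which is why units that a confined domain must control need their own type under either design.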