From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 14 Jan 2014 10:46:23 +0100
Subject: [refpolicy] systemd policy
In-Reply-To: <3417214.hAyNvCIVsu@russell.coker.com.au>
References: <5992094.YlEUt0BCZP@russell.coker.com.au> <5347508.kSSh66cgIv@russell.coker.com.au> <52D401D3.5040900@redhat.com> <3417214.hAyNvCIVsu@russell.coker.com.au>
Message-ID: <1389692783.28251.8.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > Having separate labels on the unit file is not just for "user" domains. It
> > is also for system domains, for example NetworkManager_t is allowed to
> > start the following services.
>
> OK.
>
> I've attached a patch I'm using which defines some unit types and adds fc
> entries. Some of them are missing fc entries, presumably because the daemons
> in question didn't have unit files at the time (this policy was taken from
> Fedora some time ago).
>
> I've also added a stub systemd_unit_file() in init.if. The full systemd policy
> patch will have to remove that. I think this is OK to get the uncontroversial
> stuff included in the tree sooner.

Please send your patches in-line so that we can easily comment on them.

Here is one thing that can be improved in your patch:

This is how it's supposed to be:

/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)

These are not optimal and it's inconsistent with the above:

/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)

You see:

# grep system /etc/selinux/targeted/contexts/files/*.subs_dist
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/etc/systemd/system /usr/lib/systemd/system

So /etc/systemd/system is equivalent to /usr/lib/systemd/system.

Now consider me having a named daemon (DNS server) on each of my two networks.
Then I need an instance for each. So I create two "named" unit files in
/etc/systemd/system/named_{network1,network2}.service

So we can use the .* wildcard to catch these?

So I would suggest we create file contexts for unit files with .* consistently
to catch prefixed service files.
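As an added illustration (not part of this mail or of refpolicy), here is a small Python model of how a label is resolved: the subs_dist prefix substitution quoted above is applied first, then the last file_contexts regex that matches the whole path wins. It assumes the patterns are written under the substituted path /usr/lib/systemd/system and that unmatched unit files fall back to a generic systemd_unit_file_t entry.

```python
import re

# Constructed subs_dist table, matching the grep output quoted in the mail:
# a path under the left-hand prefix is rewritten to the right-hand prefix
# before any file_contexts regex is consulted.
SUBS_DIST = {
    "/run/systemd/system": "/usr/lib/systemd/system",
    "/run/systemd/generator": "/usr/lib/systemd/system",
    "/etc/systemd/system": "/usr/lib/systemd/system",
}

# Constructed file_contexts entries: (regex, file type or None for any, context).
# Assumption: patterns are written under the substituted path and the generic
# label is systemd_unit_file_t. Order is as after fc_sort: a later (more
# specific) matching entry overrides an earlier one.
FILE_CONTEXTS = [
    (r"/usr/lib/systemd/system(/.*)?", None, "system_u:object_r:systemd_unit_file_t:s0"),
    (r"/usr/lib/systemd/system/named\.service", "--", "system_u:object_r:named_unit_file_t:s0"),
    (r"/usr/lib/systemd/system/alsa-.*\.service", "--", "system_u:object_r:alsa_unit_file_t:s0"),
]

# Same table plus a wildcard entry for named, so prefixed instance files such as
# named_network1.service are caught (constructed; ".*" directly after "named"
# because the instances in the mail use an underscore, not a hyphen).
WILDCARD_CONTEXTS = FILE_CONTEXTS + [
    (r"/usr/lib/systemd/system/named.*\.service", "--", "system_u:object_r:named_unit_file_t:s0"),
]


def substitute(path):
    """Rewrite path with the longest subs_dist prefix that ends on a '/' boundary."""
    best = None
    for src in SUBS_DIST:
        if (path == src or path.startswith(src + "/")) and (best is None or len(src) > len(best)):
            best = src
    return path if best is None else SUBS_DIST[best] + path[len(best):]


def lookup(path, ftype="--", entries=FILE_CONTEXTS):
    """Return the context of the last entry whose regex and file type match, else None."""
    path = substitute(path)
    result = None
    for regex, spec_type, context in entries:
        if spec_type is not None and spec_type != ftype:
            continue
        if re.fullmatch(regex, path):
            result = context
    return result


if __name__ == "__main__":
    for p in ("/etc/systemd/system/named.service",
              "/etc/systemd/system/named_network1.service",
              "/run/systemd/generator/alsa-restore.service"):
        print(p, lookup(p), lookup(p, entries=WILDCARD_CONTEXTS))
```

Note that a hyphenated pattern such as named-.*\.service would not match the underscore-separated named_network1.service, so the separator in the pattern has to match how the instance files are actually named.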