From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 14 Jan 2014 10:58:44 +0100
Subject: [refpolicy] systemd policy
In-Reply-To: <1389692783.28251.8.camel@x220.localdomain>
References: <5992094.YlEUt0BCZP@russell.coker.com.au>
	<5347508.kSSh66cgIv@russell.coker.com.au>
	<52D401D3.5040900@redhat.com>
	<3417214.hAyNvCIVsu@russell.coker.com.au>
	<1389692783.28251.8.camel@x220.localdomain>
Message-ID: <1389693524.28251.13.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2014-01-14 at 10:46 +0100, Dominick Grift wrote:
> On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > > Having separate labels on the unit file is not just for "user" domains. It
> > > is also for system domains, for example NetworkManager_t is allowed to
> > > start the following services.
> > 
> > OK.
> > 
> > I've attached a patch I'm using which defines some unit types and adds fc
> > entries. Some of them are missing fc entries, presumably because the daemons
> > in question didn't have unit files at the time (this policy was taken from
> > Fedora some time ago).
> > 
> > I've also added a stub systemd_unit_file() in init.if. The full systemd policy
> > patch will have to remove that. I think this is OK to get the uncontroversial
> > stuff included in the tree sooner.
> 
> Please send your patches in-line so that we can easily comment on them.
> 
> Here is one thing that can be improved in your patch:
> 
> This is how it's supposed to be:
> 
> /lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
> 
> These are not optimal and it's inconsistent with the above:
> 
> /lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
> 
> You see:
> 
> # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
> /run/systemd/system /usr/lib/systemd/system
> /run/systemd/generator /usr/lib/systemd/system
> /etc/systemd/system /usr/lib/systemd/system
> 
> So /etc/systemd/system is equivalent to /usr/lib/systemd/system.
> 
> Now consider me having a name daemon (DNS server) on each of my two
> networks. Then I need an instance for each. So I create two "named" unit
> files in /etc/systemd/system/named_{network1,network2}.service
> 
> So we can use the .* wildcard to catch these?
> 
> So I would suggest we create file contexts for unit files with .*
> consistently to catch prefixed service files.
> 

Maybe not the best example, but what I am saying is that I think, for example, this:

/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)

should be:

/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)

and that this should be implemented consistently for all unit file context specifications where possible. Even if that may not be optimal, I think it makes more sense.
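To make the two mechanisms in this message concrete, here is an added Python example (not code from the thread, from refpolicy or from libselinux). It emulates how a path is labelled: first the subs_dist prefix substitution that makes /etc/systemd/system an alias of the canonical unit directory, then an anchored regex match against the file contexts, where the last matching entry wins because fc_sort puts the most specific entry last. The subs_dist table in the block is constructed for this example and maps straight to /lib/systemd/system so that it lines up with the /lib paths in the refpolicy specs quoted above; the real table on the poster's system maps to /usr/lib/systemd/system instead. The sample paths are also constructed, and the single-substitution and path-boundary rules are this example's assumptions about libselinux behaviour.

```python
"""Added example: emulate libselinux path-to-context resolution for the
subs_dist aliasing and the .* unit-file spec discussed in the thread."""
import re
from typing import Optional

# Constructed subs_dist table: (alias prefix, canonical prefix). The real
# targeted-policy table maps these to /usr/lib/systemd/system; /lib is used
# here so the refpolicy specs below match without a second hop.
SUBS_DIST = [
    ("/etc/systemd/system", "/lib/systemd/system"),
    ("/run/systemd/system", "/lib/systemd/system"),
    ("/run/systemd/generator", "/lib/systemd/system"),
]

# The specs as quoted in the thread: exact name for named, wildcard for alsa.
FC_BEFORE = r"""
/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""

# The same specs with the suggested .* wildcard applied to named as well.
FC_AFTER = r"""
/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""

# <regex> [<type>] gen_context(<context>,<mls>); <type> is --, -d, -l, ...
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,]+),")


def parse_fc(text: str) -> list:
    """Parse .fc lines into (anchored regex, file type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError("unparseable spec: " + line)
        regex, ftype, context = m.groups()
        # file context regexes are matched anchored at both ends
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def apply_subs(path: str) -> str:
    """Rewrite an aliased prefix to its canonical form.

    Assumption: one substitution only, and the prefix must end at a path
    component boundary, so /etc/systemd/systemd.conf is left alone.
    """
    for alias, canonical in SUBS_DIST:
        if path == alias or path.startswith(alias + "/"):
            return canonical + path[len(alias):]
    return path


def lookup(specs: list, path: str, ftype: str = "--") -> Optional[str]:
    """Return the context for path, or None when no spec matches.

    The specs are assumed to be in fc_sort order (most specific last), and
    the last matching entry is taken, as libselinux does.
    """
    key = apply_subs(path)
    matched = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue  # e.g. a "--" spec does not label a directory
        if regex.match(key):
            matched = context
    return matched


def compare(paths: list) -> dict:
    """Label each path under both spec sets; returns {path: (before, after)}."""
    before = parse_fc(FC_BEFORE)
    after = parse_fc(FC_AFTER)
    return {p: (lookup(before, p), lookup(after, p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, including the two per-network named
    # instances from the thread placed in /etc/systemd/system.
    sample = [
        "/lib/systemd/system/named.service",
        "/etc/systemd/system/named_network1.service",
        "/etc/systemd/system/named_network2.service",
        "/lib/systemd/system/alsa-restore.service",
    ]
    for path, (old, new) in compare(sample).items():
        print(f"{path}\n  named.service spec   : {old}\n  named.*\\.service spec: {new}")
```

Running it shows the point of the message: with the exact `named.service` spec the two instance files resolve to no spec at all (so they fall back to whatever the directory default is), while `named.*\.service` labels them named_unit_file_t after the /etc/systemd/system prefix has been rewritten. The same run also shows the cost the poster concedes as "not optimal": `named.*\.service` is not limited to an underscore-separated instance suffix, so any unit whose name merely starts with `named` gets the same type.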