From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 14 Jan 2014 13:22:05 +0100
Subject: [refpolicy] systemd policy
In-Reply-To: <3417214.hAyNvCIVsu@russell.coker.com.au>
References: <5992094.YlEUt0BCZP@russell.coker.com.au> <5347508.kSSh66cgIv@russell.coker.com.au> <52D401D3.5040900@redhat.com> <3417214.hAyNvCIVsu@russell.coker.com.au>
Message-ID: <20140114132205.292bc540@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 14 Jan 2014 10:37:29 +1100, Russell Coker wrote:

[...]

> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -389,10 +389,14 @@
> class system
> {
> ipc_info
> - syslog_read
> + syslog_read
> syslog_mod
> syslog_console
> module_request
> + halt
> + reboot
> + status
> + undefined
> }

I don't know where this "undefined" is coming from. I looked some time ago in the systemd source code and undefined was not used. And it's missing "enable" and "disable". You can grep "SELINUX_ACCESS_CHECK" in the code.

>
> #
> @@ -865,3 +869,20 @@
> implement
> execute
> }
> +
> +class service
> +{
> + start
> + stop
> + status
> + reload
> + kill
> + load
> + enable
> + disable
> +}

Here again, I don't think all these AVs are in use. You can grep "SELINUX_UNIT_ACCESS_CHECK" in the code; only start, stop, status and reload are used here, I think.

> +class proxy
> +{
> + read
> +}
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -131,4 +131,10 @@
> class db_sequence # userspace
> class db_language # userspace
>
> +# systemd services
> +class service
> +
> +# gssd services
> +class proxy
> +

I'm not sure that the "proxy" class should be part of the same patch; this is not needed for systemd.

[...]

Cheers,

Laurent Bigonville
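Review bot: in the "@@ -389,10 +389,14 @@" hunk of policy/flask/access_vectors, the "- syslog_read" / "+ syslog_read" pair is a no-op (the removed and added text are identical, so at most whitespace changed); drop it so the hunk carries only the four real additions (halt, reboot, status, undefined), and put a one-line comment above those additions naming systemd as the userspace object manager that checks them, since the existing permissions in "class system" (syslog_read, syslog_mod, syslog_console, module_request) are checked by the kernel and a reader of the file cannot otherwise tell the two groups apart.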
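Review bot: in the "@@ -865,3 +869,20 @@" hunk, the new "class service" block lists eight permissions but nothing in the patch records which daemon enforces them or where each one is checked; add a comment above the class naming systemd as the object manager, and for each permission that stays, the check site (the reply points at SELINUX_UNIT_ACCESS_CHECK), so the list can be verified against the source instead of guessed at. Permissions that no code path checks should be left out until a caller exists: they cannot be exercised by a test and only widen what later allow rules written against the class hand out.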
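Review bot: in the "@@ -131,4 +131,10 @@" hunk of policy/flask/security_classes, the neighbouring entries use a trailing marker ("class db_sequence # userspace", "class db_language # userspace") while the two new entries use a preceding comment line and no marker; follow the file's convention and write them as "class service # userspace" and "class proxy # userspace" (keeping the systemd/gssd comments if wanted), so that the file still records that these classes are enforced by a userspace object manager rather than the kernel.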