From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 14 Jan 2014 13:35:12 +0100
Subject: [refpolicy] systemd policy
In-Reply-To: <1389692783.28251.8.camel@x220.localdomain>
References: <5992094.YlEUt0BCZP@russell.coker.com.au>
 <5347508.kSSh66cgIv@russell.coker.com.au>
 <52D401D3.5040900@redhat.com>
 <3417214.hAyNvCIVsu@russell.coker.com.au>
 <1389692783.28251.8.camel@x220.localdomain>
Message-ID: <20140114133512.31b6436e@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 14 Jan 2014 10:46:23 +0100, Dominick Grift wrote:

> On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > > Having separate labels on the unit file is not just for "user"
> > > domains. It is also for system domains, for example
> > > NetworkManager_t is allowed to start the following services.
> >
> > OK.
> >
> > I've attached a patch I'm using which defines some unit types and
> > adds fc entries. Some of them are missing fc entries, presumably
> > because the daemons in question didn't have unit files at the time
> > (this policy was taken from Fedora some time ago).
> >
> > I've also added a stub systemd_unit_file() in init.if. The full
> > systemd policy patch will have to remove that. I think this is OK
> > to get the uncontroversial stuff included in the tree sooner.
>
> Please send your patches in-line so that we can easily comment on
> them.
>
> Here is one thing that can be improved in your patch:
>
> This is how it's supposed to be:
>
> /lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
>
> These are not optimal and it's inconsistent with above:
>
> /lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
>
> You see:
>
> # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
> /run/systemd/system /usr/lib/systemd/system
> /run/systemd/generator /usr/lib/systemd/system
> /etc/systemd/system /usr/lib/systemd/system
>
> So /etc/systemd/system is equivalent to /usr/lib/systemd/system

Here comes a question: are we using the Fedora or the Debian paths for systemd? In Fedora everything is in /usr/lib/systemd, in Debian it's /lib/systemd. This should be standardized, and then we can add an equivalence for the others. I personally don't care, as most of the patches will come from Fedora, I guess we could use the Fedora way.
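To make concrete what the subs_dist equivalence quoted above does at labelling time, here is an added example (not code from the thread or from refpolicy) that applies the three substitution lines and then matches the rewritten path against file_contexts entries written for the Fedora /usr/lib/systemd/system location, so a Debian /lib/systemd/system path shows up as unlabelled until an equivalence for it is added. The file_contexts lines are constructed, and the component-boundary rule for substitutions and the last-match-wins rule for file_contexts are my assumptions about setfiles behaviour.

```python
import re

# Constructed copy of the subs_dist lines quoted in the thread:
# "<prefix on disk> <prefix the file_contexts entries are written for>"
SUBS_DIST = """\
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/etc/systemd/system /usr/lib/systemd/system
"""

# Constructed file_contexts entries, anchored at the Fedora path that the
# substitutions above map to (the thread's examples use Debian's /lib).
FILE_CONTEXTS = r"""
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
/usr/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/usr/lib/systemd/system/named\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""

def parse_subs(text):
    """Return (src, dst) prefix pairs, longest src first so the most specific applies."""
    pairs = [tuple(line.split()) for line in text.splitlines() if line.strip()]
    return sorted(pairs, key=lambda p: len(p[0]), reverse=True)

def substitute(path, subs):
    """Rewrite a matching prefix; assumed to apply only at a path-component boundary."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def parse_fc(text):
    """Parse 'regex [filetype] gen_context(ctx)' lines into (compiled regex, ctx)."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            m = re.match(r"(\S+)\s+(?:-\S\s+)?gen_context\(([^)]*)\)", line)
            entries.append((re.compile("^" + m.group(1) + "$"), m.group(2)))
    return entries

def lookup(path, fc_text=FILE_CONTEXTS, subs_text=SUBS_DIST):
    """Label a regular file: apply subs_dist, then keep the last matching entry (assumed order)."""
    canon = substitute(path, parse_subs(subs_text))
    label = None
    for regex, ctx in parse_fc(fc_text):
        if regex.match(canon):
            label = ctx  # later entries override earlier ones
    return label
```

Calling lookup() on /etc/systemd/system/alsa-state.service yields alsa_unit_file_t through the equivalence, while the same file under /lib/systemd/system gets no label because nothing maps the Debian prefix.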