From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 14 Jan 2014 14:03:04 +0100
Subject: [refpolicy] systemd policy
In-Reply-To: <20140114133512.31b6436e@soldur.bigon.be>
References: <5992094.YlEUt0BCZP@russell.coker.com.au>
 <5347508.kSSh66cgIv@russell.coker.com.au>
 <52D401D3.5040900@redhat.com>
 <3417214.hAyNvCIVsu@russell.coker.com.au>
 <1389692783.28251.8.camel@x220.localdomain>
 <20140114133512.31b6436e@soldur.bigon.be>
Message-ID: <1389704584.28251.45.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2014-01-14 at 13:35 +0100, Laurent Bigonville wrote:
> On Tue, 14 Jan 2014 10:46:23 +0100, Dominick Grift wrote:
>
> > On Tue, 2014-01-14 at 10:37 +1100, Russell Coker wrote:
> > > On Mon, 13 Jan 2014 10:10:11 Daniel J Walsh wrote:
> > > > Having separate labels on the unit file is not just for "user"
> > > > domains. It is also for system domains, for example
> > > > NetworkManager_t is allowed to start the following services.
> > >
> > > OK.
> > >
> > > I've attached a patch I'm using which defines some unit types and
> > > adds fc entries. Some of them are missing fc entries, presumably
> > > because the daemons in question didn't have unit files at the time
> > > (this policy was taken from Fedora some time ago).
> > >
> > > I've also added a stub systemd_unit_file() in init.if. The full
> > > systemd policy patch will have to remove that. I think this is OK
> > > to get the uncontroversial stuff included in the tree sooner.
> >
> > Please send your patches in-line so that we can easily comment on
> > them.
> >
> > Here is one thing that can be improved in your patch:
> >
> > This is how it's supposed to be:
> >
> > /lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
> >
> > These are not optimal and it's inconsistent with the above:
> >
> > /lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
> >
> > You see:
> >
> > # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
> > /run/systemd/system /usr/lib/systemd/system
> > /run/systemd/generator /usr/lib/systemd/system
> > /etc/systemd/system /usr/lib/systemd/system
> >
> > So /etc/systemd/system is equivalent to /usr/lib/systemd/system
>
> Here comes a question: are we using the Fedora or the Debian paths for
> systemd? In Fedora everything is in /usr/lib/systemd, in Debian
> it's /lib/systemd. This should be standardized, and then we can add an
> equivalence for the others. I personally don't care, as most of the
> patches will come from Fedora, I guess we could use the Fedora way.

Good question. I think it's probably easier to make /lib(64)? equivalent to /usr/lib(64)?

E.g. use /usr/lib(64)? and add:

/lib /usr/lib
/lib64 /usr/lib64

.. to file_contexts.subs_dist
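As an added illustration of the subs_dist equivalence discussed in this thread (example code, not refpolicy or libselinux code): a simplified Python model that applies a file_contexts.subs_dist prefix substitution to a path and then matches the rewritten path against file_contexts entries. The entries are constructed for the example and include the /lib -> /usr/lib mapping proposed above; it assumes longest-prefix substitution and last-match-wins lookup with file-type filtering.

```python
import re

# Added model (not refpolicy or libselinux code) of how a file_contexts.subs_dist
# substitution is applied to a path before file_contexts entries are matched.
# Both tables are constructed; the /lib lines are the mapping proposed in the mail.
SUBS_DIST = """
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/etc/systemd/system /usr/lib/systemd/system
/lib /usr/lib
/lib64 /usr/lib64
"""
FILE_CONTEXTS = r"""
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
/usr/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
/usr/lib/systemd/system/named\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
"""

def parse_subs(text):
    """(src, dst) prefix pairs, longest src first (assumption: longest prefix wins)."""
    pairs = [tuple(line.split()) for line in text.splitlines() if line.strip()]
    return sorted(pairs, key=lambda p: len(p[0]), reverse=True)

def substitute(path, subs):
    """Rewrite a leading directory prefix listed in subs_dist, whole components only."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def parse_file_contexts(text):
    """(regex, file type or None, context) with gen_context(ctx,level) expanded to ctx:level."""
    specs = []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        ctx = re.fullmatch(r"gen_context\(([^,]+),(\w+)\)", parts[-1])
        specs.append((parts[0], parts[1] if len(parts) == 3 else None,
                      f"{ctx.group(1)}:{ctx.group(2)}"))
    return specs

def lookup(path, ftype, subs, specs):
    """Context for path: substitute first, then the last matching entry whose file type fits wins."""
    path = substitute(path, subs)
    for regex, spec_type, ctx in reversed(specs):
        if spec_type in (None, ftype) and re.fullmatch(regex, path):
            return ctx
    return None  # no entry matches: the file stays unlabeled

SUBS = parse_subs(SUBS_DIST)
SPECS = parse_file_contexts(FILE_CONTEXTS)
```

With the /lib mapping in place, a single /usr/lib/systemd/system entry labels the Debian /lib path and the /etc/systemd/system path alike, which is the equivalence the thread is after.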