From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 6 Feb 2014 09:40:51 -0500
Subject: [refpolicy] systemd policy
In-Reply-To: <2057214.LVlr9fzTya@russell.coker.com.au>
References: <5992094.YlEUt0BCZP@russell.coker.com.au> <3417214.hAyNvCIVsu@russell.coker.com.au> <1389692783.28251.8.camel@x220.localdomain> <2057214.LVlr9fzTya@russell.coker.com.au>
Message-ID: <52F39EF3.7000603@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/27/14 01:56, Russell Coker wrote:
> On Tue, 14 Jan 2014 10:46:23 Dominick Grift wrote:
>>> I've attached a patch I'm using which defines some unit types and adds fc
>>> entries. Some of them are missing fc entries, presumably because the
>>> daemons in question didn't have unit files at the time (this policy was
>>> taken from Fedora some time ago).
>>>
>>> I've also added a stub systemd_unit_file() in init.if. The full systemd
>>> policy patch will have to remove that. I think this is OK to get the
>>> uncontroversial stuff included in the tree sooner.
>>
>> Please send your patches in-line so that we can easily comment on them.
>>
>> Here is one thing that can be improved in your patch:
>>
>> This is how it's supposed to be:
>>
>> /lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
>>
>> These are not optimal and it's inconsistent with above:
>>
>> /lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
>>
>> You see:
>>
>> # grep system /etc/selinux/targeted/contexts/files/*.subs_dist
>> /run/systemd/system /usr/lib/systemd/system
>> /run/systemd/generator /usr/lib/systemd/system
>> /etc/systemd/system /usr/lib/systemd/system
>>
>> So /etc/systemd/system is equivalent to /usr/lib/systemd/system
>>
>> Now consider me having a name daemon dns server on each of my two
>> networks. Then I need an instance for each. So I create two "named" unit
>> files in /etc/systemd/system/named_{network1,network2}.service
>>
>> So we can use the .* wildcard to catch these?
>>
>> So I would suggest we create file contexts for unit files with .*
>> consistently to catch prefixed service files
>
> How is this?

The name of the interface would have to start with init. It makes me wonder if we should extend the init_service_domain()/init_daemon_domain() interfaces instead. The unit file is related to the domain starting up from init/systemd, so one might argue it goes with those interfaces.

> Description: Add systemd unit types
> Author: Russell Coker
> Last-Update: 2014-01-12
>
> --- a/policy/modules/contrib/alsa.fc > +++ b/policy/modules/contrib/alsa.fc > @@ -24,3 +24,4 @@ > /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) > > /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) > +/lib/systemd/system/alsa.*\.service -- > gen_context(system_u:object_r:alsa_unit_file_t,s0) > --- a/policy/modules/contrib/alsa.te > +++ b/policy/modules/contrib/alsa.te > @@ -27,6 +27,9 @@ > type alsa_home_t; > userdom_user_home_content(alsa_home_t) > > +type alsa_unit_file_t; > +systemd_unit_file(alsa_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/apache.fc > +++ b/policy/modules/contrib/apache.fc > @@ -26,6 +26,9 @@ > /etc/WebCalendar(/.*)? > gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /etc/zabbix/web(/.*)? > gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > > +/lib/systemd/system/httpd.*\.service -- > gen_context(system_u:object_r:httpd_unit_file_t,s0) > +/lib/systemd/system/jetty.*\.service -- > gen_context(system_u:object_r:httpd_unit_file_t,s0) > + > /opt/.*\.cgi -- > gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) > /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? > gen_context(system_u:object_r:httpd_var_run_t,s0) > > --- a/policy/modules/contrib/apache.te 
> +++ b/policy/modules/contrib/apache.te > @@ -286,6 +286,8 @@ > type httpd_keytab_t; > files_type(httpd_keytab_t) > > +type httpd_unit_file_t; > +systemd_unit_file(httpd_unit_file_t) > type httpd_lock_t; > files_lock_file(httpd_lock_t) > > --- a/policy/modules/contrib/apcupsd.fc > +++ b/policy/modules/contrib/apcupsd.fc > @@ -1,5 +1,7 @@ > /etc/rc\.d/init\.d/apcupsd -- > gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) > > +/lib/systemd/system/apcupsd.*\.service -- > gen_context(system_u:object_r:apcupsd_unit_file_t,s0) > + > /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) > > /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) > --- a/policy/modules/contrib/apcupsd.te > +++ b/policy/modules/contrib/apcupsd.te > @@ -24,6 +24,9 @@ > type apcupsd_var_run_t; > files_pid_file(apcupsd_var_run_t) > > +type apcupsd_unit_file_t; > +systemd_unit_file(apcupsd_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/apm.fc > +++ b/policy/modules/contrib/apm.fc > @@ -17,3 +17,5 @@ > /var/run/powersave_socket -s > gen_context(system_u:object_r:apmd_var_run_t,s0) > > /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) > + > +/lib/systemd/system/apmd.*\.service -- > gen_context(system_u:object_r:apmd_unit_file_t,s0) > --- a/policy/modules/contrib/apm.te > +++ b/policy/modules/contrib/apm.te > @@ -35,6 +35,9 @@ > type apmd_var_run_t; > files_pid_file(apmd_var_run_t) > > +type apmd_unit_file_t; > +systemd_unit_file(apmd_unit_file_t) > + > ######################################## > # > # Client local policy > --- a/policy/modules/contrib/arpwatch.fc > +++ b/policy/modules/contrib/arpwatch.fc 
> @@ -7,3 +7,5 @@ > /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) > > /var/run/arpwatch.*\.pid -- > gen_context(system_u:object_r:arpwatch_var_run_t,s0) > + > +/lib/systemd/system/arpwatch.*\.service -- > gen_context(system_u:object_r:arpwatch_unit_file_t,s0) > --- a/policy/modules/contrib/arpwatch.te > +++ b/policy/modules/contrib/arpwatch.te > @@ -21,6 +21,9 @@ > type arpwatch_var_run_t; > files_pid_file(arpwatch_var_run_t) > > +type arpwatch_unit_file_t; > +systemd_unit_file(arpwatch_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/automount.fc > +++ b/policy/modules/contrib/automount.fc > @@ -6,3 +6,5 @@ > /var/lock/subsys/autofs -- > gen_context(system_u:object_r:automount_lock_t,s0) > > /var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) > + > +/lib/systemd/system/autofs.*\.service -- > gen_context(system_u:object_r:automount_unit_file_t,s0) > --- a/policy/modules/contrib/automount.te > +++ b/policy/modules/contrib/automount.te > @@ -25,6 +25,9 @@ > type automount_var_run_t; > files_pid_file(automount_var_run_t) > > +type automount_unit_file_t; > +systemd_unit_file(automount_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/avahi.fc > +++ b/policy/modules/contrib/avahi.fc > @@ -7,3 +7,5 @@ > /var/run/avahi-daemon(/.*)? > gen_context(system_u:object_r:avahi_var_run_t,s0) > > /var/lib/avahi-autoipd(/.*)? > gen_context(system_u:object_r:avahi_var_lib_t,s0) > + > +/lib/systemd/system/avahi.*\.service -- > gen_context(system_u:object_r:avahi_unit_file_t,s0) > --- a/policy/modules/contrib/avahi.te > +++ b/policy/modules/contrib/avahi.te > @@ -18,6 +18,9 @@ > type avahi_var_run_t; > files_pid_file(avahi_var_run_t) > > +type avahi_unit_file_t; > +systemd_unit_file(avahi_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/bind.fc 
> +++ b/policy/modules/contrib/bind.fc > @@ -14,6 +14,9 @@ > /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) > /etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) > > +/lib/systemd/system/unbound.*\.service -- > gen_context(system_u:object_r:named_unit_file_t,s0) > +/lib/systemd/system/named.*\.service -- > gen_context(system_u:object_r:named_unit_file_t,s0) > + > /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) > /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) > /usr/sbin/named-checkconf -- > gen_context(system_u:object_r:named_checkconf_exec_t,s0) > --- a/policy/modules/contrib/bind.te > +++ b/policy/modules/contrib/bind.te > @@ -47,6 +47,9 @@ > type named_keytab_t; > files_type(named_keytab_t) > > +type named_unit_file_t; > +systemd_unit_file(named_unit_file_t) > + > type named_log_t; > logging_log_file(named_log_t) > > --- a/policy/modules/contrib/bluetooth.fc > +++ b/policy/modules/contrib/bluetooth.fc > @@ -22,3 +22,5 @@ > > /var/run/bluetoothd_address -- > gen_context(system_u:object_r:bluetooth_var_run_t,s0) > /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) > + > +/lib/systemd/system/bluetooth.*\.service -- > gen_context(system_u:object_r:bluetooth_unit_file_t,s0) > --- a/policy/modules/contrib/bluetooth.te > +++ b/policy/modules/contrib/bluetooth.te > @@ -49,6 +49,9 @@ > type bluetooth_var_run_t; > files_pid_file(bluetooth_var_run_t) > > +type bluetooth_unit_file_t; > +systemd_unit_file(bluetooth_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/clamav.fc > +++ b/policy/modules/contrib/clamav.fc > @@ -24,3 +24,5 @@ > /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) > > /var/spool/amavisd/clamd\.sock -s > gen_context(system_u:object_r:clamd_var_run_t,s0) > + > +/lib/systemd/system/clamd.*\.service -- > gen_context(system_u:object_r:clamd_unit_file_t,s0) 
> --- a/policy/modules/contrib/clamav.te > +++ b/policy/modules/contrib/clamav.te > @@ -38,6 +38,9 @@ > type clamd_initrc_exec_t; > init_script_file(clamd_initrc_exec_t) > > +type clamd_unit_file_t; > +systemd_unit_file(clamd_unit_file_t) > + > type clamd_tmp_t; > files_tmp_file(clamd_tmp_t) > > --- a/policy/modules/contrib/consolekit.fc > +++ b/policy/modules/contrib/consolekit.fc > @@ -1,3 +1,5 @@ > +/lib/systemd/system/console-kit.*\.service -- > gen_context(system_u:object_r:consolekit_unit_file_t,s0) > + > /usr/sbin/console-kit-daemon -- > gen_context(system_u:object_r:consolekit_exec_t,s0) > > /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) > --- a/policy/modules/contrib/consolekit.te > +++ b/policy/modules/contrib/consolekit.te > @@ -19,6 +19,9 @@ > files_pid_file(consolekit_var_run_t) > init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") > > +type consolekit_unit_file_t; > +systemd_unit_file(consolekit_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/cron.fc > +++ b/policy/modules/contrib/cron.fc > @@ -64,3 +64,6 @@ > /var/spool/cron/lastrun/[^/]* -- <> > /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) > ') > + > +/lib/systemd/system/atd.*\.service -- > gen_context(system_u:object_r:crond_unit_file_t,s0) > +/lib/systemd/system/crond.*\.service -- > gen_context(system_u:object_r:crond_unit_file_t,s0) > --- a/policy/modules/contrib/cron.te > +++ b/policy/modules/contrib/cron.te > @@ -71,6 +71,9 @@ > type crond_initrc_exec_t; > init_script_file(crond_initrc_exec_t) > > +type crond_unit_file_t; > +systemd_unit_file(crond_unit_file_t) > + > type crond_tmp_t; > files_tmp_file(crond_tmp_t) > files_poly_parent(crond_tmp_t) > --- a/policy/modules/contrib/cups.fc > +++ b/policy/modules/contrib/cups.fc 
> @@ -75,3 +75,5 @@ > /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) > /var/run/udev-configure-printer(/.*)? > gen_context(system_u:object_r:cupsd_config_var_run_t,s0) > /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) > + > +/lib/systemd/system/cups.*\.service -- > gen_context(system_u:object_r:cupsd_unit_file_t,s0) > --- a/policy/modules/contrib/cups.te > +++ b/policy/modules/contrib/cups.te > @@ -62,6 +62,9 @@ > init_daemon_run_dir(cupsd_var_run_t, "cups") > mls_trusted_object(cupsd_var_run_t) > > +type cupsd_unit_file_t; > +systemd_unit_file(cupsd_unit_file_t) > + > type hplip_t; > type hplip_exec_t; > init_daemon_domain(hplip_t, hplip_exec_t) > --- a/policy/modules/contrib/dhcp.fc > +++ b/policy/modules/contrib/dhcp.fc > @@ -6,3 +6,4 @@ > /var/lib/dhcp(3)?/dhcpd\.leases.* -- > gen_context(system_u:object_r:dhcpd_state_t,s0) > > /var/run/dhcpd(6)?\.pid -- > gen_context(system_u:object_r:dhcpd_var_run_t,s0) > +/lib/systemd/system/dhcpcd.*\.service -- > gen_context(system_u:object_r:dhcpd_unit_file_t,s0) > --- a/policy/modules/contrib/dhcp.te > +++ b/policy/modules/contrib/dhcp.te > @@ -20,6 +20,9 @@ > type dhcpd_initrc_exec_t; > init_script_file(dhcpd_initrc_exec_t) > > +type dhcpd_unit_file_t; > +systemd_unit_file(dhcpd_unit_file_t) > + > type dhcpd_state_t; > files_type(dhcpd_state_t) > > --- a/policy/modules/contrib/dnsmasq.fc > +++ b/policy/modules/contrib/dnsmasq.fc > @@ -12,3 +12,4 @@ > > /var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) > /var/run/libvirt/network(/.*)? > gen_context(system_u:object_r:dnsmasq_var_run_t,s0) > +/lib/systemd/system/dnsmasq.*\.service -- > gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) > --- a/policy/modules/contrib/dnsmasq.te > +++ b/policy/modules/contrib/dnsmasq.te 
> @@ -24,6 +24,9 @@ > type dnsmasq_var_run_t; > files_pid_file(dnsmasq_var_run_t) > > +type dnsmasq_unit_file_t; > +systemd_unit_file(dnsmasq_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/contrib/ftp.fc > +++ b/policy/modules/contrib/ftp.fc > @@ -26,3 +26,6 @@ > /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) > /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) > /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) > + > +/lib/systemd/system/vsftpd.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > +/lib/systemd/system/proftpd.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > --- a/policy/modules/contrib/ftp.te > +++ b/policy/modules/contrib/ftp.te > @@ -127,6 +127,9 @@ > type ftpd_keytab_t; > files_type(ftpd_keytab_t) > > +type ftpd_unit_file_t; > +systemd_unit_file(ftpd_unit_file_t) > + > type ftpd_lock_t; > files_lock_file(ftpd_lock_t) > > --- a/policy/modules/contrib/kdump.fc > +++ b/policy/modules/contrib/kdump.fc > @@ -11,3 +11,5 @@ > > /usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) > /usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) > + > +/lib/systemd/system/kdump.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > --- a/policy/modules/contrib/kdump.te > +++ b/policy/modules/contrib/kdump.te > @@ -23,6 +23,9 @@ > type kdumpctl_tmp_t; > files_tmp_file(kdumpctl_tmp_t) > > +type kdump_unit_file_t; > +systemd_unit_file(kdump_unit_file_t) > + > ##################################### > # > # Local policy > --- a/policy/modules/contrib/ldap.fc > +++ b/policy/modules/contrib/ldap.fc 
> @@ -27,3 +27,5 @@ > /var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) > /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) > /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) > + > +/lib/systemd/system/slapd.*\.service -- > gen_context(system_u:object_r:slapd_unit_file_t,s0) > --- a/policy/modules/contrib/ldap.te > +++ b/policy/modules/contrib/ldap.te > @@ -24,6 +24,9 @@ > type slapd_keytab_t; > files_type(slapd_keytab_t) > > +type slapd_unit_file_t; > +systemd_unit_file(slapd_unit_file_t) > + > type slapd_lock_t; > files_lock_file(slapd_lock_t) > > --- a/policy/modules/contrib/mysql.fc > +++ b/policy/modules/contrib/mysql.fc > @@ -25,3 +25,5 @@ > /var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) > /var/run/mysqlmanager.* -- > gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) > /var/run/mysqld/mysqlmanager.* -- > gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) > + > +/lib/systemd/system/mysqld.*\.service -- > gen_context(system_u:object_r:mysqld_unit_file_t,s0) > --- a/policy/modules/contrib/mysql.te > +++ b/policy/modules/contrib/mysql.te > @@ -38,6 +38,9 @@ > type mysqld_home_t; > userdom_user_home_content(mysqld_home_t) > > +type mysqld_unit_file_t; > +systemd_unit_file(mysqld_unit_file_t) > + > type mysqld_initrc_exec_t; > init_script_file(mysqld_initrc_exec_t) > > --- a/policy/modules/contrib/networkmanager.fc > +++ b/policy/modules/contrib/networkmanager.fc > @@ -1,3 +1,4 @@ > +/lib/systemd/system/NetworkManager.*\.service -- > gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) > /etc/rc\.d/init\.d/wicd -- > gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) > > /etc/NetworkManager(/.*)? > gen_context(system_u:object_r:NetworkManager_etc_t,s0) > --- a/policy/modules/contrib/networkmanager.te > +++ b/policy/modules/contrib/networkmanager.te 
> @@ -18,6 +18,9 @@ > type NetworkManager_initrc_exec_t; > init_script_file(NetworkManager_initrc_exec_t) > > +type NetworkManager_unit_file_t; > +systemd_unit_file(NetworkManager_unit_file_t) > + > type NetworkManager_log_t; > logging_log_file(NetworkManager_log_t) > > --- a/policy/modules/contrib/nis.fc > +++ b/policy/modules/contrib/nis.fc > @@ -20,3 +20,8 @@ > /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) > /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) > /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) > + > +/lib/systemd/system/ypbind.*\.service -- > gen_context(system_u:object_r:ypbind_unit_file_t,s0) > +/lib/systemd/system/ypserv.*\.service -- > gen_context(system_u:object_r:nis_unit_file_t,s0) > +/lib/systemd/system/yppasswdd.*\.service -- > gen_context(system_u:object_r:nis_unit_file_t,s0) > +/lib/systemd/system/ypxfrd.*\.service -- > gen_context(system_u:object_r:nis_unit_file_t,s0) > --- a/policy/modules/contrib/nis.te > +++ b/policy/modules/contrib/nis.te > @@ -27,6 +27,9 @@ > type ypbind_var_run_t; > files_pid_file(ypbind_var_run_t) > > +type ypbind_unit_file_t; > +systemd_unit_file(ypbind_unit_file_t) > + > type yppasswdd_t; > type yppasswdd_exec_t; > init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) > @@ -55,6 +58,9 @@ > type ypxfr_var_run_t; > files_pid_file(ypxfr_var_run_t) > > +type nis_unit_file_t; > +systemd_unit_file(nis_unit_file_t) > + > ######################################## > # > # ypbind local policy > --- a/policy/modules/contrib/nscd.te > +++ b/policy/modules/contrib/nscd.te > @@ -31,6 +31,9 @@ > type nscd_initrc_exec_t; > init_script_file(nscd_initrc_exec_t) > > +type nscd_unit_file_t; > +systemd_unit_file(nscd_unit_file_t) > + > type nscd_log_t; > logging_log_file(nscd_log_t) > > --- a/policy/modules/contrib/ntp.fc > +++ b/policy/modules/contrib/ntp.fc 
> @@ -21,3 +21,7 @@ > /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) > > /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) > + > +/lib/systemd/system/ntpd.*\.service -- > gen_context(system_u:object_r:ntpd_unit_file_t,s0) > + > +/usr/lib/systemd/system/ntpd.*\.service -- > gen_context(system_u:object_r:ntpd_unit_file_t,s0) > --- a/policy/modules/contrib/ntp.te > +++ b/policy/modules/contrib/ntp.te > @@ -21,6 +21,9 @@ > type ntp_conf_t; > files_config_file(ntp_conf_t) > > +type ntpd_unit_file_t; > +systemd_unit_file(ntpd_unit_file_t) > + > type ntpd_key_t; > files_type(ntpd_key_t) > > --- a/policy/modules/contrib/ppp.fc > +++ b/policy/modules/contrib/ppp.fc > @@ -28,3 +28,5 @@ > /var/run/pppd[0-9]*\.tdb -- > gen_context(system_u:object_r:pppd_var_run_t,s0) > /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) > /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) > + > +/lib/systemd/system/ppp.*\.service -- > gen_context(system_u:object_r:pppd_unit_file_t,s0) > --- a/policy/modules/contrib/ppp.te > +++ b/policy/modules/contrib/ppp.te > @@ -41,6 +41,9 @@ > type pppd_initrc_exec_t alias pppd_script_exec_t; > init_script_file(pppd_initrc_exec_t) > > +type pppd_unit_file_t; > +systemd_unit_file(pppd_unit_file_t) > + > type pppd_secret_t; > files_type(pppd_secret_t) > > --- a/policy/modules/contrib/rpc.fc > +++ b/policy/modules/contrib/rpc.fc > @@ -20,3 +20,6 @@ > > /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) > /var/run/rpc\.statd\.pid -- > gen_context(system_u:object_r:rpcd_var_run_t,s0) > + > +/lib/systemd/system/nfs.*\.service -- > gen_context(system_u:object_r:nfsd_unit_file_t,s0) > +/lib/systemd/system/rpc.*\.service -- > gen_context(system_u:object_r:rpcd_unit_file_t,s0) > --- a/policy/modules/contrib/rpc.te > +++ b/policy/modules/contrib/rpc.te 
> @@ -44,11 +44,17 @@ > type rpcd_initrc_exec_t; > init_script_file(rpcd_initrc_exec_t) > > +type rpcd_unit_file_t; > +systemd_unit_file(rpcd_unit_file_t) > + > rpc_domain_template(nfsd) > > type nfsd_initrc_exec_t; > init_script_file(nfsd_initrc_exec_t) > > +type nfsd_unit_file_t; > +systemd_unit_file(nfsd_unit_file_t) > + > type nfsd_rw_t; > files_type(nfsd_rw_t) > > --- a/policy/modules/contrib/samba.fc > +++ b/policy/modules/contrib/samba.fc > @@ -8,6 +8,8 @@ > /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) > /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) > > +/lib/systemd/system/smb.*\.service -- > gen_context(system_u:object_r:samba_unit_file_t,s0) > + > /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) > /usr/bin/ntlm_auth -- > gen_context(system_u:object_r:winbind_helper_exec_t,s0) > /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) > --- a/policy/modules/contrib/samba.te > +++ b/policy/modules/contrib/samba.te > @@ -113,6 +113,9 @@ > type samba_initrc_exec_t; > init_script_file(samba_initrc_exec_t) > > +type samba_unit_file_t; > +systemd_unit_file(samba_unit_file_t) > + > type samba_log_t; > logging_log_file(samba_log_t) > > --- a/policy/modules/contrib/tor.fc > +++ b/policy/modules/contrib/tor.fc > @@ -5,6 +5,8 @@ > /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) > /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) > > +/lib/systemd/system/tor.*\.service -- > gen_context(system_u:object_r:tor_unit_file_t,s0) > + > /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) > /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) > > --- a/policy/modules/contrib/tor.te > +++ b/policy/modules/contrib/tor.te 
> @@ -33,6 +33,9 @@ > files_pid_file(tor_var_run_t) > init_daemon_run_dir(tor_var_run_t, "tor") > > +type tor_unit_file_t; > +systemd_unit_file(tor_unit_file_t) > + > ######################################## > # > # Local policy > --- a/policy/modules/system/iptables.fc > +++ b/policy/modules/system/iptables.fc > @@ -3,6 +3,9 @@ > /etc/sysconfig/ip6?tables.* -- > gen_context(system_u:object_r:iptables_conf_t,s0) > /etc/sysconfig/system-config-firewall.* -- > gen_context(system_u:object_r:iptables_conf_t,s0) > > +/lib/systemd/system/iptables.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > +/lib/systemd/system/ip6tables.*\.service -- > gen_context(system_u:object_r:iptables_unit_file_t,s0) > + > /sbin/ebtables -- > gen_context(system_u:object_r:iptables_exec_t,s0) > /sbin/ebtables-restore -- > gen_context(system_u:object_r:iptables_exec_t,s0) > /sbin/ipchains.* -- > gen_context(system_u:object_r:iptables_exec_t,s0) > --- a/policy/modules/system/iptables.te > +++ b/policy/modules/system/iptables.te > @@ -25,6 +25,9 @@ > type iptables_var_run_t; > files_pid_file(iptables_var_run_t) > > +type iptables_unit_file_t; > +systemd_unit_file(iptables_unit_file_t) > + > ######################################## > # > # Iptables local policy > --- a/policy/modules/system/logging.fc > +++ b/policy/modules/system/logging.fc > @@ -6,6 +6,8 @@ > /etc/rc\.d/init\.d/auditd -- > gen_context(system_u:object_r:auditd_initrc_exec_t,s0) > /etc/rc\.d/init\.d/rsyslog -- > gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > > +/lib/systemd/system/auditd.*\.service -- > gen_context(system_u:object_r:auditd_unit_file_t,s0) > + > /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) > /sbin/audisp-remote -- > gen_context(system_u:object_r:audisp_remote_exec_t,s0) > /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) 
> @@ -23,6 +25,7 @@ > /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) > /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) > /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) > +/lib/systemd/system/rsyslog.*\.service -- > gen_context(system_u:object_r:syslogd_unit_file_t,s0) > > /var/lib/misc/syslog-ng.persist-? -- > gen_context(system_u:object_r:syslogd_var_lib_t,s0) > /var/lib/syslog-ng(/.*)? > gen_context(system_u:object_r:syslogd_var_lib_t,s0) > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -12,6 +12,9 @@ > init_system_domain(auditctl_t, auditctl_exec_t) > role system_r types auditctl_t; > > +type auditd_unit_file_t; > +systemd_unit_file(auditd_unit_file_t) > + > type auditd_etc_t; > files_security_file(auditd_etc_t) > > @@ -65,6 +68,9 @@ > type syslogd_exec_t; > init_daemon_domain(syslogd_t, syslogd_exec_t) > > +type syslogd_unit_file_t; > +systemd_unit_file(syslogd_unit_file_t) > + > type syslogd_initrc_exec_t; > init_script_file(syslogd_initrc_exec_t) > > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -389,10 +389,14 @@ > class system > { > ipc_info > - syslog_read > + syslog_read > syslog_mod > syslog_console > module_request > + halt > + reboot > + status > + undefined > } > > # > @@ -865,3 +869,20 @@ > implement > execute > } > + > +class service > +{ > + start > + stop > + status > + reload > + kill > + load > + enable > + disable > +} > + > +class proxy > +{ > + read > +} > --- a/policy/flask/security_classes > +++ b/policy/flask/security_classes > @@ -131,4 +131,10 @@ > class db_sequence # userspace > class db_language # userspace > > +# systemd services > +class service > + > +# gssd services > +class proxy > + > # FLASK > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if 
> @@ -1844,3 +1844,17 @@ > ') > corenet_udp_recvfrom_labeled($1, daemon) > ') > + > +####################################### > +## > +## Create a file type used for systemd unit files. > +## > +## > +## > +## Type to be used for an unit file. > +## > +## > +# > +interface(`systemd_unit_file',` > + files_type($1) > +') > --- a/policy/modules/system/selinuxutil.fc > +++ b/policy/modules/system/selinuxutil.fc > @@ -36,6 +36,7 @@ > > /usr/sbin/load_policy -- > gen_context(system_u:object_r:load_policy_exec_t,s0) > /usr/sbin/restorecond -- > gen_context(system_u:object_r:restorecond_exec_t,s0) > +/lib/systemd/system/restorecond.*\.service -- > gen_context(system_u:object_r:restorecond_unit_file_t,s0) > /usr/sbin/run_init -- > gen_context(system_u:object_r:run_init_exec_t,s0) > /usr/sbin/setfiles.* -- > gen_context(system_u:object_r:setfiles_exec_t,s0) > /usr/sbin/setsebool -- > gen_context(system_u:object_r:semanage_exec_t,s0) > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -85,6 +85,9 @@ > domain_obj_id_change_exemption(restorecond_t) > role system_r types restorecond_t; > > +type restorecond_unit_file_t; > +systemd_unit_file(restorecond_unit_file_t) > + > type restorecond_var_run_t; > files_pid_file(restorecond_var_run_t) > > --- a/policy/modules/system/setrans.fc > +++ b/policy/modules/system/setrans.fc > @@ -1,5 +1,6 @@ > /etc/rc\.d/init\.d/mcstrans -- > gen_context(system_u:object_r:setrans_initrc_exec_t,s0) > > /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) > +/lib/systemd/system/mcstrans.*\.service -- > gen_context(system_u:object_r:setrans_unit_file_t,s0) > > /var/run/setrans(/.*)? > gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) > --- a/policy/modules/system/setrans.te > +++ b/policy/modules/system/setrans.te 
> @@ -13,6 +13,9 @@ > type setrans_exec_t; > init_daemon_domain(setrans_t, setrans_exec_t) > > +type setrans_unit_file_t; > +systemd_unit_file(setrans_unit_file_t) > + > type setrans_initrc_exec_t; > init_script_file(setrans_initrc_exec_t) > > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
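Review bot: the ftp.fc hunk labels both new entries with the wrong type. `/lib/systemd/system/vsftpd.*\.service` and `/lib/systemd/system/proftpd.*\.service` are given `iptables_unit_file_t`, while the ftp.te hunk in the same patch declares `ftpd_unit_file_t` for exactly this purpose. As written, `ftpd_unit_file_t` is never applied to any file and the ftp module's fc file references a type owned by the iptables module, which will not resolve when the module is linked on its own. Both lines should read `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`.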
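Review bot: the kdump.fc hunk has the same copy-paste slip as ftp.fc: `/lib/systemd/system/kdump.*\.service` is labelled `iptables_unit_file_t`, but the kdump.te hunk declares `kdump_unit_file_t`. Change the entry to `gen_context(system_u:object_r:kdump_unit_file_t,s0)` so the type declared in kdump.te is actually used and kdump.fc stops depending on the iptables module.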
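Review bot: in the dhcp.fc hunk the pattern `/lib/systemd/system/dhcpcd.*\.service` names dhcpcd, the DHCP client, whereas everything else in this file (`dhcpd\.leases`, `dhcpd(6)?\.pid`) and the `dhcpd_unit_file_t` type it assigns belong to the dhcpd server; a `dhcpd.service` unit would not be matched at all. The daemon name in the pattern should presumably be `dhcpd`, i.e. `/lib/systemd/system/dhcpd.*\.service`.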
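Review bot: the nscd.te hunk declares `nscd_unit_file_t`, but there is no nscd.fc hunk anywhere in the patch, so nothing ever gets that label. Either add the matching fc entry following the convention used by the other modules here, or leave the type out until a unit file entry exists; the cover text says some modules are missing fc entries, and this is the one in the patch where the type was added anyway.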
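Review bot: the ntp.fc hunk is the only one in the patch that adds both `/lib/systemd/system/ntpd.*\.service` and `/usr/lib/systemd/system/ntpd.*\.service`. Pick one prefix for the whole patch: given the subs_dist lines quoted earlier in the thread (the /etc and /run unit directories map to /usr/lib/systemd/system), a unit installed under /etc/systemd/system is looked up as a /usr/lib/systemd/system path, which the `/lib/systemd/system` entries used by every other module do not match unless the system also substitutes /lib with /usr/lib. Either every module needs the /usr/lib entry or none does; a lone duplicate in ntp.fc hides that question rather than answering it.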
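Review bot: in the rpc.fc hunk, `/lib/systemd/system/rpc.*\.service` is much broader than the other patterns in this patch, which anchor on a daemon name and use `.*` only to catch prefixed instances such as the `named_network1.service` example from the thread. `rpc.*` matches any unit whose name merely begins with `rpc`, including units of daemons this module does not confine, and hands them `rpcd_unit_file_t`. Narrow it to the daemons rpc.fc actually covers (the file already lists `rpc\.statd`) in the same style as the surrounding hunks.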
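Review bot: the access_vectors hunk's first change, `- syslog_read` / `+ syslog_read`, alters only whitespace on an existing line and should be dropped. More importantly, the additions to class `system` (`halt`, `reboot`, `status`, `undefined`) and the new `service` and `proxy` classes change the policy's class and permission set, which has nothing to do with "Add systemd unit types" in the description; the security_classes hunk itself says `proxy` is for gssd, not systemd. These belong in a separate patch with their own justification so the uncontroversial unit file types can go in on their own, as the cover text intends.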
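Review bot: in the security_classes hunk the new `class service` and `class proxy` lines lack the `# userspace` marker that the neighbouring entries carry (`class db_sequence # userspace`, `class db_language # userspace`). Both classes are enforced by userspace object managers rather than the kernel, so they should be annotated the same way to keep the file's convention intact.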
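Review bot: the init.if hunk's description says "Type to be used for an unit file"; that should be "a unit file". The body is just `files_type($1)`, so the domains using it still get no rules for their own unit files. That is acceptable for a stub, but the comment should say it is a stub and, since the interface lives in init.if, its name needs the `init_` prefix rather than `systemd_` to follow the module naming convention.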
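Review bot: the second logging.fc hunk drops `/lib/systemd/system/rsyslog.*\.service` directly after the `/usr/sbin/syslogd` line, in the middle of the /usr/sbin block and out of path order; the selinuxutil.fc and setrans.fc hunks do the same between /usr/sbin and /sbin entries, while most other hunks append the entry at the end of the file after a blank line. fc files are kept in path order with a blank line between path groups, so each `/lib/systemd/system` entry should sit in its sorted position (after the /etc entries, before /sbin and /usr) and the placement should be the same in every module touched here.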
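Review bot: in the apache.te hunk the new `type httpd_unit_file_t;` / `systemd_unit_file(httpd_unit_file_t)` pair runs straight into `type httpd_lock_t;` without the blank line that separates every other type declaration block, and that every other .te hunk in this patch adds after its new pair. Add the blank line for consistency.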
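A review helper, added here and not part of the thread or of refpolicy: it cross-checks constructed .te and .fc fragments modelled on the hunks above (the `*_unit_file_t` declarations against the fc entries that use them) and runs a unit path through the three subs_dist lines Dominick quoted before matching it against the fc regexes. The fragment contents, the subs table and the last-match-wins rule are assumptions stated in the comments.

```python
import re

# Constructed inputs modelled on the thread, not the project's real files.
# SUBS_DIST holds exactly the three subs_dist lines quoted above; a real
# contexts/files/*.subs_dist may carry more lines (assumption).
SUBS_DIST = [
    ("/run/systemd/system", "/usr/lib/systemd/system"),
    ("/run/systemd/generator", "/usr/lib/systemd/system"),
    ("/etc/systemd/system", "/usr/lib/systemd/system"),
]

# Unit file type declarations as they appear in the patch's .te hunks.
TE_FRAGMENTS = {
    "bind.te": "type named_unit_file_t;\nsystemd_unit_file(named_unit_file_t)\n",
    "ftp.te": "type ftpd_unit_file_t;\nsystemd_unit_file(ftpd_unit_file_t)\n",
    "nscd.te": "type nscd_unit_file_t;\nsystemd_unit_file(nscd_unit_file_t)\n",
    "ntp.te": "type ntpd_unit_file_t;\nsystemd_unit_file(ntpd_unit_file_t)\n",
}
# The matching .fc hunks: ftp.fc keeps the patch's iptables_unit_file_t slip,
# ntp.fc keeps its extra /usr/lib entry, and nscd has no .fc hunk at all.
FC_FRAGMENTS = {
    "bind.fc": r"/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)",
    "ftp.fc": r"/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)",
    "ntp.fc": "\n".join([
        r"/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)",
        r"/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)",
    ]),
}

TYPE_DECL = re.compile(r"^type\s+(\w+_unit_file_t)\s*;", re.M)
# path regex, optional file-type flag (--, -d, -s, ...), then the SELinux type
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dscblp])\s+)?gen_context\(\w+:\w+:(\w+),\w+\)", re.M)

def declared_unit_types(te_text):
    """All *_unit_file_t types declared in a .te fragment."""
    return set(TYPE_DECL.findall(te_text))

def fc_entries(fc_text):
    """(path regex, file-type flag or '', SELinux type) for every fc line."""
    return FC_LINE.findall(fc_text)

def module_problems(module, te_text, fc_text):
    """Cross-check one module's .te and .fc the way a refpolicy reviewer would."""
    declared = declared_unit_types(te_text)
    used = {t for _, _, t in fc_entries(fc_text) if t.endswith("_unit_file_t")}
    problems = []
    for t in sorted(used - declared):  # fc borrows a type this module does not own
        problems.append(f"{module}.fc labels with {t}, which {module}.te does not declare")
    for t in sorted(declared - used):  # a type nothing is ever labelled with
        problems.append(f"{module}.te declares {t} but no {module}.fc entry uses it")
    return problems

def review_all():
    """Run the cross-check for every module that has a .te fragment."""
    report = {}
    for te_name, te_text in TE_FRAGMENTS.items():
        module = te_name[:-3]
        report[module] = module_problems(module, te_text, FC_FRAGMENTS.get(module + ".fc", ""))
    return report

def substitute(path):
    """Rewrite a path through subs_dist, longest matching prefix first."""
    for src, dst in sorted(SUBS_DIST, key=lambda s: -len(s[0])):
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def label_for(path, fc_text):
    """Type the fragment gives a unit path after substitution, or None.

    file_contexts regexes are anchored, hence fullmatch; among several matches
    the last entry wins (assumes the fragment is already in fc_sort order).
    """
    key = substitute(path)
    hits = [t for rx, _, t in fc_entries(fc_text) if re.fullmatch(rx, key)]
    return hits[-1] if hits else None

if __name__ == "__main__":
    for module, problems in review_all().items():
        print(module, "OK" if not problems else problems)
    inst = "/etc/systemd/system/named_network1.service"  # instance unit from the thread
    print(inst, "->", substitute(inst), "->", label_for(inst, FC_FRAGMENTS["bind.fc"]))
```

Run against the real tree, the same two checks (type declared but unused, fc type not owned by the module) and the substitution step are what turn up the ftp/kdump mislabels and the /lib versus /usr/lib question discussed in this thread.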