From: bigon@debian.org (Laurent Bigonville)
Date: Sat, 5 Jul 2014 15:59:55 +0200
Subject: [refpolicy] [RFC] Add the security class and AV's needed for systemd
In-Reply-To: <1404568795-13434-1-git-send-email-bigon@debian.org>
References: <1404568795-13434-1-git-send-email-bigon@debian.org>
Message-ID: <1404568795-13434-2-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Laurent Bigonville

The list of AV's has been built by grepping the systemd code for the calls to selinux_unit_access_check() and selinux_access_check() macro.
---
 policy/flask/access_vectors | 18 ++++++++++++++++++
 policy/flask/security_classes | 3 +++
 policy/support/obj_perm_sets.spt | 5 +++++
 3 files changed, 26 insertions(+)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a94b169..e0d3768 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -393,6 +393,14 @@ class system
 syslog_mod
 syslog_console
 module_request
+ halt
+ reboot
+ status
+ start
+ stop
+ enable
+ disable
+ reload
 }
 
 #
@@ -865,3 +873,13 @@ inherits database
 implement
 execute
 }
+
+class service
+{
+ start
+ stop
+ status
+ reload
+ enable
+ disable
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 14a4799..fdd6307 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -131,4 +131,7 @@ class db_view # userspace
 class db_sequence # userspace
 class db_language # userspace
+# systemd services
+class service
+
 # FLASK
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..38ae511 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
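Review bot: The eight names appended to `class system` carry no comment saying which systemd check emits them, and six of them (status start stop enable disable reload) are declared again under the new `class service` in the next hunk, so a reader cannot tell whether the duplication is deliberate. The commit description says the list came from grepping for selinux_access_check() and selinux_unit_access_check(); a one-line comment above `halt` such as `# systemd manager-level operations; per-unit operations are in class service` would record that provenance, assuming that is the split between the two macros. The order here (halt reboot status start stop enable disable reload) also differs from the order used by `class service` and `manage_service_perms` in this same patch (start stop status reload enable disable), and aligning them would make the three lists easier to compare. The `class system` definition starts above the hunk.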
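Review bot: The new `class service` line is missing the trailing `# userspace` annotation that the adjacent `db_sequence` and `db_language` entries carry, even though, per the description, these permissions are checked by systemd in userspace rather than by the kernel. Writing it as `class service # userspace` (tab-aligned like its neighbours) keeps the marker readers use to tell userspace object managers apart consistent; the `# systemd services` heading above it can stay as the explanation of which program enforces the class.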
@@ -271,3 +271,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# Service
+#
+define(`manage_service_perms', `{ start stop status reload enable disable } ')
-- 
2.0.1
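Review bot: `manage_service_perms` bundles the read-only `status` query together with `start`/`stop` and with `enable`/`disable`, which change persistent unit configuration, so any domain granted this set merely to query a unit's state also receives the ability to alter it. Only the manage set is added here; a narrower companion such as `define(`status_service_perms', `{ status } ')` (name is a proposal) would let interface writers follow the read/manage split that this file appears to use for other object classes and keep unit-control rights to the domains that need them. The hunk begins mid-file; the `manage_key_perms` line above the insertion is context only.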