From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 8 Jul 2014 08:30:32 -0400
Subject: [refpolicy] [RFC] Add the security class and AV's needed for
 systemd
In-Reply-To: <1404568795-13434-2-git-send-email-bigon@debian.org>
References: <1404568795-13434-1-git-send-email-bigon@debian.org>
	<1404568795-13434-2-git-send-email-bigon@debian.org>
Message-ID: <53BBE468.8080901@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/5/2014 9:59 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> The list of AV's has been built by grepping the systemd code for the
> calls to selinux_unit_access_check() and selinux_access_check() macro.
> ---
>  policy/flask/access_vectors      | 18 ++++++++++++++++++
>  policy/flask/security_classes    |  3 +++
>  policy/support/obj_perm_sets.spt |  5 +++++
>  3 files changed, 26 insertions(+)
> 
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index a94b169..e0d3768 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -393,6 +393,14 @@ class system
>  	syslog_mod
>  	syslog_console
>  	module_request
> +	halt
> +	reboot
> +	status
> +	start
> +	stop
> +	enable
> +	disable
> +	reload

This doesn't look right.  There shouldn't be userspace permissions mixed
in with a kernel object class.  Are these really used or are they
compatibility for old versions of systemd?


> @@ -865,3 +873,13 @@ inherits database
>  	implement
>  	execute
>  }
> +
> +class service
> +{
> +	start
> +	stop
> +	status
> +	reload
> +	enable
> +	disable
> +}

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com