From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 9 Jul 2014 15:39:12 +0200
Subject: [refpolicy] [RFC] Add the security class and AV's needed for systemd
In-Reply-To: <53BBE468.8080901@tresys.com>
References: <1404568795-13434-1-git-send-email-bigon@debian.org> <1404568795-13434-2-git-send-email-bigon@debian.org> <53BBE468.8080901@tresys.com>
Message-ID: <20140709153912.678bf07d@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 8 Jul 2014 08:30:32 -0400, "Christopher J. PeBenito" wrote:

> On 7/5/2014 9:59 AM, Laurent Bigonville wrote:
> > From: Laurent Bigonville
> >
> > The list of AV's has been built by grepping the systemd code for the
> > calls to selinux_unit_access_check() and selinux_access_check()
> > macro.
> > ---
> >  policy/flask/access_vectors      | 18 ++++++++++++++++++
> >  policy/flask/security_classes    |  3 +++
> >  policy/support/obj_perm_sets.spt |  5 +++++
> >  3 files changed, 26 insertions(+)
> >
> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> > index a94b169..e0d3768 100644
> > --- a/policy/flask/access_vectors
> > +++ b/policy/flask/access_vectors
> > @@ -393,6 +393,14 @@ class system
> >  	syslog_mod
> >  	syslog_console
> >  	module_request
> > +	halt
> > +	reboot
> > +	status
> > +	start
> > +	stop
> > +	enable
> > +	disable
> > +	reload
>
> This doesn't look right. There shouldn't be userspace permissions
> mixed in with a kernel object class. Are these really used or are
> they compatibility for old versions of systemd?

I've opened a bug about this: https://bugs.freedesktop.org/show_bug.cgi?id=81105
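Review bot: the eight permissions added in the `@@ -393,6 +393,14 @@ class system` hunk (halt, reboot, status, start, stop, enable, disable, reload) are, per the commit message, checked only by systemd in userspace through selinux_access_check() and selinux_unit_access_check(), yet they are appended to `system`, a class whose existing permissions (syslog_mod, syslog_console, module_request) are enforced by the kernel; a reader of access_vectors then cannot tell which object manager enforces what, and a policy writer may assume the kernel will deny `halt` or `reboot` when in fact only systemd ever asks. The diffstat shows security_classes gaining 3 lines, so a new userspace class is apparently already being introduced; the commit message should say which permission each of the two macros checks, so the per-unit ones can be placed on that new class and only permissions that genuinely concern the manager as a whole remain on `system`, with the reason stated in the message. Since the reviewer asks whether these are compatibility with older systemd versions, the commit message should also record the systemd version that was grepped.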