From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 23 Aug 2014 15:59:34 +0200
Subject: [refpolicy] [PATCH 0/8] Incomplete systemd-journald policy
Message-ID: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patchset is the result of "cleaning up" the journald part of Debian
systemd patch and some research about why new allow rules were needed.
It introduces some file labels and basic rules to enable applications to
log to journald.

Please note that this patchset does NOT include:

* complete systemd-as-init support,
* file contexts and policy for systemd units,
* journalctl policy (to query logs from journald).

Moreover my system uses "volatile storage" for journald (and
log-forwarding to syslog-ng).  That's why there is nothing explicitly
related to files in /var/log/journal in this patchset.

The last patch is a small clean-up in a Gentoo-specific part of
logging.te.  This patch may require attention from Gentoo developers
before being accepted.

Last but not the least, the second patch introduces an interface to
search init_var_run_t directories (such as /run/systemd).  This
interface is named init_search_pid_dirs in Fedora policy [1], which
seems too restrictive for the purpose of the directory.  If you have
a better name for this interface, suggestion are welcome.


[1] https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/modules/system/init.if?h=rawhide-base&id=092bb77a046cf29d5361bc95a74ce13e22e23100#n2202


Nicolas Iooss (8):
  Label systemd files in init module
  Introduce init_search_run interface
  Label systemd-journald files and directories
  Support logging with /run/systemd/journal/dev-log
  Label /dev/log symlink at boot time with systemd
  Allow journald to read the kernel ring buffer and to use /dev/kmsg
  Allow journald to access to the state of all processes
  Remove redundant Gentoo-specific
    term_append_unallocated_ttys(syslogd_t)

 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/init.fc    |  6 ++++++
 policy/modules/system/init.if    | 19 +++++++++++++++++++
 policy/modules/system/init.te    | 11 ++++++++++-
 policy/modules/system/logging.fc |  8 ++++++++
 policy/modules/system/logging.if | 25 ++++++++++++++++++++++++-
 policy/modules/system/logging.te |  7 ++++++-
 7 files changed, 91 insertions(+), 3 deletions(-)

-- 
2.0.4