From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 23 Aug 2014 15:59:34 +0200
Subject: [refpolicy] [PATCH 0/8] Incomplete systemd-journald policy
Message-ID: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patchset is the result of "cleaning up" the journald part of the Debian systemd patch and some research about why new allow rules were needed. It introduces some file labels and basic rules to enable applications to log to journald.

Please note that this patchset does NOT include:

* complete systemd-as-init support,
* file contexts and policy for systemd units,
* journalctl policy (to query logs from journald).

Moreover my system uses "volatile storage" for journald (and log-forwarding to syslog-ng). That's why there is nothing explicitly related to files in /var/log/journal in this patchset.

The last patch is a small clean-up in a Gentoo-specific part of logging.te. This patch may require attention from Gentoo developers before being accepted.

Last but not least, the second patch introduces an interface to search init_var_run_t directories (such as /run/systemd). This interface is named init_search_pid_dirs in Fedora policy [1], which seems too restrictive for the purpose of the directory. If you have a better name for this interface, suggestions are welcome.

[1] https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/modules/system/init.if?h=rawhide-base&id=092bb77a046cf29d5361bc95a74ce13e22e23100#n2202

Nicolas Iooss (8):
  Label systemd files in init module
  Introduce init_search_run interface
  Label systemd-journald files and directories
  Support logging with /run/systemd/journal/dev-log
  Label /dev/log symlink at boot time with systemd
  Allow journald to read the kernel ring buffer and to use /dev/kmsg
  Allow journald to access to the state of all processes
  Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)

 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/init.fc    |  6 ++++++
 policy/modules/system/init.if    | 19 +++++++++++++++++++
 policy/modules/system/init.te    | 11 ++++++++++-
 policy/modules/system/logging.fc |  8 ++++++++
 policy/modules/system/logging.if | 25 ++++++++++++++++++++++++-
 policy/modules/system/logging.te |  7 ++++++-
 7 files changed, 91 insertions(+), 3 deletions(-)

-- 
2.0.4
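As an added illustration, not the patches themselves (which are not quoted in this cover letter), the following reference-policy interface definitions show what an interface to search init_var_run_t directories such as /run/systemd looks like, and why a domain that writes to /run/systemd/journal/dev-log through the /dev/log symlink needs it. The body of init_search_run, the caller name logging_send_journal_msg, and the assumption that /run/systemd/journal is labelled syslogd_var_run_t are this illustration's, not the patchset's.

```m4
########################################
## <summary>
##	Search init runtime directories, such as /run/systemd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_search_run',`
	gen_require(`
		type init_var_run_t;
	')

	# A domain must be able to search /run (pid dirs) before it
	# can search a subdirectory labelled init_var_run_t.
	files_search_pids($1)
	allow $1 init_var_run_t:dir search_dir_perms;
')

########################################
## <summary>
##	Send a log message to the journal socket reachable as
##	/dev/log -> /run/systemd/journal/dev-log (illustrative name).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`logging_send_journal_msg',`
	gen_require(`
		type syslogd_t, syslogd_var_run_t, devlog_t;
	')

	# On a systemd host /dev/log is a symlink, so the caller must
	# follow it, then traverse /run/systemd (init_var_run_t) and
	# /run/systemd/journal (assumed syslogd_var_run_t) to reach
	# the socket file, which is assumed to carry devlog_t.
	allow $1 devlog_t:lnk_file read_lnk_file_perms;
	init_search_run($1)
	allow $1 syslogd_var_run_t:dir search_dir_perms;
	allow $1 devlog_t:sock_file write_sock_file_perms;
	allow $1 syslogd_t:unix_dgram_socket sendto;
	allow $1 self:unix_dgram_socket create_socket_perms;
')
```

Without the search permission on init_var_run_t, an application confined by such a policy would be denied at the /run/systemd directory before it ever reaches the socket, which is exactly the kind of denial that shows up in audit logs as a dir search AVC rather than a socket write.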