From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 23 Aug 2014 15:59:35 +0200
Subject: [refpolicy] [PATCH 1/8] Label systemd files in init module
In-Reply-To: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org>
References: <1408802382-10212-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <1408802382-10212-2-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

---
 policy/modules/system/init.fc | 6 ++++++
 policy/modules/system/init.te | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index bc0ffc84ed07..417d3580b3a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -25,6 +25,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_gentoo', `
 /lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
 ')
+/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
 
 #
 # /sbin
@@ -42,6 +43,8 @@ ifdef(`distro_gentoo', `
 #
 /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+
 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 
@@ -51,11 +54,14 @@ ifdef(`distro_gentoo', `
 #
 # /var
 #
+/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
+
 /var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
 /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
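Review bot: The catch-all `/var/run/systemd(/.*)?` entry in the /var hunk labels every directory and socket systemd creates under that tree with init_var_run_t, which the matching init.te change describes only as a pid-file type; any domain that must reach those sockets will need an interface in init.if granting sock_file access on init_var_run_t, and none is added here. Since /var/run is a symlink to /run on many systems, confirm that the policy's file-context path substitution covers /run so this entry actually matches at relabel time; the same applies to the `/var/lib/systemd(/.*)?` entry, which is correct only if the rest of the tree is meant to share one type. The two `systemd` binary entries in the earlier hunks are consistent with each other and need no change.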
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29256b862a64..b57637504939 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -40,12 +40,18 @@ kernel_domtrans_to(init_t, init_exec_t)
 role system_r types init_t;
 
 #
-# init_var_run_t is the type for /var/run/shutdown.pid.
+# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd.
 #
 type init_var_run_t;
 files_pid_file(init_var_run_t)
 
 #
+# init_var_lib_t is the type for /var/lib/systemd.
+#
+type init_var_lib_t;
+files_type(init_var_lib_t)
+
+#
 # initctl_t is the type of the named pipe created
 # by init during initialization. This pipe is used
 # to communicate with init.
-- 
2.0.4
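Review bot: init_var_lib_t is declared and marked with files_type, but nothing in this hunk lets init_t manage it or sets up a file transition, so anything systemd creates under /var/lib/systemd at runtime will inherit the parent's var_lib_t label rather than the type the .fc assigns; unless a later patch in the series adds `manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)`, `manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)` and `files_var_lib_filetrans(init_t, init_var_lib_t, dir)`, those rules belong here. The revised comment now says init_var_run_t also covers the /var/run/systemd tree, a directory holding sockets; the existing init_t rules for init_var_run_t lie outside this hunk, so check that they cover dir and sock_file classes and not only the shutdown.pid file. The declarations block this hunk sits in continues past the hunk on both sides.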