From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 12 Sep 2014 11:31:47 -0400 Subject: [refpolicy] [PATCH v2 1/7] Label systemd files in init module In-Reply-To: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> References: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <541311E3.2020608@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 9/7/2014 5:28 PM, Nicolas Iooss wrote: > --- > policy/modules/system/init.fc | 6 ++++++ > policy/modules/system/init.te | 8 +++++++- > 2 files changed, 13 insertions(+), 1 deletion(-) This set is merged, though I made a few slight tweaks. > diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc > index bc0ffc84ed07..417d3580b3a7 100644 > --- a/policy/modules/system/init.fc > +++ b/policy/modules/system/init.fc > @@ -25,6 +25,7 @@ ifdef(`distro_gentoo',` > ifdef(`distro_gentoo', ` > /lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) > ') > +/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) > > # > # /sbin > @@ -42,6 +43,8 @@ ifdef(`distro_gentoo', ` > # > /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) > > +/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) > + > /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) > /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) 
> > @@ -51,11 +54,14 @@ ifdef(`distro_gentoo', ` > # > # /var > # > +/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) > + > /var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0) > /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) > /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) > /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) > /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) > +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) > > ifdef(`distro_debian',` > /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index 29256b862a64..b57637504939 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -40,12 +40,18 @@ kernel_domtrans_to(init_t, init_exec_t) > role system_r types init_t; > > # > -# init_var_run_t is the type for /var/run/shutdown.pid. > +# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd. > # > type init_var_run_t; > files_pid_file(init_var_run_t) > > # > +# init_var_lib_t is the type for /var/lib/systemd. > +# > +type init_var_lib_t; > +files_type(init_var_lib_t) > + > +# > # initctl_t is the type of the named pipe created > # by init during initialization. This pipe is used > # to communicate with init. > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
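Review bot: In the first init.fc hunk the new `/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)` entry sits directly under the `')` that closes the `ifdef(`distro_gentoo'` block with no blank line between them, while the matching `/usr/lib/systemd/systemd` entry in the next hunk is set off by blank lines on both sides; add a blank line after `')` so the two additions are laid out the same way. The type itself is the right one: with the binary labeled `init_exec_t`, the existing `kernel_domtrans_to(init_t, init_exec_t)` (visible in the init.te hunk header) is what moves systemd into `init_t` when the kernel executes it as PID 1.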
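Review bot: The `/usr/lib/systemd/systemd` entry in the second init.fc hunk is a second line for the same binary rather than one pattern covering both locations, and that is correct as written: file contexts match the path as it exists on disk and the `--` modifier matches regular files only, so on a system with a real `/lib` the first entry applies and on a merged-/usr system where `/lib` is a symlink only the `/usr/lib` path resolves to a regular file. A short comment above the pair saying that both are intentional would stop the next reader from "deduplicating" one of them.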
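Review bot: In the third init.fc hunk, `/var/run/systemd(/.*)?` gives a single type, `init_var_run_t`, to every file and socket systemd creates under that directory, so any domain that later needs one object there has to be granted access to the whole type; fine for a first labeling pass, but the commit message should say so, and the same holds for `/var/lib/systemd(/.*)?` and `init_var_lib_t`. Both entries are written under `/var/run` and `/var/lib`, so labeling of anything written via `/run/systemd` relies on the tree's `/run` to `/var/run` path substitution being in place; worth confirming before relying on it.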
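Review bot: The init.te hunk only declares the new type (`type init_var_lib_t;` / `files_type(init_var_lib_t)`) and widens the comment on `init_var_run_t`; no rule in it lets `init_t` touch either `init_var_lib_t` or `init_var_run_t`, and the diffstat (8 insertions, 1 deletion in init.te) shows there is nothing more elsewhere in this patch. If `/var/lib/systemd` and the contents of `/var/run/systemd` are only ever relabeled from the fc entries that is acceptable, but if systemd creates them at runtime, `init_t` needs manage rules on the new types plus a transition so the created directories get the intended label rather than the parent's, for example `files_var_lib_filetrans(init_t, init_var_lib_t, dir)` for `/var/lib/systemd`; either way, state which case applies in the comment block you added.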