From: bigon@debian.org (Laurent Bigonville)
Date: Sun, 2 Nov 2014 13:44:35 +0100
Subject: [refpolicy] systemd
In-Reply-To: <54539DFD.6000408@tresys.com>
References: <54539DFD.6000408@tresys.com>
Message-ID: <20141102134435.345e38f0@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 31 Oct 2014 10:34:37 -0400, "Christopher J. PeBenito" wrote:

> One big shortcoming that refpolicy has had lately is missing a
> complete systemd policy. Since no one has upstreamed the policy,
> I've decided to start writing one, as the Fedora version cannot be
> upstreamed without significant refactoring.

Thanks for working on this!

Russell already made some patches for the refpolicy using the Fedora one as the base for a systemd policy, see:

http://anonscm.debian.org/cgit/selinux/refpolicy.git/tree/debian/patches

The policy is not 100% complete, some new tools have been added in the latest releases. But it could maybe be interesting to keep the same type names to minimize the delta with the Fedora policy?

> I am developing/staging this change in my personal fork of the
> repository:
>
> https://github.com/pebenito/refpolicy
>
> If you would like to contribute to this work, please use pull
> requests.
>
> When the policy is complete, there will be a period for comments
> on-list before it is merged to the main refpolicy tree.

As Dominick already commented on GitHub, the service security class seems to have 2 AVs that are not used (anymore?). The bus_unit_method_kill() function seems to use the "stop" AV instead of a "kill" one. And for the "load" one I'm not even sure what it is/was referring to.

As said in one of my previous mails, by grepping the source for the "mac_selinux_unit_access_check()" function in git HEAD, I arrive at the following list:

+class service
+{
+	start
+	stop
+	status
+	reload
+	enable
+	disable
+}
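One way to automate the check the mail describes (collect the permission strings passed to mac_selinux_unit_access_check() and compare them with the class declaration) is the script below, an added example that is not from the mail, refpolicy or systemd; the class text is the one listed in the mail, while the call sites in SYSTEMD_SOURCE are constructed stand-ins rather than real systemd code.

```python
import re

# Constructed sample: the service class exactly as listed in the mail.
SYSTEMD_AV = """
class service
{
    start
    stop
    status
    reload
    enable
    disable
}
"""
# Constructed sample: a declaration still carrying the two AVs the mail
# says systemd no longer uses ("kill" and "load").
STALE_AV = SYSTEMD_AV.replace("    disable\n", "    disable\n    kill\n    load\n")

# Constructed excerpt standing in for a grep of the systemd sources: the
# function name comes from the mail, the call sites are invented.
SYSTEMD_SOURCE = """
r = mac_selinux_unit_access_check(u, message, "start", error);
r = mac_selinux_unit_access_check(u, message, "stop", error);
r = mac_selinux_unit_access_check(u, message, "status", error);
r = mac_selinux_unit_access_check(u, message, "reload", error);
r = mac_selinux_unit_access_check(u, message, "enable", error);
r = mac_selinux_unit_access_check(u, message, "disable", error);
"""

# Matches 'class NAME { perm perm ... }' blocks in access_vectors syntax.
CLASS_RE = re.compile(r"class\s+(\w+)\s*\{([^}]*)\}")
# Captures the string literal passed as the permission to the check call.
CALL_RE = re.compile(r'mac_selinux_unit_access_check\s*\([^;]*?"([a-z_]+)"')

def declared_perms(av_text, class_name):
    """Permissions declared for class_name in an access_vectors fragment."""
    for m in CLASS_RE.finditer(av_text):
        if m.group(1) == class_name:
            return set(m.group(2).split())
    raise KeyError(f"class {class_name} not declared")

def used_perms(source):
    """Permission strings passed to mac_selinux_unit_access_check()."""
    return set(CALL_RE.findall(source))

def audit(av_text, source, class_name="service"):
    """Report declared-but-unused and used-but-undeclared permissions."""
    declared, used = declared_perms(av_text, class_name), used_perms(source)
    return {"unused": sorted(declared - used), "undeclared": sorted(used - declared)}
```

Running audit(STALE_AV, SYSTEMD_SOURCE) flags "kill" and "load" as unused, which is the discrepancy the mail points out.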