From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 3 Nov 2014 09:32:35 -0500
Subject: [refpolicy] systemd
In-Reply-To: <20141102134435.345e38f0@fornost.bigon.be>
References: <54539DFD.6000408@tresys.com> <20141102134435.345e38f0@fornost.bigon.be>
Message-ID: <54579203.5010902@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/2/2014 7:44 AM, Laurent Bigonville wrote:
> On Fri, 31 Oct 2014 10:34:37 -0400,
> "Christopher J. PeBenito" wrote:
>
>> One big shortcoming that refpolicy has had lately is missing a
>> complete systemd policy. Since no one has upstreamed the policy,
>> I've decided to start writing one, as the Fedora version cannot be
>> upstreamed without significant refactoring.
>
> Thanks for working on this!
>
> Russell already made some patches for the refpolicy using the Fedora one
> as a base for a systemd policy, see:
> http://anonscm.debian.org/cgit/selinux/refpolicy.git/tree/debian/patches
>
> The policy is not 100% complete; some new tools have been added in the
> latest releases.
>
> But it could maybe be interesting to keep the same type names to
> minimize the delta with the Fedora policy?

I'll try to keep it as compatible as possible, but I can't guarantee it.

> As Dominick already commented on GitHub, the service security class
> seems to have 2 AVs that are not used (anymore?).
>
> The bus_unit_method_kill() function seems to use the "stop" AV instead
> of a "kill" one. And for the "load" one I'm not even sure what
> it is/was referring to.
>
> As said in one of my previous mails, by grepping the source for the
> "mac_selinux_unit_access_check()" function in git HEAD, I'm arriving
> at the following list:
>
> +class service
> +{
> + start
> + stop
> + status
> + reload
> + enable
> + disable
> +}

Thanks for looking at the source to double-check the permissions. Are the extra (incorrect) permissions in the system object class still there?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
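The check Laurent describes (grepping the systemd source for mac_selinux_unit_access_check() calls and comparing the permission strings against what the access_vectors file declares) can be scripted so it is repeatable on every refpolicy or systemd bump. This is an added Python example, not code from the thread, from refpolicy or from systemd; the source snippets, the call shape `mac_selinux_unit_access_check(u, message, "<perm>", error)` and the "before" class declaration carrying `kill` and `load` are constructed stand-ins that mirror the discussion.

```python
import re
from typing import Dict, Set

# Constructed stand-in for systemd source files (not real systemd code):
# each call passes the permission name as the third argument.
SAMPLE_SOURCE: Dict[str, str] = {
    "src/core/dbus-unit.c": '''
        r = mac_selinux_unit_access_check(u, message, "start", error);
        r = mac_selinux_unit_access_check(u, message, "stop", error);
        r = mac_selinux_unit_access_check(u, message, "reload", error);
        r = mac_selinux_unit_access_check(u, message, "status", error);
    ''',
    "src/core/dbus-manager.c": '''
        r = mac_selinux_unit_access_check(u, message, "enable", error);
        r = mac_selinux_unit_access_check(u, message, "disable", error);
    ''',
}

# Constructed "before" declaration in refpolicy access_vectors syntax,
# including the two AVs the thread says nothing in systemd checks.
DECLARED_AV = """
class service
{
    start
    stop
    status
    reload
    kill
    load
    enable
    disable
}
"""

# First quoted string after the opening parenthesis is the permission name.
CALL_RE = re.compile(r'mac_selinux_unit_access_check\([^;]*?"([a-z_]+)"')
CLASS_RE = re.compile(r'class\s+(\w+)\s*\{([^}]*)\}')

def checked_permissions(sources: Dict[str, str]) -> Set[str]:
    """Permission names systemd actually passes to the access check."""
    return {m.group(1) for text in sources.values() for m in CALL_RE.finditer(text)}

def declared_permissions(av_text: str, cls: str) -> Set[str]:
    """Permission names listed for `cls` in an access_vectors-style file."""
    match = next((m for m in CLASS_RE.finditer(av_text) if m.group(1) == cls), None)
    return set(match.group(2).split()) if match else set()

def audit(sources: Dict[str, str], av_text: str, cls: str = "service") -> Dict[str, list]:
    """Report AVs declared but never checked, and AVs checked but not declared."""
    declared, used = declared_permissions(av_text, cls), checked_permissions(sources)
    return {"unused": sorted(declared - used), "undeclared": sorted(used - declared)}
```

Run against the constructed inputs it reports `kill` and `load` as declared-but-unused and nothing as undeclared, which is the state Laurent's grep found.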