From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 3 Nov 2014 16:42:54 +0100
Subject: [refpolicy] systemd
In-Reply-To: <20141103151643.GA7676@e145.network2>
References: <54539DFD.6000408@tresys.com> <20141031160000.GA4928@e145.network2> <545795A7.9020705@tresys.com> <20141103151643.GA7676@e145.network2>
Message-ID: <20141103154253.GB7676@e145.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Nov 03, 2014 at 04:16:44PM +0100, Dominick Grift wrote:
>
> I was not accurate:
>
> (allow common_subject systemd_daemon_subject_type (process (signull)))
> (call systemd_rw_unix_stream_sockets (systemd_daemon_subject_type))
> (call systemd_read_state (systemd_daemon_subject_type))
>
> 1. systemd needs to send null signal to all daemons

Looks like systemd needs to send null signals to all processes, period, but you can probably ignore that anyway, since I suppose init_t is already allowed to send all signals to all processes.

So yes, it's actually only all daemons reading/writing systemd unix stream sockets and reading systemd state. That applies to all daemons.

Then, for socket-activated daemons, systemd needs to be able to create the sockets (it's using setsockcreate() for that, I think).

If the daemon maintains a pid file, then systemd needs to read and delete that pid file.

I basically created type attributes for the objects (common_subject == init_t).

This for socket activation:

(allow common_subject systemd_socket_activated_subject_type create_unix_dgram_stream_socket_perms)
(allow common_subject systemd_socket_activated_subject_type create_unix_stream_stream_socket_perms)
(allow common_subject systemd_socket_activated_object_type manage_dir_perms)
(allow common_subject systemd_socket_activated_object_type relabel_dir_perms)
(allow common_subject systemd_socket_activated_object_type manage_fifo_file_perms)
(allow common_subject systemd_socket_activated_object_type relabel_fifo_file_perms)
(allow common_subject systemd_socket_activated_object_type manage_sock_file_perms)
(allow common_subject systemd_socket_activated_object_type relabel_sock_file_perms)

This for pid files:

(call file_del_entry_generic_run (common_subject))
(call read_files_pattern (common_subject systemd_pid_object_type systemd_pid_object_type))
(call delete_files_pattern (common_subject systemd_pid_object_type systemd_pid_object_type))

--
Dominick Grift
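As an added illustration (not code from the mail or from refpolicy), the fragment below shows how the attribute pattern described above fits together in CIL: init_t is granted each rule once against an attribute, and a daemon module opts in by adding its own types to the attributes. It assumes a base policy that declares the object classes; the example_* types, systemd_state_t and the two macro bodies are assumptions made for the example.

```cil
; Added example, not from the mail: the attribute-based pattern assembled
; as a CIL fragment. Class and permission names are SELinux's; the
; example_* types, systemd_state_t and the macro bodies are assumptions.

; Attributes grouping the daemon-side types that init_t is granted access to
(typeattribute systemd_daemon_subject_type)
(typeattribute systemd_socket_activated_subject_type)
(typeattribute systemd_socket_activated_object_type)
(typeattribute systemd_pid_object_type)

; common_subject == init_t, as in the mail
(type init_t)
(typeattribute common_subject)
(typeattributeset common_subject (init_t))

; Assumed type for systemd's runtime state, plus the two helper macros
; referenced by the quoted rules (bodies are illustrative)
(type systemd_state_t)
(macro systemd_read_state ((type ARG1))
  (allow ARG1 systemd_state_t (dir (getattr search open read)))
  (allow ARG1 systemd_state_t (file (getattr open read))))
(macro systemd_rw_unix_stream_sockets ((type ARG1))
  (allow ARG1 init_t (unix_stream_socket (read write getattr))))

; Rules granted to init_t once, against the attributes rather than per daemon
(allow common_subject systemd_daemon_subject_type (process (signull)))
(call systemd_rw_unix_stream_sockets (systemd_daemon_subject_type))
(call systemd_read_state (systemd_daemon_subject_type))
; socket activation: init_t labels the socket with the daemon's type via
; setsockcreatecon, so the created socket object carries the daemon type
(allow common_subject self (process (setsockcreate)))
(allow common_subject systemd_socket_activated_subject_type
  (unix_stream_socket (create getattr setattr bind listen)))
; pid files: read and unlink; del_entry on the parent dir comes from the
; generic call used in the mail and is not repeated here
(allow common_subject systemd_pid_object_type (file (getattr open read unlink)))

; A daemon module opts in by adding its types to the attributes;
; the init_t rules above need no change
(type example_daemon_t)          ; hypothetical daemon domain
(type example_daemon_var_run_t)  ; hypothetical pid-file type
(typeattributeset systemd_daemon_subject_type (example_daemon_t))
(typeattributeset systemd_socket_activated_subject_type (example_daemon_t))
(typeattributeset systemd_pid_object_type (example_daemon_var_run_t))
```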