From: bigon@debian.org (Laurent Bigonville)
Date: Mon, 3 Nov 2014 22:50:10 +0100
Subject: [refpolicy] systemd
In-Reply-To: <54579203.5010902@tresys.com>
References: <54539DFD.6000408@tresys.com> <20141102134435.345e38f0@fornost.bigon.be> <54579203.5010902@tresys.com>
Message-ID: <20141103225010.5096be3e@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 3 Nov 2014 09:32:35 -0500, "Christopher J. PeBenito" wrote:

> On 11/2/2014 7:44 AM, Laurent Bigonville wrote:
[...]
> > As Dominick already commented on github, the service security class
> > seems to have 2 AVs that are not used (anymore?).
> >
> > The bus_unit_method_kill() function seems to use the "stop" AV
> > instead of a "kill" one. And for the "load" one I'm not even
> > sure what it is/was referring to.
> >
> > As said in one of my previous mails, by grepping the source for the
> > "mac_selinux_unit_access_check()" function in git HEAD, I'm arriving
> > at the following list:
> >
> > +class service
> > +{
> > + start
> > + stop
> > + status
> > + reload
> > + enable
> > + disable
> > +}
>
> Thanks for looking at the source to double-check the permissions. Are
> the extra (incorrect) permissions in the system object class still
> there?
>

The "system" class is still used by systemd to add some of its own AVs,
if that's what you mean.

https://bugzilla.redhat.com/show_bug.cgi?id=1132933
https://bugs.freedesktop.org/show_bug.cgi?id=81105