From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 4 Nov 2014 08:01:26 -0500
Subject: [refpolicy] systemd
In-Reply-To: <20141103225010.5096be3e@fornost.bigon.be>
References: <54539DFD.6000408@tresys.com> <20141102134435.345e38f0@fornost.bigon.be> <54579203.5010902@tresys.com> <20141103225010.5096be3e@fornost.bigon.be>
Message-ID: <5458CE26.4010104@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/3/2014 4:50 PM, Laurent Bigonville wrote:
> On Mon, 3 Nov 2014 09:32:35 -0500,
> "Christopher J. PeBenito" wrote:
>
>> On 11/2/2014 7:44 AM, Laurent Bigonville wrote:
> [...]
>>
>>> As Dominick already commented on github, the service security class
>>> seems to have 2 AVs that are not used (anymore?).
>>>
>>> The bus_unit_method_kill() function seems to use the "stop" AV
>>> instead of a "kill" one. And for the "load" one I'm not even
>>> sure what it is/was referring to.
>>>
>>> As said in one of my previous mails, by grepping the source for the
>>> "mac_selinux_unit_access_check()" function in git HEAD, I arrive
>>> at the following list:
>>>
>>> +class service
>>> +{
>>> + start
>>> + stop
>>> + status
>>> + reload
>>> + enable
>>> + disable
>>> +}
>>
>> Thanks for looking at the source to double-check the permissions. Are
>> the extra (incorrect) permissions in the system object class still
>> there?
>>
>
> The "system" class is still used by systemd to add some of its own AVs
> if that's what you mean.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1132933
> https://bugs.freedesktop.org/show_bug.cgi?id=81105

Yes, that's what I meant, thanks.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
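Review bot: the quoted `class service` declaration drops `kill` and `load`, so any refpolicy interface or module that still grants `service { kill }` or `service { load }` will stop compiling against it (checkpolicy rejects a permission that is not defined for its class); the callers in the tree should be grepped and updated in the same change, or the two names kept declared until they are. It would also help to record which systemd commit the grep of mac_selinux_unit_access_check() was run against, since the list only holds for that HEAD.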
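The audit Laurent describes, comparing the permissions a class declares with the ones systemd's enforcement point actually checks, as an added example that is not part of the thread or of refpolicy/systemd. It assumes the permission is passed to mac_selinux_unit_access_check() as a string literal, and runs on constructed sample input rather than the real sources.

```python
import re

# Constructed stand-in for systemd source lines (not the real code):
# each call passes the SELinux permission as a string literal (assumed shape).
SAMPLE_SOURCE = """
r = mac_selinux_unit_access_check(u, message, "start", error);
r = mac_selinux_unit_access_check(u, message, "stop", error);
r = mac_selinux_unit_access_check(u, message, "stop", error);   /* bus_unit_method_kill */
r = mac_selinux_unit_access_check(u, message, "status", error);
r = mac_selinux_unit_access_check(u, message, "reload", error);
r = mac_selinux_unit_access_check(u, message, "enable", error);
r = mac_selinux_unit_access_check(u, message, "disable", error);
"""

# Constructed access_vectors fragment that still declares the two
# permissions the thread says nothing checks any more.
SAMPLE_ACCESS_VECTORS = """
class service
{
	start
	stop
	status
	reload
	kill
	load
	enable
	disable
}
"""

CALL_RE = re.compile(r'mac_selinux_unit_access_check\s*\([^;]*?"([a-z_]+)"')
CLASS_RE = re.compile(r'class\s+(\w+)\s*\{([^}]*)\}', re.S)


def checked_permissions(source):
    """Permission names that reach the enforcement point in `source`."""
    return set(CALL_RE.findall(source))


def declared_permissions(access_vectors, cls):
    """Permission names declared for class `cls` in an access_vectors fragment."""
    for name, body in CLASS_RE.findall(access_vectors):
        if name == cls:
            return set(body.split())
    raise KeyError(cls)


def audit(source, access_vectors, cls="service"):
    """Report declared-but-unchecked and checked-but-undeclared permissions."""
    checked = checked_permissions(source)
    declared = declared_permissions(access_vectors, cls)
    return {"unused": sorted(declared - checked),
            "undeclared": sorted(checked - declared)}
```

Running `audit(SAMPLE_SOURCE, SAMPLE_ACCESS_VECTORS)` on the sample input flags `kill` and `load` as declared but never checked, which is the mismatch the thread is about.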