From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 7 Mar 2016 09:56:31 -0500 Subject: [refpolicy] [PATCH] system/init: move systemd_ interfaces into optional_policy In-Reply-To: <1457340336-4516-1-git-send-email-jason@perfinion.com> References: <1457340336-4516-1-git-send-email-jason@perfinion.com> Message-ID: <56DD969F.4000701@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 3/7/2016 3:45 AM, Jason Zaman wrote: > When ifdef systemd is enabled, some interfaces from systemd are called > unconditionally. This makes migrating from non-systemd to systemd > complicated since init is part of base and systemd is not so loading > fails. Moving them into optional_policy fixes this. > --- > policy/modules/system/init.te | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index c9e1532..fb7aafc 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -280,13 +280,15 @@ ifdef(`init_systemd',` > > seutil_read_file_contexts(init_t) > > - systemd_relabelto_kmod_files(init_t) > - systemd_dbus_chat_logind(init_t) > - > # udevd is a "systemd kobject uevent socket activated daemon" > udev_create_kobject_uevent_sockets(init_t) > > optional_policy(` > + systemd_relabelto_kmod_files(init_t) > + systemd_dbus_chat_logind(init_t) > + ') > + > + optional_policy(` > dbus_system_bus_client(init_t) > dbus_connect_system_bus(init_t) > ') I don't think I follow. The lines are already in the init_systemd block, so it doesn't make sense for them to be optional. Why wouldn't systemd be in base, in this situation? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
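Review bot: the new optional_policy block around systemd_relabelto_kmod_files(init_t) and systemd_dbus_chat_logind(init_t) has no comment explaining why calls that already sit inside ifdef(`init_systemd', ...) are made optional, and the reason is not evident from the code alone. A one-line comment above the block, along the lines of the commit message (init is part of base and systemd is not, so the interfaces may be missing at load time), would document the intent in the same way the existing udevd comment does. The hunk also leaves seutil_read_file_contexts(init_t) and udev_create_kobject_uevent_sockets(init_t) unconditional; it is worth confirming those modules are always loaded together with init, since otherwise the same reasoning would apply to them.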