From: jason@perfinion.com (Jason Zaman)
Date: Mon, 7 Mar 2016 23:33:43 +0800
Subject: [refpolicy] [PATCH] system/init: move systemd_ interfaces into optional_policy
In-Reply-To: <56DD969F.4000701@tresys.com>
References: <1457340336-4516-1-git-send-email-jason@perfinion.com> <56DD969F.4000701@tresys.com>
Message-ID: <20160307153343.GA21355@meriadoc>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Mar 07, 2016 at 09:56:31AM -0500, Christopher J. PeBenito wrote:
> On 3/7/2016 3:45 AM, Jason Zaman wrote:
> > When ifdef systemd is enabled, some interfaces from systemd are called
> > unconditionally. This makes migrating from non-systemd to systemd
> > complicated since init is part of base and systemd is not so loading
> > fails. Moving them into optional_policy fixes this.
> > ---
> >  policy/modules/system/init.te | 8 +++++---
> >  1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> > index c9e1532..fb7aafc 100644
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -280,13 +280,15 @@ ifdef(`init_systemd',`
> >
> > seutil_read_file_contexts(init_t)
> >
> > - systemd_relabelto_kmod_files(init_t)
> > - systemd_dbus_chat_logind(init_t)
> > -
> > # udevd is a "systemd kobject uevent socket activated daemon"
> > udev_create_kobject_uevent_sockets(init_t)
> >
> > optional_policy(`
> > + systemd_relabelto_kmod_files(init_t)
> > + systemd_dbus_chat_logind(init_t)
> > + ')
> > +
> > + optional_policy(`
> > dbus_system_bus_client(init_t)
> > dbus_connect_system_bus(init_t)
> > ')
>
> I don't think I follow. The lines are already in the init_systemd
> block, so it doesn't make sense for them to be optional. Why wouldn't
> systemd be in base, in this situation?

It comes from here: https://bugs.gentoo.org/568754

The problem does not exist once you are in either init_systemd = true/false. It is only a problem during the rebuild/reload when transitioning from false->true.

The problem is init.pp is rebuilt with init_systemd enabled in the base package. systemd.pp will be built later in sec-policy/selinux-systemd (just like sec-policy/selinux-openrc) which systemd will depend on. Having selinux-base provide systemd.pp seems a bit strange since then even non-systemd people need the module loaded.

Once everything is loaded there are no problems anymore. The only problem is migrating or during a first install when there is no policy yet.

-- 
Jason
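Review bot: The commit message does not say why systemd.pp is absent when init.pp loads, which is exactly what the maintainer asks; the reason is only given in Jason's reply (the failure happens during the false->true reload, because init.pp is rebuilt with init_systemd enabled in the base package before sec-policy/selinux-systemd has built systemd.pp, tracked at https://bugs.gentoo.org/568754), and that explanation and the bug URL belong in the message itself. On the hunk, keeping the two systemd_ calls in their own optional_policy block rather than folding them into the existing dbus block is the right choice, since an optional block is dropped as a unit when a module it references is missing, so merging them would make the dbus rules depend on systemd.pp as well; refpolicy keeps optional_policy blocks sorted by module name, though, so the new block should be placed after the dbus block rather than before it.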