From: russell@coker.com.au (Russell Coker)
Date: Tue, 2 Aug 2016 22:16:06 +1000
Subject: [refpolicy] are we going to have unit file types?
In-Reply-To: <20160731143556.GC8181@meriadoc>
References: <20160731124041.fxzedsuloxfbgnz2@athena.coker.com.au> <20160731143556.GC8181@meriadoc>
Message-ID: <201608022216.06786.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 1 Aug 2016 12:35:56 AM Jason Zaman wrote:
> On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
> > Below is a patch that's been in my Debian tree for some time. I didn't
> > write it; I took it from rawhide some years ago.
> >
> > Is this the way we are going to do things? If so I can tidy it up and
> > submit it. If not I'll delete it and make the Debian policy work without
> > it.
> >
> > Note that I am not suggesting this patch for inclusion at the
> > moment. I'm just offering it for discussion.
>
> We have unit files in refpol, yeah; they are different from the stuff in
> Red Hat, though, I think.
>
> A whole bunch like this for example:
> mandb.te:type mandb_unit_t;
> mandb.te:init_unit_file(mandb_unit_t)
> mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)

Thanks for the pointer. Is the plan that every daemon domain will get a _unit_t type?

I've revised the patch in my tree to use the same naming convention as is now used upstream and removed duplicate policy. The attached patch is what I'm working with now; it has init_unit_file() entries for many policy modules that lack it in the 2.20151208 refpolicy release. I haven't yet tried applying this to the latest Git policy, and aside from that it's not ready for upstream inclusion. This is just to share what I'm working on and to take comments about where I should go with this.
-- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ -------------- next part -------------- Description: Add systemd unit types Author: Russell Coker Last-Update: 2014-09-13 Index: refpolicy/policy/modules/contrib/apache.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/apache.fc +++ refpolicy/policy/modules/contrib/apache.fc @@ -28,6 +28,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.* /etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0) +/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0) + /opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) Index: refpolicy/policy/modules/contrib/apache.te =================================================================== --- refpolicy.orig/policy/modules/contrib/apache.te +++ refpolicy/policy/modules/contrib/apache.te @@ -289,6 +289,8 @@ init_script_file(httpd_initrc_exec_t) type httpd_keytab_t; files_type(httpd_keytab_t) +type httpd_unit_t; +init_unit_file(httpd_unit_t) type httpd_lock_t; files_lock_file(httpd_lock_t) Index: refpolicy/policy/modules/contrib/apcupsd.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/apcupsd.fc +++ refpolicy/policy/modules/contrib/apcupsd.fc 
@@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0) + /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) Index: refpolicy/policy/modules/contrib/apcupsd.te =================================================================== --- refpolicy.orig/policy/modules/contrib/apcupsd.te +++ refpolicy/policy/modules/contrib/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) +type apcupsd_unit_t; +init_unit_file(apcupsd_unit_t) + ######################################## # # Local policy Index: refpolicy/policy/modules/contrib/apm.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/apm.fc +++ refpolicy/policy/modules/contrib/apm.fc @@ -17,3 +17,5 @@ /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) + +/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0) Index: refpolicy/policy/modules/contrib/apm.te =================================================================== --- refpolicy.orig/policy/modules/contrib/apm.te +++ refpolicy/policy/modules/contrib/apm.te @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) type apmd_var_run_t; files_pid_file(apmd_var_run_t) +type apmd_unit_t; +init_unit_file(apmd_unit_t) + ######################################## # # Client local policy Index: refpolicy/policy/modules/contrib/arpwatch.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/arpwatch.fc +++ refpolicy/policy/modules/contrib/arpwatch.fc 
@@ -7,3 +7,5 @@ /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) /var/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0) + +/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0) Index: refpolicy/policy/modules/contrib/arpwatch.te =================================================================== --- refpolicy.orig/policy/modules/contrib/arpwatch.te +++ refpolicy/policy/modules/contrib/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) +type arpwatch_unit_t; +init_unit_file(arpwatch_unit_t) + ######################################## # # Local policy Index: refpolicy/policy/modules/contrib/automount.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/automount.fc +++ refpolicy/policy/modules/contrib/automount.fc @@ -6,3 +6,5 @@ /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) /var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) + +/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0) Index: refpolicy/policy/modules/contrib/automount.te =================================================================== --- refpolicy.orig/policy/modules/contrib/automount.te +++ refpolicy/policy/modules/contrib/automount.te @@ -25,6 +25,9 @@ files_mountpoint(automount_tmp_t) type automount_var_run_t; files_pid_file(automount_var_run_t) +type automount_unit_t; +init_unit_file(automount_unit_t) + ######################################## # # Local policy Index: refpolicy/policy/modules/contrib/avahi.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/avahi.fc +++ refpolicy/policy/modules/contrib/avahi.fc 
@@ -7,3 +7,5 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) /var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) + +/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0) Index: refpolicy/policy/modules/contrib/avahi.te =================================================================== --- refpolicy.orig/policy/modules/contrib/avahi.te +++ refpolicy/policy/modules/contrib/avahi.te @@ -19,6 +19,9 @@ files_pid_file(avahi_var_lib_t) type avahi_var_run_t; files_pid_file(avahi_var_run_t) +type avahi_unit_t; +init_unit_file(avahi_unit_t) + ######################################## # # Local policy Index: refpolicy/policy/modules/contrib/bind.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/bind.fc +++ refpolicy/policy/modules/contrib/bind.fc @@ -14,6 +14,9 @@ /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) /etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0) +/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0) + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) Index: refpolicy/policy/modules/contrib/bind.te =================================================================== --- refpolicy.orig/policy/modules/contrib/bind.te +++ refpolicy/policy/modules/contrib/bind.te 
@@ -47,6 +47,9 @@ init_script_file(named_initrc_exec_t) type named_keytab_t; files_type(named_keytab_t) +type named_unit_t; +init_unit_file(named_unit_t) + type named_log_t; logging_log_file(named_log_t) Index: refpolicy/policy/modules/contrib/clamav.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/clamav.fc +++ refpolicy/policy/modules/contrib/clamav.fc @@ -24,3 +24,5 @@ /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) + +/usr/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_t,s0) Index: refpolicy/policy/modules/contrib/clamav.te =================================================================== --- refpolicy.orig/policy/modules/contrib/clamav.te +++ refpolicy/policy/modules/contrib/clamav.te @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) type clamd_initrc_exec_t; init_script_file(clamd_initrc_exec_t) +type clamd_unit_t; +init_unit_file(clamd_unit_t) + type clamd_tmp_t; files_tmp_file(clamd_tmp_t) Index: refpolicy/policy/modules/contrib/consolekit.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/consolekit.fc +++ refpolicy/policy/modules/contrib/consolekit.fc @@ -1,3 +1,5 @@ +/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0) + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) Index: refpolicy/policy/modules/contrib/consolekit.te =================================================================== --- refpolicy.orig/policy/modules/contrib/consolekit.te +++ refpolicy/policy/modules/contrib/consolekit.te 
@@ -19,6 +19,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit") +type consolekit_unit_t; +init_unit_file(consolekit_unit_t) + ######################################## # # Local policy Index: refpolicy/policy/modules/contrib/cron.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/cron.fc +++ refpolicy/policy/modules/contrib/cron.fc @@ -64,3 +64,6 @@ ifdef(`distro_suse',` /var/spool/cron/lastrun/[^/]* -- <> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') + +/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0) +/usr/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0) Index: refpolicy/policy/modules/contrib/cron.te =================================================================== --- refpolicy.orig/policy/modules/contrib/cron.te +++ refpolicy/policy/modules/contrib/cron.te @@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t) type crond_initrc_exec_t; init_script_file(crond_initrc_exec_t) +type crond_unit_t; +init_unit_file(crond_unit_t) + type crond_tmp_t; files_tmp_file(crond_tmp_t) files_poly_parent(crond_tmp_t) Index: refpolicy/policy/modules/contrib/cups.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/cups.fc +++ refpolicy/policy/modules/contrib/cups.fc 
@@ -75,3 +75,5 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + +/usr/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_t,s0) Index: refpolicy/policy/modules/contrib/cups.te =================================================================== --- refpolicy.orig/policy/modules/contrib/cups.te +++ refpolicy/policy/modules/contrib/cups.te @@ -63,6 +63,9 @@ files_pid_file(cupsd_var_run_t) init_daemon_pid_file(cupsd_var_run_t, dir, "cups") mls_trusted_object(cupsd_var_run_t) +type cupsd_unit_t; +init_unit_file(cupsd_unit_t) + type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) Index: refpolicy/policy/modules/contrib/dhcp.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/dhcp.fc +++ refpolicy/policy/modules/contrib/dhcp.fc @@ -6,3 +6,4 @@ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) /var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) +/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0) Index: refpolicy/policy/modules/contrib/dhcp.te =================================================================== --- refpolicy.orig/policy/modules/contrib/dhcp.te +++ refpolicy/policy/modules/contrib/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t type dhcpd_initrc_exec_t; init_script_file(dhcpd_initrc_exec_t) +type dhcpd_unit_t; +init_unit_file(dhcpd_unit_t) + type dhcpd_state_t; files_type(dhcpd_state_t) Index: refpolicy/policy/modules/contrib/ftp.te =================================================================== --- refpolicy.orig/policy/modules/contrib/ftp.te +++ refpolicy/policy/modules/contrib/ftp.te 
@@ -127,6 +127,9 @@ init_script_file(ftpd_initrc_exec_t) type ftpd_keytab_t; files_type(ftpd_keytab_t) +type ftpd_unit_t; +init_unit_file(ftpd_unit_t) + type ftpd_lock_t; files_lock_file(ftpd_lock_t) Index: refpolicy/policy/modules/contrib/kdump.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/kdump.fc +++ refpolicy/policy/modules/contrib/kdump.fc @@ -11,3 +11,5 @@ /usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) /usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + +/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0) Index: refpolicy/policy/modules/contrib/ldap.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/ldap.fc +++ refpolicy/policy/modules/contrib/ldap.fc @@ -27,3 +27,5 @@ /var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) + +/usr/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_t,s0) Index: refpolicy/policy/modules/contrib/ldap.te =================================================================== --- refpolicy.orig/policy/modules/contrib/ldap.te +++ refpolicy/policy/modules/contrib/ldap.te @@ -24,6 +24,9 @@ init_script_file(slapd_initrc_exec_t) type slapd_keytab_t; files_type(slapd_keytab_t) +type slapd_unit_t; +init_unit_file(slapd_unit_t) + type slapd_lock_t; files_lock_file(slapd_lock_t) Index: refpolicy/policy/modules/contrib/mysql.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/mysql.fc +++ refpolicy/policy/modules/contrib/mysql.fc 
@@ -25,3 +25,5 @@ HOME_DIR/\.my\.cnf -- gen_context(system /var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) /var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) /var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) + +/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0) Index: refpolicy/policy/modules/contrib/mysql.te =================================================================== --- refpolicy.orig/policy/modules/contrib/mysql.te +++ refpolicy/policy/modules/contrib/mysql.te @@ -38,6 +38,9 @@ files_config_file(mysqld_etc_t) type mysqld_home_t; userdom_user_home_content(mysqld_home_t) +type mysqld_unit_t; +init_unit_file(mysqld_unit_t) + type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) Index: refpolicy/policy/modules/contrib/nis.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/nis.fc +++ refpolicy/policy/modules/contrib/nis.fc @@ -20,3 +20,8 @@ /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) + +/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0) +/usr/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0) +/usr/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0) +/usr/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0) Index: refpolicy/policy/modules/contrib/nis.te =================================================================== --- refpolicy.orig/policy/modules/contrib/nis.te +++ refpolicy/policy/modules/contrib/nis.te 
@@ -27,6 +27,9 @@ files_tmp_file(ypbind_tmp_t) type ypbind_var_run_t; files_pid_file(ypbind_var_run_t) +type ypbind_unit_t; +init_unit_file(ypbind_unit_t) + type yppasswdd_t; type yppasswdd_exec_t; init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) @@ -55,6 +58,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t type ypxfr_var_run_t; files_pid_file(ypxfr_var_run_t) +type nis_unit_t; +init_unit_file(nis_unit_t) + ######################################## # # ypbind local policy Index: refpolicy/policy/modules/contrib/nscd.te =================================================================== --- refpolicy.orig/policy/modules/contrib/nscd.te +++ refpolicy/policy/modules/contrib/nscd.te @@ -31,6 +31,9 @@ role nscd_roles types nscd_t; type nscd_initrc_exec_t; init_script_file(nscd_initrc_exec_t) +type nscd_unit_t; +init_unit_file(nscd_unit_t) + type nscd_log_t; logging_log_file(nscd_log_t) Index: refpolicy/policy/modules/contrib/ntp.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/ntp.fc +++ refpolicy/policy/modules/contrib/ntp.fc @@ -27,3 +27,7 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) + +/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0) + +/usr/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0) Index: refpolicy/policy/modules/contrib/ppp.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/ppp.fc +++ refpolicy/policy/modules/contrib/ppp.fc 
@@ -28,3 +28,5 @@ HOME_DIR/\.ppprc -- gen_context(system_u /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) + +/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0) Index: refpolicy/policy/modules/contrib/ppp.te =================================================================== --- refpolicy.orig/policy/modules/contrib/ppp.te +++ refpolicy/policy/modules/contrib/ppp.te @@ -41,6 +41,9 @@ files_type(pppd_etc_rw_t) type pppd_initrc_exec_t alias pppd_script_exec_t; init_script_file(pppd_initrc_exec_t) +type pppd_unit_t; +init_unit_file(pppd_unit_t) + type pppd_secret_t; files_type(pppd_secret_t) Index: refpolicy/policy/modules/contrib/rpc.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/rpc.fc +++ refpolicy/policy/modules/contrib/rpc.fc @@ -20,3 +20,6 @@ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + +/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0) +/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0) Index: refpolicy/policy/modules/contrib/rpc.te =================================================================== --- refpolicy.orig/policy/modules/contrib/rpc.te +++ refpolicy/policy/modules/contrib/rpc.te 
@@ -52,11 +52,17 @@ rpc_domain_template(rpcd) type rpcd_initrc_exec_t; init_script_file(rpcd_initrc_exec_t) +type rpcd_unit_t; +init_unit_file(rpcd_unit_t) + rpc_domain_template(nfsd) type nfsd_initrc_exec_t; init_script_file(nfsd_initrc_exec_t) +type nfsd_unit_t; +init_unit_file(nfsd_unit_t) + type nfsd_rw_t; files_type(nfsd_rw_t) Index: refpolicy/policy/modules/contrib/samba.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/samba.fc +++ refpolicy/policy/modules/contrib/samba.fc @@ -8,6 +8,8 @@ /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) +/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0) + /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) Index: refpolicy/policy/modules/contrib/samba.te =================================================================== --- refpolicy.orig/policy/modules/contrib/samba.te +++ refpolicy/policy/modules/contrib/samba.te @@ -113,6 +113,9 @@ files_config_file(samba_etc_t) type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t) +type samba_unit_t; +init_unit_file(samba_unit_t) + type samba_log_t; logging_log_file(samba_log_t) Index: refpolicy/policy/modules/contrib/tor.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/tor.fc +++ refpolicy/policy/modules/contrib/tor.fc 
@@ -5,6 +5,8 @@ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) +/usr/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_t,s0) + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) Index: refpolicy/policy/modules/contrib/tor.te =================================================================== --- refpolicy.orig/policy/modules/contrib/tor.te +++ refpolicy/policy/modules/contrib/tor.te @@ -33,6 +33,9 @@ type tor_var_run_t; files_pid_file(tor_var_run_t) init_daemon_pid_file(tor_var_run_t, dir, "tor") +type tor_unit_t; +init_unit_file(tor_unit_t) + ######################################## # # Local policy Index: refpolicy/policy/modules/system/logging.fc =================================================================== --- refpolicy.orig/policy/modules/system/logging.fc +++ refpolicy/policy/modules/system/logging.fc @@ -27,6 +27,7 @@ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) Index: refpolicy/policy/flask/access_vectors =================================================================== --- refpolicy.orig/policy/flask/access_vectors +++ refpolicy/policy/flask/access_vectors @@ -931,3 +931,8 @@ class service enable disable } + +class proxy +{ + read +} Index: refpolicy/policy/flask/security_classes =================================================================== --- refpolicy.orig/policy/flask/security_classes +++ refpolicy/policy/flask/security_classes 
@@ -147,4 +147,7 @@ class db_language # userspace class service # userspace +# gssd services +class proxy + # FLASK Index: refpolicy/policy/modules/system/selinuxutil.fc =================================================================== --- refpolicy.orig/policy/modules/system/selinuxutil.fc +++ refpolicy/policy/modules/system/selinuxutil.fc @@ -36,6 +36,7 @@ /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) +/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) Index: refpolicy/policy/modules/system/selinuxutil.te =================================================================== --- refpolicy.orig/policy/modules/system/selinuxutil.te +++ refpolicy/policy/modules/system/selinuxutil.te @@ -85,6 +85,9 @@ init_daemon_domain(restorecond_t, restor domain_obj_id_change_exemption(restorecond_t) role system_r types restorecond_t; +type restorecond_unit_t; +init_unit_file(restorecond_unit_t) + type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) Index: refpolicy/policy/modules/system/setrans.fc =================================================================== --- refpolicy.orig/policy/modules/system/setrans.fc +++ refpolicy/policy/modules/system/setrans.fc 
@@ -1,5 +1,6 @@ /etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0) /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) +/usr/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_t,s0) /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) Index: refpolicy/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy.orig/policy/modules/kernel/corecommands.fc +++ refpolicy/policy/modules/kernel/corecommands.fc @@ -135,7 +135,7 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/systemd-.* -- gen_context(system_u:object_r:bin_t,s0) /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) Index: refpolicy/policy/modules/contrib/ftp.fc =================================================================== --- refpolicy.orig/policy/modules/contrib/ftp.fc +++ refpolicy/policy/modules/contrib/ftp.fc @@ -26,3 +26,6 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) + +/usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0) +/usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
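Review bot: every context added in the apache.fc hunk (and in the other .fc hunks that follow it) matches only under /usr/lib/systemd/system/; distributions without a merged /usr, Debian among them at the time of this mail, install unit files under /lib/systemd/system/, so on the very tree this patch is meant for these lines will not label anything. Either add a parallel /lib/systemd/system/ line for each entry or write the prefix as `/(usr/)?lib/systemd/system/` so one pattern covers both layouts.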
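Review bot: the dhcp.fc hunk labels `/usr/lib/systemd/system/dhcpcd.*\.service` as `dhcpd_unit_t`, but dhcpcd is a DHCP client while this module's domain is the dhcpd server (see the `/var/run/dhcpd(6)?\.pid` context line just above the addition and the `dhcpd_t` domain in the dhcp.te hunk). The pattern should almost certainly read `dhcpd.*\.service`; if the client unit is meant to be covered it needs its own domain's unit type rather than the server's.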
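Review bot: the kdump.fc hunk labels the unit as `kdump_unit_t`, yet the patch contains no kdump.te hunk declaring that type or passing it to init_unit_file(); unless the type already exists in the target tree the module fails to build with an undeclared type, and if it exists without init_unit_file() systemd cannot read the file. The same check applies to `syslogd_unit_t` in the logging.fc hunk and `setrans_unit_t` in the setrans.fc hunk, which are also added without a matching .te change; the mail says duplicate policy was removed, so please confirm these three declarations are already present in the tree the patch targets.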
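Review bot: the second added line in the ntp.fc hunk, `/usr/usr/lib/systemd/system/ntpd.*\.service`, has a doubled `/usr/` prefix and can never match a real path; drop it, since the line two above it already labels `/usr/lib/systemd/system/ntpd.*\.service` as `ntpd_unit_t`.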
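Review bot: the samba.fc hunk only matches `smb.*\.service`, so the nmbd and winbind units (the module has separate domains for them, as the `winbind_helper_exec_t` context in the hunk's trailing lines shows) stay unlabelled; either add patterns for them or note in the commit message that they are deliberately left out. Similarly, the nis.fc hunk gives ypbind its own `ypbind_unit_t` while ypserv, yppasswdd and ypxfrd share `nis_unit_t`; if the convention is one `_unit_t` per daemon domain, as the mail asks, the three server daemons should follow the ypbind form, and if it is one per module the ypbind line should use `nis_unit_t`.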
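Review bot: the `class proxy { read }` additions to policy/flask/access_vectors and policy/flask/security_classes have nothing to do with unit-file types (the comment in the security_classes hunk says they are for gssd), and adding a security class is a kernel/userspace interface change that needs its own justification; split this into a separate patch. While at it, the neighbouring userspace classes in security_classes are marked `# userspace` and `class proxy` should carry the same marker.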
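Review bot: the corecommands.fc hunk replaces `/lib/systemd/systemd.*` with `/usr/lib/systemd/systemd-.*` rather than adding the new line beside it, so systems that still ship the systemd helpers under /lib/systemd lose their bin_t label, and the narrowed `systemd-` prefix no longer matches a bare `systemd` binary in that directory; keep the original line and add the /usr variant next to it. This change is also unrelated to unit-file types and belongs in a separate patch.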
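As an added example (not part of this thread and not refpolicy's own tooling), a small checker for the consistency question a patch like this raises: every `_unit_t` label used in a .fc file should have a matching `type` declaration and `init_unit_file()` call in the module's .te file, and the labelled path should sit in a systemd unit directory. The .fc and .te fragments embedded below are constructed to mirror the patterns in the patch, including the doubled `/usr/` path.

```python
"""Cross-check SELinux refpolicy systemd unit types between .fc and .te sources."""
import re
from collections import defaultdict

# One .fc line: <path regex> [<file type flag>] gen_context(user:role:type,level)
FC_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<flag>-[-dbcplsF])\s+)?"
    r"gen_context\(\w+:\w+:(?P<type>\w+),[^)]*\)\s*$"
)
# "type foo_t;", "type foo_t alias bar_t;" or "type foo_t, some_attr;"
TYPE_DECL_RE = re.compile(r"^type\s+(?P<type>\w+)(?:\s+alias\s+[^;]+|\s*,[^;]*)?;")
INIT_UNIT_RE = re.compile(r"^init_unit_file\((?P<type>\w+)\)")
# Where systemd actually looks for units; anything else is a typo or a misplacement
UNIT_DIR_RE = re.compile(r"^/(usr/)?lib/systemd/system/|^/etc/systemd/system/")


def parse_fc(text):
    """Return {type: [path regex, ...]} for every labelled line in a .fc fragment."""
    labels = defaultdict(list)
    for line in text.splitlines():
        m = FC_RE.match(line.strip())
        if m:
            labels[m.group("type")].append(m.group("path"))
    return labels


def parse_te(text):
    """Return (declared types, types passed to init_unit_file) from a .te fragment."""
    declared, unit_files = set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = TYPE_DECL_RE.match(line)
        if m:
            declared.add(m.group("type"))
        m = INIT_UNIT_RE.match(line)
        if m:
            unit_files.add(m.group("type"))
    return declared, unit_files


def check_unit_types(fc_text, te_text):
    """Report every way a *_unit_t label can be inconsistent between .fc and .te."""
    labels = parse_fc(fc_text)
    declared, unit_files = parse_te(te_text)
    used = {t for t in labels if t.endswith("_unit_t")}
    return {
        # label used in .fc but never declared: module will not build
        "undeclared": sorted(used - declared),
        # declared but never given to init_unit_file(): systemd cannot read it
        "not_unit_file": sorted((used & declared) - unit_files),
        # init_unit_file() called on a type that was never declared
        "init_undeclared": sorted(unit_files - declared),
        # unit type exists but no .fc line ever applies it
        "unused": sorted(unit_files - used),
        # *_unit_t applied to a path outside the systemd unit directories
        "bad_path": sorted(p for t in used for p in labels[t] if not UNIT_DIR_RE.match(p)),
    }


# Constructed fragments modelled on the patch (not copied from any real module)
SAMPLE_FC = r"""
/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
/usr/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_t,s0)
/usr/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/sbin/httpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
"""
SAMPLE_TE = """
type httpd_unit_t;
init_unit_file(httpd_unit_t)
type ntpd_unit_t;
init_unit_file(ntpd_unit_t)
type tor_unit_t;
init_unit_file(tor_unit_t)
type clamd_unit_t;
type httpd_exec_t;
"""

if __name__ == "__main__":
    for problem, items in check_unit_types(SAMPLE_FC, SAMPLE_TE).items():
        print(f"{problem}: {items}")
```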