From: jason@perfinion.com (Jason Zaman)
Date: Wed, 3 Aug 2016 11:08:28 +0800
Subject: [refpolicy] are we going to have unit file types?
In-Reply-To: <2ca303f1-3a52-a41f-4684-2de641f9db55@ieee.org>
References: <20160731124041.fxzedsuloxfbgnz2@athena.coker.com.au> <20160731143556.GC8181@meriadoc> <201608022216.06786.russell@coker.com.au> <2ca303f1-3a52-a41f-4684-2de641f9db55@ieee.org>
Message-ID: <20160803030828.GC29738@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 02, 2016 at 07:26:23PM -0400, Chris PeBenito wrote:
> On 08/02/16 08:16, Russell Coker wrote:
> > On Mon, 1 Aug 2016 12:35:56 AM Jason Zaman wrote:
> >> On Sun, Jul 31, 2016 at 10:40:41PM +1000, Russell Coker wrote:
> >>> Below is a patch that's been in my Debian tree for some time, I didn't
> >>> write it I took it from rawhide some years ago.
> >>>
> >>>
> >>>
> >>> Is this the way we are going to do things? If so I can tidy it up and
> >>> submit it. If not I'll delete it and make the Debian policy work without
> >>> it.
> >>>
> >>>
> >>>
> >>> Note that I am not suggesting this patch for inclusion at the
> >>> moment. I'm just offering it for discussion.
> >>
> >> We have unit files in refpol yeah, they are different from the stuff in
> >> redhat tho I think.
> >>
> >> A whole bunch like this for example:
> >> mandb.te:type mandb_unit_t;
> >> mandb.te:init_unit_file(mandb_unit_t)
> >> mandb.fc:/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
> >
> > Thanks for the pointer.
> >
> > Is the plan that every daemon domain will get a _unit_t type? I've revised
>
> There weren't any specific plans to ensure all daemons have a unit, but
> I'm open to that.

There somewhat were. At least cases where there was a foo_initrc_exec_t
should probably also have a _unit_t. I added init_startstop_service() to
a ton of things a while back.

The intention was that it takes pretty much everything needed for all
the different types of init daemons (sysvinit, openrc, upstart, systemd)
and gives the perms for it in tunables/booleans. The unit param is
optional still though, because not all domains have it yet I think.

I also just realized that all the fcontexts in the policy are only for
/usr/lib/systemd/system/, but units can also be in /etc/ or /run. Do we
need to add a subs_dist for this?

-- Jason
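The convention discussed in this thread, laid out as an added example rather than code from refpolicy or from the patch under discussion: a hypothetical daemon `foo` with a `foo_initrc_exec_t` script type, the matching `foo_unit_t` unit type, an admin interface that hands both to `init_startstop_service()`, and fc entries that cover `/etc/systemd/system` and `/run/systemd/system` explicitly instead of relying on a subs_dist entry. The daemon name and every `foo_*` type are made up; `init_daemon_domain`, `init_script_file`, `init_unit_file`, `init_startstop_service` and `ps_process_pattern` are existing refpolicy interfaces, but the argument order shown for `init_startstop_service` (domain, role, target domain, init script type, optional unit type) is stated from memory and should be checked against system/init.if before copying.

```m4
# foo.te (hypothetical module, added example)
policy_module(foo, 1.0.0)

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# script type for sysvinit / openrc / upstart
type foo_initrc_exec_t;
init_script_file(foo_initrc_exec_t)

# systemd counterpart of foo_initrc_exec_t
type foo_unit_t;
init_unit_file(foo_unit_t)

# foo.if (hypothetical)
interface(`foo_admin',`
	gen_require(`
		type foo_t, foo_initrc_exec_t, foo_unit_t;
	')

	allow $1 foo_t:process { ptrace signal_perms };
	ps_process_pattern($1, foo_t)

	# domain, role, target domain, init script type, unit type.
	# The last argument is optional; a domain without a _unit_t
	# simply leaves it off and only gets the script-based perms.
	init_startstop_service($1, $2, foo_t, foo_initrc_exec_t, foo_unit_t)
')

# foo.fc (hypothetical): one line per directory a unit can live in
/etc/rc\.d/init\.d/foo	--	gen_context(system_u:object_r:foo_initrc_exec_t,s0)
/usr/sbin/foo	--	gen_context(system_u:object_r:foo_exec_t,s0)
/usr/lib/systemd/system/[^/]*foo.*	--	gen_context(system_u:object_r:foo_unit_t,s0)
/etc/systemd/system/[^/]*foo.*	--	gen_context(system_u:object_r:foo_unit_t,s0)
/run/systemd/system/[^/]*foo.*	--	gen_context(system_u:object_r:foo_unit_t,s0)
```

With the module loaded, `matchpathcon /etc/systemd/system/foo.service` and `matchpathcon /run/systemd/system/foo.service` should both report `foo_unit_t`; with only the `/usr/lib` line present they fall back to whatever the generic `/etc` or `/run` pattern labels them. The subs_dist alternative Jason asks about would be a prefix mapping in file_contexts.subs_dist such as `/etc/systemd/system /usr/lib/systemd/system`, which avoids the per-module duplication but rewrites every path under that prefix before matching, so the directory itself and the `.wants`/`.d` drop-in trees would also be matched by the `/usr/lib` patterns.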