From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 6 Aug 2016 16:48:14 -0400 Subject: [refpolicy] [PATCH] add unit files In-Reply-To: <3a391629-ea01-5026-9713-be0eee539b4d@ieee.org> References: <20160803060540.xfltpljshg2i3y5b@athena.coker.com.au> <3a391629-ea01-5026-9713-be0eee539b4d@ieee.org> Message-ID: <6876bbf7-7d06-f683-3ef1-532d08a49ef1@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/06/16 16:45, Chris PeBenito wrote: > On 08/03/16 02:05, Russell Coker wrote: >> This patch adds unit files labels for many daemons. Of all those >> daemons all >> apart from consolekit.fc and selinuxutil.fc have *_initrc_exec_t types. >> >> Another possibility is to use a template so that we don't have special >> code >> in every daemon module for both *_initrc_exec_t and *_unit_t. > > Yes, it seems like something to explore. It matches up with the > init_startstop_service() that was created a while ago. In the mean time, I've merged this patch, though I moved around a few lines. >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apache.fc >> ./policy/modules/contrib/apache.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/apache.fc >> 2016-07-30 08:14:41.069649126 +1000 >> +++ ./policy/modules/contrib/apache.fc 2016-08-03 >> 15:58:36.561019479 +1000 
>> @@ -28,6 +28,9 @@ >> /etc/WebCalendar(/.*)? >> gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) >> /etc/zabbix/web(/.*)? >> gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) >> >> +/usr/lib/systemd/system/httpd.*\.service -- >> gen_context(system_u:object_r:httpd_unit_t,s0) >> +/usr/lib/systemd/system/jetty.*\.service -- >> gen_context(system_u:object_r:httpd_unit_t,s0) >> + >> /opt/.*\.cgi -- >> gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) >> /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? >> gen_context(system_u:object_r:httpd_var_run_t,s0) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apache.te >> ./policy/modules/contrib/apache.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/apache.te >> 2016-07-30 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/apache.te 2016-08-03 >> 15:58:36.565019587 +1000 >> @@ -289,6 +289,8 @@ >> type httpd_keytab_t; >> files_type(httpd_keytab_t) >> >> +type httpd_unit_t; >> +init_unit_file(httpd_unit_t) >> type httpd_lock_t; >> files_lock_file(httpd_lock_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apcupsd.fc >> ./policy/modules/contrib/apcupsd.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/apcupsd.fc >> 2016-07-30 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/apcupsd.fc 2016-08-03 >> 15:58:36.565019587 +1000 
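Review bot: In the apache.te hunk the new `type httpd_unit_t;` / `init_unit_file(httpd_unit_t)` pair runs straight into `type httpd_lock_t;` with no separating blank line, which every other .te hunk in this patch has, and it is wedged between the keytab and lock declarations rather than where the module's alphabetical type order would put it. Adding a blank line after `init_unit_file(httpd_unit_t)` (or moving the pair next to the other httpd_* declarations) keeps the declarations section readable. In the apache.fc hunk the two /usr/lib/systemd entries are inserted under the /etc block while the rest of that file appears to be ordered by path, so they would sit more naturally after the /opt entries.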
>> @@ -1,5 +1,7 @@ >> /etc/rc\.d/init\.d/apcupsd -- >> gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) >> >> +/usr/lib/systemd/system/apcupsd.*\.service -- >> gen_context(system_u:object_r:apcupsd_unit_t,s0) >> + >> /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) >> >> /usr/sbin/apcupsd -- >> gen_context(system_u:object_r:apcupsd_exec_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apcupsd.te >> ./policy/modules/contrib/apcupsd.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/apcupsd.te >> 2016-07-30 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/apcupsd.te 2016-08-03 >> 15:58:36.565019587 +1000 >> @@ -24,6 +24,9 @@ >> type apcupsd_var_run_t; >> files_pid_file(apcupsd_var_run_t) >> >> +type apcupsd_unit_t; >> +init_unit_file(apcupsd_unit_t) >> + >> ######################################## >> # >> # Local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apm.fc >> ./policy/modules/contrib/apm.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/apm.fc 2016-07-30 >> 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/apm.fc 2016-08-03 15:58:36.565019587 >> +1000 >> @@ -17,3 +17,5 @@ >> /var/run/powersave_socket -s >> gen_context(system_u:object_r:apmd_var_run_t,s0) >> >> /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) >> + >> +/usr/lib/systemd/system/apmd.*\.service -- >> gen_context(system_u:object_r:apmd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apm.te >> ./policy/modules/contrib/apm.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/apm.te 2016-07-30 >> 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/apm.te 2016-08-03 15:58:36.565019587 >> +1000 
>> @@ -35,6 +35,9 @@ >> type apmd_var_run_t; >> files_pid_file(apmd_var_run_t) >> >> +type apmd_unit_t; >> +init_unit_file(apmd_unit_t) >> + >> ######################################## >> # >> # Client local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/arpwatch.fc >> ./policy/modules/contrib/arpwatch.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/arpwatch.fc >> 2016-07-30 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/arpwatch.fc 2016-08-03 >> 15:58:36.569019697 +1000 >> @@ -7,3 +7,5 @@ >> /var/lib/arpwatch(/.*)? >> gen_context(system_u:object_r:arpwatch_data_t,s0) >> >> /var/run/arpwatch.*\.pid -- >> gen_context(system_u:object_r:arpwatch_var_run_t,s0) >> + >> +/usr/lib/systemd/system/arpwatch.*\.service -- >> gen_context(system_u:object_r:arpwatch_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/arpwatch.te >> ./policy/modules/contrib/arpwatch.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/arpwatch.te >> 2016-07-30 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/arpwatch.te 2016-08-03 >> 15:58:36.569019697 +1000 >> @@ -21,6 +21,9 @@ >> type arpwatch_var_run_t; >> files_pid_file(arpwatch_var_run_t) >> >> +type arpwatch_unit_t; >> +init_unit_file(arpwatch_unit_t) >> + >> ######################################## >> # >> # Local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/automount.fc >> ./policy/modules/contrib/automount.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/automount.fc >> 2016-07-30 08:14:41.073649232 +1000 >> +++ ./policy/modules/contrib/automount.fc 2016-08-03 >> 15:58:36.569019697 +1000 
>> @@ -6,3 +6,5 @@ >> /var/lock/subsys/autofs -- >> gen_context(system_u:object_r:automount_lock_t,s0) >> >> /var/run/autofs.* >> gen_context(system_u:object_r:automount_var_run_t,s0) >> + >> +/usr/lib/systemd/system/autofs.*\.service -- >> gen_context(system_u:object_r:automount_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/automount.te >> ./policy/modules/contrib/automount.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/automount.te >> 2016-07-30 08:14:41.077649338 +1000 >> +++ ./policy/modules/contrib/automount.te 2016-08-03 >> 15:58:36.569019697 +1000 >> @@ -25,6 +25,9 @@ >> type automount_var_run_t; >> files_pid_file(automount_var_run_t) >> >> +type automount_unit_t; >> +init_unit_file(automount_unit_t) >> + >> ######################################## >> # >> # Local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/avahi.fc >> ./policy/modules/contrib/avahi.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/avahi.fc >> 2016-07-30 08:14:41.077649338 +1000 >> +++ ./policy/modules/contrib/avahi.fc 2016-08-03 15:58:36.569019697 >> +1000 >> @@ -7,3 +7,5 @@ >> /var/run/avahi-daemon(/.*)? >> gen_context(system_u:object_r:avahi_var_run_t,s0) >> >> /var/lib/avahi-autoipd(/.*)? >> gen_context(system_u:object_r:avahi_var_lib_t,s0) >> + >> +/usr/lib/systemd/system/avahi.*\.service -- >> gen_context(system_u:object_r:avahi_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/avahi.te >> ./policy/modules/contrib/avahi.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/avahi.te >> 2016-07-30 08:14:41.077649338 +1000 >> +++ ./policy/modules/contrib/avahi.te 2016-08-03 15:58:36.569019697 >> +1000 
>> @@ -19,6 +19,9 @@ >> type avahi_var_run_t; >> files_pid_file(avahi_var_run_t) >> >> +type avahi_unit_t; >> +init_unit_file(avahi_unit_t) >> + >> ######################################## >> # >> # Local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/bind.fc >> ./policy/modules/contrib/bind.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/bind.fc 2016-07-30 >> 08:14:41.077649338 +1000 >> +++ ./policy/modules/contrib/bind.fc 2016-08-03 15:58:36.573019806 >> +1000 >> @@ -14,6 +14,9 @@ >> /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) >> /etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) >> >> +/usr/lib/systemd/system/unbound.*\.service -- >> gen_context(system_u:object_r:named_unit_t,s0) >> +/usr/lib/systemd/system/named.*\.service -- >> gen_context(system_u:object_r:named_unit_t,s0) >> + >> /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) >> /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) >> /usr/sbin/named-checkconf -- >> gen_context(system_u:object_r:named_checkconf_exec_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/bind.te >> ./policy/modules/contrib/bind.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/bind.te 2016-07-30 >> 08:14:41.077649338 +1000 >> +++ ./policy/modules/contrib/bind.te 2016-08-03 15:58:36.573019806 >> +1000 >> @@ -47,6 +47,9 @@ >> type named_keytab_t; >> files_type(named_keytab_t) >> >> +type named_unit_t; >> +init_unit_file(named_unit_t) >> + >> type named_log_t; >> logging_log_file(named_log_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/clamav.fc >> ./policy/modules/contrib/clamav.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/clamav.fc >> 2016-07-30 08:14:41.085649549 +1000 >> +++ ./policy/modules/contrib/clamav.fc 2016-08-03 >> 15:58:36.573019806 +1000 
>> @@ -24,3 +24,5 @@ >> /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) >> >> /var/spool/amavisd/clamd\.sock -s >> gen_context(system_u:object_r:clamd_var_run_t,s0) >> + >> +/usr/lib/systemd/system/clamd.*\.service -- >> gen_context(system_u:object_r:clamd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/clamav.te >> ./policy/modules/contrib/clamav.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/clamav.te >> 2016-07-30 08:14:41.085649549 +1000 >> +++ ./policy/modules/contrib/clamav.te 2016-08-03 >> 15:58:36.573019806 +1000 >> @@ -38,6 +38,9 @@ >> type clamd_initrc_exec_t; >> init_script_file(clamd_initrc_exec_t) >> >> +type clamd_unit_t; >> +init_unit_file(clamd_unit_t) >> + >> type clamd_tmp_t; >> files_tmp_file(clamd_tmp_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/consolekit.fc >> ./policy/modules/contrib/consolekit.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/consolekit.fc >> 2016-07-30 08:14:41.085649549 +1000 >> +++ ./policy/modules/contrib/consolekit.fc 2016-08-03 >> 15:58:36.573019806 +1000 >> @@ -1,3 +1,5 @@ >> +/usr/lib/systemd/system/console-kit.*\.service -- >> gen_context(system_u:object_r:consolekit_unit_t,s0) >> + >> /usr/sbin/console-kit-daemon -- >> gen_context(system_u:object_r:consolekit_exec_t,s0) >> >> /var/log/ConsoleKit(/.*)? >> gen_context(system_u:object_r:consolekit_log_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/consolekit.te >> ./policy/modules/contrib/consolekit.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/consolekit.te >> 2016-07-30 08:14:41.085649549 +1000 >> +++ ./policy/modules/contrib/consolekit.te 2016-08-03 >> 15:58:36.577019915 +1000 
>> @@ -19,6 +19,9 @@ >> files_pid_file(consolekit_var_run_t) >> init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit") >> >> +type consolekit_unit_t; >> +init_unit_file(consolekit_unit_t) >> + >> ######################################## >> # >> # Local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/cron.fc >> ./policy/modules/contrib/cron.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/cron.fc 2016-07-30 >> 08:14:41.089649654 +1000 >> +++ ./policy/modules/contrib/cron.fc 2016-08-03 15:58:36.577019915 >> +1000 >> @@ -64,3 +64,6 @@ >> /var/spool/cron/lastrun/[^/]* -- <> >> /var/spool/cron/tabs -d >> gen_context(system_u:object_r:cron_spool_t,s0) >> ') >> + >> +/usr/lib/systemd/system/atd.*\.service -- >> gen_context(system_u:object_r:crond_unit_t,s0) >> +/usr/lib/systemd/system/crond.*\.service -- >> gen_context(system_u:object_r:crond_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/cron.te >> ./policy/modules/contrib/cron.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/cron.te 2016-07-30 >> 08:14:41.089649654 +1000 >> +++ ./policy/modules/contrib/cron.te 2016-08-03 15:58:36.577019915 >> +1000 >> @@ -71,6 +71,9 @@ >> type crond_initrc_exec_t; >> init_script_file(crond_initrc_exec_t) >> >> +type crond_unit_t; >> +init_unit_file(crond_unit_t) >> + >> type crond_tmp_t; >> files_tmp_file(crond_tmp_t) >> files_poly_parent(crond_tmp_t) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/cups.fc >> ./policy/modules/contrib/cups.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/cups.fc 2016-07-30 >> 08:14:41.089649654 +1000 >> +++ ./policy/modules/contrib/cups.fc 2016-08-03 15:58:36.577019915 >> +1000 
>> @@ -75,3 +75,5 @@ >> /var/run/ptal-mlcd(/.*)? >> gen_context(system_u:object_r:ptal_var_run_t,s0) >> /var/run/udev-configure-printer(/.*)? >> gen_context(system_u:object_r:cupsd_config_var_run_t,s0) >> /var/turboprint(/.*)? >> gen_context(system_u:object_r:cupsd_var_run_t,s0) >> + >> +/usr/lib/systemd/system/cups.*\.service -- >> gen_context(system_u:object_r:cupsd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/cups.te >> ./policy/modules/contrib/cups.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/cups.te 2016-07-30 >> 08:14:41.089649654 +1000 >> +++ ./policy/modules/contrib/cups.te 2016-08-03 15:58:36.577019915 >> +1000 >> @@ -63,6 +63,9 @@ >> init_daemon_pid_file(cupsd_var_run_t, dir, "cups") >> mls_trusted_object(cupsd_var_run_t) >> >> +type cupsd_unit_t; >> +init_unit_file(cupsd_unit_t) >> + >> type hplip_t; >> type hplip_exec_t; >> init_daemon_domain(hplip_t, hplip_exec_t) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/dhcp.fc >> ./policy/modules/contrib/dhcp.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/dhcp.fc 2016-07-30 >> 08:14:41.093649760 +1000 >> +++ ./policy/modules/contrib/dhcp.fc 2016-08-03 15:58:36.577019915 >> +1000 >> @@ -6,3 +6,4 @@ >> /var/lib/dhcp(3)?/dhcpd\.leases.* -- >> gen_context(system_u:object_r:dhcpd_state_t,s0) >> >> /var/run/dhcpd(6)?\.pid -- >> gen_context(system_u:object_r:dhcpd_var_run_t,s0) >> +/usr/lib/systemd/system/dhcpcd.*\.service -- >> gen_context(system_u:object_r:dhcpd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/dhcp.te >> ./policy/modules/contrib/dhcp.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/dhcp.te 2016-07-30 >> 08:14:41.093649760 +1000 >> +++ ./policy/modules/contrib/dhcp.te 2016-08-03 15:58:36.581020025 >> +1000 
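Review bot: The dhcp.fc hunk labels `dhcpcd.*\.service` as dhcpd_unit_t, but dhcpcd is the DHCP client daemon, whereas the surrounding entries (`/var/run/dhcpd(6)?\.pid`, dhcpd_state_t) are for the dhcpd server this module confines; if the server unit was intended, the pattern should be `/usr/lib/systemd/system/dhcpd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)`. Giving a client's unit the server's unit type lets anything allowed to manage dhcpd's unit also control the client, so the mapping should be deliberate — confirm which daemon dhcpd_t actually covers. This is also the only .fc addition in the patch that is not separated from the preceding block by a blank line.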
>> @@ -20,6 +20,9 @@ >> type dhcpd_initrc_exec_t; >> init_script_file(dhcpd_initrc_exec_t) >> >> +type dhcpd_unit_t; >> +init_unit_file(dhcpd_unit_t) >> + >> type dhcpd_state_t; >> files_type(dhcpd_state_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/ftp.fc >> ./policy/modules/contrib/ftp.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/ftp.fc 2016-07-30 >> 08:14:41.101649971 +1000 >> +++ ./policy/modules/contrib/ftp.fc 2016-08-03 15:58:36.593020353 >> +1000 >> @@ -26,3 +26,6 @@ >> /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) >> /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) >> /var/log/xferreport.* -- >> gen_context(system_u:object_r:xferlog_t,s0) >> + >> +/usr/lib/systemd/system/vsftpd.*\.service -- >> gen_context(system_u:object_r:ftpd_unit_t,s0) >> +/usr/lib/systemd/system/proftpd.*\.service -- >> gen_context(system_u:object_r:ftpd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/ftp.te >> ./policy/modules/contrib/ftp.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/ftp.te 2016-07-30 >> 08:14:41.101649971 +1000 >> +++ ./policy/modules/contrib/ftp.te 2016-08-03 15:58:36.581020025 >> +1000 >> @@ -127,6 +127,9 @@ >> type ftpd_keytab_t; >> files_type(ftpd_keytab_t) >> >> +type ftpd_unit_t; >> +init_unit_file(ftpd_unit_t) >> + >> type ftpd_lock_t; >> files_lock_file(ftpd_lock_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/kdump.fc >> ./policy/modules/contrib/kdump.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/kdump.fc >> 2016-07-30 08:14:41.109650183 +1000 >> +++ ./policy/modules/contrib/kdump.fc 2016-08-03 15:58:36.581020025 >> +1000 
>> @@ -11,3 +11,5 @@ >> >> /usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) >> /usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) >> + >> +/usr/lib/systemd/system/kdump.*\.service -- >> gen_context(system_u:object_r:kdump_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/ldap.fc >> ./policy/modules/contrib/ldap.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/ldap.fc 2016-07-30 >> 08:14:41.113650288 +1000 >> +++ ./policy/modules/contrib/ldap.fc 2016-08-03 15:58:36.581020025 >> +1000 >> @@ -27,3 +27,5 @@ >> /var/run/slapd.* -s >> gen_context(system_u:object_r:slapd_var_run_t,s0) >> /var/run/slapd\.args -- >> gen_context(system_u:object_r:slapd_var_run_t,s0) >> /var/run/slapd\.pid -- >> gen_context(system_u:object_r:slapd_var_run_t,s0) >> + >> +/usr/lib/systemd/system/slapd.*\.service -- >> gen_context(system_u:object_r:slapd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/ldap.te >> ./policy/modules/contrib/ldap.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/ldap.te 2016-07-30 >> 08:14:41.113650288 +1000 >> +++ ./policy/modules/contrib/ldap.te 2016-08-03 15:58:36.581020025 >> +1000 >> @@ -24,6 +24,9 @@ >> type slapd_keytab_t; >> files_type(slapd_keytab_t) >> >> +type slapd_unit_t; >> +init_unit_file(slapd_unit_t) >> + >> type slapd_lock_t; >> files_lock_file(slapd_lock_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/mysql.fc >> ./policy/modules/contrib/mysql.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/mysql.fc >> 2016-07-30 08:14:41.121650499 +1000 >> +++ ./policy/modules/contrib/mysql.fc 2016-08-03 15:58:36.581020025 >> +1000 
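Review bot: The kdump.fc hunk references kdump_unit_t, but there is no kdump.te hunk declaring that type; the same gap applies to ntpd_unit_t (ntp.fc), syslogd_unit_t (logging.fc) and setrans_unit_t (setrans.fc), none of which get a .te change in this diff. Unless those types already exist in the tree, the new file contexts will fail validation when the policy and contexts are built, so each module needs the `type kdump_unit_t;` / `init_unit_file(kdump_unit_t)` pair (and the equivalents) in its declarations section, as the other modules in this patch do. Conversely nscd.te declares nscd_unit_t without any nscd.fc entry using it, which is harmless but leaves the type unused.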
>> @@ -25,3 +25,5 @@ >> /var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) >> /var/run/mysqlmanager.* -- >> gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) >> /var/run/mysqld/mysqlmanager.* -- >> gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) >> + >> +/usr/lib/systemd/system/mysqld.*\.service -- >> gen_context(system_u:object_r:mysqld_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/mysql.te >> ./policy/modules/contrib/mysql.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/mysql.te >> 2016-07-30 08:14:41.121650499 +1000 >> +++ ./policy/modules/contrib/mysql.te 2016-08-03 15:58:36.581020025 >> +1000 >> @@ -38,6 +38,9 @@ >> type mysqld_home_t; >> userdom_user_home_content(mysqld_home_t) >> >> +type mysqld_unit_t; >> +init_unit_file(mysqld_unit_t) >> + >> type mysqld_initrc_exec_t; >> init_script_file(mysqld_initrc_exec_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/nis.fc >> ./policy/modules/contrib/nis.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/nis.fc 2016-07-30 >> 08:14:41.125650605 +1000 >> +++ ./policy/modules/contrib/nis.fc 2016-08-03 15:58:36.585020134 >> +1000 
>> @@ -20,3 +20,8 @@ >> /var/run/ypbind.* -- >> gen_context(system_u:object_r:ypbind_var_run_t,s0) >> /var/run/ypserv.* -- >> gen_context(system_u:object_r:ypserv_var_run_t,s0) >> /var/run/yppass.* -- >> gen_context(system_u:object_r:yppasswdd_var_run_t,s0) >> + >> +/usr/lib/systemd/system/ypbind.*\.service -- >> gen_context(system_u:object_r:ypbind_unit_t,s0) >> +/usr/lib/systemd/system/ypserv.*\.service -- >> gen_context(system_u:object_r:nis_unit_t,s0) >> +/usr/lib/systemd/system/yppasswdd.*\.service -- >> gen_context(system_u:object_r:nis_unit_t,s0) >> +/usr/lib/systemd/system/ypxfrd.*\.service -- >> gen_context(system_u:object_r:nis_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/nis.te >> ./policy/modules/contrib/nis.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/nis.te 2016-07-30 >> 08:14:41.125650605 +1000 >> +++ ./policy/modules/contrib/nis.te 2016-08-03 15:58:36.585020134 >> +1000 >> @@ -27,6 +27,9 @@ >> type ypbind_var_run_t; >> files_pid_file(ypbind_var_run_t) >> >> +type ypbind_unit_t; >> +init_unit_file(ypbind_unit_t) >> + >> type yppasswdd_t; >> type yppasswdd_exec_t; >> init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) >> @@ -55,6 +58,9 @@ >> type ypxfr_var_run_t; >> files_pid_file(ypxfr_var_run_t) >> >> +type nis_unit_t; >> +init_unit_file(nis_unit_t) >> + >> ######################################## >> # >> # ypbind local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/nscd.te >> ./policy/modules/contrib/nscd.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/nscd.te 2016-07-30 >> 08:14:41.125650605 +1000 >> +++ ./policy/modules/contrib/nscd.te 2016-08-03 15:58:36.585020134 >> +1000 
>> @@ -31,6 +31,9 @@ >> type nscd_initrc_exec_t; >> init_script_file(nscd_initrc_exec_t) >> >> +type nscd_unit_t; >> +init_unit_file(nscd_unit_t) >> + >> type nscd_log_t; >> logging_log_file(nscd_log_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/ntp.fc >> ./policy/modules/contrib/ntp.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/ntp.fc 2016-07-30 >> 08:14:41.125650605 +1000 >> +++ ./policy/modules/contrib/ntp.fc 2016-08-03 15:58:36.585020134 >> +1000 >> @@ -27,3 +27,7 @@ >> /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) >> >> /var/run/ntpd\.pid -- >> gen_context(system_u:object_r:ntpd_var_run_t,s0) >> + >> +/usr/lib/systemd/system/ntpd.*\.service -- >> gen_context(system_u:object_r:ntpd_unit_t,s0) >> + >> +/usr/usr/lib/systemd/system/ntpd.*\.service -- >> gen_context(system_u:object_r:ntpd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/ppp.fc >> ./policy/modules/contrib/ppp.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/ppp.fc 2016-07-30 >> 08:14:41.133650816 +1000 >> +++ ./policy/modules/contrib/ppp.fc 2016-08-03 15:58:36.585020134 >> +1000 >> @@ -28,3 +28,5 @@ >> /var/run/pppd[0-9]*\.tdb -- >> gen_context(system_u:object_r:pppd_var_run_t,s0) >> /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) >> /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) >> + >> +/usr/lib/systemd/system/ppp.*\.service -- >> gen_context(system_u:object_r:pppd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/ppp.te >> ./policy/modules/contrib/ppp.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/ppp.te 2016-07-30 >> 08:14:41.133650816 +1000 >> +++ ./policy/modules/contrib/ppp.te 2016-08-03 15:58:36.585020134 >> +1000 
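Review bot: The second addition in the ntp.fc hunk, `/usr/usr/lib/systemd/system/ntpd.*\.service`, has a doubled `/usr/` and otherwise duplicates the entry two lines above it; it can never match a real path and should be dropped together with the extra blank line before it, leaving only `/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)`.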
>> @@ -41,6 +41,9 @@ >> type pppd_initrc_exec_t alias pppd_script_exec_t; >> init_script_file(pppd_initrc_exec_t) >> >> +type pppd_unit_t; >> +init_unit_file(pppd_unit_t) >> + >> type pppd_secret_t; >> files_type(pppd_secret_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/rpc.fc >> ./policy/modules/contrib/rpc.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/rpc.fc 2016-07-30 >> 08:14:41.141651028 +1000 >> +++ ./policy/modules/contrib/rpc.fc 2016-08-03 15:58:36.589020244 >> +1000 >> @@ -20,3 +20,6 @@ >> >> /var/run/rpc\.statd(/.*)? >> gen_context(system_u:object_r:rpcd_var_run_t,s0) >> /var/run/rpc\.statd\.pid -- >> gen_context(system_u:object_r:rpcd_var_run_t,s0) >> + >> +/usr/lib/systemd/system/nfs.*\.service -- >> gen_context(system_u:object_r:nfsd_unit_t,s0) >> +/usr/lib/systemd/system/rpc.*\.service -- >> gen_context(system_u:object_r:rpcd_unit_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/rpc.te >> ./policy/modules/contrib/rpc.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/rpc.te 2016-07-30 >> 08:14:41.145651133 +1000 >> +++ ./policy/modules/contrib/rpc.te 2016-08-03 15:58:36.589020244 >> +1000 >> @@ -52,11 +52,17 @@ >> type rpcd_initrc_exec_t; >> init_script_file(rpcd_initrc_exec_t) >> >> +type rpcd_unit_t; >> +init_unit_file(rpcd_unit_t) >> + >> rpc_domain_template(nfsd) >> >> type nfsd_initrc_exec_t; >> init_script_file(nfsd_initrc_exec_t) >> >> +type nfsd_unit_t; >> +init_unit_file(nfsd_unit_t) >> + >> type nfsd_rw_t; >> files_type(nfsd_rw_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/samba.fc >> ./policy/modules/contrib/samba.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/samba.fc >> 2016-07-30 08:14:41.145651133 +1000 >> +++ ./policy/modules/contrib/samba.fc 2016-08-03 15:58:36.589020244 >> +1000 
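Review bot: The rpc.fc pattern `/usr/lib/systemd/system/rpc.*\.service` is broad enough to match rpcbind's unit, which belongs to the separate rpcbind module rather than to rpcd_t, so that unit would be labeled rpcd_unit_t and any later rpcbind.fc entry would collide with it. A narrower prefix tied to the daemons this module confines, e.g. `/usr/lib/systemd/system/rpc-statd.*\.service`, avoids the overlap; the same check is worth doing for `nfs.*\.service`, which also matches client-side nfs units. Which units actually map to rpcd_t and nfsd_t should be confirmed against the distribution's unit names before widening or narrowing these.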
>> @@ -8,6 +8,8 @@ >> /etc/samba/smbpasswd -- >> gen_context(system_u:object_r:samba_secrets_t,s0) >> /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) >> >> +/usr/lib/systemd/system/smb.*\.service -- >> gen_context(system_u:object_r:samba_unit_t,s0) >> + >> /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) >> /usr/bin/ntlm_auth -- >> gen_context(system_u:object_r:winbind_helper_exec_t,s0) >> /usr/bin/smbcontrol -- >> gen_context(system_u:object_r:smbcontrol_exec_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/samba.te >> ./policy/modules/contrib/samba.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/samba.te >> 2016-07-30 08:14:41.145651133 +1000 >> +++ ./policy/modules/contrib/samba.te 2016-08-03 15:58:36.589020244 >> +1000 >> @@ -113,6 +113,9 @@ >> type samba_initrc_exec_t; >> init_script_file(samba_initrc_exec_t) >> >> +type samba_unit_t; >> +init_unit_file(samba_unit_t) >> + >> type samba_log_t; >> logging_log_file(samba_log_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/tor.fc >> ./policy/modules/contrib/tor.fc >> --- /home/rjc/src/pol-git/policy/modules/contrib/tor.fc 2016-07-30 >> 08:14:41.153651345 +1000 >> +++ ./policy/modules/contrib/tor.fc 2016-08-03 15:58:36.589020244 >> +1000 >> @@ -5,6 +5,8 @@ >> /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) >> /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) >> >> +/usr/lib/systemd/system/tor.*\.service -- >> gen_context(system_u:object_r:tor_unit_t,s0) >> + >> /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) >> /var/lib/tor-data(/.*)? >> gen_context(system_u:object_r:tor_var_lib_t,s0) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/tor.te >> ./policy/modules/contrib/tor.te >> --- /home/rjc/src/pol-git/policy/modules/contrib/tor.te 2016-07-30 >> 08:14:41.153651345 +1000 >> +++ ./policy/modules/contrib/tor.te 2016-08-03 15:58:36.589020244 >> +1000 
>> @@ -33,6 +33,9 @@ >> files_pid_file(tor_var_run_t) >> init_daemon_pid_file(tor_var_run_t, dir, "tor") >> >> +type tor_unit_t; >> +init_unit_file(tor_unit_t) >> + >> ######################################## >> # >> # Local policy >> diff -ru /home/rjc/src/pol-git/policy/modules/system/init.te >> ./policy/modules/system/init.te >> --- /home/rjc/src/pol-git/policy/modules/system/init.te 2016-07-28 >> 20:33:39.967961825 +1000 >> +++ ./policy/modules/system/init.te 2016-08-03 15:45:01.782699499 >> +1000 >> @@ -568,6 +568,9 @@ >> userdom_use_user_terminals(initrc_t) >> >> ifdef(`distro_debian',` >> + kernel_getattr_core_if(initrc_t) >> + >> + dev_getattr_generic_blk_files(initrc_t) >> dev_setattr_generic_dirs(initrc_t) >> >> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir) >> diff -ru /home/rjc/src/pol-git/policy/modules/system/logging.fc >> ./policy/modules/system/logging.fc >> --- /home/rjc/src/pol-git/policy/modules/system/logging.fc >> 2016-07-28 20:33:39.967961825 +1000 >> +++ ./policy/modules/system/logging.fc 2016-08-03 >> 15:58:36.589020244 +1000 >> @@ -27,6 +27,7 @@ >> /usr/sbin/rsyslogd -- >> gen_context(system_u:object_r:syslogd_exec_t,s0) >> /usr/sbin/syslog-ng -- >> gen_context(system_u:object_r:syslogd_exec_t,s0) >> /usr/sbin/syslogd -- >> gen_context(system_u:object_r:syslogd_exec_t,s0) >> +/usr/lib/systemd/system/rsyslog.*\.service -- >> gen_context(system_u:object_r:syslogd_unit_t,s0) >> >> /var/lib/misc/syslog-ng.persist-? -- >> gen_context(system_u:object_r:syslogd_var_lib_t,s0) >> /var/lib/syslog-ng(/.*)? >> gen_context(system_u:object_r:syslogd_var_lib_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.fc >> ./policy/modules/system/selinuxutil.fc >> --- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.fc >> 2016-07-28 20:33:39.971961928 +1000 >> +++ ./policy/modules/system/selinuxutil.fc 2016-08-03 >> 15:58:36.593020353 +1000 
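Review bot: The init.te hunk adds `kernel_getattr_core_if(initrc_t)` and `dev_getattr_generic_blk_files(initrc_t)` inside the distro_debian ifdef block, which has nothing to do with unit-file labeling and is not mentioned in the description; a permission grant to initrc_t deserves its own patch with the denial it addresses stated, so it can be reviewed on its own. The enclosing distro_debian block continues past the end of the hunk.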
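Review bot: The logging.fc hunk labels only `rsyslog.*\.service` as syslogd_unit_t, although the surrounding context lists syslog-ng and syslogd executables under the same syslogd_exec_t; if those daemons ship their own units they would stay at the generic unit label and could not be managed consistently with rsyslog's. Consider adding `/usr/lib/systemd/system/syslog-ng.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)` or noting why rsyslog is the only one covered. The new line is also inserted among the /usr/sbin entries rather than with the other /usr/lib paths, which breaks the file's path ordering.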
>> @@ -36,6 +36,7 @@ >> >> /usr/sbin/load_policy -- >> gen_context(system_u:object_r:load_policy_exec_t,s0) >> /usr/sbin/restorecond -- >> gen_context(system_u:object_r:restorecond_exec_t,s0) >> +/usr/lib/systemd/system/restorecond.*\.service -- >> gen_context(system_u:object_r:restorecond_unit_t,s0) >> /usr/sbin/run_init -- >> gen_context(system_u:object_r:run_init_exec_t,s0) >> /usr/sbin/setfiles.* -- >> gen_context(system_u:object_r:setfiles_exec_t,s0) >> /usr/sbin/setsebool -- >> gen_context(system_u:object_r:semanage_exec_t,s0) >> diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te >> ./policy/modules/system/selinuxutil.te >> --- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te >> 2016-07-28 20:33:39.971961928 +1000 >> +++ ./policy/modules/system/selinuxutil.te 2016-08-03 >> 15:58:36.593020353 +1000 >> @@ -85,6 +85,9 @@ >> domain_obj_id_change_exemption(restorecond_t) >> role system_r types restorecond_t; >> >> +type restorecond_unit_t; >> +init_unit_file(restorecond_unit_t) >> + >> type restorecond_var_run_t; >> files_pid_file(restorecond_var_run_t) >> >> diff -ru /home/rjc/src/pol-git/policy/modules/system/setrans.fc >> ./policy/modules/system/setrans.fc >> --- /home/rjc/src/pol-git/policy/modules/system/setrans.fc >> 2016-07-28 20:33:39.971961928 +1000 >> +++ ./policy/modules/system/setrans.fc 2016-08-03 >> 15:58:36.593020353 +1000 >> @@ -1,5 +1,6 @@ >> /etc/rc\.d/init\.d/mcstrans -- >> gen_context(system_u:object_r:setrans_initrc_exec_t,s0) >> >> /sbin/mcstransd -- >> gen_context(system_u:object_r:setrans_exec_t,s0) >> +/usr/lib/systemd/system/mcstrans.*\.service -- >> gen_context(system_u:object_r:setrans_unit_t,s0) >> >> /var/run/setrans(/.*)? >> gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) > > > -- Chris PeBenito
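Review bot: In the selinuxutil.fc and setrans.fc hunks the new /usr/lib/systemd entries are inserted between existing /usr/sbin (and /sbin) lines rather than in path order and without the blank-line separation used by the other .fc hunks in this patch, which makes the files harder to scan for the unit-file block. Moving each into its own path-ordered stanza, e.g. `/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)` placed after the /usr/bin entries, keeps the convention consistent.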