From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sun, 12 Feb 2017 20:36:50 +0100
Subject: [refpolicy] [PATCH] little misc patches
In-Reply-To: <20170212113832.h4damrekbuv6d4xn@athena.coker.com.au>
References: <20170212113832.h4damrekbuv6d4xn@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Feb 12, 2017 at 12:38 PM, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:

> This is a bunch of minor fixes that I split out from another patch which also
> has some of the interfaces needed for the systemd core patch I sent a few
> days ago (which is why that one didn't work).
>
> After we get this one done I'll create a patch set for systemd that should
> make pebenito happy. ;)
>
> Fix some minor labelling issues for init.
>
> Make lots of things optional_policy to allow more modular builds.
>
> Remove the sysadm_shell_domtrans(init_t) line, it causes problems with systemd
> as well as upstart.
>
> Allow kerneloops_t to read /proc/cpuinfo etc
>
> make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
> question
>
>
> Index: refpolicy-2.20170212/policy/modules/system/init.fc > =================================================================== > --- refpolicy-2.20170212.orig/policy/modules/system/init.fc > +++ refpolicy-2.20170212/policy/modules/system/init.fc
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', ` > /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r: > initrc_state_t,s0) > ') > > +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r: > init_exec_t,s0) > +/usr/lib/systemd/system-generators/[^/]* -- > gen_context(system_u:object_r:init_exec_t,s0) > > /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r: > initrc_exec_t,s0) > /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r: > initrc_exec_t,s0) >

Why is /usr/lib/systemd/[^/]* needed and labeled init_exec_t, instead of bin_t for example? /usr/lib/systemd/systemd is already labeled init_exec_t and /usr/lib/systemd/ contains other programs such as systemd services (whose contexts are defined in policy/modules/system/systemd.fc).

Nicolas
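
Review bot: The first added line of the init.fc hunk, `/usr/lib/systemd/[^/]* --`, is a catch-all that gives init_exec_t to every regular file directly under /usr/lib/systemd unless a more specific entry applies, and the commit message says only "Fix some minor labelling issues for init" without naming the binaries it is meant to cover. init_exec_t is the entry point type for init, so a default this broad needs a stated reason; consider listing the specific programs that require it and leaving the rest to a generic type such as bin_t, and put a short comment above both new entries. The system-generators line is narrower, but it would benefit from the same comment explaining why generators get init_exec_t. Both entries are also added unconditionally right after the `distro_gentoo` block, so it is worth confirming they are intended for every distribution.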