From: russell@coker.com.au (Russell Coker)
Date: Wed, 22 Mar 2017 19:27:17 +1100
Subject: [refpolicy] [PATCH] sort rules for systemd cgroups hostnamed and logind
Message-ID: <20170322082717.5hrh35g6n44lcgls@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

As requested this patch sorts some rules for systemd policy, removes some dupes, and does nothing else. The next patch actually does things.

Index: refpolicy-2.20170313/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170313/policy/modules/system/systemd.te
@@ -202,12 +202,11 @@ fs_register_binary_executable_type(syste
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
 kernel_dgram_send(systemd_cgroups_t)
-selinux_getattr_fs(systemd_cgroups_t)
-
 # write to /run/systemd/cgroups-agent
 init_dgram_send(systemd_cgroups_t)
 init_stream_connect(systemd_cgroups_t)
+selinux_getattr_fs(systemd_cgroups_t)
 systemd_log_parse_environment(systemd_cgroups_t)
 ######################################
@@ -256,14 +255,12 @@ seutil_search_default_contexts(systemd_c
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
 files_read_etc_files(systemd_hostnamed_t)
-
 seutil_read_file_contexts(systemd_hostnamed_t)
-
 systemd_log_parse_environment(systemd_hostnamed_t)
 optional_policy(`
-	dbus_system_bus_client(systemd_hostnamed_t)
 	dbus_connect_system_bus(systemd_hostnamed_t)
+	dbus_system_bus_client(systemd_hostnamed_t)
 ')
 #######################################
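Review bot: The description says the patch "removes some dupes", but every rule removed in this hunk (`selinux_getattr_fs(systemd_cgroups_t)`) is re-added a few lines below, and the same holds for the hostnamed hunk and the logind hunk on the following lines — what is visible is a reorder plus blank-line removal only. If a duplicate rule was dropped it is not in these three hunks, so either the description should say only that it sorts rules, or a hunk is missing from the mail. Since the order of interface calls in a .te block does not change the allow rules they expand to, the "does nothing else" claim is straightforward to confirm by building the module before and after and comparing the compiled policy (for example with sediff), which would also catch a rule accidentally lost in the resort.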
@@ -318,51 +315,46 @@ init_var_lib_filetrans(systemd_logind_t,
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-files_search_pids(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)
 auth_manage_faillog(systemd_logind_t)
-
-dev_rw_sysfs(systemd_logind_t)
-dev_rw_input_dev(systemd_logind_t)
 dev_getattr_dri_dev(systemd_logind_t)
-dev_setattr_dri_dev(systemd_logind_t)
 dev_getattr_sound_dev(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
 dev_setattr_sound_dev(systemd_logind_t)
-
 files_read_etc_files(systemd_logind_t)
-
-fs_read_efivarfs_files(systemd_logind_t)
+files_search_pids(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
-
-storage_getattr_removable_dev(systemd_logind_t)
-storage_setattr_removable_dev(systemd_logind_t)
-storage_getattr_scsi_generic_dev(systemd_logind_t)
-storage_setattr_scsi_generic_dev(systemd_logind_t)
-
-term_use_unallocated_ttys(systemd_logind_t)
+fs_read_efivarfs_files(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+init_service_status(systemd_logind_t)
 init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
-init_service_status(systemd_logind_t)
-init_service_start(systemd_logind_t)
-
 locallogin_read_state(systemd_logind_t)
+storage_getattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
 systemd_log_parse_environment(systemd_logind_t)
 systemd_start_power_units(systemd_logind_t)
+term_use_unallocated_ttys(systemd_logind_t)
+
 udev_read_db(systemd_logind_t)
 udev_read_pid_files(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
 optional_policy(`
-	dbus_system_bus_client(systemd_logind_t)
 	dbus_connect_system_bus(systemd_logind_t)
+	dbus_system_bus_client(systemd_logind_t)
 ')
 #########################################
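Review bot: The strict alphabetical sort in the logind hunk also drops the blank lines that separated the per-module groups (`auth_`, `dev_`, `files_`/`fs_`, `storage_`/`term_`, `init_`, `locallogin_`) and now interleaves system-layer calls such as `init_*` and `locallogin_read_state` between the kernel-layer `fs_*` and `storage_*` calls; the hostnamed hunk above merges its groups the same way. If the rest of systemd.te keeps the usual refpolicy layout of one blank-line-separated group per module in layer order, these two blocks become the odd ones out, and a later contributor adding a rule will have no group to put it in. Sorting within each module group and keeping a blank line between prefixes, as the new blank before `udev_read_db` already does, would preserve that structure while still giving a deterministic order. The logind block begins before `manage_fifo_files_pattern` and its earlier rules are outside the hunk.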