From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 25 Mar 2017 13:52:02 -0400
Subject: [refpolicy] [PATCH] sort rules for systemd cgroups hostnamed and logind
In-Reply-To: <20170322082717.5hrh35g6n44lcgls@athena.coker.com.au>
References: <20170322082717.5hrh35g6n44lcgls@athena.coker.com.au>
Message-ID: <3fd54dde-2e80-d0a4-1ad3-6905a86b6ca5@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/22/2017 04:27 AM, Russell Coker via refpolicy wrote:
> As requested this patch sorts some rules for systemd policy, removes
> some dupes, and does nothing else. The next patch actually does
> things.

There are a couple of notes about the sorting. I'd appreciate suggestions or patches to improve the clarity of the style guide. I've merged this so the latter patch could be merged, but fixed the issues afterward.

> Index: refpolicy-2.20170313/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/system/systemd.te +++ > refpolicy-2.20170313/policy/modules/system/systemd.te @@ -202,12 > +202,11 @@ fs_register_binary_executable_type(syste > kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) > kernel_dgram_send(systemd_cgroups_t) > > -selinux_getattr_fs(systemd_cgroups_t) - # write to > /run/systemd/cgroups-agent init_dgram_send(systemd_cgroups_t) > init_stream_connect(systemd_cgroups_t) > > +selinux_getattr_fs(systemd_cgroups_t) Actually this line was in the right place because selinux module is in kernel layer, while init and systemd are in system (higher layer). > systemd_log_parse_environment(systemd_cgroups_t) > > ######################################
@@ -256,14 +255,12 @@ > seutil_search_default_contexts(systemd_c > kernel_read_kernel_sysctls(systemd_hostnamed_t) > > files_read_etc_files(systemd_hostnamed_t) - > seutil_read_file_contexts(systemd_hostnamed_t) - > systemd_log_parse_environment(systemd_hostnamed_t) > > optional_policy(` - dbus_system_bus_client(systemd_hostnamed_t) > dbus_connect_system_bus(systemd_hostnamed_t) + > dbus_system_bus_client(systemd_hostnamed_t) Within a group of rules from a particular module (dbus_*) they don't necessarily need to be sorted. > ') > > ####################################### 
@@ -318,51 +315,46 @@ > init_var_lib_filetrans(systemd_logind_t, > > manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, > systemd_logind_var_run_t) manage_files_pattern(systemd_logind_t, > systemd_logind_var_run_t, systemd_logind_var_run_t) > -files_search_pids(systemd_logind_t) > > kernel_read_kernel_sysctls(systemd_logind_t) > > auth_manage_faillog(systemd_logind_t) - > -dev_rw_sysfs(systemd_logind_t) -dev_rw_input_dev(systemd_logind_t) > dev_getattr_dri_dev(systemd_logind_t) > -dev_setattr_dri_dev(systemd_logind_t) > dev_getattr_sound_dev(systemd_logind_t) > +dev_rw_input_dev(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) > +dev_setattr_dri_dev(systemd_logind_t) > dev_setattr_sound_dev(systemd_logind_t) - Within a group of rules from a particular module (dbus_*) they don't necessarily need to be sorted. Also there should be a blank line between dev_* rules and files_* rules > files_read_etc_files(systemd_logind_t) - > -fs_read_efivarfs_files(systemd_logind_t) > +files_search_pids(systemd_logind_t) > > fs_getattr_tmpfs(systemd_logind_t) - > -storage_getattr_removable_dev(systemd_logind_t) > -storage_setattr_removable_dev(systemd_logind_t) > -storage_getattr_scsi_generic_dev(systemd_logind_t) > -storage_setattr_scsi_generic_dev(systemd_logind_t) - > -term_use_unallocated_ttys(systemd_logind_t) > +fs_read_efivarfs_files(systemd_logind_t) > > init_get_all_units_status(systemd_logind_t) > +init_service_start(systemd_logind_t) > +init_service_status(systemd_logind_t) > init_start_all_units(systemd_logind_t) > init_stop_all_units(systemd_logind_t) > -init_service_status(systemd_logind_t) > -init_service_start(systemd_logind_t) - > locallogin_read_state(systemd_logind_t) > > +storage_getattr_removable_dev(systemd_logind_t) > +storage_getattr_scsi_generic_dev(systemd_logind_t) > +storage_setattr_removable_dev(systemd_logind_t) > +storage_setattr_scsi_generic_dev(systemd_logind_t) > systemd_log_parse_environment(systemd_logind_t) > 
systemd_start_power_units(systemd_logind_t) > > +term_use_unallocated_ttys(systemd_logind_t) + > udev_read_db(systemd_logind_t) udev_read_pid_files(systemd_logind_t) > > userdom_use_user_ttys(systemd_logind_t) > > optional_policy(` - dbus_system_bus_client(systemd_logind_t) > dbus_connect_system_bus(systemd_logind_t) + > dbus_system_bus_client(systemd_logind_t) ') > > ######################################### -- Chris PeBenito
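Review bot: In the systemd_cgroups_t hunk (@@ -202,12 +202,11 @@), moving selinux_getattr_fs(systemd_cgroups_t) below init_dgram_send and init_stream_connect places a kernel-layer interface call after system-layer ones; the original position already followed the layer order, so keep selinux_getattr_fs above the init_* calls and restore the blank line that separated the two groups.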
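Review bot: In the systemd_hostnamed_t hunk (@@ -256,14 +255,12 @@), the two removed blank lines run files_read_etc_files, seutil_read_file_contexts and systemd_log_parse_environment together although they come from three different modules; keep a blank line between each module's rules. Swapping dbus_connect_system_bus and dbus_system_bus_client inside the optional_policy block is unnecessary, since rules from the same module do not need to be sorted among themselves.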
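Review bot: In the systemd_logind_t hunk (@@ -318,51 +315,46 @@), the blank line after dev_setattr_sound_dev(systemd_logind_t) is dropped, so the dev_* rules run straight into files_read_etc_files; add it back. The same applies to the removed blank line between the init_* rules and locallogin_read_state, and the newly added storage_* block sits directly above systemd_log_parse_environment with no separating blank line. Reordering dbus_connect_system_bus and dbus_system_bus_client inside optional_policy is not needed, as rules from one module need not be sorted. The remaining moves (files_search_pids under files_read_etc_files, fs_read_efivarfs_files under fs_getattr_tmpfs, init_service_start/init_service_status sorted, storage_* and term_use_unallocated_ttys placed in layer order) look fine.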