From: russell@coker.com.au (Russell Coker)
Date: Wed, 5 Apr 2017 14:44:44 +1000
Subject: [refpolicy] [PATCH] systemd related changes
In-Reply-To: <71065d33-6158-49f9-923b-44eae092e97f@ieee.org>
References: <20170402064528.anw6vkdlmcd6ftwj@athena.coker.com.au>
	<201704041652.32469.russell@coker.com.au>
	<71065d33-6158-49f9-923b-44eae092e97f@ieee.org>
Message-ID: <201704051444.45014.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 5 Apr 2017 09:10:05 AM Chris PeBenito via refpolicy wrote:
> >> I think this was merged in the last patch but renamed
> >> init_get_script_status().
> > 
> > A grep of the source doesn't turn up a match for init_get_script_status.
> 
> Ok, then that's what the interface should be called :)

OK.

> >>> +#######################################
> >>> +## <summary>
> >>> +##  Send generic signals to systemd_passwd_agent processes.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +##  <summary>
> >>> +##  Domain allowed access.
> >>> +##  </summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`systemd_manage_passwd_run',`
> >>> +	gen_require(`
> >>> +		type systemd_passwd_agent_t;
> >>> +		type systemd_passwd_var_run_t;
> >>> +	')
> >>> +
> >>> +	manage_files_pattern($1, systemd_passwd_var_run_t,
> >>> systemd_passwd_var_run_t) +	manage_sock_files_pattern($1,
> >>> systemd_passwd_var_run_t, systemd_passwd_var_run_t) +
> >>> +	allow systemd_passwd_agent_t $1:process signull;
> >>> +	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
> >> 
> >> This looks like it should be 2-4 interfaces, but I'm not sure how many.
> > 
> > It's all for a single purpose, using systemd to get a password.  So far
> > the only users of it are httpd_t (for getting passwords for locked SSL
> > certificate files) and init_t (for a "strict" configuration).
> > 
> > I don't think it makes sense to split it.  A better name and description
> > would make sense, do you have a suggestion for a new name?
> 
> That seems very peculiar having that large amount of file access in
> addition to the unix socket use.  But if that's the case, then I think
> I'd go with something like systemd_use_passwd_agent() since that gets
> the concept across and abstracts away any details about unix sockets and
> file access.

OK.

I'll send another patch

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/