From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 22 May 2017 19:06:03 -0400
Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files
In-Reply-To: <15920749.gtu21uqWR7@cruinn>
References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> <20170518193110.27516-3-krzysztof.a.nowicki@gmail.com> <15920749.gtu21uqWR7@cruinn>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/18/2017 04:35 PM, Krzysztof Nowicki via refpolicy wrote:
> On Thursday, 18 May 2017 21:52:09 CEST Christian Göttsche wrote:
>> 2017-05-18 21:31 GMT+02:00 Krzysztof Nowicki via refpolicy
>>
>> :
>>> From: Krzysztof Nowicki
>>>
>>> Reuse the label from dynamically created configuration.
>>> ---
>>>
>>> policy/modules/system/modutils.te | 2 +-
>>> policy/modules/system/systemd.fc | 6 ++++++
>>> policy/modules/system/systemd.if | 4 ++--
>>> policy/modules/system/systemd.te | 1 +
>>> 4 files changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/policy/modules/system/modutils.te
>>> b/policy/modules/system/modutils.te index 1f7bdcd..625129f 100644
>>> --- a/policy/modules/system/modutils.te
>>> +++ b/policy/modules/system/modutils.te
>>> @@ -118,7 +118,7 @@ ifdef(`init_systemd',`
>>>
>>> # for /run/tmpfiles.d/kmod.conf
>>> allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
>>> # kmod needs to create /run/tmpdiles.d
>>>
>>> - systemd_tmpfiles_creator(kmod_t)
>>> + systemd_tmpfiles_config_creator(kmod_t)
>>>
>>> init_rw_stream_sockets(kmod_t)
>>>
>>> ')
>>>
>>> diff --git a/policy/modules/system/systemd.fc
>>> b/policy/modules/system/systemd.fc index 57944e1..8bff2fa 100644
>>> --- a/policy/modules/system/systemd.fc
>>> +++ b/policy/modules/system/systemd.fc
>>> @@ -37,10 +37,16 @@
>>>
>>> /usr/lib/systemd/system/systemd-backlight.* --
>>> gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
>>> /usr/lib/systemd/system/systemd-binfmt.* --
>>> gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)>
>>> +# Systemd tmpfiles configuration
>>> +/usr/lib/tmpfiles.d(/.*)?
>>> gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) +
>>>
>>> /var/lib/systemd/backlight(/.*)?
>>> gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
>>> /var/lib/systemd/coredump(/.*)?
>>> gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
>>> /var/lib/systemd/linger(/.*)?
>>> gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)>
>>> +# Systemd tmpfiles configuration factory
>>> +/usr/share/factory(/.*)?
>>> gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
>> What is the benefit of labeling this directory and the
>> /usr/lib/tmpfiles.d one with a private type?
>> Shouldn't the read-only like usr_t type do the job?
>> Also afaik local changes should be made in /etc/tmpfiles.d
>
> The idea was to avoid just that - giving the systemd-tmpfiles access to a
> generic type. I've always felt that types are there to separate access rules.
>
> If you feel that it's not needed then I can go with usr_t instead.

Generally usr_t is for files that aren't sensitive (generally readable), and written by the package manager. That seems to fit these files, unless there's something I'm missing.

-- 
Chris PeBenito
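Review bot: in the modutils.te hunk, the call is renamed to `systemd_tmpfiles_config_creator(kmod_t)`, but the `systemd.if` change that must define that interface (listed in the diffstat as `policy/modules/system/systemd.if | 4 ++--`) is not visible in the quoted patch, so a reviewer cannot confirm the new interface exists or that every other caller of `systemd_tmpfiles_creator()` was updated; an unresolved interface name fails the policy build. Please show the `systemd.if` hunk alongside this one. While touching this block, the context comment `# kmod needs to create /run/tmpdiles.d` has a typo (`tmpdiles.d` for `tmpfiles.d`) worth fixing.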
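Review bot: in the systemd.fc hunk, `/usr/share/factory(/.*)?` is given `systemd_tmpfiles_conf_t` under the comment `# Systemd tmpfiles configuration factory`, but that tree is not tmpfiles configuration; it holds the default files that tmpfiles.d copy (`C`) lines source from. Sharing one type means any domain granted write access to tmpfiles configuration (the `systemd_tmpfiles_config_creator()` interface this series renames) can also alter those factory defaults, which is a wider grant than the commit message "Reuse the label from dynamically created configuration" suggests. Either correct the comment and keep the factory tree on `usr_t`, as the reply questioning the private type proposes, or give it its own type. Separately, only `/usr/lib/tmpfiles.d` is labeled here; the reply notes local overrides live in `/etc/tmpfiles.d`, so static vendor and local admin configuration would end up with different types unless a matching `/etc/tmpfiles.d(/.*)?` entry is added or that difference is intended.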