From: dsugar@tresys.com (David Sugar)
Date: Tue, 5 Sep 2017 14:05:19 +0000
Subject: [refpolicy] Interface for systemd using SELinuxContext option
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B4B361@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option  to specify a context for the service being started.  The same .service file (/lib/systemd/system/foo at .service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each.  The context is customized in /lib/systemd/system/foo at .service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0)  [2]
 
We then create /etc/systemd/system/foo at bar.service.d/bar.conf so the final running process is in the domain foo_bar_t 

We have created the following interface (in init.if) to meet our needs.  I don't think the interface name is acceptable (I'm open to suggestions) and would like to submit a patch for this based on comments from the list.  The interface is very much like init_domain except for the use of domain_transition_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.

########################################
## <summary>
##	Create a domain which can be started by init.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program being executed when starting this domain.
##	</summary>
## </param>
#
interface(`init_manual_trans',`
	gen_require(`
		type init_t;
		role system_r;
	')

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	domain_transition_pattern(init_t, $2, $1)

	ifdef(`init_systemd',`
		allow $1 init_t:unix_stream_socket { getattr read write ioctl };

		allow init_t $1:process2 { nnp_transition nosuid_transition };
	')
')


[1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html

Input is appreciated.
Dave Sugar
dsugar at tresys.com