From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 5 Sep 2017 16:24:29 +0200
Subject: [refpolicy] Interface for systemd using SELinuxContext option
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4B361@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4B361@Exchange10.columbia.tresys.com>
Message-ID: <20170905142429.GA22703@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Tue, Sep 05, 2017 at 02:05:19PM +0000, David Sugar via refpolicy wrote:
> We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2]
>
> We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t
>
> We have created the following interface (in init.if) to meet our needs. I don't think the interface name is acceptable (I'm open to suggestions) and would like to submit a patch for this based on comments from the list. The interface is very much like init_domain except for the use of domain_transition_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.
Why not just make these normal init_daemon_domain() or init_system_domain()?
The SELinuxContext= option automatically works for init_daemon_domain() and init_system_domain().
>
> ########################################
> ##
> ## Create a domain which can be started by init.
> ##
> ##
> ##
> ## Type to be used as a domain.
> ##
> ##
> ##
> ##
> ## Type of the program being executed when starting this domain.
> ##
> ##
> #
> interface(`init_manual_trans',`
> 	gen_require(`
> 		type init_t;
> 		role system_r;
> 	')
>
> 	domain_type($1)
> 	domain_entry_file($1, $2)
>
> 	role system_r types $1;
>
> 	domain_transition_pattern(init_t, $2, $1)
>
> 	ifdef(`init_systemd',`
> 		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
>
> 		allow init_t $1:process2 { nnp_transition nosuid_transition };
> 	')
> ')
>
>
> [1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> [2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html
>
> Input is appreciated.
> Dave Sugar
> dsugar at tresys.com
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
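
Added example, not part of the original thread or of refpolicy: a small check that expands the `%i` specifier in a template unit's `SELinuxContext=` line for each instance and reports the domain types the policy does not declare. The unit text, the `ExecStart` path, the function names and the set of declared types are constructed assumptions.

```python
import configparser

# Constructed sample of the template unit described in the thread (foo@.service).
# The ExecStart path is hypothetical.
TEMPLATE_UNIT = """\
[Service]
ExecStart=/usr/bin/foo --instance %i
SELinuxContext=system_u:system_r:foo_%i_t:s0
"""

def instance_context(unit_text, unit_name):
    """Return (context, ignore_failure) that would be requested for unit_name."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case: systemd setting names are case-sensitive
    parser.read_string(unit_text)
    value = parser.get("Service", "SELinuxContext", fallback=None)
    if value is None:
        return None, False
    # A leading "-" makes systemd ignore a failure to set the context.
    ignore_failure = value.startswith("-")
    if ignore_failure:
        value = value[1:]
    # %i is the instance string between "@" and the unit type suffix.
    instance = unit_name.partition("@")[2].rsplit(".", 1)[0]
    return value.replace("%i", instance), ignore_failure

def undeclared_domains(unit_text, unit_names, declared_types):
    """Map each unit name to the requested domain type missing from declared_types."""
    missing = {}
    for name in unit_names:
        context, _ = instance_context(unit_text, name)
        if context is None:
            continue
        fields = context.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed SELinux context for {name}: {context!r}")
        if fields[2] not in declared_types:
            missing[name] = fields[2]
    return missing

if __name__ == "__main__":
    # Constructed input: only foo_bar_t exists in the (hypothetical) policy.
    units = ["foo@bar.service", "foo@baz.service"]
    print(undeclared_domains(TEMPLATE_UNIT, units, {"foo_bar_t"}))
```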