2011-07-24 05:59:01

by Russell Coker

Subject: [refpolicy] new refpolicy release

http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease

It seems that the latest refpolicy release is from 2010. Are there plans for
a new one soon?

I am just uploading what I plan to be the last 20100524 based release for
Debian/Unstable. I will try to get stuff from that included in Debian/Squeeze
(the current stable release) but apart from that I'm finished with 20100524.

I'm not really keen on getting a 6-month-old release as I've got a heap of
changes, some of which should go upstream. I'd like to get a new upstream
release to base on for the purpose of sorting out all the patches.

One option I'm considering is taking the current git tree, calling it
20110724, and using it as the base for Debian development.

As an aside, what's the status of systemd policy?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


2011-07-25 12:12:25

by cpebenito

Subject: [refpolicy] new refpolicy release

On 07/24/11 01:59, Russell Coker wrote:
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
>
> It seems that the latest refpolicy release is from 2010. Are there plans for
> a new one soon?

Yes, I'm doing one this week.

> I am just uploading what I plan to be the last 20100524 based release for
> Debian/Unstable. I will try to get stuff from that included in Debian/Squeeze
> (the current stable release) but apart from that I'm finished with 20100524.
>
> I'm not really keen on getting a 6 month old release as I've got a heap of
> changes, some of which should go upstream. I'd like to get a new upstream
> release to base on for the purpose of sorting out all the patches.
>
> One option I'm considering is taking the current git tree, calling it
> 20110724, and using it as the base for Debian development.
>
> As an aside, what's the status of systemd policy?

There isn't one upstream. The last time it was discussed, I suggested
that it was so different and did so many more things that it should
probably be its own module. I haven't heard or seen anything since then.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-07-25 12:17:11

by domg472

Subject: [refpolicy] new refpolicy release



On Mon, 2011-07-25 at 08:12 -0400, Christopher J. PeBenito wrote:
> On 07/24/11 01:59, Russell Coker wrote:
> > http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
> >
> > It seems that the latest refpolicy release is from 2010. Are there plans for
> > a new one soon?
>
> Yes, I'm doing one this week.
>
> > I am just uploading what I plan to be the last 20100524 based release for
> > Debian/Unstable. I will try to get stuff from that included in Debian/Squeeze
> > (the current stable release) but apart from that I'm finished with 20100524.
> >
> > I'm not really keen on getting a 6 month old release as I've got a heap of
> > changes, some of which should go upstream. I'd like to get a new upstream
> > release to base on for the purpose of sorting out all the patches.
> >
> > One option I'm considering is taking the current git tree, calling it
> > 20110724, and using it as the base for Debian development.
> >
> > As an aside, what's the status of systemd policy?
>
> There isn't one upstream. The last time it was discussed, I suggested
> that it was so different and did so many more things that it should
> probably be its own module. I haven't heard or seen anything since then.
>

I started working on it and got pretty far until I tried shutdown.
That is when I hit issues.

Kernel logging is stopped pretty early and so I could not determine what
all systemd needs to shut down properly. Spent about a week just trying
various things but could not get it to work. Gave up.

In the meantime new functionality was added to systemd, like support
for multi-seat, and there is more to come.


2011-07-25 12:39:27

by Russell Coker

Subject: [refpolicy] new refpolicy release

On Mon, 25 Jul 2011, Dominick Grift <[email protected]> wrote:
> > > As an aside, what's the status of systemd policy?
> >
> > There isn't one upstream. The last time it was discussed, I suggested
> > that it was so different and did so many more things that it should
> > probably be its own module. I haven't heard or seen anything since then.
>
> I started working on it and got pretty far until I tried shutdown.
> That is when I hit issues.
>
> Kernel logging is stopped pretty early and so I could not determine what
> all systemd needs to shut down properly. Spent about a week just trying
> various things but could not get it to work. Gave up.

Could you please post what you did to the list so others can work on it
without reinventing any wheels?

> In the meantime new functionality was added to systemd, like support
> for multi-seat, and there is more to come.

What is "multi seat"?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2011-07-25 12:53:23

by domg472

Subject: [refpolicy] new refpolicy release



On Mon, 2011-07-25 at 22:39 +1000, Russell Coker wrote:
>
> Could you please post what you did to the list so others can work on it
> without reinventing any wheels?

I will try and dig my systemd policy up from my backup and post it in
this thread ASAP.

> What is "multi seat"?
>

http://www.freedesktop.org/wiki/Software/systemd/multiseat

2011-07-25 13:31:03

by domg472

Subject: [refpolicy] new refpolicy release



On Mon, 2011-07-25 at 22:39 +1000, Russell Coker wrote:
> On Mon, 25 Jul 2011, Dominick Grift <[email protected]> wrote:
> > > > As an aside, what's the status of systemd policy?
> > >
> > > There isn't one upstream. The last time it was discussed, I suggested
> > > that it was so different and did so many more things that it should
> > > probably be its own module. I haven't heard or seen anything since then.
> >
> > I started working on it and got pretty far until I tried shutdown.
> > That is when I hit issues.
> >
> > Kernel logging is stopped pretty early and so I could not determine what
> > all systemd needs to shut down properly. Spent about a week just trying
> > various things but could not get it to work. Gave up.
>
> Could you please post what you did to the list so others can work on it
> without reinventing any wheels?

Enclosed you will find what I ended up with. Keep in mind, though, that
this is dated by now (it was done months ago).

Also note that I pretty much gave each executable file a private type
and each process a private domain, which is overkill, but my intention
at the time was to just figure out what each process separately needs
and then later consider merging domains that have similar properties.
The idea was to first just map systemd and then clean it up.

Also, there may be things I would do differently now that we have named
file transitions in Fedora 16.

Also note that this policy is made in a modified refpolicy, so not all
interface calls may be available to you (but similar ones should be).
-------------- next part --------------
/\.readahead.* -- gen_context(system_u:object_r:systemd_readahead_root_t,s0)

/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
/bin/systemd -- gen_context(system_u:object_r:systemd_exec_t,s0)
/bin/systemd-ask-password -- gen_context(system_u:object_r:systemd_ask_password_exec_t,s0)
/bin/systemd-machine-id-setup -- gen_context(system_u:object_r:systemd_machine_id_setup_exec_t,s0)
/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_tty_ask_password_agent_exec_t,s0)

/etc/binfmt\.d(/.*)? gen_context(system_u:object_r:systemd_binfmt_etc_t,s0)

/etc/machine-id -- gen_context(system_u:object_r:systemd_machine_id_etc_t,s0)

/etc/modules-load\.d(/.*)? gen_context(system_u:object_r:systemd_modules_load_etc_t,s0)

/etc/sysctl\.d(/.*)? gen_context(system_u:object_r:systemd_sysctl_etc_t,s0)

/etc/systemd(/.*)? gen_context(system_u:object_r:systemd_etc_t,s0)
/etc/systemd/system(/.*)? gen_context(system_u:object_r:systemd_system_etc_t,s0)
/etc/systemd/system\.conf -- gen_context(system_u:object_r:systemd_system_etc_t,s0)

/etc/tmpfiles\.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_etc_t,s0)
/etc/tmpfiles\.d/legacy\.conf -- gen_context(system_u:object_r:systemd_tmpfiles_legacy_etc_t,s0)
/etc/tmpfiles\.d/systemd\.conf -- gen_context(system_u:object_r:systemd_tmpfiles_systemd_etc_t,s0)
/etc/tmpfiles\.d/x11\.conf -- gen_context(system_u:object_r:systemd_tmpfiles_x11_etc_t,s0)

/lib/systemd(/.*)? gen_context(system_u:object_r:systemd_lib_t,s0)

/lib/systemd/fedora-autorelabel -- gen_context(system_u:object_r:fedora_autorelabel_exec_t,s0)
/lib/systemd/fedora-autoswap -- gen_context(system_u:object_r:fedora_autoswap_exec_t,s0)
/lib/systemd/fedora-configure -- gen_context(system_u:object_r:fedora_configure_exec_t,s0)
/lib/systemd/fedora-loadmodules -- gen_context(system_u:object_r:fedora_loadmodules_exec_t,s0)
/lib/systemd/fedora-readonly -- gen_context(system_u:object_r:fedora_readonly_exec_t,s0)
/lib/systemd/fedora-storage-init -- gen_context(system_u:object_r:fedora_storage_init_exec_t,s0)

/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_units_t,s0)

/lib/systemd/systemd-ac-power -- gen_context(system_u:object_r:systemd_ac_power_exec_t,s0)
/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_agent_exec_t,s0)
/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:systemd_cryptsetup_exec_t,s0)
/lib/systemd/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:systemd_fsck_exec_t,s0)
/lib/systemd/systemd-initctl -- gen_context(system_u:object_r:systemd_initctl_exec_t,s0)
/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:systemd_kmsg_syslogd_exec_t,s0)
/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
/lib/systemd/systemd-quotacheck -- gen_context(system_u:object_r:systemd_quotacheck_exec_t,s0)
/lib/systemd/systemd-random-seed -- gen_context(system_u:object_r:systemd_random_seed_exec_t,s0)
/lib/systemd/systemd-readahead-collect -- gen_context(system_u:object_r:systemd_readahead_collect_exec_t,s0)
/lib/systemd/systemd-readahead-replay -- gen_context(system_u:object_r:systemd_readahead_replay_exec_t,s0)
/lib/systemd/systemd-remount-api-vfs -- gen_context(system_u:object_r:systemd_remount_api_vfs_exec_t,s0)
/lib/systemd/systemd-reply-password -- gen_context(system_u:object_r:systemd_reply_password_exec_t,s0)
/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:systemd_shutdown_exec_t,s0)
/lib/systemd/systemd-shutdownd -- gen_context(system_u:object_r:systemd_shutdownd_exec_t,s0)
/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
/lib/systemd/systemd-timestamp -- gen_context(system_u:object_r:systemd_timestamp_exec_t,s0)
/lib/systemd/systemd-update-utmp -- gen_context(system_u:object_r:systemd_update_utmp_exec_t,s0)
/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_user_sessions_exec_t,s0)
/lib/systemd/systemd-vconsole-setup -- gen_context(system_u:object_r:systemd_vconsole_setup_exec_t,s0)

/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:systemd_generators_lib_t,s0)
/lib/systemd/system-generators/systemd-cryptsetup-generator -- gen_context(system_u:object_r:systemd_cryptsetup_generator_exec_t,s0)
/lib/systemd/system-generators/systemd-getty-generator -- gen_context(system_u:object_r:systemd_getty_generator_exec_t,s0)

/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:systemd_shutdown_lib_t,s0)

/usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
/usr/bin/systemd-cgls -- gen_context(system_u:object_r:systemd_cgls_exec_t,s0)
/usr/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
/usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)

/usr/lib/systemd(/.*)? gen_context(system_u:object_r:systemd_lib_t,s0)
/usr/lib/systemd/user(/.*)? gen_context(system_u:object_r:systemd_user_lib_t,s0)

/var/lib/random-seed -- gen_context(system_u:object_r:systemd_random_seed_var_lib_t,s0)

/var/run/nologin -- gen_context(system_u:object_r:systemd_user_sessions_var_run_t,s0)
/var/run/systemd(/.*)? gen_context(system_u:object_r:systemd_var_run_t,s0)
/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:systemd_readahead_var_run_t,s0)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: systemd.if
Type: text/x-matlab
Size: 11756 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/1b92c66d/attachment-0002.bin
-------------- next part --------------
policy_module(systemd, 1.0.0)

#######################################
#
# Declarations
#

permissive systemd_t;
permissive systemd_shutdown_t;

attribute systemd_file;
attribute systemd_unit_file_type;
attribute systemd_domain_type;

type systemd_systemctl_t, systemd_domain_type;
type systemd_systemctl_exec_t;
domain_base_type(systemd_systemctl_t)
domain_entry_file(systemd_systemctl_t, systemd_systemctl_exec_t)
role system_r types systemd_systemctl_t;

type systemd_t, systemd_domain_type;
type systemd_exec_t;
domain_base_type(systemd_t)
domain_entry_file(systemd_t, systemd_exec_t)
role system_r types systemd_t;

type systemd_ask_password_t, systemd_domain_type;
type systemd_ask_password_exec_t;
domain_base_type(systemd_ask_password_t)
domain_entry_file(systemd_ask_password_t, systemd_ask_password_exec_t)

type systemd_machine_id_setup_t, systemd_domain_type;
type systemd_machine_id_setup_exec_t;
domain_base_type(systemd_machine_id_setup_t)
domain_entry_file(systemd_machine_id_setup_t, systemd_machine_id_setup_exec_t)

type systemd_notify_t, systemd_domain_type;
type systemd_notify_exec_t;
domain_base_type(systemd_notify_t)
domain_entry_file(systemd_notify_t, systemd_notify_exec_t)
role system_r types systemd_notify_t;

type systemd_tmpfiles_t, systemd_domain_type;
type systemd_tmpfiles_exec_t;
domain_base_type(systemd_tmpfiles_t)
domain_entry_file(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
role system_r types systemd_tmpfiles_t;

type systemd_tty_ask_password_agent_t, systemd_domain_type;
type systemd_tty_ask_password_agent_exec_t;
domain_base_type(systemd_tty_ask_password_agent_t)
domain_entry_file(systemd_tty_ask_password_agent_t, systemd_tty_ask_password_agent_exec_t)

type systemd_binfmt_etc_t, systemd_file;
files_config_file(systemd_binfmt_etc_t)

type systemd_machine_id_etc_t, systemd_file;
files_config_file(systemd_machine_id_etc_t)

type systemd_modules_load_etc_t, systemd_file;
files_config_file(systemd_modules_load_etc_t)

type systemd_sysctl_etc_t, systemd_file;
files_config_file(systemd_sysctl_etc_t)

type systemd_etc_t, systemd_file;
files_config_file(systemd_etc_t)

type systemd_system_etc_t, systemd_file;
files_config_file(systemd_system_etc_t)

type systemd_tmpfiles_etc_t, systemd_file;
files_config_file(systemd_tmpfiles_etc_t)

type systemd_tmpfiles_legacy_etc_t, systemd_file;
files_config_file(systemd_tmpfiles_legacy_etc_t)

type systemd_tmpfiles_systemd_etc_t, systemd_file;
files_config_file(systemd_tmpfiles_systemd_etc_t)

type systemd_tmpfiles_x11_etc_t, systemd_file;
files_config_file(systemd_tmpfiles_x11_etc_t)

type systemd_lib_t, systemd_file;
files_type(systemd_lib_t)

type fedora_autorelabel_t, systemd_domain_type;
type fedora_autorelabel_exec_t;
domain_base_type(fedora_autorelabel_t)
domain_entry_file(fedora_autorelabel_t, fedora_autorelabel_exec_t)

type fedora_autoswap_t, systemd_domain_type;
type fedora_autoswap_exec_t;
domain_base_type(fedora_autoswap_t)
domain_entry_file(fedora_autoswap_t, fedora_autoswap_exec_t)
role system_r types fedora_autoswap_t;

type fedora_configure_t, systemd_domain_type;
type fedora_configure_exec_t;
domain_base_type(fedora_configure_t)
domain_entry_file(fedora_configure_t, fedora_configure_exec_t)

type fedora_loadmodules_t, systemd_domain_type;
type fedora_loadmodules_exec_t;
domain_base_type(fedora_loadmodules_t)
domain_entry_file(fedora_loadmodules_t, fedora_loadmodules_exec_t)

type fedora_readonly_t, systemd_domain_type;
type fedora_readonly_exec_t;
domain_base_type(fedora_readonly_t)
domain_entry_file(fedora_readonly_t, fedora_readonly_exec_t)
role system_r types fedora_readonly_t;

type fedora_storage_init_t, systemd_domain_type;
type fedora_storage_init_exec_t;
domain_base_type(fedora_storage_init_t)
domain_entry_file(fedora_storage_init_t, fedora_storage_init_exec_t)
role system_r types fedora_storage_init_t;

type systemd_units_t, systemd_file;
systemd_unit_file(systemd_units_t)

type systemd_ac_power_t, systemd_domain_type;
type systemd_ac_power_exec_t;
domain_base_type(systemd_ac_power_t)
domain_entry_file(systemd_ac_power_t, systemd_ac_power_exec_t)

type systemd_binfmt_t, systemd_domain_type;
type systemd_binfmt_exec_t;
domain_base_type(systemd_binfmt_t)
domain_entry_file(systemd_binfmt_t, systemd_binfmt_exec_t)

type systemd_cgroups_agent_t, systemd_domain_type;
type systemd_cgroups_agent_exec_t;
domain_base_type(systemd_cgroups_agent_t)
domain_entry_file(systemd_cgroups_agent_t, systemd_cgroups_agent_exec_t)
role system_r types systemd_cgroups_agent_t;

type systemd_cryptsetup_t, systemd_domain_type;
type systemd_cryptsetup_exec_t;
domain_base_type(systemd_cryptsetup_t)
domain_entry_file(systemd_cryptsetup_t, systemd_cryptsetup_exec_t)

type systemd_detect_virt_t, systemd_domain_type;
type systemd_detect_virt_exec_t;
domain_base_type(systemd_detect_virt_t)
domain_entry_file(systemd_detect_virt_t, systemd_detect_virt_exec_t)

type systemd_fsck_t, systemd_domain_type;
type systemd_fsck_exec_t;
domain_base_type(systemd_fsck_t)
domain_entry_file(systemd_fsck_t, systemd_fsck_exec_t)
role system_r types systemd_fsck_t;

type systemd_initctl_t, systemd_domain_type;
type systemd_initctl_exec_t;
domain_base_type(systemd_initctl_t)
domain_entry_file(systemd_initctl_t, systemd_initctl_exec_t)

type systemd_kmsg_syslogd_t, systemd_domain_type;
type systemd_kmsg_syslogd_exec_t;
domain_base_type(systemd_kmsg_syslogd_t)
domain_entry_file(systemd_kmsg_syslogd_t, systemd_kmsg_syslogd_exec_t)
role system_r types systemd_kmsg_syslogd_t;

type systemd_logger_t, systemd_domain_type;
type systemd_logger_exec_t;
domain_base_type(systemd_logger_t)
domain_entry_file(systemd_logger_t, systemd_logger_exec_t)
role system_r types systemd_logger_t;

type systemd_modules_load_t, systemd_domain_type;
type systemd_modules_load_exec_t;
domain_type(systemd_modules_load_t)
domain_entry_file(systemd_modules_load_t, systemd_modules_load_exec_t)

type systemd_quotacheck_t, systemd_domain_type;
type systemd_quotacheck_exec_t;
domain_base_type(systemd_quotacheck_t)
domain_entry_file(systemd_quotacheck_t, systemd_quotacheck_exec_t)

type systemd_random_seed_t, systemd_domain_type;
type systemd_random_seed_exec_t;
domain_base_type(systemd_random_seed_t)
domain_entry_file(systemd_random_seed_t, systemd_random_seed_exec_t)
role system_r types systemd_random_seed_t;

type systemd_readahead_collect_t, systemd_domain_type;
type systemd_readahead_collect_exec_t;
domain_base_type(systemd_readahead_collect_t)
domain_entry_file(systemd_readahead_collect_t, systemd_readahead_collect_exec_t)
role system_r types systemd_readahead_collect_t;

type systemd_readahead_replay_t, systemd_domain_type;
type systemd_readahead_replay_exec_t;
domain_base_type(systemd_readahead_replay_t)
domain_entry_file(systemd_readahead_replay_t, systemd_readahead_replay_exec_t)
role system_r types systemd_readahead_replay_t;

type systemd_remount_api_vfs_t, systemd_domain_type;
type systemd_remount_api_vfs_exec_t;
domain_base_type(systemd_remount_api_vfs_t)
domain_entry_file(systemd_remount_api_vfs_t, systemd_remount_api_vfs_exec_t)
role system_r types systemd_remount_api_vfs_t;

type systemd_reply_password_t, systemd_domain_type;
type systemd_reply_password_exec_t;
domain_base_type(systemd_reply_password_t)
domain_entry_file(systemd_reply_password_t, systemd_reply_password_exec_t)

type systemd_shutdown_t, systemd_domain_type;
type systemd_shutdown_exec_t;
domain_base_type(systemd_shutdown_t)
domain_entry_file(systemd_shutdown_t, systemd_shutdown_exec_t)
role system_r types systemd_shutdown_t; # test

type systemd_shutdownd_t, systemd_domain_type;
type systemd_shutdownd_exec_t;
domain_base_type(systemd_shutdownd_t)
domain_entry_file(systemd_shutdownd_t, systemd_shutdownd_exec_t)

type systemd_sysctl_t, systemd_domain_type;
type systemd_sysctl_exec_t;
domain_base_type(systemd_sysctl_t)
domain_entry_file(systemd_sysctl_t, systemd_sysctl_exec_t)
role system_r types systemd_sysctl_t;

type systemd_timestamp_t, systemd_domain_type;
type systemd_timestamp_exec_t;
domain_base_type(systemd_timestamp_t)
domain_entry_file(systemd_timestamp_t, systemd_timestamp_exec_t)

type systemd_update_utmp_t, systemd_domain_type;
type systemd_update_utmp_exec_t;
domain_base_type(systemd_update_utmp_t)
domain_entry_file(systemd_update_utmp_t, systemd_update_utmp_exec_t)
role system_r types systemd_update_utmp_t;

type systemd_user_sessions_t, systemd_domain_type;
type systemd_user_sessions_exec_t;
domain_base_type(systemd_user_sessions_t)
domain_entry_file(systemd_user_sessions_t, systemd_user_sessions_exec_t)
role system_r types systemd_user_sessions_t;

type systemd_user_sessions_var_run_t, systemd_file;
files_pid_file(systemd_user_sessions_var_run_t)

type systemd_vconsole_setup_t, systemd_domain_type;
type systemd_vconsole_setup_exec_t;
domain_base_type(systemd_vconsole_setup_t)
domain_entry_file(systemd_vconsole_setup_t, systemd_vconsole_setup_exec_t)
role system_r types systemd_vconsole_setup_t;

type systemd_generators_lib_t, systemd_file;
files_type(systemd_generators_lib_t)

type systemd_cryptsetup_generator_t, systemd_domain_type;
type systemd_cryptsetup_generator_exec_t;
domain_base_type(systemd_cryptsetup_generator_t)
domain_entry_file(systemd_cryptsetup_generator_t, systemd_cryptsetup_generator_exec_t)
role system_r types systemd_cryptsetup_generator_t;

type systemd_getty_generator_t, systemd_domain_type;
type systemd_getty_generator_exec_t;
domain_base_type(systemd_getty_generator_t)
domain_entry_file(systemd_getty_generator_t, systemd_getty_generator_exec_t)
role system_r types systemd_getty_generator_t;

type systemd_shutdown_lib_t, systemd_file;
files_type(systemd_shutdown_lib_t)

type systemd_analyze_t, systemd_domain_type;
type systemd_analyze_exec_t;
domain_base_type(systemd_analyze_t)
domain_entry_file(systemd_analyze_t, systemd_analyze_exec_t)

type systemd_cgls_t, systemd_domain_type;
type systemd_cgls_exec_t;
domain_base_type(systemd_cgls_t)
domain_entry_file(systemd_cgls_t, systemd_cgls_exec_t)

type systemd_nspawn_t, systemd_domain_type;
type systemd_nspawn_exec_t;
domain_base_type(systemd_nspawn_t)
domain_entry_file(systemd_nspawn_t, systemd_nspawn_exec_t)

type systemd_stdio_bridge_t, systemd_domain_type;
type systemd_stdio_bridge_exec_t;
domain_base_type(systemd_stdio_bridge_t)
domain_entry_file(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)

type systemd_random_seed_var_lib_t, systemd_file;
files_type(systemd_random_seed_var_lib_t)

type systemd_user_lib_t, systemd_file;
files_type(systemd_user_lib_t)

type systemd_var_run_t, systemd_file;
files_pid_file(systemd_var_run_t)

type systemd_readahead_var_run_t, systemd_file;
files_pid_file(systemd_readahead_var_run_t)

type systemd_readahead_root_t, systemd_file;
files_type(systemd_readahead_root_t)

#######################################
#
# systemd local policy
#

allow systemd_t self:capability { sys_admin net_admin sys_tty_config sys_boot sys_ptrace sys_resource setpcap };
allow systemd_t self:process { setsockcreate setfscreate setsched getcap setcap };
allow systemd_t self:fifo_file rw_fifo_file_perms;
allow systemd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow systemd_t self:udp_socket create_socket_perms;
allow systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_t self:netlink_route_socket rw_netlink_socket_perms;

allow systemd_t systemd_logger_t:unix_stream_socket { create_stream_socket_perms connectto };

manage_dirs_pattern(systemd_t, systemd_var_run_t, systemd_var_run_t)
manage_files_pattern(systemd_t, systemd_var_run_t, systemd_var_run_t)
manage_sock_files_pattern(systemd_t, systemd_var_run_t, systemd_var_run_t)
files_pid_filetrans(systemd_t, systemd_var_run_t, dir)

domtrans_pattern(systemd_t, systemd_fsck_exec_t, systemd_fsck_t)
domtrans_pattern(systemd_t, systemd_cryptsetup_generator_exec_t, systemd_cryptsetup_generator_t)
domtrans_pattern(systemd_t, systemd_getty_generator_exec_t, systemd_getty_generator_t)
domtrans_pattern(systemd_t, systemd_readahead_collect_exec_t, systemd_readahead_collect_t)
domtrans_pattern(systemd_t, systemd_shutdownd_exec_t, systemd_shutdownd_t)
domtrans_pattern(systemd_t, systemd_kmsg_syslogd_exec_t, systemd_kmsg_syslogd_t)
domtrans_pattern(systemd_t, fedora_storage_init_exec_t, fedora_storage_init_t)
domtrans_pattern(systemd_t, systemd_logger_exec_t, systemd_logger_t)
domtrans_pattern(systemd_t, systemd_remount_api_vfs_exec_t, systemd_remount_api_vfs_t)
domtrans_pattern(systemd_t, systemd_sysctl_exec_t, systemd_sysctl_t)
domtrans_pattern(systemd_t, systemd_vconsole_setup_exec_t, systemd_vconsole_setup_t)
domtrans_pattern(systemd_t, fedora_autoswap_exec_t, fedora_autoswap_t)
domtrans_pattern(systemd_t, fedora_readonly_exec_t, fedora_readonly_t)
domtrans_pattern(systemd_t, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
domtrans_pattern(systemd_t, systemd_random_seed_exec_t, systemd_random_seed_t)
domtrans_pattern(systemd_t, systemd_systemctl_exec_t, systemd_systemctl_t)
domtrans_pattern(systemd_t, systemd_notify_exec_t, systemd_notify_t)
domtrans_pattern(systemd_t, systemd_update_utmp_exec_t, systemd_update_utmp_t)
domtrans_pattern(systemd_t, systemd_user_sessions_exec_t, systemd_user_sessions_t)
domtrans_pattern(systemd_t, systemd_readahead_replay_exec_t, systemd_readahead_replay_t)
domtrans_pattern(systemd_t, systemd_shutdown_exec_t, systemd_shutdown_t)

allow systemd_t systemd_domain_type:process signal;
ps_process_pattern(systemd_t, systemd_domain_type)

read_files_pattern(systemd_t, { systemd_etc_t systemd_lib_t }, { systemd_etc_t systemd_system_etc_t systemd_machine_id_etc_t systemd_units_t })
list_dirs_pattern(systemd_t, { systemd_binfmt_etc_t systemd_modules_load_etc_t systemd_sysctl_etc_t }, { systemd_binfmt_etc_t systemd_modules_load_etc_t systemd_sysctl_etc_t })
list_dirs_pattern(systemd_t, { systemd_system_etc_t systemd_generators_lib_t systemd_units_t }, { systemd_system_etc_t systemd_generators_lib_t systemd_units_t })

allow systemd_t systemd_shutdownd_t:unix_dgram_socket create_socket_perms;
allow systemd_t systemd_kmsg_syslogd_t:unix_dgram_socket create_socket_perms;

kernel_mounton_sysctl_fs_dirs(systemd_t)
kernel_read_system_state(systemd_t)
kernel_read_network_state(systemd_t)
# cgroupfs
kernel_search_unlabeled(systemd_t)
kernel_stream_connect(systemd_t)

corecmd_exec_bin(systemd_t)
corecmd_read_bin_symlinks(systemd_t)
corecmd_exec_shell(systemd_t)

# /dev/mqueue: This somehow gets labelled tmpfs_t
dev_create_generic_dirs(systemd_t)
# i dont think this should be happening: /dev/log: even with logging_create_devlog_sock_file.
# dev_create_generic_sock_files(systemd_t)
# .in_sysinit
dev_create_generic_files(systemd_t)
dev_delete_generic_files(systemd_t)
dev_relabel_all_dev_nodes(systemd_t)
# /dev/console
dev_rw_inherited_generic_chr_files(systemd_t)
dev_mounton_generic_sysfs_dirs(systemd_t)
# mount on /dev/mqueue
dev_mounton_generic_dirs(systemd_t)
dev_read_sysfs(systemd_t)
dev_read_urand(systemd_t)
dev_write_kmsg(systemd_t)
dev_read_autofs(systemd_t)

# Begin testing shutdown
# dev_unconfined(systemd_t) # not fatal
# domain_unconfined(systemd_t) # not fatal
# domain_kill_all_domains(systemd_t)
unconfined_domain(systemd_t)
# mcs_killall(systemd_t)
# mcs_ptrace_all(systemd_t)

# Some weird shit going on.
# files_unconfined(systemd_t)
# gen_require(`
# attribute file_type;
# ')

# allow systemd_t file_type:filesystem *;

# Too coarse
# fs_unmount_all_fs(systemd_t)
# End testing shutdown

files_list_root(systemd_t)
files_list_generic_etc(systemd_t)
# /etc/fedora-release
files_read_generic_etc_files(systemd_t)
files_read_generic_etc_symlinks(systemd_t)
files_list_generic_usr(systemd_t)

files_relabel_all_locks(systemd_t)
files_relabel_all_pids(systemd_t)
files_list_generic_locks(systemd_t)

fs_create_hugetlbfs_dirs(systemd_t)
fs_mounton_hugetlbfs_dirs(systemd_t)
fs_list_autofs(systemd_t)
fs_mount_autofs(systemd_t)
fs_list_cgroup(systemd_t)
fs_create_cgroup_dirs(systemd_t)
fs_delete_cgroup_dirs(systemd_t)
fs_read_cgroup_files(systemd_t)
fs_write_cgroup_files(systemd_t)
fs_mount_tmpfs(systemd_t)
fs_mount_cgroup(systemd_t)
fs_mounton_cgroup_dirs(systemd_t)
fs_relabel_all_files(systemd_t)
fs_list_generic_tmpfs_dirs(systemd_t)
fs_read_generic_tmpfs_symlinks(systemd_t)

mcs_process_set_categories(systemd_t)

selinux_dontaudit_getattr_fs(systemd_t)
selinux_compute_create_context(systemd_t)

term_use_console(systemd_t)
term_use_controlling_term(systemd_t)
term_use_generic_ptys(systemd_t)
term_use_unallocated_ttys(systemd_t)

init_rw_utmp_var_run_files(systemd_t)
init_write_wtmp_var_log_files(systemd_t)

logging_create_devlog_sock_file(systemd_t)
logging_read_auditd_var_run_files(systemd_t)
logging_send_audit_msgs(systemd_t)
logging_send_syslog_msg(systemd_t)

# systemd-logger
miscfiles_read_localization(systemd_t)

seutil_read_config(systemd_t)
seutil_read_file_contexts(systemd_t)

dbus_system_bus_service(systemd_t)
dbus_create_system_pid_dirs(systemd_t)
dbus_create_system_pid_sock_files(systemd_t)
dbus_create_system_stream_sockets(systemd_t)

optional_policy(`
init_domtrans_all_script(systemd_t)
init_read_all_script_state(systemd_t)
init_manage_initctl_fifo_files(systemd_t)
')

optional_policy(`
plymouth_list_plymouthd_pids(systemd_t)
plymouth_stream_connect_plymouthd(systemd_t)
')

optional_policy(`
setrans_search_pids(systemd_t)
')

optional_policy(`
ssh_read_sshd_var_run_files(systemd_t)
')

optional_policy(`
udev_create_udevd_dgram_sockets(systemd_t)
udev_list_pids(systemd_t)
udev_read_pid_files(systemd_t)
udev_read_etc_files(systemd_t)
')

#######################################
#
# systemd fsck local policy
#

allow systemd_fsck_t systemd_t:unix_stream_socket { read write };

systemd_sendto_dgram_socket(systemd_fsck_t)

ps_process_pattern(systemd_fsck_t, systemd_t)

kernel_read_system_state(systemd_fsck_t)

selinux_dontaudit_getattr_fs(systemd_fsck_t)

logging_send_syslog_msg(systemd_fsck_t)

optional_policy(`
fstools_domtrans(systemd_fsck_t)
')

#######################################
#
# systemd cryptsetup generator local policy
#

allow systemd_cryptsetup_generator_t self:unix_stream_socket create_socket_perms;

allow systemd_cryptsetup_generator_t systemd_t:unix_stream_socket { read write };

kernel_read_system_state(systemd_cryptsetup_generator_t)

dev_write_kmsg(systemd_cryptsetup_generator_t)

selinux_dontaudit_getattr_fs(systemd_cryptsetup_generator_t)

logging_send_syslog_msg(systemd_cryptsetup_generator_t)

optional_policy(`
init_read_crypttab_files(systemd_cryptsetup_generator_t)
')

#######################################
#
# systemd getty generator local policy
#

allow systemd_getty_generator_t self:unix_stream_socket create_socket_perms;

allow systemd_getty_generator_t systemd_t:unix_stream_socket { read write };

ps_process_pattern(systemd_getty_generator_t, systemd_t)

kernel_read_system_state(systemd_getty_generator_t)

dev_read_sysfs(systemd_getty_generator_t)
dev_write_kmsg(systemd_getty_generator_t)

selinux_dontaudit_getattr_fs(systemd_getty_generator_t)

logging_send_syslog_msg(systemd_getty_generator_t)

#######################################
#
# systemd cgroups agent local policy
#

allow systemd_cgroups_agent_t self:unix_stream_socket create_socket_perms;

stream_connect_pattern(systemd_cgroups_agent_t, systemd_var_run_t, systemd_var_run_t, systemd_t)

kernel_read_system_state(systemd_cgroups_agent_t)

dev_write_kmsg(systemd_cgroups_agent_t)

files_search_generic_pids(systemd_cgroups_agent_t)

selinux_dontaudit_getattr_fs(systemd_cgroups_agent_t)

logging_send_syslog_msg(systemd_cgroups_agent_t)

#######################################
#
# systemd readahead collect local policy
#

allow systemd_readahead_collect_t self:capability { sys_admin dac_override };
allow systemd_readahead_collect_t self:process setsched;
allow systemd_readahead_collect_t self:unix_stream_socket create_socket_perms;

manage_dirs_pattern(systemd_readahead_collect_t, systemd_readahead_var_run_t, systemd_readahead_var_run_t)
manage_files_pattern(systemd_readahead_collect_t, systemd_readahead_var_run_t, systemd_readahead_var_run_t)
filetrans_pattern(systemd_readahead_collect_t, systemd_var_run_t, systemd_readahead_var_run_t, dir)

manage_files_pattern(systemd_readahead_collect_t, systemd_readahead_root_t, systemd_readahead_root_t)
files_root_filetrans(systemd_readahead_collect_t, systemd_readahead_root_t, file)

allow systemd_readahead_collect_t systemd_t:unix_dgram_socket sendto;

stream_connect_pattern(systemd_readahead_collect_t, systemd_var_run_t, systemd_var_run_t, systemd_t)

read_files_pattern(systemd_readahead_collect_t, systemd_units_t, systemd_unit_file_type)

ps_process_pattern(systemd_readahead_collect_t, systemd_t)

allow systemd_readahead_collect_t systemd_lib_t:dir search_dir_perms;
allow systemd_readahead_collect_t { systemd_tmpfiles_etc_t systemd_sysctl_etc_t }:dir list_dir_perms;
allow systemd_readahead_collect_t { systemd_tmpfiles_etc_t systemd_tmpfiles_x11_etc_t systemd_tmpfiles_legacy_etc_t systemd_tmpfiles_systemd_etc_t }:file read_file_perms;

allow systemd_readahead_collect_t systemd_random_seed_var_lib_t:file read_file_perms;

kernel_read_system_state(systemd_readahead_collect_t)

corecmd_read_all_executable_files(systemd_readahead_collect_t)

files_list_root(systemd_readahead_collect_t)
files_list_generic_tmp(systemd_readahead_collect_t)
files_list_generic_var_lib(systemd_readahead_collect_t)
files_read_generic_etc_files(systemd_readahead_collect_t)
files_list_generic_etc(systemd_readahead_collect_t)
files_read_generic_usr_files(systemd_readahead_collect_t)
files_list_generic_usr(systemd_readahead_collect_t)
files_read_kernel_modules(systemd_readahead_collect_t)

fs_getattr_xattr_fs(systemd_readahead_collect_t)

dev_write_kmsg(systemd_readahead_collect_t)
dev_read_sysfs(systemd_readahead_collect_t)

selinux_dontaudit_getattr_fs(systemd_readahead_collect_t)

auth_read_lastlog_files(systemd_readahead_collect_t)
auth_read_shadow(systemd_readahead_collect_t)

dbus_list_config(systemd_readahead_collect_t)
dbus_read_config_files(systemd_readahead_collect_t)
dbus_read_system_var_lib_files(systemd_readahead_collect_t)

init_read_btmp_var_log_files(systemd_readahead_collect_t)
init_read_wtmp_var_log_files(systemd_readahead_collect_t)
init_read_initrc_tmp_files(systemd_readahead_collect_t)
init_read_hwclock_etc_files(systemd_readahead_collect_t)
init_read_sysctl_etc_files(systemd_readahead_collect_t)

logging_read_generic_log_files(systemd_readahead_collect_t)
logging_list_syslog_etc(systemd_readahead_collect_t)
logging_read_syslog_etc_files(systemd_readahead_collect_t)
logging_send_syslog_msg(systemd_readahead_collect_t)

lvm_read_lvm_etc_files(systemd_readahead_collect_t)
lvm_read_lvm_metadata_files(systemd_readahead_collect_t)

miscfiles_read_localization(systemd_readahead_collect_t)
miscfiles_read_generic_cert_files(systemd_readahead_collect_t)
miscfiles_read_hwdata(systemd_readahead_collect_t)

modutils_read_modules_conf_files(systemd_readahead_collect_t)
modutils_list_modules_conf_dirs(systemd_readahead_collect_t)
modutils_read_modules_dep_files(systemd_readahead_collect_t)

plymouth_read_var_lib_files(systemd_readahead_collect_t)

seutil_read_file_contexts(systemd_readahead_collect_t)
seutil_read_default_contexts(systemd_readahead_collect_t)
seutil_read_config(systemd_readahead_collect_t)
seutil_read_bin_policy_files(systemd_readahead_collect_t)

ssh_read_ssh_etc_files(systemd_readahead_collect_t)
ssh_read_sshd_key_files(systemd_readahead_collect_t)

sysnet_read_config(systemd_readahead_collect_t)
sysnet_read_dhcpc_state_files(systemd_readahead_collect_t)
sysnet_read_dhcp_etc_files(systemd_readahead_collect_t)
sysnet_list_dhcp_etc(systemd_readahead_collect_t)
sysnet_read_dhcpc_tmp_files(systemd_readahead_collect_t)

udev_read_etc_files(systemd_readahead_collect_t)
udev_read_pid_files(systemd_readahead_collect_t)
udev_read_rules_files(systemd_readahead_collect_t)

userdom_read_generic_home_content_files(systemd_readahead_collect_t)

#######################################
#
# systemd readahead replay local policy
#

allow systemd_readahead_replay_t self:capability { sys_admin dac_override };
allow systemd_readahead_replay_t self:process setsched;
allow systemd_readahead_replay_t self:unix_stream_socket create_socket_perms;

allow systemd_readahead_replay_t systemd_readahead_root_t:file read_file_perms;

allow systemd_readahead_replay_t systemd_random_seed_var_lib_t:file read_file_perms;

manage_dirs_pattern(systemd_readahead_replay_t, systemd_readahead_var_run_t, systemd_readahead_var_run_t)
manage_files_pattern(systemd_readahead_replay_t, systemd_readahead_var_run_t, systemd_readahead_var_run_t)
filetrans_pattern(systemd_readahead_replay_t, systemd_var_run_t, systemd_readahead_var_run_t, dir)

read_files_pattern(systemd_readahead_replay_t, { systemd_lib_t systemd_tmpfiles_etc_t }, { systemd_tmpfiles_x11_etc_t systemd_tmpfiles_systemd_etc_t systemd_tmpfiles_legacy_etc_t systemd_tmpfiles_etc_t })

read_files_pattern(systemd_readahead_replay_t, systemd_units_t, systemd_unit_file_type)

allow systemd_readahead_replay_t systemd_t:unix_dgram_socket sendto;

stream_connect_pattern(systemd_readahead_replay_t, systemd_var_run_t, systemd_var_run_t, systemd_t)

ps_process_pattern(systemd_readahead_replay_t, systemd_t)

corecmd_read_all_executable_files(systemd_readahead_replay_t)

kernel_read_system_state(systemd_readahead_replay_t)

dev_rw_sysfs(systemd_readahead_replay_t)
dev_write_kmsg(systemd_readahead_replay_t)

files_search_generic_pids(systemd_readahead_replay_t)
files_read_generic_etc_files(systemd_readahead_replay_t)
files_read_generic_usr_files(systemd_readahead_replay_t)
files_read_kernel_modules(systemd_readahead_replay_t)

selinux_dontaudit_getattr_fs(systemd_readahead_replay_t)

auth_read_lastlog_files(systemd_readahead_replay_t)
auth_read_shadow(systemd_readahead_replay_t)

dbus_read_config_files(systemd_readahead_replay_t)
dbus_read_system_var_lib_files(systemd_readahead_replay_t)

init_read_btmp_var_log_files(systemd_readahead_replay_t)
init_read_wtmp_var_log_files(systemd_readahead_replay_t)
init_read_hwclock_etc_files(systemd_readahead_replay_t)
init_read_sysctl_etc_files(systemd_readahead_replay_t)

logging_read_generic_log_files(systemd_readahead_replay_t)
logging_send_syslog_msg(systemd_readahead_replay_t)
logging_read_syslog_etc_files(systemd_readahead_replay_t)

lvm_read_lvm_etc_files(systemd_readahead_replay_t)
lvm_read_lvm_metadata_files(systemd_readahead_replay_t)

miscfiles_read_localization(systemd_readahead_replay_t)
miscfiles_read_generic_cert_files(systemd_readahead_replay_t)
miscfiles_read_hwdata(systemd_readahead_replay_t)

modutils_read_modules_conf_files(systemd_readahead_replay_t)
modutils_read_modules_dep_files(systemd_readahead_replay_t)

plymouth_read_var_lib_files(systemd_readahead_replay_t)

seutil_read_config(systemd_readahead_replay_t)
seutil_read_default_contexts(systemd_readahead_replay_t)
seutil_read_file_contexts(systemd_readahead_replay_t)
seutil_read_bin_policy_files(systemd_readahead_replay_t)

ssh_read_ssh_etc_files(systemd_readahead_replay_t)
ssh_read_sshd_key_files(systemd_readahead_replay_t)

sysnet_read_dhcpc_state_files(systemd_readahead_replay_t)
sysnet_read_config(systemd_readahead_replay_t)
sysnet_read_dhcp_etc_files(systemd_readahead_replay_t)

udev_read_etc_files(systemd_readahead_replay_t)
udev_read_rules_files(systemd_readahead_replay_t)

userdom_read_generic_home_content_files(systemd_readahead_replay_t)

#######################################
#
# systemd kmsg syslogd local policy
#

allow systemd_kmsg_syslogd_t self:unix_dgram_socket create_socket_perms;

stream_connect_pattern(systemd_kmsg_syslogd_t, systemd_var_run_t, systemd_var_run_t, systemd_t)
allow systemd_kmsg_syslogd_t systemd_t:unix_dgram_socket sendto;

kernel_read_system_state(systemd_kmsg_syslogd_t)

dev_write_kmsg(systemd_kmsg_syslogd_t)

files_search_generic_pids(systemd_kmsg_syslogd_t)

selinux_dontaudit_getattr_fs(systemd_kmsg_syslogd_t)

#######################################
#
# Systemd logger local policy
#

allow systemd_logger_t self:capability { sys_admin sys_tty_config };
allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;

stream_connect_pattern(systemd_logger_t, systemd_var_run_t, systemd_var_run_t, systemd_t)
allow systemd_logger_t systemd_t:unix_dgram_socket sendto;

kernel_read_system_state(systemd_logger_t)
kernel_use_fds(systemd_logger_t)

dev_write_kmsg(systemd_logger_t)

files_search_generic_pids(systemd_logger_t)

selinux_dontaudit_getattr_fs(systemd_logger_t)

term_use_console(systemd_logger_t)
term_use_generic_ptys(systemd_logger_t)

miscfiles_read_localization(systemd_logger_t)

logging_send_syslog_msg(systemd_logger_t)

#######################################
#
# Systemd remount api vfs local policy
#

allow systemd_remount_api_vfs_t systemd_t:unix_stream_socket { read write };

kernel_read_system_state(systemd_remount_api_vfs_t)

# /etc/fstab
files_read_generic_etc_files(systemd_remount_api_vfs_t)

selinux_dontaudit_getattr_fs(systemd_remount_api_vfs_t)

logging_send_syslog_msg(systemd_remount_api_vfs_t)

optional_policy(`
mount_domtrans(systemd_remount_api_vfs_t)
')

#######################################
#
# Systemd vconsole setup local policy
#

allow systemd_vconsole_setup_t self:capability { sys_admin sys_tty_config };
allow systemd_vconsole_setup_t self:fifo_file rw_fifo_file_perms;
allow systemd_vconsole_setup_t self:unix_stream_socket create_socket_perms;

allow systemd_vconsole_setup_t systemd_t:unix_stream_socket { read write ioctl };

ps_process_pattern(systemd_vconsole_setup_t, systemd_t)

kernel_read_system_state(systemd_vconsole_setup_t)

# /bin/setfont
corecmd_exec_bin(systemd_vconsole_setup_t)
corecmd_exec_shell(systemd_vconsole_setup_t)
corecmd_read_bin_symlinks(systemd_vconsole_setup_t)

files_list_root(systemd_vconsole_setup_t)
files_read_generic_etc_files(systemd_vconsole_setup_t)
files_search_generic_pids(systemd_vconsole_setup_t)

selinux_dontaudit_getattr_fs(systemd_vconsole_setup_t)

term_use_controlling_term(systemd_vconsole_setup_t)
term_use_unallocated_ttys(systemd_vconsole_setup_t)

logging_send_syslog_msg(systemd_vconsole_setup_t)

miscfiles_read_localization(systemd_vconsole_setup_t)

optional_policy(`
loadkeys_domtrans(systemd_vconsole_setup_t)
')

#######################################
#
# Systemd sysctl local policy
#

allow systemd_sysctl_t self:capability net_admin;

list_dirs_pattern(systemd_sysctl_t, systemd_sysctl_etc_t, systemd_sysctl_etc_t)

kernel_read_system_state(systemd_sysctl_t)
kernel_rw_network_sysctl(systemd_sysctl_t)
kernel_write_kernel_sysctl(systemd_sysctl_t)

selinux_dontaudit_getattr_fs(systemd_sysctl_t)

logging_send_syslog_msg(systemd_sysctl_t)

optional_policy(`
init_read_sysctl_etc_files(systemd_sysctl_t)
')

#######################################
#
# Systemd tmpfiles local policy
#

allow systemd_tmpfiles_t self:capability { fsetid chown };
allow systemd_tmpfiles_t self:process setfscreate;
allow systemd_tmpfiles_t self:unix_stream_socket create_socket_perms;

# ask-passwd might want private type
allow systemd_tmpfiles_t systemd_var_run_t:dir setattr_dir_perms;

allow systemd_tmpfiles_t systemd_tmpfiles_etc_t:dir list_dir_perms;
read_files_pattern(systemd_tmpfiles_t, systemd_tmpfiles_etc_t, { systemd_tmpfiles_etc_t systemd_tmpfiles_legacy_etc_t systemd_tmpfiles_systemd_etc_t systemd_tmpfiles_x11_etc_t })

allow systemd_tmpfiles_t systemd_var_run_t:dir search_dir_perms;

files_list_generic_tmp(systemd_tmpfiles_t)
files_relabel_generic_tmp_dirs(systemd_tmpfiles_t)
files_setattr_generic_tmp_dirs(systemd_tmpfiles_t)
# nsswitch.conf
files_read_generic_etc_files(systemd_tmpfiles_t)
files_create_generic_lock_dirs(systemd_tmpfiles_t)
files_setattr_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_locks(systemd_tmpfiles_t)
files_list_all_locks(systemd_tmpfiles_t)
files_relabel_all_pids(systemd_tmpfiles_t)

selinux_get_enforce_mode(systemd_tmpfiles_t)

auth_list_pam_auth_pids(systemd_tmpfiles_t)

init_create_netreport_pid_dirs(systemd_tmpfiles_t)
init_setattr_netreport_pid_dirs(systemd_tmpfiles_t)
init_relabel_netreport_pid_dirs(systemd_tmpfiles_t)
init_create_utmp_pid_files(systemd_tmpfiles_t)
init_setattr_utmp_pid_files(systemd_tmpfiles_t)
init_create_wtmp_log_files(systemd_tmpfiles_t)
init_setattr_wtmp_log_files(systemd_tmpfiles_t)
init_create_btmp_log_files(systemd_tmpfiles_t)
init_setattr_btmp_log_files(systemd_tmpfiles_t)
init_list_initrc_tmp(systemd_tmpfiles_t)

seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)

setrans_search_pids(systemd_tmpfiles_t)
setrans_relabel_pid_dirs(systemd_tmpfiles_t)
setrans_create_pid_dirs(systemd_tmpfiles_t)
setrans_setattr_pid_dirs(systemd_tmpfiles_t)

logging_send_syslog_msg(systemd_tmpfiles_t)
logging_relabel_all_logs(systemd_tmpfiles_t)

lvm_list_pids(systemd_tmpfiles_t)
lvm_delete_pid_dirs(systemd_tmpfiles_t)
lvm_setattr_pid_dirs(systemd_tmpfiles_t)
lvm_search_locks(systemd_tmpfiles_t)
lvm_delete_lock_dirs(systemd_tmpfiles_t)
lvm_setattr_lock_dirs(systemd_tmpfiles_t)

miscfiles_read_localization(systemd_tmpfiles_t)
miscfiles_relabel_man_dirs(systemd_tmpfiles_t)
miscfiles_list_man(systemd_tmpfiles_t)

# temporary workarounds:
gen_require(`
type var_lib_t, var_run_t;
')

allow systemd_tmpfiles_t var_lib_t:dir manage_dir_perms;
allow systemd_tmpfiles_t var_lib_t:file manage_file_perms;
allow systemd_tmpfiles_t var_run_t:dir setattr_dir_perms;

#######################################
#
# Systemd random seed local policy
#

manage_files_pattern(systemd_random_seed_t, systemd_random_seed_var_lib_t, systemd_random_seed_var_lib_t)
files_var_lib_filetrans(systemd_random_seed_t, systemd_random_seed_var_lib_t, file)

kernel_read_system_state(systemd_random_seed_t)
kernel_read_kernel_sysctl(systemd_random_seed_t)

dev_rw_urand(systemd_random_seed_t)

files_search_generic_var_lib(systemd_random_seed_t)

selinux_dontaudit_getattr_fs(systemd_random_seed_t)

logging_send_syslog_msg(systemd_random_seed_t)

miscfiles_read_localization(systemd_random_seed_t)

#######################################
#
# systemd systemctl local policy
#

allow systemd_systemctl_t self:unix_stream_socket create_socket_perms;

stream_connect_pattern(systemd_systemctl_t, systemd_var_run_t, systemd_var_run_t, systemd_t)

ps_process_pattern(systemd_systemctl_t, systemd_t)

kernel_read_system_state(systemd_systemctl_t)

files_search_generic_pids(systemd_systemctl_t)

selinux_dontaudit_getattr_fs(systemd_systemctl_t)

#######################################
#
# Systemd notify local policy
#

search_dirs_pattern(systemd_notify_t, systemd_var_run_t, systemd_var_run_t)
allow systemd_notify_t systemd_readahead_var_run_t:dir add_entry_dir_perms;
manage_files_pattern(systemd_notify_t, systemd_readahead_var_run_t, systemd_readahead_var_run_t)

kernel_read_system_state(systemd_notify_t)

files_search_generic_pids(systemd_notify_t)

selinux_dontaudit_getattr_fs(systemd_notify_t)

#######################################
#
# Systemd update utmp local policy
#

allow systemd_update_utmp_t self:unix_stream_socket create_socket_perms;

stream_connect_pattern(systemd_update_utmp_t, systemd_var_run_t, systemd_var_run_t, systemd_t)

kernel_read_system_state(systemd_update_utmp_t)

files_search_generic_pids(systemd_update_utmp_t)

selinux_dontaudit_getattr_fs(systemd_update_utmp_t)

init_rw_utmp_var_run_files(systemd_update_utmp_t)
init_write_wtmp_var_log_files(systemd_update_utmp_t)

logging_send_audit_msgs(systemd_update_utmp_t)
logging_send_syslog_msg(systemd_update_utmp_t)

#######################################
#
# Systemd user sessions local policy
#

manage_files_pattern(systemd_user_sessions_t, systemd_user_sessions_var_run_t, systemd_user_sessions_var_run_t)
files_pid_filetrans(systemd_user_sessions_t, systemd_user_sessions_var_run_t, file)

ps_process_pattern(systemd_user_sessions_t, systemd_t)

kernel_read_system_state(systemd_user_sessions_t)

domain_signal_all_domains(systemd_user_sessions_t)

fs_list_cgroup(systemd_user_sessions_t)
fs_delete_cgroup_dirs(systemd_user_sessions_t)
fs_read_cgroup_files(systemd_user_sessions_t)

selinux_dontaudit_getattr_fs(systemd_user_sessions_t)

logging_send_syslog_msg(systemd_user_sessions_t)

#######################################
#
# (TEST) Systemd shutdown local policy
#

unconfined_domain(systemd_shutdown_t)

mcs_killall(systemd_shutdown_t)
mcs_ptrace_all(systemd_shutdown_t)

#######################################
#
# Fedora storage init local policy
#

allow fedora_storage_init_t self:fifo_file rw_fifo_file_perms;
allow fedora_storage_init_t self:unix_stream_socket create_socket_perms;

allow fedora_storage_init_t systemd_lib_t:dir search_dir_perms;

kernel_read_system_state(fedora_storage_init_t)
kernel_read_software_raid_state(fedora_storage_init_t)

corecmd_exec_bin(fedora_storage_init_t)
corecmd_read_bin_symlinks(fedora_storage_init_t)

files_read_generic_etc_files(fedora_storage_init_t)
files_read_generic_etc_symlinks(fedora_storage_init_t)
files_search_generic_pids(fedora_storage_init_t)

selinux_dontaudit_getattr_fs(fedora_storage_init_t)

term_use_controlling_term(fedora_storage_init_t)

miscfiles_read_localization(fedora_storage_init_t)

optional_policy(`
init_domtrans_consoletype(fedora_storage_init_t)
')

optional_policy(`
lvm_domtrans(fedora_storage_init_t)
')

#######################################
#
# Fedora autoswap local policy
#

allow fedora_autoswap_t self:fifo_file rw_fifo_file_perms;
allow fedora_autoswap_t self:unix_stream_socket create_socket_perms;

search_dirs_pattern(fedora_autoswap_t, systemd_lib_t, systemd_lib_t)

kernel_read_system_state(fedora_autoswap_t)

# nsswitch.conf
files_read_generic_etc_files(fedora_autoswap_t)
files_read_generic_etc_symlinks(fedora_autoswap_t)
files_search_generic_pids(fedora_autoswap_t)

term_use_controlling_term(fedora_autoswap_t)

miscfiles_read_localization(fedora_autoswap_t)

optional_policy(`
init_domtrans_consoletype(fedora_autoswap_t)
')

#######################################
#
# Fedora readonly local policy
#

allow fedora_readonly_t self:fifo_file rw_fifo_file_perms;
allow fedora_readonly_t self:unix_stream_socket create_socket_perms;

search_dirs_pattern(fedora_readonly_t, systemd_lib_t, systemd_lib_t)

corecmd_exec_bin(fedora_readonly_t)

# /etc/sysconfig/readonly-root
files_read_generic_etc_files(fedora_readonly_t)
files_read_generic_etc_symlinks(fedora_readonly_t)
files_search_generic_pids(fedora_readonly_t)

selinux_get_enforce_mode(fedora_readonly_t)

term_use_controlling_term(fedora_readonly_t)
term_use_unallocated_ttys(fedora_readonly_t)
term_use_console(fedora_readonly_t)

miscfiles_read_localization(fedora_readonly_t)

optional_policy(`
init_domtrans_consoletype(fedora_readonly_t)
')

2011-07-25 14:51:15

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] new refpolicy release

On 07/25/2011 09:31 AM, Dominick Grift wrote:
>
>
> On Mon, 2011-07-25 at 22:39 +1000, Russell Coker wrote:
>> On Mon, 25 Jul 2011, Dominick Grift <[email protected]> wrote:
>>>>> As an aside, what's the status of systemd policy?
>>>>
>>>> There isn't one upstream. The last time it was discussed, I
>>>> suggested that it was so different and did so many more things
>>>> that it should probably be its own module. I haven't heard or
>>>> seen anything since then.
>>>
>>> I started working on it and got pretty far until I tried
>>> shutdown. That is when I hit issues.
>>>
>>> Kernel logging is stopped pretty early and so I could not
>>> determine what all systemd needs to shut down properly. Spent
>>> about a week just trying various things but could not get it to
>>> work. Gave up.
>>
>> Could you please post what you did to the list so others can work
>> on it without reinventing any wheels?
>
> Enclosed you will find what I ended up with. Keep in mind though
> that this is dated by now (it was done months ago).
>
> Also note that I pretty much gave each executable file a private
> type and each process a private domain, which is overkill, but it was
> my intention at that time to just figure out what each process
> separately needs and then later consider merging domains that have
> similar properties. The idea was to first just map systemd and then
> clean it up.
>
> Also there may be things I would do differently now that we have the
> named file transitions in Fedora 16.
>
> Also note that this policy is made in a modified refpolicy, so not
> all interface calls may be available to you (but similar ones should
> be).
>
Systemd is changing so fast and adding so many new features that we have
not looked at this. We are currently trying to make sure launching apps
is working correctly; we have a systemd policy for some of the helper
apps at this point.

I think it would make sense to revisit the separation at a point when
systemd has stabilized.



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: systemd.te
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: systemd.if
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment-0001.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: systemd.fc
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110725/20c2622f/attachment-0002.pl
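Two of the points Dominick makes above, that the per-process domains were meant to be merged later and that he would now use the named file transitions available in Fedora 16, can be illustrated against the readahead sections of the attached systemd.te. There, systemd_readahead_collect_t and systemd_readahead_replay_t each carry an unnamed `filetrans_pattern(..., systemd_var_run_t, systemd_readahead_var_run_t, dir)`, which relabels every directory either domain creates under the systemd pid directory, not just the readahead one. The fragment below is an added example written for this page; it is not part of the attached policy or of any upstream refpolicy or Fedora module. It assumes a refpolicy whose filetrans_pattern() and files_root_filetrans() accept the optional trailing filename argument (filename transitions need policy version 25, i.e. Linux 2.6.39 or later with a matching libsepol/checkpolicy), it assumes /run/systemd/readahead and /.readahead as the paths, and the type names systemd_readahead_t and systemd_readahead_exec_t are invented for the example; systemd_var_run_t and systemd_readahead_root_t are taken to be declared as in the attached module. It is written as a standalone module so it compiles on its own; inside systemd.te itself the gen_require block would be unnecessary.

```selinux
# Added example, not from the attached systemd.te. One readahead domain in
# place of the separate collect and replay domains, with named file
# transitions for its state. Assumes policy version 25 (filename
# transitions), /run/systemd/readahead and /.readahead as the paths, and
# systemd_var_run_t / systemd_readahead_root_t declared as in the attached
# module. The type names below are hypothetical.

policy_module(systemd_readahead_example, 0.1)

########################################
#
# Declarations
#

# One domain for both readahead-collect and readahead-replay: in the
# attached policy the two rule sets differ only in a handful of calls.
type systemd_readahead_t;
type systemd_readahead_exec_t;
init_daemon_domain(systemd_readahead_t, systemd_readahead_exec_t)

type systemd_readahead_var_run_t;
files_pid_file(systemd_readahead_var_run_t)

gen_require(`
	type systemd_var_run_t, systemd_readahead_root_t;
')

########################################
#
# Local policy
#

allow systemd_readahead_t self:capability { sys_admin dac_override };
allow systemd_readahead_t self:process setsched;

manage_dirs_pattern(systemd_readahead_t, systemd_readahead_var_run_t, systemd_readahead_var_run_t)
manage_files_pattern(systemd_readahead_t, systemd_readahead_var_run_t, systemd_readahead_var_run_t)

# Named transition: only a directory literally called "readahead" created
# inside a systemd_var_run_t directory gets the private type. Any other
# directory the domain creates there keeps the parent's type, whereas the
# unnamed form in the attached policy would relabel all of them. Expands
# to roughly:
#   type_transition systemd_readahead_t systemd_var_run_t:dir systemd_readahead_var_run_t "readahead";
filetrans_pattern(systemd_readahead_t, systemd_var_run_t, systemd_readahead_var_run_t, dir, "readahead")

# Same idea for the pack file written in the root directory: only the
# file named ".readahead" becomes systemd_readahead_root_t, instead of
# every file the domain could create under /.
manage_files_pattern(systemd_readahead_t, systemd_readahead_root_t, systemd_readahead_root_t)
files_root_filetrans(systemd_readahead_t, systemd_readahead_root_t, file, ".readahead")
```

The file context entries for /run/systemd/readahead(/.*)? and /.readahead are still wanted for restorecon and relabels; the named transition only changes what label a newly created object receives, so the check after loading such a module is to create a differently named directory from the domain and confirm it stays systemd_var_run_t. On a kernel or toolchain without policy version 25 the trailing filename argument is rejected at build time, which is the reason Dominick ties the idea to Fedora 16 rather than to the refpolicy release being discussed.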