This is a bunch of minor fixes that I split out from another patch which also
has some of the interfaces needed for the systemd core patch I sent a few
days ago (which is why that one didn't work).
After we get this one done I'll create a patch set for systemd that should
make pebenito happy. ;)
Fix some minor labelling issues for init.
Make lots of things optional_policy to allow more modular builds.
Remove the sysadm_shell_domtrans(init_t) line, it causes problems with systemd
as well as upstart.
Allow kerneloops_t to read /proc/cpuinfo etc
make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
question
Index: refpolicy-2.20170212/policy/modules/system/init.fc
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/init.fc
+++ refpolicy-2.20170212/policy/modules/system/init.fc
@@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
/usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
')
+/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', `
/usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
Index: refpolicy-2.20170212/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170212/policy/modules/system/logging.te
@@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
init_dontaudit_use_fds(auditctl_t)
-locallogin_dontaudit_use_fds(auditctl_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(auditctl_t)
+')
logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)
@@ -565,6 +567,8 @@ optional_policy(`
optional_policy(`
udev_read_db(syslogd_t)
+ # for systemd-journal to read seat data from /run/udev/data
+ udev_read_pid_files(syslogd_t)
')
optional_policy(`
Index: refpolicy-2.20170212/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170212/policy/modules/system/lvm.te
@@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
+
logging_send_syslog_msg(lvm_t)
miscfiles_read_localization(lvm_t)
Index: refpolicy-2.20170212/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170212/policy/modules/system/selinuxutil.te
@@ -343,7 +343,9 @@ files_relabel_non_auth_files(restorecond
files_read_non_auth_files(restorecond_t)
auth_use_nsswitch(restorecond_t)
-locallogin_dontaudit_use_fds(restorecond_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(restorecond_t)
+')
logging_send_syslog_msg(restorecond_t)
@@ -482,7 +484,9 @@ term_use_all_terms(semanage_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
-locallogin_use_fds(semanage_t)
+optional_policy(`
+ locallogin_use_fds(semanage_t)
+')
logging_send_syslog_msg(semanage_t)
Index: refpolicy-2.20170212/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20170212/policy/modules/system/sysnetwork.te
@@ -145,7 +145,9 @@ logging_send_syslog_msg(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
+optional_policy(`
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
@@ -333,7 +335,9 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
-modutils_domtrans_insmod(ifconfig_t)
+optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
+')
seutil_use_runinit_fds(ifconfig_t)
Index: refpolicy-2.20170212/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/init.te
+++ refpolicy-2.20170212/policy/modules/system/init.te
@@ -304,10 +304,6 @@ ifdef(`init_systemd',`
',`
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
- ',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
- sysadm_shell_domtrans(init_t)
')
')
@@ -561,8 +557,10 @@ miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
miscfiles_read_generic_certs(initrc_t)
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
+optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
seutil_read_config(initrc_t)
Index: refpolicy-2.20170212/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170212/policy/modules/system/udev.te
@@ -56,6 +56,7 @@ allow udev_t self:unix_stream_socket con
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+fs_read_cgroup_files(udev_t)
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
@@ -82,6 +83,8 @@ files_pid_filetrans(udev_t, udev_var_run
kernel_load_module(udev_t)
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
+# systemd-udevd needs kernel_load_module
+kernel_load_module(udev_t)
kernel_getattr_core_if(udev_t)
kernel_use_fds(udev_t)
kernel_read_device_sysctls(udev_t)
Index: refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
@@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
kernel_read_ring_buffer(kerneloops_t)
+kernel_read_system_state(kerneloops_t)
domain_use_interactive_fds(kerneloops_t)
Index: refpolicy-2.20170212/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170212/policy/modules/system/locallogin.te
@@ -62,6 +62,8 @@ kernel_link_key(local_login_t)
corecmd_list_bin(local_login_t)
corecmd_read_bin_symlinks(local_login_t)
+# for /bin/uname
+corecmd_exec_bin(local_login_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(local_login_t)
corecmd_read_bin_pipes(local_login_t)
Index: refpolicy-2.20170212/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170212/policy/modules/services/xserver.if
@@ -913,7 +913,7 @@ interface(`xserver_setattr_xdm_tmp_dirs'
########################################
## <summary>
-## Create a named socket in a XDM
+## Create and unlink a named socket in a XDM
## temporary directory.
## </summary>
## <param name="domain">
@@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ allow $1 xdm_tmp_t:sock_file unlink;
')
########################################
On 02/12/17 06:38, Russell Coker via refpolicy wrote:
> This is a bunch of minor fixes that I split out from another patch which also
> has some of the interfaces needed for the systemd core patch I sent a few
> days ago (which is why that one didn't work).
>
> After we get this one done I'll create a patch set for systemd that should
> make pebenito happy. ;)
>
> Fix some minor labelling issues for init.
>
> Make lots of things optional_policy to allow more modular builds.
>
> Remove the sysadm_shell_domtrans(init_t) line, it causes problems with systemd
> as well as upstart.
>
> Allow kerneloops_t to read /proc/cpuinfo etc
>
> make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
> question
>
>
> Index: refpolicy-2.20170212/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170212/policy/modules/system/init.fc
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
> /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
> ')
>
> +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
>
> /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> @@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
> /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
This doesn't seem right. Then if you don't have XDM, regular users
can't run startx.
> +/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
>
> ifdef(`distro_gentoo', `
> /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
> Index: refpolicy-2.20170212/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170212/policy/modules/system/logging.te
> @@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
>
> init_dontaudit_use_fds(auditctl_t)
>
> -locallogin_dontaudit_use_fds(auditctl_t)
> +optional_policy(`
> + locallogin_dontaudit_use_fds(auditctl_t)
> +')
This new optional should be moved down with the other auditctl_t ones,
above the mta_send_mail().
> logging_set_audit_parameters(auditctl_t)
> logging_send_syslog_msg(auditctl_t)
> @@ -565,6 +567,8 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(syslogd_t)
> + # for systemd-journal to read seat data from /run/udev/data
> + udev_read_pid_files(syslogd_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170212/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170212/policy/modules/system/lvm.te
> @@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
> init_use_script_ptys(lvm_t)
> init_read_script_state(lvm_t)
>
> +# for systemd-cryptsetup
> +dev_write_kmsg(lvm_t)
> +
> logging_send_syslog_msg(lvm_t)
>
> miscfiles_read_localization(lvm_t)
> Index: refpolicy-2.20170212/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170212/policy/modules/system/selinuxutil.te
> @@ -343,7 +343,9 @@ files_relabel_non_auth_files(restorecond
> files_read_non_auth_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> -locallogin_dontaudit_use_fds(restorecond_t)
> +optional_policy(`
> + locallogin_dontaudit_use_fds(restorecond_t)
> +')
This optional should move down to the above the optional with
rpm_use_script_fds().
> logging_send_syslog_msg(restorecond_t)
>
> @@ -482,7 +484,9 @@ term_use_all_terms(semanage_t)
> # Running genhomedircon requires this for finding all users
> auth_use_nsswitch(semanage_t)
>
> -locallogin_use_fds(semanage_t)
> +optional_policy(`
> + locallogin_use_fds(semanage_t)
> +')
This new optional should go down after the distro_ubuntu block.
> logging_send_syslog_msg(semanage_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20170212/policy/modules/system/sysnetwork.te
> @@ -145,7 +145,9 @@ logging_send_syslog_msg(dhcpc_t)
>
> miscfiles_read_localization(dhcpc_t)
>
> -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +optional_policy(`
> + modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +')
This new optional should go down above the netutil_run*(dhcpc_t)
optional block.
> sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
>
> @@ -333,7 +335,9 @@ logging_send_syslog_msg(ifconfig_t)
>
> miscfiles_read_localization(ifconfig_t)
>
> -modutils_domtrans_insmod(ifconfig_t)
> +optional_policy(`
> + modutils_domtrans_insmod(ifconfig_t)
> +')
This new optional should go down after the ipsec_*() optional block.
> seutil_use_runinit_fds(ifconfig_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170212/policy/modules/system/init.te
> @@ -304,10 +304,6 @@ ifdef(`init_systemd',`
> ',`
> tunable_policy(`init_upstart',`
> corecmd_shell_domtrans(init_t, initrc_t)
> - ',`
> - # Run the shell in the sysadm role for single-user mode.
> - # causes problems with upstart
> - sysadm_shell_domtrans(init_t)
I don't think we want to remove this, as it will impact sysvinit, which
Gentoo still uses.
> ')
> ')
>
> @@ -561,8 +557,10 @@ miscfiles_read_localization(initrc_t)
> # slapd needs to read cert files from its initscript
> miscfiles_read_generic_certs(initrc_t)
>
> -modutils_read_module_config(initrc_t)
> -modutils_domtrans_insmod(initrc_t)
> +optional_policy(`
> + modutils_read_module_config(initrc_t)
> + modutils_domtrans_insmod(initrc_t)
> +')
This new optional should much farther down, between the mailman and mta
optional blocks.
> seutil_read_config(initrc_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170212/policy/modules/system/udev.te
> @@ -56,6 +56,7 @@ allow udev_t self:unix_stream_socket con
> allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow udev_t self:netlink_generic_socket create_socket_perms;
> allow udev_t self:rawip_socket create_socket_perms;
> +fs_read_cgroup_files(udev_t)
The should go down with the other fs_* calls.
> allow udev_t udev_exec_t:file write;
> can_exec(udev_t, udev_exec_t)
> @@ -82,6 +83,8 @@ files_pid_filetrans(udev_t, udev_var_run
> kernel_load_module(udev_t)
> kernel_read_system_state(udev_t)
> kernel_request_load_module(udev_t)
> +# systemd-udevd needs kernel_load_module
> +kernel_load_module(udev_t)
This rule is already in, at the top of the hunk actually :)
> kernel_getattr_core_if(udev_t)
> kernel_use_fds(udev_t)
> kernel_read_device_sysctls(udev_t)
> Index: refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
> @@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
> files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
>
> kernel_read_ring_buffer(kerneloops_t)
> +kernel_read_system_state(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170212/policy/modules/system/locallogin.te
> @@ -62,6 +62,8 @@ kernel_link_key(local_login_t)
>
> corecmd_list_bin(local_login_t)
> corecmd_read_bin_symlinks(local_login_t)
> +# for /bin/uname
> +corecmd_exec_bin(local_login_t)
Why would /bin/login run uname?
> # cjp: these are probably not needed:
> corecmd_read_bin_files(local_login_t)
> corecmd_read_bin_pipes(local_login_t)
> Index: refpolicy-2.20170212/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170212/policy/modules/services/xserver.if
> @@ -913,7 +913,7 @@ interface(`xserver_setattr_xdm_tmp_dirs'
>
> ########################################
> ## <summary>
> -## Create a named socket in a XDM
> +## Create and unlink a named socket in a XDM
> ## temporary directory.
> ## </summary>
> ## <param name="domain">
> @@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
> files_search_tmp($1)
> allow $1 xdm_tmp_t:dir list_dir_perms;
> create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
> + allow $1 xdm_tmp_t:sock_file unlink;
This should be a new interface, as callers won't expect the unlink
access from a "create" interface.
--
Chris PeBenito
On Sun, Feb 12, 2017 at 12:38 PM, Russell Coker via refpolicy <
[email protected]> wrote:
> This is a bunch of minor fixes that I split out from another patch which
> also
> has some of the interfaces needed for the systemd core patch I sent a few
> days ago (which is why that one didn't work).
>
> After we get this one done I'll create a patch set for systemd that should
> make pebenito happy. ;)
>
> Fix some minor labelling issues for init.
>
> Make lots of things optional_policy to allow more modular builds.
>
> Remove the sysadm_shell_domtrans(init_t) line, it causes problems with
> systemd
> as well as upstart.
>
> Allow kerneloops_t to read /proc/cpuinfo etc
>
> make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
> question
>
>
> Index: refpolicy-2.20170212/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170212/policy/modules/system/init.fc
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
> /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:
> initrc_state_t,s0)
> ')
>
> +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:
> init_exec_t,s0)
> +/usr/lib/systemd/system-generators/[^/]* --
> gen_context(system_u:object_r:init_exec_t,s0)
>
> /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:
> initrc_exec_t,s0)
> /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:
> initrc_exec_t,s0)
>
Why is /usr/lib/systemd/[^/]* needed and labeled init_exec_t, instead of
bin_t for example? /usr/lib/systemd/systemd is already labeled init_exec_t
and /usr/lib/systemd/ contains other programs such as systemd services
(which contexts are defined in policy/modules/system/systemd.fc).
Nicolas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170212/a47e5c65/attachment.html
On Mon, 13 Feb 2017 06:25:20 AM Chris PeBenito via refpolicy wrote:
> > @@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
> >
> > /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > /usr/sbin/open_init_pty --
gen_context(system_u:object_r:initrc_exec_t,s
> > 0) /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > +/usr/sbin/startx --
gen_context(system_u:object_r:initrc_exec_t,s0)
>
> This doesn't seem right. Then if you don't have XDM, regular users
> can't run startx.
Can they run startx anyway? I don't expect it to work but haven't tested it.
Anyway I removed that from my tree as it probably wouldn't work either. ;)
> > --- refpolicy-2.20170212.orig/policy/modules/system/logging.te
> > +++ refpolicy-2.20170212/policy/modules/system/logging.te
> > @@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
> >
> > init_dontaudit_use_fds(auditctl_t)
> >
> > -locallogin_dontaudit_use_fds(auditctl_t)
> > +optional_policy(`
> > + locallogin_dontaudit_use_fds(auditctl_t)
> > +')
>
> This new optional should be moved down with the other auditctl_t ones,
> above the mta_send_mail().
That's an auditd_t optional. But in any case I moved the auditctl_t one to
the bottom of it's section.
> > -locallogin_dontaudit_use_fds(restorecond_t)
> > +optional_policy(`
> > + locallogin_dontaudit_use_fds(restorecond_t)
> > +')
>
> This optional should move down to the above the optional with
> rpm_use_script_fds().
OK.
> > -locallogin_use_fds(semanage_t)
> > +optional_policy(`
> > + locallogin_use_fds(semanage_t)
> > +')
>
> This new optional should go down after the distro_ubuntu block.
OK.
> > -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> > +optional_policy(`
> > + modutils_run_insmod(dhcpc_t, dhcpc_roles)
> > +')
>
> This new optional should go down above the netutil_run*(dhcpc_t)
> optional block.
OK.
> > -modutils_domtrans_insmod(ifconfig_t)
> > +optional_policy(`
> > + modutils_domtrans_insmod(ifconfig_t)
> > +')
>
> This new optional should go down after the ipsec_*() optional block.
OK.
> > - ',`
> > - # Run the shell in the sysadm role for single-user mode.
> > - # causes problems with upstart
> > - sysadm_shell_domtrans(init_t)
>
> I don't think we want to remove this, as it will impact sysvinit, which
> Gentoo still uses.
Does Gentoo have systemd working?
I've added ifndef(`distro_debian' around it. That gives it clear function and
clear intent for the next people who want to work on it.
> > -modutils_read_module_config(initrc_t)
> > -modutils_domtrans_insmod(initrc_t)
> > +optional_policy(`
> > + modutils_read_module_config(initrc_t)
> > + modutils_domtrans_insmod(initrc_t)
> > +')
>
> This new optional should much farther down, between the mailman and mta
> optional blocks.
OK.
> > +fs_read_cgroup_files(udev_t)
>
> The should go down with the other fs_* calls.
OK
> > +# systemd-udevd needs kernel_load_module
> > +kernel_load_module(udev_t)
>
> This rule is already in, at the top of the hunk actually :)
OK.
> > +# for /bin/uname
> > +corecmd_exec_bin(local_login_t)
>
> Why would /bin/login run uname?
I can't reproduce it at this time. So I've removed it from my tree.
> > @@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
> >
> > files_search_tmp($1)
> > allow $1 xdm_tmp_t:dir list_dir_perms;
> > create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
> >
> > + allow $1 xdm_tmp_t:sock_file unlink;
>
> This should be a new interface, as callers won't expect the unlink
> access from a "create" interface.
I've added a new interface. It has no callers yet as I didn't make a note of
which domains needed to unlink it. I'm sure I'll find some in the next few
days. ;)
I'll send a new patch in a few minutes.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On Mon, 13 Feb 2017 06:36:50 AM Nicolas Iooss via refpolicy wrote:
> > +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:
> > init_exec_t,s0)
> > +/usr/lib/systemd/system-generators/[^/]* --
> > gen_context(system_u:object_r:init_exec_t,s0)
> >
> > /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:
> > initrc_exec_t,s0)
> >
> > /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:
> > initrc_exec_t,s0)
>
> Why is /usr/lib/systemd/[^/]* needed and labeled init_exec_t, instead of
> bin_t for example? /usr/lib/systemd/systemd is already labeled init_exec_t
> and /usr/lib/systemd/ contains other programs such as systemd services
> (which contexts are defined in policy/modules/system/systemd.fc).
I've removed that, it works well without it.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/