2017-03-22 08:27:17

by Russell Coker

Subject: [refpolicy] [PATCH] sort rules for systemd cgroups hostnamed and logind

As requested this patch sorts some rules for systemd policy, removes some
dupes, and does nothing else. The next patch actually does things.


Index: refpolicy-2.20170313/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170313/policy/modules/system/systemd.te
@@ -202,12 +202,11 @@ fs_register_binary_executable_type(syste
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
kernel_dgram_send(systemd_cgroups_t)

-selinux_getattr_fs(systemd_cgroups_t)
-
# write to /run/systemd/cgroups-agent
init_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)

+selinux_getattr_fs(systemd_cgroups_t)
systemd_log_parse_environment(systemd_cgroups_t)

######################################
@@ -256,14 +255,12 @@ seutil_search_default_contexts(systemd_c
kernel_read_kernel_sysctls(systemd_hostnamed_t)

files_read_etc_files(systemd_hostnamed_t)
-
seutil_read_file_contexts(systemd_hostnamed_t)
-
systemd_log_parse_environment(systemd_hostnamed_t)

optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_system_bus_client(systemd_hostnamed_t)
')

#######################################
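Review bot: Dropping the blank lines after `files_read_etc_files(systemd_hostnamed_t)` and `seutil_read_file_contexts(systemd_hostnamed_t)` merges rules from three different modules (files_*, seutil_*, systemd_*) into one run, which works against the per-module grouping the sort is meant to produce; keep one blank line between each module's rules, i.e. `files_read_etc_files(systemd_hostnamed_t)`, a blank line, `seutil_read_file_contexts(systemd_hostnamed_t)`, a blank line, `systemd_log_parse_environment(systemd_hostnamed_t)`. The same join appears in the logind hunk, where the new `storage_setattr_scsi_generic_dev(systemd_logind_t)` line runs straight into `systemd_log_parse_environment(systemd_logind_t)`. Every non-blank line removed in this hunk reappears on the new side, so the interfaces granted to systemd_hostnamed_t look unchanged, as a pure reorder should.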
@@ -318,51 +315,46 @@ init_var_lib_filetrans(systemd_logind_t,

manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-files_search_pids(systemd_logind_t)

kernel_read_kernel_sysctls(systemd_logind_t)

auth_manage_faillog(systemd_logind_t)
-
-dev_rw_sysfs(systemd_logind_t)
-dev_rw_input_dev(systemd_logind_t)
dev_getattr_dri_dev(systemd_logind_t)
-dev_setattr_dri_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
-
files_read_etc_files(systemd_logind_t)
-
-fs_read_efivarfs_files(systemd_logind_t)
+files_search_pids(systemd_logind_t)

fs_getattr_tmpfs(systemd_logind_t)
-
-storage_getattr_removable_dev(systemd_logind_t)
-storage_setattr_removable_dev(systemd_logind_t)
-storage_getattr_scsi_generic_dev(systemd_logind_t)
-storage_setattr_scsi_generic_dev(systemd_logind_t)
-
-term_use_unallocated_ttys(systemd_logind_t)
+fs_read_efivarfs_files(systemd_logind_t)

init_get_all_units_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+init_service_status(systemd_logind_t)
init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
-init_service_status(systemd_logind_t)
-init_service_start(systemd_logind_t)
-
locallogin_read_state(systemd_logind_t)

+storage_getattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
systemd_log_parse_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)

+term_use_unallocated_ttys(systemd_logind_t)
+
udev_read_db(systemd_logind_t)
udev_read_pid_files(systemd_logind_t)

userdom_use_user_ttys(systemd_logind_t)

optional_policy(`
- dbus_system_bus_client(systemd_logind_t)
dbus_connect_system_bus(systemd_logind_t)
+ dbus_system_bus_client(systemd_logind_t)
')

#########################################
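Review bot: The commit message says duplicates are removed, but in this hunk each of the fourteen non-blank removed lines reappears on the new side and no two surviving rules are identical, so nothing is de-duplicated here; either name where the duplicates were or drop that claim from the description, because someone auditing the permissions granted to systemd_logind_t will otherwise look for a rule that was dropped. On the visible lines the set of interfaces called for systemd_logind_t is the same before and after, which is what a reorder-only patch should show. If the duplicates live in a part of systemd.te not touched by these three hunks, a sentence saying so would save the next reader the same check.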


2017-03-25 17:52:02

by Chris PeBenito

Subject: [refpolicy] [PATCH] sort rules for systemd cgroups hostnamed and logind

On 03/22/2017 04:27 AM, Russell Coker via refpolicy wrote:
> As requested this patch sorts some rules for systemd policy, removes
> some dupes, and does nothing else. The next patch actually does
> things.

There are a couple of notes about the sorting. I'd appreciate suggestions or
patches to improve the clarity of the style guide. I've merged this so
the latter patch could be merged, but fixed the issues afterward.


> Index: refpolicy-2.20170313/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/system/systemd.te +++
> refpolicy-2.20170313/policy/modules/system/systemd.te @@ -202,12
> +202,11 @@ fs_register_binary_executable_type(syste
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> kernel_dgram_send(systemd_cgroups_t)
>
> -selinux_getattr_fs(systemd_cgroups_t) - # write to
> /run/systemd/cgroups-agent init_dgram_send(systemd_cgroups_t)
> init_stream_connect(systemd_cgroups_t)
>
> +selinux_getattr_fs(systemd_cgroups_t)

Actually this line was in the right place because selinux module is in
kernel layer, while init and systemd are in system (higher layer).

> systemd_log_parse_environment(systemd_cgroups_t)
>
> ###################################### @@ -256,14 +255,12 @@
> seutil_search_default_contexts(systemd_c
> kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> files_read_etc_files(systemd_hostnamed_t) -
> seutil_read_file_contexts(systemd_hostnamed_t) -
> systemd_log_parse_environment(systemd_hostnamed_t)
>
> optional_policy(` - dbus_system_bus_client(systemd_hostnamed_t)
> dbus_connect_system_bus(systemd_hostnamed_t) +
> dbus_system_bus_client(systemd_hostnamed_t)

Within a group of rules from a particular module (dbus_*) they don't
necessarily need to be sorted.


> ')
>
> ####################################### @@ -318,51 +315,46 @@
> init_var_lib_filetrans(systemd_logind_t,
>
> manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t,
> systemd_logind_var_run_t) manage_files_pattern(systemd_logind_t,
> systemd_logind_var_run_t, systemd_logind_var_run_t)
> -files_search_pids(systemd_logind_t)
>
> kernel_read_kernel_sysctls(systemd_logind_t)
>
> auth_manage_faillog(systemd_logind_t) -
> -dev_rw_sysfs(systemd_logind_t) -dev_rw_input_dev(systemd_logind_t)
> dev_getattr_dri_dev(systemd_logind_t)
> -dev_setattr_dri_dev(systemd_logind_t)
> dev_getattr_sound_dev(systemd_logind_t)
> +dev_rw_input_dev(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t)
> +dev_setattr_dri_dev(systemd_logind_t)
> dev_setattr_sound_dev(systemd_logind_t) -

Within a group of rules from a particular module (dbus_*) they don't
necessarily need to be sorted. Also there should be a blank line between
dev_* rules and files_* rules.


> files_read_etc_files(systemd_logind_t) -
> -fs_read_efivarfs_files(systemd_logind_t)
> +files_search_pids(systemd_logind_t)
>
> fs_getattr_tmpfs(systemd_logind_t) -
> -storage_getattr_removable_dev(systemd_logind_t)
> -storage_setattr_removable_dev(systemd_logind_t)
> -storage_getattr_scsi_generic_dev(systemd_logind_t)
> -storage_setattr_scsi_generic_dev(systemd_logind_t) -
> -term_use_unallocated_ttys(systemd_logind_t)
> +fs_read_efivarfs_files(systemd_logind_t)
>
> init_get_all_units_status(systemd_logind_t)
> +init_service_start(systemd_logind_t)
> +init_service_status(systemd_logind_t)
> init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> -init_service_status(systemd_logind_t)
> -init_service_start(systemd_logind_t) -
> locallogin_read_state(systemd_logind_t)
>
> +storage_getattr_removable_dev(systemd_logind_t)
> +storage_getattr_scsi_generic_dev(systemd_logind_t)
> +storage_setattr_removable_dev(systemd_logind_t)
> +storage_setattr_scsi_generic_dev(systemd_logind_t)
> systemd_log_parse_environment(systemd_logind_t)
> systemd_start_power_units(systemd_logind_t)
>
> +term_use_unallocated_ttys(systemd_logind_t) +
> udev_read_db(systemd_logind_t) udev_read_pid_files(systemd_logind_t)
>
> userdom_use_user_ttys(systemd_logind_t)
>
> optional_policy(` - dbus_system_bus_client(systemd_logind_t)
> dbus_connect_system_bus(systemd_logind_t) +
> dbus_system_bus_client(systemd_logind_t) ')
>
> #########################################


--
Chris PeBenito