[refpolicy] [PATCH] another first systemd patch

[nicolas.iooss@m4x.org (Nicolas Iooss)]

On Sun, Feb 19, 2017 at 12:49 PM, Russell Coker via refpolicy <
refpolicy@oss.tresys.com> wrote:

> Here's another first patch for systemd support.  I split out the misc patch
> and parts of what became the dpkg patch as well as a heap of other stuff
> that
> will be in a later patch.
>
> This patch has all the interfaces needed to build and no excess interfaces.
>
> It starts with allowing a dynamic transition from kernel_t which is
> something
> that systemd likes to do.  It has lots of changes for init_t which are
> needed
> by systemd which does a lot more than the old SysV init.
>
> It probably also has some init_t and initrc_t changes that aren't specific
> to
> systemd.  As I only use systemd I don't know exactly what is required
> without
> it nowadays.
>
> The file contexts have a few non-systemd changes that were in the same
> patch,
> while I'm aiming to just have systemd stuff sometimes it seems easier to
> put
> a few little things in than to split them out.
>
> There are significant changes to syslogd_t because we have systemd-journald
> running in that domain and it does a lot more.
>
> There are some changes to userdomain policy to interact with systemd.  The
> way systemd manages logins requires a lot more interaction with various
> daemons.
>
> There's a minor change to the lvm related policy due to having a systemd
> process using that domain.  lvm_t isn't an ideal name any more, but that's
> an
> issue to discuss later.
>
> For the main systemd policy I only added some extra type definitions and
> the
> policy for systemd_backlight_t.  I added policy for systemd_backlight_t
> instead of any of the other systemd domains because I have the policy
> file in alphabetical order and I didn't want to make a huge patch.  There
> is more to come in future patches.  ;)
>
> [...]

> @@ -140,29 +176,33 @@ dontaudit systemd_log_parse_env_type sel
>  kernel_read_system_state(systemd_log_parse_env_type)
>
>  dev_write_kmsg(systemd_log_parse_env_type)
> -
> -term_use_console(systemd_log_parse_env_type)
> -
>  init_read_state(systemd_log_parse_env_type)
> -
>  logging_send_syslog_msg(systemd_log_parse_env_type)
> +term_use_console(systemd_log_parse_env_type)
>
>  ######################################
>  #
>  # Backlight local policy
>  #
>
> +allow systemd_backlight_t self:unix_dgram_socket { connect
> connected_socket_perms };
> +
>  allow systemd_backlight_t systemd_backlight_var_lib_t:dir
> manage_dir_perms;
> -init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t,
> dir)
>  manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t,
> systemd_backlight_var_lib_t)
> -
>  systemd_log_parse_environment(systemd_backlight_t)
>
> +kernel_read_system_state(systemd_backlight_t)
> +
>  # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
>  dev_rw_sysfs(systemd_backlight_t)
> -
> +dev_write_kmsg(systemd_backlight_t)
> +# for udev.conf
>  files_read_etc_files(systemd_backlight_t)
>
> +init_read_state(systemd_backlight_t)
> +init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t,
> dir)
> +logging_send_syslog_msg(systemd_backlight_t)
> +# for /run/udev/data/+backlight*
>  udev_read_pid_files(systemd_backlight_t)
>

Why are init_read_state(systemd_backlight_t),
logging_send_syslog_msg(systemd_backlight_t)...
needed with systemd_log_parse_environment(systemd_backlight_t)? The
accesses these calls provide should already be handled by attribute
systemd_log_parse_env_type, right above in systemd.te.

Nicolas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170219/e1421379/attachment-0001.html