systemd unit improvements

systemd unit improvements

[Christian Göttsche]

Hello,

in the past systemd was checking operation on systemd units, like
enable, disable... , when using systemctl.
This feature was removed three years ago [1] and nowadays only {
reload start status stop } are checked.
I am trying to re-enable these checks with a new approach [2].

With this pull request I also would like to specify some permissions
more precisely:
    - method_kexec:                                 reboot -> kexec
    - method_switch_root:                         reboot -> switchroot
    - method_set_environment:                  reload -> environment
    - method_unset_environment:              reload -> environment
    - method_unset_and_set_environment: reload -> environment
    - bus_unit_method_set_properties:       start -> setproperties
    - bus_unit_method_ref:                        start -> ref

The new introduced checks are computed like:
    source context: process context of the dbus client
    target context:   either the file context of the installation path
for the requested unit (like ssh -> /lib/systemd/system/ssh.service ->
sshd_unit_t) if the file exists, or the process context of systemd
(init_t)
                            so when operating on edited units (like
/etc/systemd/system/ssh.service) the access is still checked against
the original unit context
    class:               "service"
    permission:       verb close to the action (like "enable", "preset"...)

Any comments are appreciated.

Best regards,
     Christian Göttsche


[1]: https://github.com/systemd/systemd/commit/8faae625dc9b6322db452937f54176e56e65265a
[2]: https://github.com/systemd/systemd/pull/10023