Add systemd units for core refpolicy services.

Only for services that already have a named init script.

Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.

policy/modules/kernel/files.if

@@ -2890,6 +2890,24 @@ interface(`files_exec_etc_files',`
 	exec_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+##	Get etc_t service status.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_get_etc_unit_status',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service status;
+')
+
 #######################################
 ## <summary>
 ##	Relabel from and to generic files in /etc.

policy/modules/services/postgresql.if

@@ -569,7 +569,7 @@ interface(`postgresql_admin',`
 		type postgresql_t, postgresql_var_run_t;
 		type postgresql_tmp_t, postgresql_db_t;
 		type postgresql_etc_t, postgresql_log_t;
-		type postgresql_initrc_exec_t;
+		type postgresql_initrc_exec_t, postgresql_unit_t;
 	')
 
 	typeattribute $1 sepgsql_admin_type;
@@ -577,7 +577,7 @@ interface(`postgresql_admin',`
 	allow $1 postgresql_t:process { ptrace signal_perms };
 	ps_process_pattern($1, postgresql_t)
 
-	init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+	init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
 
 	admin_pattern($1, postgresql_var_run_t)
 

policy/modules/services/postgresql.te

@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")

policy/modules/system/init.if

@@ -1387,6 +1387,11 @@ interface(`init_all_labeled_script_domtrans',`
 ##	Labeled init script file.
 ##	</summary>
 ## </param>
+## <param name="unit" optional="true">
+##	<summary>
+##	Systemd unit file type.
+##	</summary>
+## </param>
 #
 interface(`init_startstop_service',`
 	gen_require(`
@@ -1404,6 +1409,18 @@ interface(`init_startstop_service',`
 			role_transition $2 $4 system_r;
 			allow $2 system_r;
 		')
+
+		ifdef(`init_systemd',`
+			# This ifelse condition is temporary, until
+			# all callers are updated to provide unit files.
+			ifelse(`$5',`',`',`
+				gen_require(`
+					class service { start stop };
+				')
+
+				allow $1 $5:service { start stop };
+			')
+		')
 	')
 ')
 

policy/modules/system/init.te

@@ -746,6 +746,9 @@ ifdef(`init_systemd',`
 	corecmd_shell_domtrans(init_t, initrc_t)
 
 	files_read_boot_files(initrc_t)
+	# Allow initrc_t to check /etc/fstab "service." It appears that
+	# systemd is conflating files and services.
+	files_get_etc_unit_status(initrc_t)
 	files_setattr_pid_dirs(initrc_t)
 
 	selinux_set_enforce_mode(initrc_t)

policy/modules/system/ipsec.if

@@ -393,12 +393,13 @@ interface(`ipsec_admin',`
 		type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
 		type ipsec_var_run_t, ipsec_mgmt_lock_t;
 		type ipsec_mgmt_var_run_t, racoon_tmp_t;
+		type ipsec_unit_t;
 	')
 
 	allow $1 ipsec_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ipsec_t)
 
-	init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+	init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
 
 	ipsec_exec_mgmt($1)
 	ipsec_stream_connect($1)

policy/modules/system/ipsec.te

@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
 type ipsec_tmp_t;
 files_tmp_file(ipsec_tmp_t)
 
+type ipsec_unit_t;
+init_unit_file(ipsec_unit_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)

policy/modules/system/iptables.fc

@@ -14,6 +14,11 @@
 /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.*	 -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.*	-- gen_context(system_u:object_r:iptables_unit_t,s0)
+
 /usr/sbin/conntrack		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)

policy/modules/system/iptables.if

@@ -185,13 +185,13 @@ interface(`iptables_manage_config',`
 interface(`iptables_admin',`
 	gen_require(`
 		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
-		type iptables_tmp_t, iptables_var_run_t;
+		type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
 	')
 
 	allow $1 iptables_t:process { ptrace signal_perms };
 	ps_process_pattern($1, iptables_t)
 
-	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
 
 	files_list_etc($1)
 	admin_pattern($1, iptables_conf_t)

policy/modules/system/iptables.te

@@ -22,6 +22,9 @@ files_config_file(iptables_conf_t)
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
+type iptables_unit_t;
+init_unit_file(iptables_unit_t)
+
 type iptables_var_run_t;
 files_pid_file(iptables_var_run_t)
 

policy/modules/system/logging.fc

@@ -17,6 +17,8 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)

policy/modules/system/logging.if

@@ -1024,7 +1024,7 @@ interface(`logging_admin_audit',`
 	gen_require(`
 		type auditd_t, auditd_etc_t, auditd_log_t;
 		type auditd_var_run_t;
-		type auditd_initrc_exec_t;
+		type auditd_initrc_exec_t, auditd_unit_t;
 	')
 
 	allow $1 auditd_t:process { ptrace signal_perms };
@@ -1041,7 +1041,7 @@ interface(`logging_admin_audit',`
 
 	logging_run_auditctl($1, $2)
 
-	init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
+	init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
 ')
 
 ########################################
@@ -1067,7 +1067,7 @@ interface(`logging_admin_syslog',`
 		type syslogd_tmp_t, syslogd_var_lib_t;
 		type syslogd_var_run_t, klogd_var_run_t;
 		type klogd_tmp_t, var_log_t;
-		type syslogd_initrc_exec_t;
+		type syslogd_initrc_exec_t, syslogd_unit_t;
 	')
 
 	allow $1 syslogd_t:process { ptrace signal_perms };
@@ -1096,7 +1096,7 @@ interface(`logging_admin_syslog',`
 
 	logging_manage_all_logs($1)
 
-	init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
+	init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
 ')
 
 ########################################

policy/modules/system/logging.te

@@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t)
 type auditd_initrc_exec_t;
 init_script_file(auditd_initrc_exec_t)
 
+type auditd_unit_t;
+init_unit_file(auditd_unit_t);
+
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
 
@@ -71,6 +74,9 @@ init_script_file(syslogd_initrc_exec_t)
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)
 
+type syslogd_unit_t;
+init_unit_file(syslogd_unit_t)
+
 type syslogd_var_lib_t;
 files_type(syslogd_var_lib_t)
 

policy/modules/system/lvm.fc

@@ -89,6 +89,12 @@ ifdef(`distro_gentoo',`
 #
 # /usr
 #
+
+/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-.*	-- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+
 /usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 

policy/modules/system/lvm.if

@@ -162,7 +162,7 @@ interface(`lvm_domtrans_clvmd',`
 #
 interface(`lvm_admin',`
 	gen_require(`
-		type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+		type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t;
 		type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
 		type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
 	')
@@ -170,7 +170,7 @@ interface(`lvm_admin',`
 	allow $1 clvmd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, clvmd_t)
 
-	init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+	init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
 
 	files_search_etc($1)
 	admin_pattern($1, lvm_etc_t)

policy/modules/system/lvm.te

@@ -32,6 +32,9 @@ files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
 
+type lvm_unit_t;
+init_unit_file(lvm_unit_t)
+
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
 

policy/modules/system/setrans.if

@@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
 interface(`setrans_admin',`
 	gen_require(`
 		type setrans_t, setrans_initrc_exec_t;
-		type setrans_var_run_t;
+		type setrans_var_run_t, setrans_unit_t;
 	')
 
 	allow $1 setrans_t:process { ptrace signal_perms };
 	ps_process_pattern($1, setrans_t)
 
-	init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+	init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
 
 	files_search_pids($1)
 	admin_pattern($1, setrans_var_run_t)

policy/modules/system/setrans.te

@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
 type setrans_initrc_exec_t;
 init_script_file(setrans_initrc_exec_t)
 
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
 type setrans_var_run_t;
 files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)