This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd-update-done needs to be able to create /etc/.updated and /var/.updated
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The type systemd_unit_t is actually declared in init.te.
Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
The documentation page of this service describes well which access are
needed
(https://www.freedesktop.org/software/systemd/man/systemd-backlight@.service.html).
systemd-backlight:
- is a systemd service
- manages /var/lib/systemd/backlight/
- reads udev device properties to find ID_BACKLIGHT_CLAMP
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Remove file context aliases and update file context paths to use the /run filesystem path.
Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock