init/systemd: move systemd_manage_all_units to init_manage_all_units

The attribute systemdunit is defined in the file init.te, so interfaces granting access on it should be defined in init.if Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-08 19:54:48 +02:00 · 2020-05-08 19:54:48 +02:00 · d769c71848
commit d769c71848
parent e683d67f46
3 changed files with 24 additions and 9 deletions
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -3382,6 +3382,26 @@ interface(`init_reload_all_units',`
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')

+########################################
+## <summary>
+##	Manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_manage_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_dirs_pattern($1, systemdunit, systemdunit)
+	manage_files_pattern($1, systemdunit, systemdunit)
+	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
 ########################################
 ## <summary>
 ##      Allow unconfined access to send instructions to init
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -402,6 +402,7 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)

+	init_manage_all_unit_files(init_t)
 	init_read_script_state(init_t)

 	miscfiles_watch_localization(init_t)
@ -446,7 +447,6 @@ ifdef(`init_systemd',`
 	systemd_relabelto_tmpfiles_conf_files(init_t)
 	systemd_relabelto_journal_dirs(init_t)
 	systemd_relabelto_journal_files(init_t)
-	systemd_manage_all_units(init_t)
 	systemd_rw_networkd_netlink_route_sockets(init_t)

 	term_create_devpts_dirs(init_t)
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@ -524,7 +524,7 @@ interface(`systemd_manage_passwd_runtime_symlinks',`

 ########################################
 ## <summary>
-##      manage systemd unit dirs and the files in them
+##      manage systemd unit dirs and the files in them  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##      <summary>
@ -533,13 +533,8 @@ interface(`systemd_manage_passwd_runtime_symlinks',`
 ## </param>
 #
 interface(`systemd_manage_all_units',`
-	gen_require(`
-		attribute systemdunit;
-	')
-
-	manage_dirs_pattern($1, systemdunit, systemdunit)
-	manage_files_pattern($1, systemdunit, systemdunit)
-	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+	refpolicywarn(`$0() has been deprecated, use init_manage_all_unit_files() instead.')
+	init_manage_all_unit_files($1)
 ')

 ########################################