This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.
It has a number of changes needed by systemd_logind_t to set permissions for
local logins.
It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.
It has some changes for udev_t for systemd-udevd.
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.
Allow init_t to do several things that it requires when init is systemd.
Allow various operations on var_log_t to access var_log_t symlinks too.
Let auditd setattr it's directory.
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.
Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following has been in my tree for a few years. It allows initrc_t to stat
devices early in the boot process.
>From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
(device_t) early on boot, soon later the node context is properly reset
(debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
When ifdef systemd is enabled, some interfaces from systemd are called
unconditionally. This makes migrating from non-systemd to systemd
complicated since init is part of base and systemd is not so loading
fails. Moving them into optional_policy fixes this.
At early boot, I get the following messages in dmesg:
audit: type=1400 audit(1452851002.184:3): avc: denied { audit_read } for pid=1 comm="systemd" capability=37 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
systemd[1]: Listening on Journal Audit Socket.
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.
In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.
While at it, add filesystem_type attribute to nsfs_t.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
With init_daemon_pid_file supporting class parameters, all calls to
init_daemon_run_dir can now be transformed into init_daemon_pid_file
calls.
Update the init_daemon_run_dir interface so it gives a warning when
used, and use the init_daemon_pid_file interface underlyingly.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
