Package: selinux-policy-default
Version: 2:2.20140421-4
Followup-For: Bug #756729
Hello! While checking another problem, I found out that there is a 'special' feature in systemd: service files can be linked to /dev/null. (See e.g.: http://0pointer.de/blog/projects/three-levels-of-off) Therefore it must also be allowed to start, stop and status null_device_t. The new patch is attached. You can also pull it from this branch: https://github.com/flonatel/refpolicy-experimental/tree/bugfix/756729-udev-use-systemd-unit-files

Kind regards
Andre
diff --git a/debian/patches/1000-allow-udev-systemd_unit_file b/debian/patches/1000-allow-udev-systemd_unit_file new file mode 100644 index 0000000..8a6d638 --- /dev/null +++ b/debian/patches/1000-allow-udev-systemd_unit_file 
@@ -0,0 +1,81 @@ +There is the need for udev (hotplug) to run systemd_unit_file_type +programs like + /lib/systemd/system/[email protected] +which has the context + system_u:object_r:systemd_unit_file_t:SystemLow +in the same manner as the init scripts. +(init_t is e.g. used for 'auto eth0', udev_t for 'allow-hotplug eth0') + +Signed-off-by: Andreas Florath <[email protected]> + +Index: refpolicy-experimental/policy/modules/system/systemd.if +=================================================================== +--- refpolicy-experimental.orig/policy/modules/system/systemd.if ++++ refpolicy-experimental/policy/modules/system/systemd.if +@@ -626,6 +626,28 @@ interface(`systemd_config_all_services', + allow $1 systemd_unit_file_type:service all_service_perms; + ') + ++######################################## ++## <summary> ++## Allow the specified domain to access start, stop and status ++## service perms for all unit files ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`systemd_config_sss_services',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ type null_device_t; ++ ') ++ ++ allow $1 systemd_unit_file_type:service { stop start status }; ++ # There is a special feature in systemd, that unit files can be ++ # linked to /dev/null. 
++ allow $1 null_device_t:service { stop start status }; ++') + + ######################################## + ## <summary> +Index: refpolicy-experimental/policy/modules/system/systemd.te +=================================================================== +--- refpolicy-experimental.orig/policy/modules/system/systemd.te ++++ refpolicy-experimental/policy/modules/system/systemd.te +@@ -1,4 +1,4 @@ +-policy_module(systemd, 1.0.0) ++policy_module(systemd, 1.0.1) + + ####################################### + # +@@ -47,7 +47,7 @@ init_systemd_domain(systemd_notify_t, sy + # type for systemd unit files + type systemd_unit_file_t; + systemd_unit_file(systemd_unit_file_t) +-allow init_t systemd_unit_file_t:service { stop start status }; ++systemd_config_sss_services(init_t) + + # executable for systemctl + type systemd_systemctl_exec_t; +Index: refpolicy-experimental/policy/modules/system/udev.te +=================================================================== +--- refpolicy-experimental.orig/policy/modules/system/udev.te ++++ refpolicy-experimental/policy/modules/system/udev.te +@@ -1,4 +1,4 @@ +-policy_module(udev, 1.17.1) ++policy_module(udev, 1.17.2) + + ######################################## + # +@@ -87,6 +87,8 @@ files_read_kernel_modules(udev_t) + init_search_pid_dirs(udev_t) + # for hdparm init script run by udev + initrc_service_status(udev_t) ++# for (hotplug) script run by udev ++systemd_config_sss_services(udev_t) + + kernel_getattr_core_if(udev_t) + kernel_use_fds(udev_t) diff --git a/debian/patches/series b/debian/patches/series index 0707cc2..fb44d3e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -11,3 +11,4 @@ 0080-misc-daemon 0090-selinux 0100-chrome +1000-allow-udev-systemd_unit_file
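Review bot: replacing `allow init_t systemd_unit_file_t:service { stop start status };` with `systemd_config_sss_services(init_t)` in the systemd.te hunk widens init_t's access without saying so: the old rule covered only the `systemd_unit_file_t` type, while the interface grants `{ stop start status }` on the whole `systemd_unit_file_type` attribute and additionally on `null_device_t`. Either keep the original init_t rule and call the new interface only for `udev_t`, or state the broadening for init_t in the patch description. The udev.te hunk has the same documentation gap: the comment `# for (hotplug) script run by udev` describes one script, but `systemd_config_sss_services(udev_t)` lets udev start, stop and query every unit on the system, so the description should say that this system-wide grant is intended rather than a side effect.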
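Review bot: the interface name `systemd_config_sss_services` in the systemd.if hunk is not self-describing; the neighbouring `systemd_config_all_services` spells out what it grants, and a reader of udev.te cannot tell from `sss` that it means start/stop/status. A name that names the permissions (for example `systemd_start_stop_status_services`) would make the call sites readable. Minor: the `gen_require` pulls `type null_device_t;` from the devices module directly, which works but couples systemd.if to another module's private type; if a devices-module interface for the `service` class on `null_device_t` is not wanted, a short note in the `<summary>` that the interface also covers masked units would justify the direct require.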
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
