author | Chris PeBenito <cpebenito@tresys.com> | 2015-10-20 14:33:56 -0400 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2015-10-26 11:54:24 +0800 |
commit | eaa1a1b1454ce8ae38f2d84774b3047e9203efd9 (patch) | |
tree | 8f1427c842d9ed4a9121533739b35689636008cb | |
parent | Add rules for sysadm_r to manage the services. (diff) | |
Add systemd units for core refpolicy services.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with a conditional argument until
all refpolicy-contrib callers are updated.
-rw-r--r-- | policy/modules/kernel/files.if | 18 | ||||
-rw-r--r-- | policy/modules/services/postgresql.if | 4 | ||||
-rw-r--r-- | policy/modules/services/postgresql.te | 3 | ||||
-rw-r--r-- | policy/modules/system/init.if | 17 | ||||
-rw-r--r-- | policy/modules/system/init.te | 3 | ||||
-rw-r--r-- | policy/modules/system/ipsec.if | 3 | ||||
-rw-r--r-- | policy/modules/system/ipsec.te | 3 | ||||
-rw-r--r-- | policy/modules/system/iptables.fc | 5 | ||||
-rw-r--r-- | policy/modules/system/iptables.if | 4 | ||||
-rw-r--r-- | policy/modules/system/iptables.te | 3 | ||||
-rw-r--r-- | policy/modules/system/logging.fc | 2 | ||||
-rw-r--r-- | policy/modules/system/logging.if | 8 | ||||
-rw-r--r-- | policy/modules/system/logging.te | 6 | ||||
-rw-r--r-- | policy/modules/system/lvm.fc | 6 | ||||
-rw-r--r-- | policy/modules/system/lvm.if | 4 | ||||
-rw-r--r-- | policy/modules/system/lvm.te | 3 | ||||
-rw-r--r-- | policy/modules/system/setrans.if | 4 | ||||
-rw-r--r-- | policy/modules/system/setrans.te | 3 |
18 files changed, 86 insertions, 13 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe8..20acc0ee 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
 exec_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+## Get etc_t service status.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_get_etc_unit_status',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service status;
+')
+
 #######################################
 ## <summary>
 ## Relabel from and to generic files in /etc.
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 11526b6b..32e5d063 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
 type postgresql_t, postgresql_var_run_t;
 type postgresql_tmp_t, postgresql_db_t;
 type postgresql_etc_t, postgresql_log_t;
- type postgresql_initrc_exec_t;
+ type postgresql_initrc_exec_t, postgresql_unit_t;
 ')
 
 typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
 allow $1 postgresql_t:process { ptrace signal_perms };
 ps_process_pattern($1, postgresql_t)
 
- init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+ init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
 
 admin_pattern($1, postgresql_var_run_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b4ba0f1d..6844c354 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
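Review bot: The new `files_get_etc_unit_status` interface uses the `service` class with no `gen_require` for it, while the block this same commit adds to init.if requires `class service { start stop };` before its rule; the two should agree, so either `gen_require(` class service status; `)` belongs in this interface as well, or the init.if requirement is redundant. The summary "Get etc_t service status." also undersells what is granted: the rule allows `status` on every object labelled etc_t, not on one particular unit. A summary such as `## Get the status of services whose unit is labeled etc_t (all of etc_t, not a single unit).` would tell callers the scope of what they hand out.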
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508fa..cfe4bd46 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
 ## Labeled init script file.
 ## </summary>
 ## </param>
+## <param name="unit" optional="true">
+## <summary>
+## Systemd unit file type.
+## </summary>
+## </param>
 #
 interface(`init_startstop_service',`
 gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
 role_transition $2 $4 system_r;
 allow $2 system_r;
 ')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
 ')
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895f..79400f21 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@ ifdef(`init_systemd',`
 corecmd_shell_domtrans(init_t, initrc_t)
 files_read_boot_files(initrc_t)
+ # Allow initrc_t to check /etc/fstab "service." It appears that
+ # systemd is conflating files and services.
+ files_get_etc_unit_status(initrc_t)
 files_setattr_pid_dirs(initrc_t)
 selinux_set_enforce_mode(initrc_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 3d64054b..eec93e65 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
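Review bot: The `<param name="unit">` description in the first init.if hunk says only "Systemd unit file type.", but the rule added in the second hunk grants just `{ start stop }` on `$5` under `init_systemd` — nothing for `status`, `reload` or `enable` — so a caller reading the docs will expect more than `systemctl start`/`stop` to work. Suggest `## Systemd unit file type. Only start and stop are granted on the unit; status/reload/enable are not.` The new `ifdef(`init_systemd'` block is placed after an inner `')` and before two further closing `')`, and because init_startstop_service begins outside the hunk it is not visible here which branch of the enclosing structure it lands in; if that outer block is itself the non-systemd branch of an `ifdef(`init_systemd'`, the rule would never be emitted, so that placement is worth confirming.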
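Review bot: The comment on the new `files_get_etc_unit_status(initrc_t)` call in init.te describes it as checking the /etc/fstab "service", but the interface it calls allows `service status` on everything labelled etc_t, so the grant is broader than the comment says and the "conflating files and services" wording is a guess rather than an explanation. Presumably systemd performs the unit access check against the label of the file a generated unit came from, which for mount units generated from /etc/fstab is etc_t — that is inference and should be confirmed. A comment that records the scope and the reason would age better, e.g. `# systemd checks service:status on the label of the file a generated unit comes from; for /etc/fstab mount units that is etc_t. This grants status on all of etc_t, not just fstab.`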
@@ -393,12 +393,13 @@ interface(`ipsec_admin',`
 type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
 type ipsec_var_run_t, ipsec_mgmt_lock_t;
 type ipsec_mgmt_var_run_t, racoon_tmp_t;
+ type ipsec_unit_t;
 ')
 
 allow $1 ipsec_t:process { ptrace signal_perms };
 ps_process_pattern($1, ipsec_t)
 
- init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+ init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
 
 ipsec_exec_mgmt($1)
 ipsec_stream_connect($1)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3dd5c8b2..f08fd011 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
 type ipsec_tmp_t;
 files_tmp_file(ipsec_tmp_t)
 
+type ipsec_unit_t;
+init_unit_file(ipsec_unit_t)
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 73a1c4e1..b3eda3e5 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -14,6 +14,11 @@
 /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+
 /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 26ce647f..5d2b4065 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -185,13 +185,13 @@ interface(`iptables_manage_config',`
 interface(`iptables_admin',`
 gen_require(`
 type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
- type iptables_tmp_t, iptables_var_run_t;
+ type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
 ')
 
 allow $1 iptables_t:process { ptrace signal_perms };
 ps_process_pattern($1, iptables_t)
 
- init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
 
 files_list_etc($1)
 admin_pattern($1, iptables_conf_t)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 88406339..aa999fb0 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -22,6 +22,9 @@ files_config_file(iptables_conf_t)
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
+type iptables_unit_t;
+init_unit_file(iptables_unit_t)
+
 type iptables_var_run_t;
 files_pid_file(iptables_var_run_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index fb319d4f..e504aec4 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,8 @@
 /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6a279f3d..9ededbfe 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1043,7 +1043,7 @@ interface(`logging_admin_audit',`
 gen_require(`
 type auditd_t, auditd_etc_t, auditd_log_t;
 type auditd_var_run_t;
- type auditd_initrc_exec_t;
+ type auditd_initrc_exec_t, auditd_unit_t;
 ')
 
 allow $1 auditd_t:process { ptrace signal_perms };
@@ -1060,7 +1060,7 @@ interface(`logging_admin_audit',`
 logging_run_auditctl($1, $2)
 
- init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
+ init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
 ')
 
 ########################################
@@ -1086,7 +1086,7 @@ interface(`logging_admin_syslog',`
 type syslogd_tmp_t, syslogd_var_lib_t;
 type syslogd_var_run_t, klogd_var_run_t;
 type klogd_tmp_t, var_log_t;
- type syslogd_initrc_exec_t;
+ type syslogd_initrc_exec_t, syslogd_unit_t;
 ')
 
 allow $1 syslogd_t:process { ptrace signal_perms };
@@ -1115,7 +1115,7 @@ interface(`logging_admin_syslog',`
 logging_manage_all_logs($1)
 
- init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
+ init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
 ')
 
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6f7335e0..fd941ab4 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t)
 type auditd_initrc_exec_t;
 init_script_file(auditd_initrc_exec_t)
 
+type auditd_unit_t;
+init_unit_file(auditd_unit_t);
+
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
@@ -71,6 +74,9 @@ init_script_file(syslogd_initrc_exec_t)
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)
 
+type syslogd_unit_t;
+init_unit_file(syslogd_unit_t)
+
 type syslogd_var_lib_t;
 files_type(syslogd_var_lib_t)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index ea5ba341..83782b06 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
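Review bot: `init_unit_file(auditd_unit_t);` in the first logging.te hunk carries a trailing semicolon that none of the other `init_unit_file(...)` calls in this commit have — `init_unit_file(syslogd_unit_t)` in the next hunk, and the ipsec, iptables, lvm, postgresql and setrans .te files all omit it. The macro expansion already terminates its own statements, so the stray `;` is at best inconsistent and may be rejected by the policy compiler as an empty statement; drop it: `init_unit_file(auditd_unit_t)`.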
@@ -94,6 +94,12 @@ ifdef(`distro_gentoo',`
 #
 # /usr
 #
+
+/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+
 /usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 6561474a..5774034f 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -162,7 +162,7 @@ interface(`lvm_domtrans_clvmd',`
 #
 interface(`lvm_admin',`
 gen_require(`
- type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+ type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t;
 type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
 type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
 ')
@@ -170,7 +170,7 @@ interface(`lvm_admin',`
 allow $1 clvmd_t:process { ptrace signal_perms };
 ps_process_pattern($1, clvmd_t)
 
- init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+ init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
 
 files_search_etc($1)
 admin_pattern($1, lvm_etc_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f0bea032..61bd92b8 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -32,6 +32,9 @@ files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
 
+type lvm_unit_t;
+init_unit_file(lvm_unit_t)
+
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 2a8ecaad..9478dd9b 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
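Review bot: In the lvm.fc hunk, `/usr/lib/systemd/system/lvm2-lvmetad.*` is already matched by the `/usr/lib/systemd/system/lvm2-.*` entry on the line above it, with the same context, so the fourth entry is redundant and can be dropped. Separately, `lvm_admin` in lvm.if now passes `lvm_unit_t` to `init_startstop_service` next to `clvmd_initrc_exec_t`, but the units that lvm.fc labels lvm_unit_t are blk-availability, dm-event and lvm2-*, none of which is a clvmd unit, so the admin gains start/stop over the LVM and dm-event units rather than a clvmd equivalent. If that is the intent it deserves a line in lvm.if, e.g. `# lvm_unit_t covers the lvm2/dm-event units; there is no separate clvmd unit type`.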
@@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
 interface(`setrans_admin',`
 gen_require(`
 type setrans_t, setrans_initrc_exec_t;
- type setrans_var_run_t;
+ type setrans_var_run_t, setrans_unit_t;
 ')
 
 allow $1 setrans_t:process { ptrace signal_perms };
 ps_process_pattern($1, setrans_t)
 
- init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+ init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
 
 files_search_pids($1)
 admin_pattern($1, setrans_var_run_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2df8b53f..e4d4500b 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
 type setrans_initrc_exec_t;
 init_script_file(setrans_initrc_exec_t)
 
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
 type setrans_var_run_t;
 files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)