Re: [PATCH] Add interface to create unit files with specified type via filetrans.

On 1/12/19 2:30 PM, Chris PeBenito wrote:
> On 1/11/19 10:30 AM, Sugar, David wrote:
>> This is adding an interface to perform a filetrans when creating
>> systemd unit files (in systemd_unit_t directory).  Something like this
>> is required if creating new unit files for systemd and you want them
>> to have something other than the generic systemd_unit_t type.
> 
> I'm not against this change, but why wouldn't they be installed by the 
> package manager?  It seems less likely that this would be otherwise needed.
> 
> 
In this case the service files were being created by a system 
configuration program.  I have updated the way this works to have 
default service files installed by the package manager and the service 
disabled.  Then the configuration program just updates as needed and 
enables the service.  This will work without this change in reference 
policy.

This patch can be discarded.

>> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
>> ---
>>   policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
>>   1 file changed, 34 insertions(+)
>>
>> diff --git a/policy/modules/system/init.if 
>> b/policy/modules/system/init.if
>> index 5beb21e9..caed4867 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
>>       allow $1 { init_script_file_type systemdunit }:service reload;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Create systemd_unit_t objects with a private
>> +##    type using a type_transition.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +## <param name="file_type">
>> +##    <summary>
>> +##    Private file type.
>> +##    </summary>
>> +## </param>
>> +## <param name="class">
>> +##    <summary>
>> +##    Object classes to be created.
>> +##    </summary>
>> +## </param>
>> +## <param name="name" optional="true">
>> +##    <summary>
>> +##    The name of the object being created.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`init_unit_filetrans',`
>> +    gen_require(`
>> +        type systemd_unit_t;
>> +    ')
>> +
>> +    filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##      Allow unconfined access to send instructions to init
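
Review bot: the <summary> for init_unit_filetrans reads "Create systemd_unit_t objects with a private type", but in filetrans_pattern($1, systemd_unit_t, $2, $3, $4) the new object gets the private type $2, and systemd_unit_t is only the type of the directory it is created in, as the commit message itself says ("in systemd_unit_t directory"). Suggest rewording the summary to something like "Create objects in systemd unit directories with a private type using a type_transition", so a caller does not read it as producing systemd_unit_t-labeled files. The "file_type" param description could likewise say it is the type the new unit file will be labeled with.
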
>>
> 
> 