Improve the SELinux support in systemd, especially re-adding checks for
unit file operations, like enable, mask...

The original pull request can be found at
https://github.com/systemd/systemd/pull/10023

Patch 1 and 2 improve logging on failures in permissive mode.

Patch 3 adds the ability to obtain the context for a masked unit.

Patch 4 and 5 change several system and service checks. For better
distinction two new permissions are introduced: modify and listdynusers.

Patch 6 and 7 re-introduce checking unit file install operations. They
were dropped in 8faae625dc9b6322db452937f54176e56e65265a. For consistency
in the unexpected case while performing a service access check no path can
be gathered, now the check will still be executed on the service security
class (currently it switches to the system security class).

Patch 8 adds some notes for adding future D-Bus interfaces.

Christian Göttsche (8):
  selinux-util: increase log severity
  selinux-access: log warning on context acquisition failure
  core: bookkeeping withdrawal path of masked units
  core: add missing SELinux checks for dbus methods
  core: make SELinux access permissions more distinct
  core: add support for MAC checks on unit install operations
  core: implement the sd-bus generic callback for SELinux
  core: add notes to D-Bus interfaces about adding SELinux checks

 src/analyze/analyze.c        |  11 ++-
 src/basic/selinux-util.c     |   4 +-
 src/core/dbus-automount.c    |   3 +
 src/core/dbus-cgroup.c       |   3 +
 src/core/dbus-device.c       |   3 +
 src/core/dbus-execute.c      |   3 +
 src/core/dbus-job.c          |   7 ++
 src/core/dbus-kill.c         |   3 +
 src/core/dbus-manager.c      | 164 ++++++++++++++++++++++++++++-------
 src/core/dbus-mount.c        |   3 +
 src/core/dbus-path.c         |   3 +
 src/core/dbus-scope.c        |   3 +
 src/core/dbus-service.c      |   3 +
 src/core/dbus-slice.c        |   3 +
 src/core/dbus-socket.c       |   3 +
 src/core/dbus-swap.c         |   3 +
 src/core/dbus-target.c       |   3 +
 src/core/dbus-timer.c        |   3 +
 src/core/dbus-unit.c         |  14 ++-
 src/core/load-fragment.c     |  10 +++
 src/core/manager.c           |  10 ++-
 src/core/manager.h           |   2 +
 src/core/selinux-access.c    |  44 ++++++++--
 src/core/selinux-access.h    |  28 +++++-
 src/core/unit.c              |  13 ++-
 src/core/unit.h              |   3 +-
 src/shared/install.c         | 101 +++++++++++++++++----
 src/shared/install.h         |  42 ++++++---
 src/shared/unit-file.c       |  52 ++++++++---
 src/shared/unit-file.h       |   1 +
 src/systemctl/systemctl.c    |  28 +++---
 src/test/test-install-root.c |  86 +++++++++---------
 src/test/test-install.c      |  38 ++++----
 src/test/test-unit-file.c    |   8 +-
 34 files changed, 543 insertions(+), 165 deletions(-)

-- 
2.24.1