From eedf23b82b8bcc81a11a0b35ca65512c3fbfa535 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 19 Jul 2011 16:38:13 -0400
Subject: [PATCH] Add systemd_unit file handling along with httpd just to try this out
---
 policy/modules/roles/unconfineduser.te | 2 ++
 policy/modules/services/apache.fc | 2 ++
 policy/modules/services/apache.if | 3 +++
 policy/modules/services/apache.te | 3 +++
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/unconfined.if | 1 +
 policy/modules/system/userdomain.if | 2 ++
 policy/support/obj_perm_sets.spt | 1 +
 8 files changed, 35 insertions(+)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 230d3704..99f35d5f 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -120,6 +120,8 @@ libs_run_ldconfig(unconfined_t, unconfined_r)
 logging_send_syslog_msg(unconfined_t)
 logging_run_auditctl(unconfined_t, unconfined_r)
 
+systemd_config_all_services(unconfined_t)
+
 optional_policy(`
 mount_run_unconfined(unconfined_t, unconfined_r)
 # Unconfined running as system_r
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 0145f7c3..8de44ba8 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -21,6 +21,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
 /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
+/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
 /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index b32b10ea..d38ce74f 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
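Review bot: `systemd_config_all_services(unconfined_t)` is added at top level of unconfineduser.te while the same patch also adds that call to `unconfined_domain_noaudit()` in unconfined.if; if unconfined_t reaches `unconfined_domain_noaudit()` (the usual arrangement for this domain, though not visible in the hunk), the line here is redundant and one of the two sites should be dropped. Keeping the grant in `unconfined_domain_noaudit()` alone also keeps class-level systemd rules out of the role file. The `optional_policy(` block that follows the added lines closes outside the hunk.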
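Review bot: The unit-file type is spelled three different ways in this patch: `httpd_unit_file_t` in the apache.fc entry here, `httpd_unit_t` in the apache.te declaration (`type httpd_unit_t;` / `systemd_unit_file(httpd_unit_t)`), and `httpd_systemd_unit_t` in both apache.if hunks of `apache_admin`. Only `httpd_unit_t` is actually declared, so the file context will not resolve at relabel time and the `gen_require` in apache.if will fail on an unknown type; pick one name, e.g. `httpd_unit_file_t` as used in this .fc line, and use it in all three files. The `.?` in `httpd.?\.service` matches any single character, not just a digit; if the intent is to catch only `httpd.service` plus a numbered variant, a character class would be more precise, but I may be guessing the intent.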
@@ -1363,6 +1363,7 @@ interface(`apache_admin',`
 type httpd_modules_t, httpd_lock_t, httpd_bool_t;
 type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
 type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_systemd_unit_t;
 ')
 
 allow $1 httpd_t:process { ptrace signal_perms };
@@ -1400,6 +1401,8 @@ interface(`apache_admin',`
 admin_pattern($1, httpd_php_tmp_t)
 admin_pattern($1, httpd_suexec_tmp_t)
 
+ allow $1 httpd_systemd_unit_t:service all_service_perms;
+
 ifdef(`TODO',`
 apache_set_booleans($1, $2, $3, httpd_bool_t)
 seutil_setsebool_role_template($1, $3, $2)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index edeae62c..8115e0e8 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -242,6 +242,9 @@ role system_r types httpd_helper_t;
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
 
+type httpd_unit_t;
+systemd_unit_file(httpd_unit_t)
+
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 16371dfc..67fcd262 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -342,3 +342,24 @@ interface(`systemd_logger_stream_connect',`
 allow $1 systemd_logger_t:unix_stream_socket connectto;
 ')
 
+
+########################################
+##
+## Allow the specified domain to connect to
+## systemd_logger with a unix socket.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_config_all_services',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ allow $1 systemd_unit_file_type:service all_service_perms;
+')
+
+
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 9f3c1c12..a56f5422 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
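Review bot: `allow $1 httpd_systemd_unit_t:service all_service_perms;` in the second apache.if hunk puts a raw `service`-class rule into apache.if, whereas every other line of `apache_admin` in the hunk goes through an interface (`admin_pattern`, `apache_set_booleans`, `seutil_setsebool_role_template`). The systemd module owns that class; it should export a per-unit-type interface next to `systemd_config_all_services` (something like `systemd_config_unit_file($1, <unit type>)` — name constructed here) and apache.if should call that, so a later change to the permission set only touches systemd.if. `apache_admin` begins and ends outside both hunks.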
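Review bot: The doc block above `systemd_config_all_services` in systemd.if is copied from `systemd_logger_stream_connect` — "Allow the specified domain to connect to systemd_logger with a unix socket" does not describe this interface; replace the summary with `Allow the specified domain to start, stop, status, reload and kill every systemd unit file type (all_service_perms on the service class).` (the XML tags of the block also appear to have been lost in this rendering and should be checked in the actual file). The interface requires `attribute systemd_unit_file_type`, which nothing in this patch declares or assigns; presumably the existing `systemd_unit_file()` interface called from apache.te attaches it, but that should be confirmed. Since the set grants `stop` and `kill`, the "config" in the name understates what is allowed; a name reflecting management would be clearer. The two added blank lines at end of file can be dropped.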
@@ -50,6 +50,7 @@ interface(`unconfined_domain_noaudit',`
 files_unconfined($1)
 fs_unconfined($1)
 selinux_unconfined($1)
+ systemd_config_all_services($1)
 
 domain_mmap_low($1)
 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b0955cf3..181ada4e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1466,6 +1466,8 @@ template(`userdom_admin_user_template',`
 # But presently necessary for installing the file_contexts file.
 seutil_manage_bin_policy($1_t)
 
+ systemd_config_all_services($1_t)
+
 userdom_manage_user_home_content_dirs($1_t)
 userdom_manage_user_home_content_files($1_t)
 userdom_manage_user_home_content_symlinks($1_t)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 184f238e..fb625552 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -334,4 +334,5 @@ define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid k
 define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
 define(`all_dbus_perms', `{ acquire_svc send_msg } ')
 define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_service_perms', `{ start stop status reload kill } ')
 define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
-- 
2.47.2
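Review bot: `define(\`all_service_perms', \`{ start stop status reload kill } ')` only compiles if the `service` object class and these five permissions are already declared in the policy's flask definitions (security_classes / access_vectors), which this patch does not touch; confirm they exist in this tree before merging, since every caller added here (`systemd_config_all_services`, `apache_admin`) expands to this set. As with the neighbouring `all_*_perms` sets, the list should be kept in step with the class definition so that `all_` keeps meaning all. Placing it between `all_passwd_perms` and `all_association_perms` follows the existing (non-alphabetical) order of the file.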