Add systemd_unit file handling along with httpd just to try this out
authorDan Walsh <dwalsh@redhat.com>
Tue, 19 Jul 2011 20:38:13 +0000 (16:38 -0400)
committerDan Walsh <dwalsh@redhat.com>
Tue, 19 Jul 2011 20:38:13 +0000 (16:38 -0400)
policy/modules/roles/unconfineduser.te
policy/modules/services/apache.fc
policy/modules/services/apache.if
policy/modules/services/apache.te
policy/modules/system/systemd.if
policy/modules/system/unconfined.if
policy/modules/system/userdomain.if
policy/support/obj_perm_sets.spt

index 230d3704db119f3388965d06b8a1c5284779ad8e..99f35d5f6331e6c08b40f2f271733ae2dfe6b71a 100644 (file)
@@ -120,6 +120,8 @@ libs_run_ldconfig(unconfined_t, unconfined_r)
 logging_send_syslog_msg(unconfined_t)
 logging_run_auditctl(unconfined_t, unconfined_r)
 
+systemd_config_all_services(unconfined_t)
+
 optional_policy(`
        mount_run_unconfined(unconfined_t, unconfined_r)
        # Unconfined running as system_r
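Review bot: The new `systemd_config_all_services(unconfined_t)` call is the only module interface in this hunk that is not wrapped in `optional_policy`, unlike the `mount_run_unconfined` call just below it, so it turns the systemd module into a hard build dependency of unconfineduser.te. If unconfined_t also goes through `unconfined_domain()` (not visible here), the same grant is already added to `unconfined_domain_noaudit` by this commit and this line is redundant. Either drop it or write it as `optional_policy(` / `systemd_config_all_services(unconfined_t)` / `')` to match the surrounding style.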
index 0145f7c3d288d8b38b5ad0cce86865d6fd7b92b9..8de44ba829580b4966d4f347cdade8f6e9b01dd8 100644 (file)
@@ -21,6 +21,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
 /etc/vhosts                    --      gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/zabbix/web(/.*)?                  gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
+/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
 /srv/([^/]*/)?www(/.*)?                        gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)?                    gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
index b32b10ea96b0dcf187e4a53ae136ab8c29fc53b2..d38ce74f3a019fddb0301e33f219210fc492ed3c 100644 (file)
@@ -1363,6 +1363,7 @@ interface(`apache_admin',`
                type httpd_modules_t, httpd_lock_t, httpd_bool_t;
                type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
                type httpd_suexec_tmp_t, httpd_tmp_t;
+               type httpd_systemd_unit_t;
        ')
 
        allow $1 httpd_t:process { ptrace signal_perms };
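Review bot: The added require `type httpd_systemd_unit_t;` names a type that nothing in this commit declares; apache.te declares `httpd_unit_t` and apache.fc uses `httpd_unit_file_t`, so apache_admin will fail to link. The name should match the declaration in apache.te, e.g. `type httpd_unit_file_t;` if that is the spelling kept there. The rest of the `apache_admin` interface body lies outside this hunk.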
@@ -1400,6 +1401,8 @@ interface(`apache_admin',`
        admin_pattern($1, httpd_php_tmp_t)
        admin_pattern($1, httpd_suexec_tmp_t)
 
+       allow $1 httpd_systemd_unit_t:service all_service_perms;
+
        ifdef(`TODO',`
                apache_set_booleans($1, $2, $3, httpd_bool_t)
                seutil_setsebool_role_template($1, $3, $2)
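Review bot: `allow $1 httpd_systemd_unit_t:service all_service_perms;` uses a type name that is not declared anywhere in this commit (apache.te introduces `httpd_unit_t`, apache.fc labels `httpd_unit_file_t`), so the rule cannot compile until the three files agree; with the fc spelling it would read `allow $1 httpd_unit_file_t:service all_service_perms;`. It would also help to say what the rule is for, e.g. `# start/stop/status/reload/kill the httpd unit via systemd`, since the neighbouring admin_pattern calls are about files rather than service control. The enclosing `apache_admin` interface continues beyond this hunk.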
index edeae62c57818be447a04546d78941353e25cbcd..8115e0e879f2b91157bdae15b280785da6861cbf 100644 (file)
@@ -242,6 +242,9 @@ role system_r types httpd_helper_t;
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
 
+type httpd_unit_t;
+systemd_unit_file(httpd_unit_t)
+
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
index 16371dfc0ad6c6c9184a069052f93f5254453a1f..67fcd262c02d7cb708c4e10863ee4bebe188befc 100644 (file)
@@ -342,3 +342,24 @@ interface(`systemd_logger_stream_connect',`
 
        allow $1 systemd_logger_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##     Allow the specified domain to connect to
+##     systemd_logger with a unix socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_config_all_services',`
+       gen_require(`
+               attribute systemd_unit_file_type;
+       ')
+
+       allow $1 systemd_unit_file_type:service all_service_perms;
+')
+
+
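Review bot: The XML summary on the new `systemd_config_all_services` interface is copied from `systemd_logger_stream_connect` above it and describes connecting to systemd_logger over a unix socket, which is not what the rule does; the rule grants start/stop/status/reload/kill on every type carrying `systemd_unit_file_type`. Replace the summary with something like `Allow the specified domain to start, stop, reload, kill and query the status of all systemd services (every type with the systemd_unit_file_type attribute).` Given how broad that grant is, the doc should say so explicitly, and the name (`config`) is worth a second look since the permissions are runtime control of services rather than editing unit files. The hunk also appends two blank lines at end of file.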
index 9f3c1c123b6098414f5cd6180a44a436d4c634c6..a56f5422a02e493da95931ef9d1c8692c0cde95e 100644 (file)
@@ -50,6 +50,7 @@ interface(`unconfined_domain_noaudit',`
        files_unconfined($1)
        fs_unconfined($1)
        selinux_unconfined($1)
+       systemd_config_all_services($1)
 
        domain_mmap_low($1)
 
index b0955cf38bf5ffafc0e6a0831c795700dafc4f49..181ada4e37be33e9064113790e3be0ce76852d67 100644 (file)
@@ -1466,6 +1466,8 @@ template(`userdom_admin_user_template',`
        # But presently necessary for installing the file_contexts file.
        seutil_manage_bin_policy($1_t)
 
+       systemd_config_all_services($1_t)
+
        userdom_manage_user_home_content_dirs($1_t)
        userdom_manage_user_home_content_files($1_t)
        userdom_manage_user_home_content_symlinks($1_t)
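Review bot: The new `systemd_config_all_services($1_t)` hands every domain built from `userdom_admin_user_template` start/stop/kill over all unit file types, which is broader than the per-service grant this same commit adds to `apache_admin` and makes the per-service `*_admin` service rules moot for templated admin users; if that is intended it deserves a comment, e.g. `# admin users may control every systemd service`, placed where the neighbouring seutil comment explains its own over-grant. As with the other call sites, consider an `optional_policy` wrapper unless systemd is a base module here. The template continues well beyond this hunk.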
index 184f238e248ab4fd1a39407c9c007ba343760b1a..fb625552f69d880ff1b2a87faf7ea7239a4d869d 100644 (file)
@@ -334,4 +334,5 @@ define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid k
 define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
 define(`all_dbus_perms', `{ acquire_svc send_msg } ')
 define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_service_perms', `{ start stop status reload kill } ')
 define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')