Package: selinux-policy-default Version: 2:2.20140421-4 Followup-For: Bug #756729
Hello!

After some more reading (and some more understanding ;-) ) of the refpolicy I'm pretty sure that the reported problem is a result of a missing allow-rule. Therefore I prepared the attached patch which adds the missing rule.

The patch is against https://alioth.debian.org/anonscm/git/selinux/refpolicy.git commit 242a27cb910e7035d01347bea209010d51c2b727 which is (at the time of this writing) the master HEAD. I changed the already available patches 0050-systemd and 0080-misc-daemon to limit the number of patches.

This is the first time I'm sending a patch. Therefore I'm not sure if the formal things are correct. If you need another format or a patch against another version, just give notice. If you are interested, I can also try to provide a patch for Wheezy.

Kind regards
Andre

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
diff --git a/debian/changelog b/debian/changelog index 84e0a65..22e0a1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +refpolicy (2:2.20140421-5) unstable; urgency=medium + + [ Andreas Florath ] + * Allow udev_t to use systemd_unit_file_t to initialize, shutdown + and retreive status of devices. (Closes: #756729) + + -- To Be Filled In <t...@example.com> Sun, 10 Aug 2014 08:17:19 +0200 + refpolicy (2:2.20140421-4) unstable; urgency=medium * Team upload. diff --git a/debian/patches/0050-systemd b/debian/patches/0050-systemd index 5d989a6..3700d5a 100644 --- a/debian/patches/0050-systemd +++ b/debian/patches/0050-systemd @@ -2002,7 +2002,7 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.if =================================================================== --- /dev/null +++ refpolicy-2.20140421/policy/modules/system/systemd.if -@@ -0,0 +1,720 @@ +@@ -0,0 +1,739 @@ +## <summary>SELinux policy for systemd components</summary> + +####################################### @@ -2631,6 +2631,25 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.if + allow $1 systemd_unit_file_type:service all_service_perms; +') + ++######################################## ++## <summary> ++## Allow the specified domain to access start, stop and status ++## service perms for all unit files ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`systemd_config_sss_services',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ allow $1 systemd_unit_file_type:service { stop start status }; ++') ++ + +######################################## +## <summary> @@ -2762,7 +2781,7 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.te --- /dev/null +++ refpolicy-2.20140421/policy/modules/system/systemd.te @@ -0,0 +1,417 @@ -+policy_module(systemd, 1.0.0) ++policy_module(systemd, 1.0.1) + +####################################### +# 
@@ -2811,7 +2830,7 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.te +# type for systemd unit files +type systemd_unit_file_t; +systemd_unit_file(systemd_unit_file_t) -+allow init_t systemd_unit_file_t:service { stop start status }; ++systemd_config_sss_services(init_t) + +# executable for systemctl +type systemd_systemctl_exec_t; diff --git a/debian/patches/0080-misc-daemon b/debian/patches/0080-misc-daemon index 9398ef9..a5c115f 100644 --- a/debian/patches/0080-misc-daemon +++ b/debian/patches/0080-misc-daemon @@ -133,7 +133,22 @@ Index: refpolicy-2.20140421/policy/modules/system/udev.te =================================================================== --- refpolicy-2.20140421.orig/policy/modules/system/udev.te +++ refpolicy-2.20140421/policy/modules/system/udev.te -@@ -329,6 +329,7 @@ optional_policy(` +@@ -1,4 +1,4 @@ +-policy_module(udev, 1.17.1) ++policy_module(udev, 1.17.2) + + ######################################## + # +@@ -87,6 +87,8 @@ files_read_kernel_modules(udev_t) + init_search_pid_dirs(udev_t) + # for hdparm init script run by udev + initrc_service_status(udev_t) ++# for (hotplug) scripts run by udev ++systemd_config_sss_services(udev_t) + + kernel_getattr_core_if(udev_t) + kernel_use_fds(udev_t) +@@ -329,6 +331,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t)
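Review bot: the debian/changelog hunk still carries a placeholder trailer ("-- To Be Filled In <t...@example.com>") and a typo in the entry text ("retreive" should be "retrieve"); the trailer needs the uploader's real name and address before this entry can be used, and the version bump to 2:2.20140421-5 is normally left to whoever does the upload rather than fixed in a contributed patch.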
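Review bot: in the systemd.if hunk of 0050-systemd, the new interface name `systemd_config_sss_services` does not say what "sss" means; since the body is `allow $1 systemd_unit_file_type:service { stop start status };`, a name that spells out the permissions (for example `systemd_start_stop_status_all_units`) would match refpolicy's descriptive interface naming and make the later call sites in systemd.te and udev.te self-explanatory. The summary text should also be reworded from "access start, stop and status service perms" to "start, stop and get the status of all unit files" so it reads as a permission description.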
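Review bot: in the udev.te hunk of 0080-misc-daemon, `systemd_config_sss_services(udev_t)` is added unconditionally right after `initrc_service_status(udev_t)`; if the systemd policy introduced by 0050-systemd is built as a loadable module rather than as part of base, this cross-module call should be wrapped in an `optional_policy(` ... ')` block like the other optional calls further down (cf. the `@@ -329,6 +331,7 @@ optional_policy(` context), otherwise udev.te fails to link when the systemd module is not installed. Separately, the rule grants `{ stop start status }` on every `systemd_unit_file_type` to udev_t, which is wider than the "(hotplug) scripts run by udev" comment needs; if the scripts only manage specific units, a narrower interface taking the unit type as a parameter would keep udev_t from being able to stop arbitrary services, and it would be worth recording in the changelog which denial from #756729 this rule resolves.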