commit:     9ae8da19583774e0eccb52e8108e89dfaa513bd7
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Feb 20 13:24:56 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar  2 10:16:45 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae8da19

update init_ACTION_all_units

Under systemd, when a program ships only an init script and no systemd unit
file, systemd creates a pseudo service on the fly.
To be able to act on this service, add the target attribute 
init_script_file_type to the init_ACTION_all_units interfaces.

Useful for monit.

 policy/modules/system/init.if | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6a067ab2..195c5fa3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2843,11 +2843,11 @@ interface(`init_reload_generic_units',`
 #
 interface(`init_get_all_units_status',`
        gen_require(`
-               attribute systemdunit;
+               attribute init_script_file_type, systemdunit;
                class service status;
        ')
 
-       allow $1 systemdunit:service status;
+       allow $1 { init_script_file_type systemdunit }:service status;
 ')
 
 ########################################
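Review bot: Adding `init_script_file_type` to the target set in `allow $1 { init_script_file_type systemdunit }:service status;` widens the grant for every domain that already calls this interface, not only the monit case named in the description. The same applies to the `start`, `stop` and `reload` rules in init_start_all_units, init_stop_all_units and init_reload_all_units in the following hunks. The existing callers should be checked to confirm that each one is meant to act on services generated from init scripts, since start and stop over all of them is a broad privilege. The interface's `## <summary>` header lies outside the hunk; if it still speaks only of systemd units, it should read something like `Get status of all systemd units and of services generated from init scripts.` so policy authors see the real scope.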
@@ -2862,11 +2862,11 @@ interface(`init_get_all_units_status',`
 #
 interface(`init_start_all_units',`
        gen_require(`
-               attribute systemdunit;
+               attribute init_script_file_type, systemdunit;
                class service start;
        ')
 
-       allow $1 systemdunit:service start;
+       allow $1 { init_script_file_type systemdunit }:service start;
 ')
 
 ########################################
@@ -2881,11 +2881,11 @@ interface(`init_start_all_units',`
 #
 interface(`init_stop_all_units',`
        gen_require(`
-               attribute systemdunit;
+               attribute init_script_file_type, systemdunit;
                class service stop;
        ')
 
-       allow $1 systemdunit:service stop;
+       allow $1 { init_script_file_type systemdunit }:service stop;
 ')
 
 #######################################
@@ -2900,9 +2900,9 @@ interface(`init_stop_all_units',`
 #
 interface(`init_reload_all_units',`
        gen_require(`
-               attribute systemdunit;
+               attribute init_script_file_type, systemdunit;
                class service reload;
        ')
 
-       allow $1 systemdunit:service reload;
+       allow $1 { init_script_file_type systemdunit }:service reload;
 ')
