Add systemd access vectors.

author: Chris PeBenito <cpebenito@tresys.com> 2015-10-20 11:29:11 -0400
committer: Jason Zaman <jason@perfinion.com> 2015-10-26 11:35:39 +0800
commit: 968134591ae36b6064488b8ed9d7082aad03101b (patch)
tree: acfdc81dad034d2ef92a0aaf474a0c32b4c715c9 /policy/flask
parent: Add systemd build option. (diff)
download: hardened-refpolicy-968134591ae36b6064488b8ed9d7082aad03101b.tar.gz
hardened-refpolicy-968134591ae36b6064488b8ed9d7082aad03101b.tar.bz2
hardened-refpolicy-968134591ae36b6064488b8ed9d7082aad03101b.zip
2 files changed, 23 insertions, 0 deletions
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 056cdd7c..3fe2bb96 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -393,6 +393,17 @@ class system
 	syslog_mod
 	syslog_console
 	module_request
+
+	# these are overloaded userspace
+	# permissions from systemd
+	halt
+	reboot
+	status
+	start
+	stop
+	enable
+	disable
+	reload
 }
 
 #
@@ -910,3 +921,13 @@ inherits database
 	implement
 	execute
 }
+
+class service
+{
+	start
+	stop
+	status
+	reload
+	enable
+	disable
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 8bc5d4ed..8b6f1ed3 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -145,4 +145,6 @@ class db_view			# userspace
 class db_sequence		# userspace
 class db_language		# userspace
 
+class service			# userspace
+
 # FLASK
author	Chris PeBenito <cpebenito@tresys.com>	2015-10-20 11:29:11 -0400
committer	Jason Zaman <jason@perfinion.com>	2015-10-26 11:35:39 +0800
commit	968134591ae36b6064488b8ed9d7082aad03101b (patch)
tree	acfdc81dad034d2ef92a0aaf474a0c32b4c715c9 /policy/flask
parent	Add systemd build option. (diff)
download	hardened-refpolicy-968134591ae36b6064488b8ed9d7082aad03101b.tar.gz hardened-refpolicy-968134591ae36b6064488b8ed9d7082aad03101b.tar.bz2 hardened-refpolicy-968134591ae36b6064488b8ed9d7082aad03101b.zip