Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Policy for allowing starting/stopping of services #190

Closed
9 of 12 tasks
ghost opened this issue Aug 2, 2015 · 4 comments
Closed
9 of 12 tasks

Policy for allowing starting/stopping of services #190

ghost opened this issue Aug 2, 2015 · 4 comments
Labels
High Priority selinux
Milestone
RHEL_7-Beta

Comments

@ghost
Copy link

ghost commented Aug 2, 2015

This is the parent issue for systemctl policy. To see enabled services, run
systemctl list-unit-files -t service|grep enabled

The following services exist, and if checked, don't need or already have valid policy.
@ghost ghost added this to the RHEL_7-Beta milestone Aug 2, 2015
@mpalmi mpalmi changed the title Policy for allowing starting/stoping of services Policy for allowing starting/stopping of services Aug 3, 2015
@mpalmi mpalmi mentioned this issue Aug 5, 2015
Closed
mpalmi added a commit to mpalmi/clip that referenced this issue Aug 5, 2015
@mpalmi
Issue OwlCyberDefense#190 - Fix up service-related policy
f9578cb 
- Move "service" access vector to logical location and add comments
- Fix systemd unit service naming schemes and get rid of redundant interfaces
- Add some toor policy for starting/stopping services
- Let staff_t talk to init through dbus
mpalmi added a commit to mpalmi/clip that referenced this issue Aug 7, 2015
@mpalmi
Issue OwlCyberDefense#190 - Fix up service-related policy
a2d2e1f 
- Move "service" access vector to logical location and add comments
- Fix systemd unit service naming schemes and get rid of redundant interfaces
- Add some toor policy for starting/stopping services
- Let staff_t talk to init through dbus
mpalmi added a commit to mpalmi/clip that referenced this issue Aug 7, 2015
@mpalmi
Issue OwlCyberDefense#190 - Fix up service-related policy
e1ac60a 
- Move "service" access vector to logical location and add comments
- Fix systemd unit service naming schemes and get rid of redundant interfaces
- Add some toor policy for starting/stopping services
- Let staff_t talk to init through dbus
@mpalmi mpalmi mentioned this issue Aug 7, 2015
Closed
@mpalmi
Copy link
Contributor

mpalmi commented Aug 7, 2015

Updated subtickets as appropriate.
All services seem to start/stop without issue, with the exception of firewalld and sshd.

Some notes:

  • firewalld still seems to stop/start (verified with systemctl status firewalld.service), but appears to do so with errors in Enforcing.
  • We may not want to write policy for sshd, since the package will not be in a Production build.
  • I am able to run systemctl status foo.service as well.
  • I am currently unable to run systemctl list-units. Additionally, I do not get denials when running systemctl list-units in Permissive (which works), even after rebuilding a non-dontaudit policy semodule -DB. I do not see any "suppressed" messages, and have attempted flushing out the policy, in the event that the denial was hitting the cache and just not displaying.
  • Testing was done on a Permissive build by first sudoing and then switching to Enforcing.
  • We are still not able to sudo in Enforcing.

@ghost
Copy link
Author

ghost commented Aug 8, 2015

Thanks @mpalmi. And I agree about sshd, I will close that issue out now.

@ghost
Copy link
Author

ghost commented Aug 28, 2015

@mpalmi Should we check for any denials on boot with systemd-readahead*?

@mpalmi
Copy link
Contributor

mpalmi commented Aug 28, 2015

@ykhodorkovskiy yeah, I don't think I saw any for drop, but I'm not sure about start/status. Worth a check.

mpalmi added a commit to mpalmi/clip that referenced this issue Aug 28, 2015
@mpalmi
Issue OwlCyberDefense#190 - Fix up service-related policy
6ac0f5d 
- Move "service" access vector to logical location and add comments
- Fix systemd unit service naming schemes and get rid of redundant interfaces
- Add some toor policy for starting/stopping services
- Let staff_t talk to init through dbus
mpalmi added a commit to mpalmi/clip that referenced this issue Sep 2, 2015
@mpalmi
Issue OwlCyberDefense#190 - Fix up service-related policy
eddd52f 
- Move "service" access vector to logical location and add comments
- Fix systemd unit service naming schemes and get rid of redundant interfaces
- Add some toor policy for starting/stopping services
- Let staff_t talk to init through dbus
mpalmi added a commit to mpalmi/clip that referenced this issue Sep 2, 2015
@mpalmi
Issue OwlCyberDefense#190 - Fix up service-related policy
2d68e30 
- Move "service" access vector to logical location and add comments
- Fix systemd unit service naming schemes and get rid of redundant interfaces
- Add some toor policy for starting/stopping services
- Let staff_t talk to init through dbus
@ghost ghost closed this as completed Sep 2, 2015
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
High Priority selinux
Projects
None yet
Milestone
RHEL_7-Beta
Development

No branches or pull requests
1 participant
@mpalmi