Issue OwlCyberDefense#86: Get CLIP RHEL7 booting in Enforcing

- Separate systemd-service forks into their own contexts - Use existing policy for the following: contrib/readahead (systemd-readahead) contrib/shutdown (systemd-shutdown) system/fstools (systemd-fsck) system/hostname (systemd-hostname) system/logging (systemd-journald) - Add some file_contexts.subs_dist mappings - Label some unlabeled files - Make semanage_t an init_system_domain, so initrc_t can transition to semanage and run genhomedircon. - Begin labeling unit files
mpalmi · Feb 14, 2015 · 849fec2 · 849fec2
1 parent 3d556c1
commit 849fec2
Show file tree

Hide file tree

Showing 25 changed files with 311 additions and 42 deletions.
diff --git a/packages/clip-selinux-policy/20140512.zip b/packages/clip-selinux-policy/20140512.zip
diff --git a/packages/clip-selinux-policy/clip-selinux-policy.spec b/packages/clip-selinux-policy/clip-selinux-policy.spec
@@ -128,7 +128,7 @@ fi
 
 %define loadpolicy() \
 . %{_sysconfdir}/selinux/config; \
-( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 ); \
+( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 | /bin/tee /tmp/load_policy.log ); \
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@@ -246,12 +246,13 @@ Based off of reference policy refpolicy-2.20110726.tar.bz2
 packages=`cat /usr/share/selinux/clip/modules.lst`
 if [ $1 -eq 1 ]; then
    %loadpolicy clip $packages
-   restorecon -R /root /var/log /var/run 2> /dev/null
+   restorecon -R /root /var/log /var/run
 else
 #   semodule -n -s clip 2>/dev/null
    %loadpolicy clip $packages
    %relabel clip
 fi
+
 touch /.autorelabel
 exit 0
 

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/Makefile b/packages/clip-selinux-policy/clip-selinux-policy/Makefile
@@ -181,11 +181,6 @@ ifeq "$(TYPE)" "mcs"
 	gennetfilter += -c
 endif
 
-# enable systemd policy
-ifeq "$(INIT)" "systemd"
-        M4PARAM += -D init_systemd
-endif
-
 # enable distribution-specific policy
 ifneq ($(DISTRO),)
 	M4PARAM += -D distro_$(DISTRO)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/build.conf b/packages/clip-selinux-policy/clip-selinux-policy/build.conf
@@ -27,7 +27,7 @@ NAME = refpolicy
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = redhat
 
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/config/file_contexts.subs_dist b/packages/clip-selinux-policy/clip-selinux-policy/config/file_contexts.subs_dist
@@ -9,6 +9,7 @@
 # example, but aliasing.
 # 
 /etc/init.d /etc/rc.d/init.d
+/etc/systemd/system /usr/lib/systemd/system
 /lib/systemd /usr/lib/systemd
 /lib32 /lib
 /lib64 /lib
@@ -20,3 +21,5 @@
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
 /var/run/lock /var/lock
+/usr/bin /bin
+/usr/sbin /sbin
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf
@@ -1007,7 +1007,7 @@ cgroup = off
 #
 # Chrony NTP background daemon
 # 
-chronyd = off
+chronyd = module
 
 # Layer: services
 # Module: cipe
@@ -1147,7 +1147,7 @@ dbskk = off
 #
 # Desktop messaging bus
 # 
-dbus = off
+dbus = module
 
 # Layer: services
 # Module: dcc
@@ -1182,7 +1182,7 @@ devicekit = off
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
-dhcp = off
+dhcp = module
 
 # Layer: services
 # Module: dictd
@@ -2351,6 +2351,12 @@ hotplug = off
 # 
 init = base
 
+# Layer: system
+# Module: systemd
+# 
+# Policy for systemd
+systemd = base
+
 # Layer: system
 # Module: ipsec
 #
@@ -2491,3 +2497,9 @@ userdomain = base
 # 
 xen = off
 
+# Layer: contrib
+# Module: firewalld
+#
+# Policy for firewalld.
+firewalld = module
+
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.fc
@@ -2,6 +2,8 @@
 
 /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
 
+/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+
 /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 
 /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.te
@@ -33,11 +33,17 @@ files_pid_file(chronyd_var_run_t)
 #
 
 allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+#uncomment this if it works after testing in enforcing
+#dontaudit chronyd_t self:capability fsetid;
 allow chronyd_t self:process { getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
 
 allow chronyd_t chronyd_keys_t:file read_file_perms;
+# allow chronyd to create key if not present
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+# allow chronyd to change perms to not be world readable
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
 
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
 manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -61,6 +67,10 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
+kernel_read_crypto_sysctls(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
 
 corenet_all_recvfrom_unlabeled(chronyd_t)
 corenet_all_recvfrom_netlabel(chronyd_t)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/cron.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/cron.fc
@@ -1,8 +1,13 @@
+/bin/(f)?crontab	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+
 /etc/rc\.d/init\.d/(anacron|atd)	--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 
 /etc/cron\.d(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /etc/crontab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
+/sbin/anacron	--	gen_context(system_u:object_r:anacron_exec_t,s0)
+/sbin/cron(d)?	--	gen_context(system_u:object_r:crond_exec_t,s0)
+
 /usr/bin/at	--	gen_context(system_u:object_r:crontab_exec_t,s0)
 /usr/bin/(f)?crontab	--	gen_context(system_u:object_r:crontab_exec_t,s0)
 

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/dhcp.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/dhcp.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
+/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
 /usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
 /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/firewalld.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/firewalld.fc
@@ -2,7 +2,9 @@
 
 /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 
-/usr/sbin/firewalld	--	gen_context(system_u:object_r:firewalld_exec_t,s0)
+/sbin/firewalld	--	gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/usr/sbin/firewalld	    --	gen_context(system_u:object_r:firewalld_exec_t,s0)
 
 /var/log/firewalld.*	--	gen_context(system_u:object_r:firewalld_var_log_t,s0)
 

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc
@@ -2,6 +2,8 @@
 
 /usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 
+/usr/lib/systemd/systemd-readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
 /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
 
 /var/run/readahead.*	gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc
@@ -6,6 +6,8 @@
 
 /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 
+/usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
 /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /var/run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/corecommands.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/corecommands.fc
@@ -234,7 +234,6 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/lib/systemd/systemd-random-seed -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/services/ssh.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/services/ssh.fc
@@ -1,8 +1,12 @@
 HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
+/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
 
+/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
+
 /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/clock.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/clock.fc
@@ -1,5 +1,5 @@
 
 /etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
 
-/sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
 
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/fstools.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/fstools.fc
@@ -48,6 +48,8 @@
 /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
+/usr/lib/systemd/systemd-fsck	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+
 /usr/sbin/addpart	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/delpart	--	gen_context(system_u:object_r:fsadm_exec_t,s0)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/hostname.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/hostname.fc
@@ -1,2 +1,3 @@
 
 /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te
@@ -209,6 +209,9 @@ ifdef(`init_systemd',`
 
 	selinux_compute_create_context(init_t)
 	selinux_compute_access_vector(init_t)
+	seutil_read_file_contexts(init_t)
+
+	systemd_read_unitfile_files(init_t)
 
 	logging_send_audit_msgs(init_t)
 
@@ -488,6 +491,9 @@ modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)
 
 seutil_read_config(initrc_t)
+seutil_domtrans_setfiles(initrc_t)
+logging_domtrans_auditd(initrc_t)
+logging_domtrans_auditctl(initrc_t)
 
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/lvm.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/lvm.fc
@@ -45,7 +45,10 @@ ifdef(`distro_gentoo',`
 /sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvm\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmconf       --  gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmdiskscan	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmdump   	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmetad       --  gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -92,6 +95,8 @@ ifdef(`distro_gentoo',`
 /usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
 #
 # /var
 #

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.fc
@@ -1,5 +1,11 @@
 # SELinux userland utilities
 
+#
+# /bin
+#
+/bin/checkpolicy		--	gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+/bin/newrole		--	gen_context(system_u:object_r:newrole_exec_t,s0)
+
 #
 # /etc
 #
@@ -24,8 +30,11 @@
 #
 /sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
 /sbin/restorecon		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
 /sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
-
+/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 #
 # /usr
 #

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/selinuxutil.te
@@ -97,6 +97,7 @@ role run_init_roles types run_init_t;
 type semanage_t;
 type semanage_exec_t;
 application_domain(semanage_t, semanage_exec_t)
+init_system_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
 role semanage_roles types semanage_t;
 

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.fc
@@ -2,12 +2,42 @@
 
 /usr/bin/systemd-tmpfiles	--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 
-/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
-/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
-/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
-/usr/lib/systemd/systemd-logind	-- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
-/usr/lib/systemd/systemd-update-utmp -- gen_context(system_u:object_r:systemd_utmp_exec_t,s0)
-/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/catalog(/.*)?              gen_context(system_u:object_r:systemd_log_t,s0)
+/usr/lib/systemd/rhel-.*        --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system(/.*)?     gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system-generators(/.*)?    gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-shutdown(/.*)?    gen_context(system_u:object_r:systemd_shutdown_t,s0)
+/usr/lib/systemd/system-preset(/.*)?      gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/sshd.* --      gen_context(system_u:object_r:sshd_unit_file_t,s0)
+/usr/lib/systemd/system/ip6?tables.*  --  gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/user-generators(/.*)?    gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-preset(/.*)?      gen_context(system_u:object_r:systemd_unit_file_t,s0)
+
+
+/usr/lib/systemd/systemd-cgroups-agent  -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
+/usr/lib/systemd/systemd-localed        -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
+/usr/lib/systemd/systemd-logind         -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-update-utmp    -- gen_context(system_u:object_r:systemd_utmp_exec_t,s0)
+/usr/lib/systemd/systemd-coredump       -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-initctl        -- gen_context(system_u:object_r:systemd_initctl_exec_t,s0)
+/usr/lib/systemd/systemd-machined       -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-modules-load   -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
+/usr/lib/systemd/systemd-multi-seat-x   -- gen_context(system_u:object_r:systemd_multi_seat_x_exec_t,s0)
+/usr/lib/systemd/systemd-quotacheck     -- gen_context(system_u:object_r:systemd_quotacheck_exec_t,s0)
+/usr/lib/systemd/systemd-random-seed    -- gen_context(system_u:object_r:systemd_random_seed_exec_t,s0)
+/usr/lib/systemd/systemd-remount-fs     -- gen_context(system_u:object_r:systemd_remount_fs_exec_t,s0)
+/usr/lib/systemd/systemd-reply-password -- gen_context(system_u:object_r:systemd_reply_password_exec_t,s0)
+/usr/lib/systemd/systemd-shutdownd      -- gen_context(system_u:object_r:systemd_shutdownd_exec_t,s1)
+/usr/lib/systemd/systemd-sleep          -- gen_context(system_u:object_r:systemd_sleep_exec_t,s0)
+/usr/lib/systemd/systemd-sysctl         -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
+/usr/lib/systemd/systemd-timedated      -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
+/usr/lib/systemd/systemd-user-sessions  -- gen_context(system_u:object_r:systemd_user_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-vconsole-setup -- gen_context(system_u:object_r:systemd_vconsole_setup_exec_t,s0)
+/usr/lib/systemd/systemd-ac-power       -- gen_context(system_u:object_r:systemd_ac_power_exec_t,s0)
+/usr/lib/systemd/systemd-activate       -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+/usr/lib/systemd/systemd-backlight      -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+/usr/lib/systemd/systemd-binfmt         -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
+/usr/lib/systemd/systemd-bootchart      -- gen_context(system_u:object_r:systemd_bootchart_exec_t,s0)
 
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
Original file line number	Diff line number	Diff line change
		@@ -1,2 +1,3 @@

		/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
		/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:hostname_exec_t,s0)