On 16/06/2016, 6:15 PM, "Miroslav Grepl" <mgrepl(a)redhat.com> wrote:
On 06/14/2016 02:52 AM, Douglas Brown wrote:
> Hi all,
>
> In the process of porting policies from RHEL 6 to 7, I’m having an issue
> with the shutdown_run interface.
>
> The trivial te file below compiles and loads fine on RHEL 6.7:
>
> policy_module(test, 0.1)
>
> require {
> role staff_r;
> type staff_t;
> }
>
> shutdown_run(staff_t, staff_r)
>
> However, there appears to be a bug in RHEL 7.2, because loading with
> semodule gives the error: "libsepol.print_missing_requirements: test's
> global requirements were not met: role shutdown_roles (No such file or
> directory)"
>
> After looking into this, curiously the interface has moved from
> /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm
> in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
> (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
>
> There’s also another issue in that shutdown_exec_t is used in the RHEL 7
> interface but it no longer exists because the shutdown binary has been
> replaced with a symlink to systemctl.
> Yes, the shutdown policy is no longer used. power_unit_file_t is being
> used for /usr/lib/systemd/system/shutdown.target to handle it as a service.

Thanks, the systemd_start_power_services interface works but produced these AVCs:
allow staff_t init_var_run_t:dir write;
allow staff_t power_unit_file_t:service status;
Cheers,
Doug
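For reference, a RHEL 7 version of the test module from the thread, written as an added example rather than anything posted above: it replaces shutdown_run() with the systemd_start_power_services() interface named in the reply (assumed here to take the caller domain as its single argument) and carries the two rules audit2allow would derive from the reported AVCs as raw allow rules, since the page names no interface that grants them.

```selinux
policy_module(test, 0.2)

require {
    role staff_r;
    type staff_t;
    # Types named in the two AVC denials reported in the thread.
    type init_var_run_t;
    type power_unit_file_t;
}

# RHEL 7: /sbin/shutdown is a symlink to systemctl, so the shutdown_t
# domain and shutdown_exec_t no longer exist. Starting power-related
# units (shutdown.target is labelled power_unit_file_t) goes through
# the systemd interface instead of shutdown_run().
systemd_start_power_services(staff_t)

# Rules matching the two denials seen after switching to the interface,
# written here as raw allow rules (what audit2allow emits). Check each
# against the audit log before keeping it: a dir write on init_var_run_t
# is broader than the service status check and may only need a dontaudit.
allow staff_t init_var_run_t:dir write;
allow staff_t power_unit_file_t:service status;
```

Build with the devel Makefile from /usr/share/selinux/devel and load with semodule, then confirm the denials are gone from the audit log.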