Refined SELinux policy

Relates to: #883

When enforcing the SELinux policy of BlueChi, the calls from
bluechi-agent to systemd are blocked. The missing privileges
of bluechi_agent_t (source context) on the systemd types (e.g.
systemd_unit_file_t) and init type have been added.

Signed-off-by: Michael Engel <[email protected]>

selinux/bluechi.te

@@ -25,10 +25,6 @@ corenet_port(bluechi_port_t)
 type bluechi_agent_port_t;
 corenet_port(bluechi_agent_port_t)
 
-permissive bluechi_t;
-permissive bluechi_agent_t;
-
-
 ########################################
 #
 # bluechi local policy
@@ -71,6 +67,14 @@ allow bluechi_agent_t self:fifo_file rw_fifo_file_perms;
 allow bluechi_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow bluechi_agent_t self:unix_dgram_socket create_socket_perms;
 
+systemd_start_all_services(bluechi_agent_t)
+systemd_start_systemd_services(bluechi_agent_t)
+systemd_stop_systemd_services(bluechi_agent_t)
+systemd_status_systemd_services(bluechi_agent_t)
+systemd_reload_all_services(bluechi_agent_t)
+systemd_reload_systemd_services(bluechi_agent_t)
+init_reload_services(bluechi_agent_t)
+
 kernel_dgram_send(bluechi_agent_t)
 
 domain_use_interactive_fds(bluechi_agent_t)