From: Alexander Miroshnichenko To: selinux-refpolicy@vger.kernel.org Cc: Alexander Miroshnichenko Subject: [PATCH] Add support for openrc-init Date: Sat, 29 Jun 2019 15:33:58 +0300 Message-Id: <20190629123358.18284-1-alex@millerson.name> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit X-GIT-Signature: 8c0efe3d5e0bf275d304263d226769f4 X-Spam-Score: 0.9 (/) X-Spam-Status: No Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Signed-off-by: Alexander Miroshnichenko --- policy/modules/admin/shutdown.fc | 2 ++ policy/modules/admin/shutdown.te | 2 ++ policy/modules/system/init.fc | 2 ++ policy/modules/system/init.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 2 ++ 5 files changed, 26 insertions(+) diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc index 03a2230c6766..9d2e1b8acff2 100644 --- a/policy/modules/admin/shutdown.fc +++ b/policy/modules/admin/shutdown.fc @@ -4,6 +4,8 @@ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/sbin/openrc-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te index 2168d03fcf63..c504fadb6dc9 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te @@ -52,6 +52,8 @@ auth_use_nsswitch(shutdown_t) auth_write_login_records(shutdown_t) init_rw_utmp(shutdown_t) +# Search for init.ctl in /run/openrc by openrc-shutdown +init_search_state_data(shutdown_t) init_stream_connect(shutdown_t) init_telinit(shutdown_t) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 11a6ce93a040..48c78b8c6241 100644 --- a/policy/modules/system/init.fc 
+++ b/policy/modules/system/init.fc @@ -41,6 +41,7 @@ ifdef(`distro_gentoo',` /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/openrc-init -- gen_context(system_u:object_r:init_exec_t,s0) /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ifdef(`distro_gentoo', ` @@ -60,6 +61,7 @@ ifdef(`distro_redhat',` /run/initctl -p gen_context(system_u:object_r:initctl_t,s0) /run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/openrc/init.ctl -p gen_context(system_u:object_r:initctl_t,s0) /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 2415bb771080..2a7262b325a6 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1870,6 +1870,24 @@ interface(`init_startstop_all_script_services',` allow $1 init_script_file_type:service { start status stop }; ') +######################################## +## +## Search in a initrc_state_t directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_search_state_data',` + gen_require(` + type initrc_state_t; + ') + + allow $1 initrc_state_t:dir search_dir_perms; +') + ######################################## ## ## Read the process state (/proc/pid) of init. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f4d27bff3ea2..cb0f5f03d946 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
@@ -146,6 +146,8 @@ allow init_t init_var_run_t:file manage_lnk_file_perms; allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) files_pid_filetrans(init_t, initctl_t, fifo_file) +# Allow openrc-init to create /run/openrc/init.ctl pipe. +filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl" ) # Modify utmp. allow init_t initrc_var_run_t:file { rw_file_perms setattr }; -- 2.21.0
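Review bot: the commit message is a subject line only; a body should state what openrc-init and openrc-shutdown are and why /run/openrc/init.ctl is labelled initctl_t, since the only explanation of that labelling is the one-line comment in the init.te hunk ("Allow openrc-init to create /run/openrc/init.ctl pipe.") and reviewers of the policy later will look in the log, not the .te file.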
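Review bot: the extra blank line added after the new `/usr/sbin/openrc-shutdown` entry in shutdown.fc separates it from the adjacent `/usr/sbin/shutdown` entry; drop the added blank `+` line so the `/usr/sbin` entries stay one contiguous block, as the existing `/usr/lib/upstart/shutdown` and `/usr/sbin/shutdown` lines are.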
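Review bot: in the second init.fc hunk the new pattern `/run/openrc/init.ctl -p` leaves the dot unescaped, while the neighbouring entries in the same hunk (`/run/kerneloops\.pid`, `/run/runlevel\.dir`) escape it; file context paths are regular expressions, so write `/run/openrc/init\.ctl -p gen_context(system_u:object_r:initctl_t,s0)` so that only the literal file name matches. It would also read better next to the existing `/run/initctl -p` entry, the other initctl_t fifo in the file.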
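Review bot: the summary of the new `init_search_state_data` interface in init.if, "Search in a initrc_state_t directory.", has a grammar slip ("a initrc_state_t") and names the type instead of the resource; refpolicy summaries describe what the caller gets, so something like "Search the init script state directories (/run/openrc)." tells callers when to use it, matching the shutdown.te comment that explains the only caller. The body, `allow $1 initrc_state_t:dir search_dir_perms;`, is the right permission set for that purpose.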
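Review bot: `filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl" )` in init.te has a stray space before the closing parenthesis; write `"init.ctl")`. The named transition itself is the right choice: the existing `dev_filetrans(init_t, initctl_t, fifo_file)` and `files_pid_filetrans(init_t, initctl_t, fifo_file)` lines above it carry no name and so label every fifo init_t creates in those directories initctl_t, whereas under /run/openrc only the init.ctl pipe should get that type, so restricting the transition to the name keeps anything else init_t creates there as initrc_state_t.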