Date: Sat, 29 Jun 2019 15:12:43 +0200
From: Dominick Grift
To: Alexander Miroshnichenko
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Add support for openrc-init
Message-ID: <20190629131243.GA18602@brutus.lan>
References: <20190629123358.18284-1-alex@millerson.name>
In-Reply-To: <20190629123358.18284-1-alex@millerson.name>

On Sat, Jun 29, 2019 at 03:33:58PM +0300, Alexander Miroshnichenko wrote:
> Signed-off-by: Alexander Miroshnichenko > --- > policy/modules/admin/shutdown.fc | 2 ++ > policy/modules/admin/shutdown.te | 2 ++ > policy/modules/system/init.fc | 2 ++ > policy/modules/system/init.if | 18 ++++++++++++++++++ > policy/modules/system/init.te | 2 ++ > 5 files changed, 26 insertions(+) >=20

Some observations:

What maintains (creates) /run/openrc, and why is it labeled initrc_state_t? There is no FC spec for it (there should be a FC spec for /run/openrc). Why is /run/openrc not labeled init_var_run_t?

The init_search_state_data() interface you created is redundant and its name is misleading (it would have been init_search_script_state())

However access to 'initctl' can be provided via init_rw_initctl(), and init_telinit() should call init_rw_initctl(). Then "shutdown" will be able to access it automatically.

init_getattr_initctl() and init_write_initctl() should also be updated to allow traversal of /run/openrc.

The period in the spec for /run/openrc/init.ctl should be escaped (/run/openrc/init\.ctl)

> diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shut= down.fc > index 03a2230c6766..9d2e1b8acff2 100644 > --- a/policy/modules/admin/shutdown.fc > +++ b/policy/modules/admin/shutdown.fc > @@ -4,6 +4,8 @@ > =20 > /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec= _t,s0) > =20 > +/usr/sbin/openrc-shutdown -- gen_context(system_u:object_r:shutdown_exec= _t,s0) > + > /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) > =20 > /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s= 0) > diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shut= down.te > index 2168d03fcf63..c504fadb6dc9 100644 > --- a/policy/modules/admin/shutdown.te > +++ b/policy/modules/admin/shutdown.te 
> @@ -52,6 +52,8 @@ auth_use_nsswitch(shutdown_t) > auth_write_login_records(shutdown_t) > =20 > init_rw_utmp(shutdown_t) > +# Search for init.ctl in /run/openrc by openrc-shutdown > +init_search_state_data(shutdown_t) > init_stream_connect(shutdown_t) > init_telinit(shutdown_t) > =20 > diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc > index 11a6ce93a040..48c78b8c6241 100644 > --- a/policy/modules/system/init.fc > +++ b/policy/modules/system/init.fc > @@ -41,6 +41,7 @@ ifdef(`distro_gentoo',` > =20 > /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) > /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s= 0) > +/usr/sbin/openrc-init -- gen_context(system_u:object_r:init_exec_= t,s0) > /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) > =20 > ifdef(`distro_gentoo', ` > @@ -60,6 +61,7 @@ ifdef(`distro_redhat',` > /run/initctl -p gen_context(system_u:object_r:initctl_t,s0) > /run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s= 0) > /run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) > +/run/openrc/init.ctl -p gen_context(system_u:object_r:initctl_t,s0) > /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) > /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 2415bb771080..2a7262b325a6 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if 
> @@ -1870,6 +1870,24 @@ interface(`init_startstop_all_script_services',` > allow $1 init_script_file_type:service { start status stop }; > ') > =20 > +######################################## > +## > +## Search in a initrc_state_t directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_search_state_data',` > + gen_require(` > + type initrc_state_t; > + ') > + > + allow $1 initrc_state_t:dir search_dir_perms; > +') > + > ######################################## > ## > ## Read the process state (/proc/pid) of init. > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index f4d27bff3ea2..cb0f5f03d946 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te 
> @@ -146,6 +146,8 @@ allow init_t init_var_run_t:file manage_lnk_file_perm= s; > allow init_t initctl_t:fifo_file manage_fifo_file_perms; > dev_filetrans(init_t, initctl_t, fifo_file) > files_pid_filetrans(init_t, initctl_t, fifo_file) > +# Allow openrc-init to create /run/openrc/init.ctl pipe. > +filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "ini= t.ctl" ) > =20 > # Modify utmp. > allow init_t initrc_var_run_t:file { rw_file_perms setattr }; > --=20 > 2.21.0 >=20

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
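
Review bot: In the shutdown.te hunk, the added init_search_state_data(shutdown_t) grants the directory search in the caller, although init_telinit(shutdown_t) is already called two lines below it. If traversal of /run/openrc is granted inside the init-side initctl interfaces instead, shutdown_t and every other caller get it through the existing call, and this line and its comment can be dropped.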
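
Review bot: In the second init.fc hunk, the new /run/openrc/init.ctl entry leaves the period unescaped, so it matches any character in that position, while the neighbouring entries (/run/kerneloops\.pid, /run/runlevel\.dir) escape it; write it as /run/openrc/init\.ctl. The hunk also adds no entry for the /run/openrc directory itself, so nothing in the patch assigns the directory the type that the init.te change relies on.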
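
Review bot: In the init.if hunk, the interface name init_search_state_data does not name the type it grants access to (initrc_state_t), and the summary line reads "Search in a initrc_state_t directory." Name the interface after the type and fix the article ("an initrc_state_t directory"), or drop the interface altogether if the traversal moves into the existing initctl interfaces.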
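
Review bot: In the init.te hunk, the added filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, ...) only takes effect when the parent directory already carries initrc_state_t, yet no hunk in this patch labels /run/openrc or shows what creates it. Add the file context for the directory (or the rule covering its creation) in the same patch, and remove the stray space before the closing parenthesis.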