This patchset contains a few updates needed for Gentoo's init system (openrc) to
further handle /run related matters.
Sven Vermeulen (4):
Allow init to set attributes on device_t
Introduce files_manage_all_pids interface
Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
Update files_manage_generic_locks with directory permissions
policy/modules/kernel/files.if | 22 ++++++++++++++++++++++
policy/modules/system/init.te | 3 +++
2 files changed, 25 insertions(+), 0 deletions(-)
--
1.7.8.6
In Gentoo, the openrc init framework creates the /dev/shm location (within
devtmpfs) using a "mkdir -m 1777 /dev/shm" command. This results in initrc_t
wanting to set the attributes of the /dev/shm directory (at that point still
labeled device_t as tmpfs isn't mounted on it yet).
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2a8729c..1b32148 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -86,6 +86,7 @@ files_pid_file(initrc_var_run_t)
ifdef(`distro_gentoo',`
type rc_exec_t;
domain_entry_file(initrc_t, rc_exec_t)
+
')
ifdef(`enable_mls',`
@@ -458,6 +459,7 @@ ifdef(`distro_gentoo',`
# early init
dev_create_generic_dirs(initrc_t)
dev_delete_generic_dirs(initrc_t)
+ dev_setattr_generic_dirs(initrc_t)
# allow bootmisc to create /var/lock/.keep.
files_manage_generic_locks(initrc_t)
--
1.7.8.6
This interface will be used by domains that need to manage the various pidfile
content (*_var_run_t).
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/files.if | 21 +++++++++++++++++++++
1 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 54c6dbd..7c4b4ae 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6191,6 +6191,27 @@ interface(`files_dontaudit_getattr_all_pids',`
########################################
## <summary>
+## Create, read, write and delete all
+## var_run (pid) content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain alloed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ manage_dirs_pattern($1, pidfile, pidfile)
+ manage_files_pattern($1, pidfile, pidfile)
+ manage_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
## Do not audit attempts to write to daemon runtime data files.
## </summary>
## <param name="domain">
--
1.7.8.6
Gentoo's OpenRC init framework handles the migration of data from /var/run to
/run, and /var/lock to /run/lock. To deal with this, openrc uses "cp -a -r
/var/run /run" and "cp -a -r /var/lock/* /run/lock".
When done, it will create symlinks in /var towards the new locations.
As a result, initrc_t needs to be able to manage symlinks in /var, as well as
manage all pidfile content (needed for the migration of /var/run/* towards
/run).
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1b32148..106d6be 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -86,7 +86,6 @@ files_pid_file(initrc_var_run_t)
ifdef(`distro_gentoo',`
type rc_exec_t;
domain_entry_file(initrc_t, rc_exec_t)
-
')
ifdef(`enable_mls',`
@@ -461,8 +460,10 @@ ifdef(`distro_gentoo',`
dev_delete_generic_dirs(initrc_t)
dev_setattr_generic_dirs(initrc_t)
+ files_manage_all_pids(initrc_t)
# allow bootmisc to create /var/lock/.keep.
files_manage_generic_locks(initrc_t)
+ files_manage_var_symlinks(initrc_t)
files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
# openrc uses tmpfs for its state data
--
1.7.8.6
Currently, the files_manage_generic_locks only handles the lock files. If a
domain needs to manage both lock files and the lock directories (like specific
subdirectories in /var/lock that are not owned by a single other domain, such as
Gentoo's /var/lock/subsys location) it also needs the manage permissions on the
directory.
This is to support OpenRC's migration of /var/lock to /run/lock which otherwise
fails:
* Migrating /var/lock to /run/lock
cp: cannot create directory '/run/lock/subsys': Permission denied
rm: cannot remove '/var/lock/subsys': Permission denied
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/files.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 7c4b4ae..1f0c6f8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5818,6 +5818,7 @@ interface(`files_manage_generic_locks',`
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ manage_dirs_pattern($1, var_lock_t, var_lock_t)
manage_files_pattern($1, var_lock_t, var_lock_t)
')
--
1.7.8.6
On 10/30/12 17:51, Sven Vermeulen wrote:
> This patchset contains a few updates needed for Gentoo's init system (openrc) to
> further handle /run related matters.
>
> Sven Vermeulen (4):
> Allow init to set attributes on device_t
> Introduce files_manage_all_pids interface
> Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
> Update files_manage_generic_locks with directory permissions
>
> policy/modules/kernel/files.if | 22 ++++++++++++++++++++++
> policy/modules/system/init.te | 3 +++
> 2 files changed, 25 insertions(+), 0 deletions(-)
This set is merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com