Currently init_run_daemon is called unconditionally for unconfined_t.
Yet unconfined_u is not associated with system_r.
It is also a little inconsistent to make unconfined_t automatically
transition to initrc by default because first of all it's an oxymoron in
that unconfined_t should be unrestricted in essence, and second of all
why would direct_sysadm_daemon apply to only sysadm_t and not
unconfined_t?
If distribution maintainers want general purpose administrators
(sysadm_t, unconfined_t) to automatically domain transition to init
script domains then they can toggle "direct_sysadm_daemon", else their
users need to use run_init.
This only applies to init_run_daemon so it might not change anything for
Gentoo and their openrc solution.
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/unconfined.te | 14 ++++++++++----
policy/users | 6 +++++-
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 667f2a0..ee90fc0 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,8 +33,6 @@ files_create_boot_flag(unconfined_t)
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
-init_run_daemon(unconfined_t, unconfined_r)
-
libs_run_ldconfig(unconfined_t, unconfined_r)
logging_send_syslog_msg(unconfined_t)
@@ -49,9 +47,17 @@ unconfined_domain(unconfined_t)
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(unconfined_t, unconfined_r)
+ ')
+')
+
ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ optional_policy(`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ ')
')
optional_policy(`
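Review bot: the distro_gentoo block at the end of this hunk now wraps seutil_run_runinit and seutil_init_script_run_runinit in optional_policy, which is unrelated to the stated purpose of the commit (the message says the change only applies to init_run_daemon) and turns two previously unconditional calls into conditional ones. Suggest dropping that part from this patch, or sending it separately with its own justification, and keeping only the new ifdef(`direct_sysadm_daemon', ...) block here.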
diff --git a/policy/users b/policy/users
index c4ebc7e..5db8cf4 100644
--- a/policy/users
+++ b/policy/users
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
#
# The following users correspond to Unix identities.
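Review bot: the ifdef in policy/users duplicates the whole gen_user(unconfined_u, ...) call in both branches with system_r as the only difference, so the level and range arguments can drift apart if one copy is edited later. Consider a single gen_user call with the conditional placed inline in the role list, in the style of the staff_u line visible in the hunk header, which uses ifdef(`enable_mls', ...) inside its roles. Note also that system_r is granted to unconfined_u whenever direct_sysadm_daemon is defined, while the matching init_run_daemon call in unconfined.te sits inside optional_policy, so the two conditions are not identical.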
--
1.8.4.2
On Sat, 2013-12-07 at 20:21 +0100, Dominick Grift wrote:
> ifdef(`distro_gentoo',`
> - seutil_run_runinit(unconfined_t, unconfined_r)
> - seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> + optional_policy(`
> + seutil_run_runinit(unconfined_t, unconfined_r)
> + seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> + ')
> ')
Ignore this patch. I should not have made this optional. Copy and paste
error. Will resubmit.
On Sat, 2013-12-07 at 20:21 +0100, Dominick Grift wrote:
> Currently init_run_daemon is called unconditionally for unconfined_t.
> Yet unconfined_u is not associated with system_r.
Probably best to get rid of direct_initrc and init_run_daemon altogether
as it causes fundamental problems with executables that can be run both
by the system as well as users.
I hit this issue before, recently with git-daemon, and pulseaudio
suffers the same problems.
With systemd we don't have that issue anymore of having to role
transition to system_r if we want to start a service on behalf of the
system.