2016-12-30 21:08:04

by guido

Subject: [refpolicy] [PATCH] plymouth: use the correct running domain for the client

The plymouth client needs a domain for short running processes
which are started by init scripts instead of an application
domain.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/plymouthd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff -pru a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
--- a/policy/modules/contrib/plymouthd.te 2016-12-22 23:12:59.391081860 +0100
+++ b/policy/modules/contrib/plymouthd.te 2016-12-30 21:58:06.300261216 +0100
@@ -7,7 +7,7 @@ policy_module(plymouthd, 1.3.1)

type plymouth_t;
type plymouth_exec_t;
-application_domain(plymouth_t, plymouth_exec_t)
+init_system_domain(plymouth_t, plymouth_exec_t)
role system_r types plymouth_t;

type plymouthd_t;
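
Review bot: The unchanged "role system_r types plymouth_t;" line directly under the new init_system_domain(plymouth_t, plymouth_exec_t) call is probably redundant now, since a domain started by init scripts has to be usable under system_r anyway. Check the interface definition in init.if and, if it already carries the role statement, delete this line in the same patch. The commit message would also be easier to review if it named the denial or failed transition seen with application_domain().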


2016-12-30 21:11:15

by Dac Override

Subject: [refpolicy] [PATCH] plymouth: use the correct running domain for the client

On 12/30/2016 10:08 PM, Guido Trentalancia via refpolicy wrote:
> The plymouth client needs a domain for short running processes
> which are started by init scripts instead of an application
> domain.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/plymouthd.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff -pru a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
> --- a/policy/modules/contrib/plymouthd.te 2016-12-22 23:12:59.391081860 +0100
> +++ b/policy/modules/contrib/plymouthd.te 2016-12-30 21:58:06.300261216 +0100
> @@ -7,7 +7,7 @@ policy_module(plymouthd, 1.3.1)
>
> type plymouth_t;
> type plymouth_exec_t;
> -application_domain(plymouth_t, plymouth_exec_t)
> +init_system_domain(plymouth_t, plymouth_exec_t)
> role system_r types plymouth_t;

You should probably be able to drop the role system_r types plymouth_t
as that is probably already part of init_system_domain() and is thus
redundant.

>
> type plymouthd_t;


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-30 21:23:19

by guido

Subject: [refpolicy] [PATCH v2] plymouth: use the correct running domain for the client

The plymouth client needs a domain for short running processes
which are started by init scripts instead of an application
domain.

Also add the ability to inherit init file descriptors (for the
console) and use it.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/plymouthd.te | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff -pru a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
--- a/policy/modules/contrib/plymouthd.te 2016-12-22 23:12:59.391081860 +0100
+++ b/policy/modules/contrib/plymouthd.te 2016-12-30 22:17:18.458090959 +0100
@@ -7,8 +7,7 @@ policy_module(plymouthd, 1.3.1)

type plymouth_t;
type plymouth_exec_t;
-application_domain(plymouth_t, plymouth_exec_t)
-role system_r types plymouth_t;
+init_system_domain(plymouth_t, plymouth_exec_t)

type plymouthd_t;
type plymouthd_exec_t;
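
Review bot: The "role system_r types plymouth_t;" line is deleted at the top of this hunk, but the commit message only mentions the domain change and the init file descriptors. Add a sentence explaining why the role statement can go (the v1 review suggested init_system_domain() already covers it), so the removal is not mistaken for an accidental loss of the role association.
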
@@ -115,12 +114,15 @@ domain_use_interactive_fds(plymouth_t)

files_read_etc_files(plymouth_t)

-term_use_ptmx(plymouth_t)
+init_use_fds(plymouth_t)

miscfiles_read_localization(plymouth_t)

sysnet_read_config(plymouth_t)

+term_use_console(plymouth_t)
+term_use_ptmx(plymouth_t)
+
ifdef(`hide_broken_symptoms',`
optional_policy(`
hal_dontaudit_write_log(plymouth_t)
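
Review bot: term_use_ptmx(plymouth_t) is removed from its place after files_read_etc_files() and re-added below sysnet_read_config(), which turns a one-line addition into a move and separates the term_ calls from where the file already kept them. Leave term_use_ptmx() where it was, add term_use_console(plymouth_t) directly above it, and place init_use_fds(plymouth_t) before miscfiles_read_localization().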

2016-12-31 15:52:04

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] plymouth: use the correct running domain for the client

On 12/30/16 16:23, Guido Trentalancia via refpolicy wrote:
> The plymouth client needs a domain for short running processes
> which are started by init scripts instead of an application
> domain.
>
> Also add the ability to inherit init file descriptors (for the
> console) and use it.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/plymouthd.te | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff -pru a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
> --- a/policy/modules/contrib/plymouthd.te 2016-12-22 23:12:59.391081860 +0100
> +++ b/policy/modules/contrib/plymouthd.te 2016-12-30 22:17:18.458090959 +0100
> @@ -7,8 +7,7 @@ policy_module(plymouthd, 1.3.1)
>
> type plymouth_t;
> type plymouth_exec_t;
> -application_domain(plymouth_t, plymouth_exec_t)
> -role system_r types plymouth_t;
> +init_system_domain(plymouth_t, plymouth_exec_t)
>
> type plymouthd_t;
> type plymouthd_exec_t;
> @@ -115,12 +114,15 @@ domain_use_interactive_fds(plymouth_t)
>
> files_read_etc_files(plymouth_t)
>
> -term_use_ptmx(plymouth_t)

Actually, this is the correct location of the term lines. They
shouldn't be moved down.

> +init_use_fds(plymouth_t)
>
> miscfiles_read_localization(plymouth_t)
>
> sysnet_read_config(plymouth_t)
>
> +term_use_console(plymouth_t)
> +term_use_ptmx(plymouth_t)
> +
> ifdef(`hide_broken_symptoms',`
> optional_policy(`
> hal_dontaudit_write_log(plymouth_t)



--
Chris PeBenito

2016-12-31 15:58:53

by guido

Subject: [refpolicy] [PATCH v3] plymouth: use the correct running domain for the client

The plymouth client needs a domain for short running processes
which are started by init scripts instead of an application
domain.

Also add the ability to inherit init file descriptors (for the
console) and use it.

Compared to the previous version (v2), this one simply moves
the terminal interfaces to the right location.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/plymouthd.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
--- a/policy/modules/contrib/plymouthd.te 2016-12-22 23:12:59.391081860 +0100
+++ b/policy/modules/contrib/plymouthd.te 2016-12-31 16:54:47.796736709 +0100
@@ -7,8 +7,7 @@ policy_module(plymouthd, 1.3.1)

type plymouth_t;
type plymouth_exec_t;
-application_domain(plymouth_t, plymouth_exec_t)
-role system_r types plymouth_t;
+init_system_domain(plymouth_t, plymouth_exec_t)

type plymouthd_t;
type plymouthd_exec_t;
@@ -115,8 +114,11 @@ domain_use_interactive_fds(plymouth_t)

files_read_etc_files(plymouth_t)

+term_use_console(plymouth_t)
term_use_ptmx(plymouth_t)

+init_use_fds(plymouth_t)
+
miscfiles_read_localization(plymouth_t)

sysnet_read_config(plymouth_t)
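
Review bot: term_use_console(plymouth_t) and init_use_fds(plymouth_t) are new grants here, while term_use_ptmx(plymouth_t) stays as unchanged context. If the client is now expected to run from init scripts on the console inherited from init, the commit message should say whether ptmx access is still needed and which denials the two added lines resolve. The "Compared to the previous version (v2)" paragraph also sits above the "---" separator, so it ends up in the commit log if the message is applied as is; revision notes belong below the separator.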

2016-12-31 16:27:29

by Chris PeBenito

Subject: [refpolicy] [PATCH v3] plymouth: use the correct running domain for the client

On 12/31/16 10:58, Guido Trentalancia via refpolicy wrote:
> The plymouth client needs a domain for short running processes
> which are started by init scripts instead of an application
> domain.
>
> Also add the ability to inherit init file descriptors (for the
> console) and use it.
>
> Compared to the previous version (v2), this one simply moves
> the terminal interfaces to the right location.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/plymouthd.te | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
> --- a/policy/modules/contrib/plymouthd.te 2016-12-22 23:12:59.391081860 +0100
> +++ b/policy/modules/contrib/plymouthd.te 2016-12-31 16:54:47.796736709 +0100
> @@ -7,8 +7,7 @@ policy_module(plymouthd, 1.3.1)
>
> type plymouth_t;
> type plymouth_exec_t;
> -application_domain(plymouth_t, plymouth_exec_t)
> -role system_r types plymouth_t;
> +init_system_domain(plymouth_t, plymouth_exec_t)
>
> type plymouthd_t;
> type plymouthd_exec_t;
> @@ -115,8 +114,11 @@ domain_use_interactive_fds(plymouth_t)
>
> files_read_etc_files(plymouth_t)
>
> +term_use_console(plymouth_t)
> term_use_ptmx(plymouth_t)
>
> +init_use_fds(plymouth_t)
> +
> miscfiles_read_localization(plymouth_t)
>
> sysnet_read_config(plymouth_t)

Merged.

--
Chris PeBenito