2015-05-25 10:02:45

by Jason Zaman

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
---
policy/modules/system/init.if | 14 ++++---
policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f39437e..29c9955 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -993,11 +993,15 @@ interface(`init_startstop_service',`
')

ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
+ ifdef(`distro_gentoo',`
+ seutil_spec_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
')
')
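Review bot: The new distro_gentoo branch carries no comment parallel to `# rules for sysvinit / upstart` on the else branch, so a reader of the hunk cannot tell why the Gentoo case omits `domain_system_change_exemption($1)` and the `role_transition $2 $4 system_r; allow $2 system_r;` rules. Presumably run_init performs the role change itself, but that is inferred, not shown here. A one-line comment on the new branch such as `# rules for openrc: transition through run_init instead of directly to system_r` would record the intent next to the code. The enclosing init_startstop_service interface starts outside the hunk.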

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`

########################################
## <summary>
+## Execute file in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute file in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of entry file.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ domain_entry_file(run_init_t, $2)
+ domain_auto_transition_pattern($1, $2, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute init scripts in the run_init domain.
## </summary>
## <desc>
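Review bot: Both parameters of seutil_spec_domtrans_runinit are documented as `<param name="domain">`; the second one describes the entry file type passed as $2, so it should get a distinct name such as `<param name="entry_file">` so the generated interface documentation does not list two parameters called domain. The same duplicated name appears on the third parameter of seutil_spec_run_runinit in the next hunk. The `<desc>` could also state that $2 becomes an entrypoint type for run_init_t (that is what `domain_entry_file(run_init_t, $2)` does), since every caller widens that set and policy reviewers will want that visible in the docs.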
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`

########################################
## <summary>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of init script.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_spec_domtrans_runinit($1, $3)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
## Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
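Review bot: The summary and description of seutil_spec_run_runinit say the caller may "use the caller's terminal", but the body only calls `seutil_spec_domtrans_runinit($1, $3)` and adds `roleattribute $2 run_init_roles;`; nothing in this hunk grants run_init_t access to $1's terminal. If that access is granted elsewhere (for example in run_init's own policy), the doc should not attribute it to this interface; otherwise the sentence should be dropped or the rule added. The third parameter's summary reads `Type of init script` while the interface summary speaks of a "specified file"; aligning it with the `Type of entry file` wording used by seutil_spec_domtrans_runinit would avoid the mismatch.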
--
2.3.6


2015-05-27 16:48:18

by cpebenito

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

On 5/25/2015 6:02 AM, Jason Zaman wrote:
> Adds the openrc rules in ifdef distro_gentoo to transition
> to run_init correctly.

I'm fine with this set except one note below.

> ---
> policy/modules/system/init.if | 14 ++++---
> policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 84 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index f39437e..29c9955 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -993,11 +993,15 @@ interface(`init_startstop_service',`
> ')
>
> ifndef(`direct_sysadm_daemon',`
> - # rules for sysvinit / upstart
> - init_labeled_script_domtrans($1, $4)
> - domain_system_change_exemption($1)
> - role_transition $2 $4 system_r;
> - allow $2 system_r;
> + ifdef(`distro_gentoo',`
> + seutil_spec_run_runinit($1, $2, $4)
> + ',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> ')
> ')
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 129a6e0..e69f279 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
>
> ########################################
> ## <summary>
> +## Execute file in the run_init domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute file in the run_init domain.
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of entry file.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_spec_domtrans_runinit',`

"spec" means setexeccon(), instead of type_transition, so this should
drop the "spec" from the name. Same thing in the caller below.


> + gen_require(`
> + type run_init_t;
> + ')
> +
> + domain_entry_file(run_init_t, $2)
> + domain_auto_transition_pattern($1, $2, run_init_t)
> +
> + allow run_init_t $1:fd use;
> + allow run_init_t $1:fifo_file rw_file_perms;
> + allow run_init_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> ## Execute init scripts in the run_init domain.
> ## </summary>
> ## <desc>
> @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
>
> ########################################
> ## <summary>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </p>
> +## <p>
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of init script.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_spec_run_runinit',`
> + gen_require(`
> + attribute_role run_init_roles;
> + ')
> +
> + seutil_spec_domtrans_runinit($1, $3)
> + roleattribute $2 run_init_roles;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit and use run_init file descriptors.
> ## </summary>
> ## <param name="domain">
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-05-27 16:51:33

by Dac Override

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

On Wed, May 27, 2015 at 12:48:18PM -0400, Christopher J. PeBenito wrote:
> On 5/25/2015 6:02 AM, Jason Zaman wrote:
> > Adds the openrc rules in ifdef distro_gentoo to transition
> > to run_init correctly.
>
> I'm fine with this set except one note below.
>

<snip>

>
> "spec" means setexeccon(), instead of type_transition, so this should
> drop the "spec" from the name. Same thing in the caller below.
>

Just a quick comment from an innocent bystander:

I appreciate that it is what it is, but I don't find it intuitive; in my personal policy I use "automatic versus manual" transition.


--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150527/74aa6ca9/attachment.bin

2015-05-27 17:04:37

by cpebenito

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

On 5/27/2015 12:51 PM, Dominick Grift wrote:
> On Wed, May 27, 2015 at 12:48:18PM -0400, Christopher J. PeBenito wrote:
>> On 5/25/2015 6:02 AM, Jason Zaman wrote:
>>> Adds the openrc rules in ifdef distro_gentoo to transition
>>> to run_init correctly.
>>
>> I'm fine with this set except one note below.
>>
>
> <snip>
>
>>
>> "spec" means setexeccon(), instead of type_transition, so this should
>> drop the "spec" from the name. Same thing in the caller below.
>>
>
> Just a quick comment from an innocent bystander:
>
> I appreciate that it is what it is, but i don't find it intuitive and in my personal policy i use "automatic versus manual" transition

It's so infrequently used that I haven't thought about it much. I'm
open to considering naming changes as long as it doesn't require
changing a ton of interfaces. i.e. "domtrans" by itself would have to
continue to mean domain transition via type_transition. There's not
even an official naming convention for dyntransition interfaces since
none exist (that is, none that only do dyntransition).

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-05-27 17:07:35

by Dac Override

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

On Wed, May 27, 2015 at 01:04:37PM -0400, Christopher J. PeBenito wrote:
> On 5/27/2015 12:51 PM, Dominick Grift wrote:
> > On Wed, May 27, 2015 at 12:48:18PM -0400, Christopher J. PeBenito wrote:
> >> On 5/25/2015 6:02 AM, Jason Zaman wrote:
> >>> Adds the openrc rules in ifdef distro_gentoo to transition
> >>> to run_init correctly.
> >>
> >> I'm fine with this set except one note below.
> >>
> >
> > <snip>
> >
> >>
> >> "spec" means setexeccon(), instead of type_transition, so this should
> >> drop the "spec" from the name. Same thing in the caller below.
> >>
> >
> > Just a quick comment from an innocent bystander:
> >
> > I appreciate that it is what it is, but i don't find it intuitive and in my personal policy i use "automatic versus manual" transition
>
> It's so infrequently used that I haven't thought about it much. I'm
> open to considering naming changes as long as it doesn't require
> changing a ton of interfaces. i.e. "domtrans" by itself would have to
> continue to mean domain transition via type_transition. There's not
> even an official naming convention for dyntransition interfaces since
> none exist (that is, none that only do dyntransition).

Nah, I don't think it's worth the change, because it would require that everything is changed for consistency.

I was just mentioning it.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150527/6c0ad6ef/attachment.bin

2015-05-27 17:22:28

by Jason Zaman

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

On 27 May 2015 20:48, "Christopher J. PeBenito" <[email protected]>
wrote:
>
> On 5/25/2015 6:02 AM, Jason Zaman wrote:
> > Adds the openrc rules in ifdef distro_gentoo to transition
> > to run_init correctly.
>
> I'm fine with this set except one note below.
>
> > ---
> > policy/modules/system/init.if | 14 ++++---
> > policy/modules/system/selinuxutil.if | 75
++++++++++++++++++++++++++++++++++++
> > 2 files changed, 84 insertions(+), 5 deletions(-)
> >
> > diff --git a/policy/modules/system/init.if
b/policy/modules/system/init.if
> > index f39437e..29c9955 100644
> > --- a/policy/modules/system/init.if
> > +++ b/policy/modules/system/init.if
> > @@ -993,11 +993,15 @@ interface(`init_startstop_service',`
> > ')
> >
> > ifndef(`direct_sysadm_daemon',`
> > - # rules for sysvinit / upstart
> > - init_labeled_script_domtrans($1, $4)
> > - domain_system_change_exemption($1)
> > - role_transition $2 $4 system_r;
> > - allow $2 system_r;
> > + ifdef(`distro_gentoo',`
> > + seutil_spec_run_runinit($1, $2, $4)
> > + ',`
> > + # rules for sysvinit / upstart
> > + init_labeled_script_domtrans($1, $4)
> > + domain_system_change_exemption($1)
> > + role_transition $2 $4 system_r;
> > + allow $2 system_r;
> > + ')
> > ')
> > ')
> >
> > diff --git a/policy/modules/system/selinuxutil.if
b/policy/modules/system/selinuxutil.if
> > index 129a6e0..e69f279 100644
> > --- a/policy/modules/system/selinuxutil.if
> > +++ b/policy/modules/system/selinuxutil.if
> > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
> >
> > ########################################
> > ## <summary>
> > +## Execute file in the run_init domain.
> > +## </summary>
> > +## <desc>
> > +## <p>
> > +## Execute file in the run_init domain.
> > +## This is used for the Gentoo integrated run_init.
> > +## </p>
> > +## </desc>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## Type of entry file.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`seutil_spec_domtrans_runinit',`
>
> "spec" means setexeccon(), instead of type_transition, so this should
> drop the "spec" from the name. Same thing in the caller below.
>

Oh, I always thought it meant specified.
But I can't drop _spec because seutil_domtrans_runinit() already exists for
plain initrc_exec_t.
This new interface is basically one that can take the foo_initrc_exec_t as
a param.

Suggestions? seutil_prefixed_domtrans_runinit()?

>
> > + gen_require(`
> > + type run_init_t;
> > + ')
> > +
> > + domain_entry_file(run_init_t, $2)
> > + domain_auto_transition_pattern($1, $2, run_init_t)
> > +
> > + allow run_init_t $1:fd use;
> > + allow run_init_t $1:fifo_file rw_file_perms;
> > + allow run_init_t $1:process sigchld;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Execute init scripts in the run_init domain.
> > ## </summary>
> > ## <desc>
> > @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
> >
> > ########################################
> > ## <summary>
> > +## Execute specified file in the run_init domain, and
> > +## allow the specified role the run_init domain,
> > +## and use the caller's terminal.
> > +## </summary>
> > +## <desc>
> > +## <p>
> > +## Execute specified file in the run_init domain, and
> > +## allow the specified role the run_init domain,
> > +## and use the caller's terminal.
> > +## </p>
> > +## <p>
> > +## This is used for the Gentoo integrated run_init.
> > +## </p>
> > +## </desc>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## Type of init script.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`seutil_spec_run_runinit',`
> > + gen_require(`
> > + attribute_role run_init_roles;
> > + ')
> > +
> > + seutil_spec_domtrans_runinit($1, $3)
> > + roleattribute $2 run_init_roles;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Inherit and use run_init file descriptors.
> > ## </summary>
> > ## <param name="domain">
> >
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20150527/76ea03d0/attachment-0001.html

2015-05-27 17:33:43

by cpebenito

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

On 5/27/2015 1:22 PM, Jason Zaman wrote:
>
> On 27 May 2015 20:48, "Christopher J. PeBenito" <[email protected]
> <mailto:[email protected]>> wrote:
>>
>> On 5/25/2015 6:02 AM, Jason Zaman wrote:
>> > Adds the openrc rules in ifdef distro_gentoo to transition
>> > to run_init correctly.
>>
>> I'm fine with this set except one note below.
>>
>> > ---
>> > policy/modules/system/init.if | 14 ++++---
>> > policy/modules/system/selinuxutil.if | 75
> ++++++++++++++++++++++++++++++++++++
>> > 2 files changed, 84 insertions(+), 5 deletions(-)
>> >
>> > diff --git a/policy/modules/system/init.if
> b/policy/modules/system/init.if
>> > index f39437e..29c9955 100644
>> > --- a/policy/modules/system/init.if
>> > +++ b/policy/modules/system/init.if
>> > @@ -993,11 +993,15 @@ interface(`init_startstop_service',`
>> > ')
>> >
>> > ifndef(`direct_sysadm_daemon',`
>> > - # rules for sysvinit / upstart
>> > - init_labeled_script_domtrans($1, $4)
>> > - domain_system_change_exemption($1)
>> > - role_transition $2 $4 system_r;
>> > - allow $2 system_r;
>> > + ifdef(`distro_gentoo',`
>> > + seutil_spec_run_runinit($1, $2, $4)
>> > + ',`
>> > + # rules for sysvinit / upstart
>> > + init_labeled_script_domtrans($1, $4)
>> > + domain_system_change_exemption($1)
>> > + role_transition $2 $4 system_r;
>> > + allow $2 system_r;
>> > + ')
>> > ')
>> > ')
>> >
>> > diff --git a/policy/modules/system/selinuxutil.if
> b/policy/modules/system/selinuxutil.if
>> > index 129a6e0..e69f279 100644
>> > --- a/policy/modules/system/selinuxutil.if
>> > +++ b/policy/modules/system/selinuxutil.if
>> > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
>> >
>> > ########################################
>> > ## <summary>
>> > +## Execute file in the run_init domain.
>> > +## </summary>
>> > +## <desc>
>> > +## <p>
>> > +## Execute file in the run_init domain.
>> > +## This is used for the Gentoo integrated run_init.
>> > +## </p>
>> > +## </desc>
>> > +## <param name="domain">
>> > +## <summary>
>> > +## Domain allowed to transition.
>> > +## </summary>
>> > +## </param>
>> > +## <param name="domain">
>> > +## <summary>
>> > +## Type of entry file.
>> > +## </summary>
>> > +## </param>
>> > +#
>> > +interface(`seutil_spec_domtrans_runinit',`
>>
>> "spec" means setexeccon(), instead of type_transition, so this should
>> drop the "spec" from the name. Same thing in the caller below.
>>
>
> Oh, I always thought it meant specified.

That is what my intent was, except that I meant the parent domain
specified what the transition was via setexec. Perhaps we should change
"spec" to "setexec" to make it clear.

> But I can't drop _spec because seutil_domtrans_runinit() already exists
> for plain initrc_exec_t.
> This new interface is basically one that can take the foo_initrc_exec_t
> as a param.
>
> Suggestions? Seutil_prefixed_domtrans_runinit()?

It should probably be something like
seutil_labeled_init_script_domtrans_runinit(), but that's really long.
I'm not sure what to do to get that down to something reasonable.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-05-27 17:51:45

by Jason Zaman

Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service

On Wed, May 27, 2015 at 01:33:43PM -0400, Christopher J. PeBenito wrote:
> On 5/27/2015 1:22 PM, Jason Zaman wrote:
> >
> > On 27 May 2015 20:48, "Christopher J. PeBenito" <[email protected]
> > <mailto:[email protected]>> wrote:
> >>
> >> On 5/25/2015 6:02 AM, Jason Zaman wrote:
> >> > Adds the openrc rules in ifdef distro_gentoo to transition
> >> > to run_init correctly.
> >>
> >> I'm fine with this set except one note below.
> >>
> >> > ---
> >> > policy/modules/system/init.if | 14 ++++---
> >> > policy/modules/system/selinuxutil.if | 75
> > ++++++++++++++++++++++++++++++++++++
> >> > 2 files changed, 84 insertions(+), 5 deletions(-)
> >> >
> >> > diff --git a/policy/modules/system/init.if
> > b/policy/modules/system/init.if
> >> > index f39437e..29c9955 100644
> >> > --- a/policy/modules/system/init.if
> >> > +++ b/policy/modules/system/init.if
> >> > @@ -993,11 +993,15 @@ interface(`init_startstop_service',`
> >> > ')
> >> >
> >> > ifndef(`direct_sysadm_daemon',`
> >> > - # rules for sysvinit / upstart
> >> > - init_labeled_script_domtrans($1, $4)
> >> > - domain_system_change_exemption($1)
> >> > - role_transition $2 $4 system_r;
> >> > - allow $2 system_r;
> >> > + ifdef(`distro_gentoo',`
> >> > + seutil_spec_run_runinit($1, $2, $4)
> >> > + ',`
> >> > + # rules for sysvinit / upstart
> >> > + init_labeled_script_domtrans($1, $4)
> >> > + domain_system_change_exemption($1)
> >> > + role_transition $2 $4 system_r;
> >> > + allow $2 system_r;
> >> > + ')
> >> > ')
> >> > ')
> >> >
> >> > diff --git a/policy/modules/system/selinuxutil.if
> > b/policy/modules/system/selinuxutil.if
> >> > index 129a6e0..e69f279 100644
> >> > --- a/policy/modules/system/selinuxutil.if
> >> > +++ b/policy/modules/system/selinuxutil.if
> >> > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
> >> >
> >> > ########################################
> >> > ## <summary>
> >> > +## Execute file in the run_init domain.
> >> > +## </summary>
> >> > +## <desc>
> >> > +## <p>
> >> > +## Execute file in the run_init domain.
> >> > +## This is used for the Gentoo integrated run_init.
> >> > +## </p>
> >> > +## </desc>
> >> > +## <param name="domain">
> >> > +## <summary>
> >> > +## Domain allowed to transition.
> >> > +## </summary>
> >> > +## </param>
> >> > +## <param name="domain">
> >> > +## <summary>
> >> > +## Type of entry file.
> >> > +## </summary>
> >> > +## </param>
> >> > +#
> >> > +interface(`seutil_spec_domtrans_runinit',`
> >>
> >> "spec" means setexeccon(), instead of type_transition, so this should
> >> drop the "spec" from the name. Same thing in the caller below.
> >>
> >
> > Oh, I always thought it meant specified.
>
> That is what my intent was, except that I meant the parent domain
> specified what the transition was via setexec. Perhaps we should change
> "spec" to "setexec" to make it clear.

Ah I understand now.
>
> > But I can't drop _spec because seutil_domtrans_runinit() already exists
> > for plain initrc_exec_t.
> > This new interface is basically one that can take the foo_initrc_exec_t
> > as a param.
> >
> > Suggestions? Seutil_prefixed_domtrans_runinit()?
>
> It should probably be something like
> seutil_labeled_init_script_domtrans_runinit(), but that's really long.
> I'm not sure what to do to get that down to something reasonable.

That's good enough, I'll send a new version in a bit. It's long but at
least it's clear, and it's not used much so it's not terrible.

-- Jason