2015-05-27 18:01:42

by Jason Zaman

Subject: [refpolicy] [PATCH v2] Add openrc support to init_startstop_service

Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
---
policy/modules/system/init.if | 15 +++++---
policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f39437e..94d9761 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -993,11 +993,16 @@ interface(`init_startstop_service',`
')

ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
+ ifdef(`distro_gentoo',`
+ # for OpenRC
+ seutil_labeled_init_script_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
')
')

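Review bot: The new branch in `init_startstop_service` is selected by `distro_gentoo`, while its comment says `# for OpenRC`, so the condition keys on the distribution rather than on the init system in use. The Gentoo branch also leaves out `domain_system_change_exemption($1)`, `role_transition $2 $4 system_r;` and `allow $2 system_r;`, which the other branch keeps. Please extend the comment to say why those three rules are not needed when going through `seutil_labeled_init_script_run_runinit($1, $2, $4)`, so the omission reads as deliberate.
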
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..bcb4330 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`

########################################
## <summary>
+## Execute file in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute file in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of entry file.
+## </summary>
+## </param>
+#
+interface(`seutil_labeled_init_script_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ domain_entry_file(run_init_t, $2)
+ domain_auto_transition_pattern($1, $2, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute init scripts in the run_init domain.
## </summary>
## <desc>
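Review bot: Both `<param>` blocks of `seutil_labeled_init_script_domtrans_runinit` are declared with `name="domain"`, although the second is described as "Type of entry file." and is the `$2` passed to `domain_entry_file(run_init_t, $2)`. Give the second parameter its own name (for example `entry_file`) so the two arguments can be told apart in the interface documentation. The `<summary>` and the first sentence of `<desc>` are also identical; the description could instead state that `$2` becomes an entry point for `run_init_t`, since that is the effect a caller needs to know about.
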
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`

########################################
## <summary>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of init script.
+## </summary>
+## </param>
+#
+interface(`seutil_labeled_init_script_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_labeled_init_script_domtrans_runinit($1, $3)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
## Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
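Review bot: The `<summary>` and `<desc>` of `seutil_labeled_init_script_run_runinit` promise "and use the caller's terminal", but the body only calls `seutil_labeled_init_script_domtrans_runinit($1, $3)` and adds `roleattribute $2 run_init_roles;`, and the helper added in the previous hunk grants only `fd use`, `fifo_file rw_file_perms` and `process sigchld`. Either drop the terminal clause from the documentation or add the terminal access it describes. The third `<param>` also reuses `name="domain"` for what is described as "Type of init script."; a distinct name would match the `role` parameter's style.
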
--
2.3.6


2015-05-27 18:51:31

by cpebenito

Subject: [refpolicy] [PATCH v2] Add openrc support to init_startstop_service

On 5/27/2015 2:01 PM, Jason Zaman wrote:
> Adds the openrc rules in ifdef distro_gentoo to transition
> to run_init correctly.

Merged.


> ---
> policy/modules/system/init.if | 15 +++++---
> policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 85 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index f39437e..94d9761 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -993,11 +993,16 @@ interface(`init_startstop_service',`
> ')
>
> ifndef(`direct_sysadm_daemon',`
> - # rules for sysvinit / upstart
> - init_labeled_script_domtrans($1, $4)
> - domain_system_change_exemption($1)
> - role_transition $2 $4 system_r;
> - allow $2 system_r;
> + ifdef(`distro_gentoo',`
> + # for OpenRC
> + seutil_labeled_init_script_run_runinit($1, $2, $4)
> + ',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> ')
> ')
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 129a6e0..bcb4330 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
>
> ########################################
> ## <summary>
> +## Execute file in the run_init domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute file in the run_init domain.
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of entry file.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_domtrans_runinit',`
> + gen_require(`
> + type run_init_t;
> + ')
> +
> + domain_entry_file(run_init_t, $2)
> + domain_auto_transition_pattern($1, $2, run_init_t)
> +
> + allow run_init_t $1:fd use;
> + allow run_init_t $1:fifo_file rw_file_perms;
> + allow run_init_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> ## Execute init scripts in the run_init domain.
> ## </summary>
> ## <desc>
> @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
>
> ########################################
> ## <summary>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </p>
> +## <p>
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of init script.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_run_runinit',`
> + gen_require(`
> + attribute_role run_init_roles;
> + ')
> +
> + seutil_labeled_init_script_domtrans_runinit($1, $3)
> + roleattribute $2 run_init_roles;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit and use run_init file descriptors.
> ## </summary>
> ## <param name="domain">
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-06-08 11:24:54

by mgrepl

Subject: [refpolicy] [PATCH v2] Add openrc support to init_startstop_service

On 05/27/2015 08:01 PM, Jason Zaman wrote:
> Adds the openrc rules in ifdef distro_gentoo to transition
> to run_init correctly.
> ---
> policy/modules/system/init.if | 15 +++++---
> policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 85 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index f39437e..94d9761 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -993,11 +993,16 @@ interface(`init_startstop_service',`
> ')
>
> ifndef(`direct_sysadm_daemon',`
> - # rules for sysvinit / upstart
> - init_labeled_script_domtrans($1, $4)
> - domain_system_change_exemption($1)
> - role_transition $2 $4 system_r;
> - allow $2 system_r;
> + ifdef(`distro_gentoo',`
> + # for OpenRC
> + seutil_labeled_init_script_run_runinit($1, $2, $4)
> + ',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> ')
> ')
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 129a6e0..bcb4330 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
>
> ########################################
> ## <summary>
> +## Execute file in the run_init domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute file in the run_init domain.
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of entry file.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_domtrans_runinit',`
> + gen_require(`
> + type run_init_t;
> + ')
> +
> + domain_entry_file(run_init_t, $2)
> + domain_auto_transition_pattern($1, $2, run_init_t)
> +
> + allow run_init_t $1:fd use;
> + allow run_init_t $1:fifo_file rw_file_perms;
> + allow run_init_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> ## Execute init scripts in the run_init domain.
> ## </summary>
> ## <desc>
> @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
>
> ########################################
> ## <summary>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </p>
> +## <p>
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of init script.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_run_runinit',`
> + gen_require(`
> + attribute_role run_init_roles;
> + ')
> +
> + seutil_labeled_init_script_domtrans_runinit($1, $3)
> + roleattribute $2 run_init_roles;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit and use run_init file descriptors.
> ## </summary>
> ## <param name="domain">
>

We will apply these changes also in Fedora.

Thinking about systemd integration.

The point is there is foo_unit_file_t type in the game. We call

allow $1 foo_unit_file_t:service manage_service_perms;

interfaces in foo_admin() as a part of foo_systemctl().


--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

2015-06-08 15:33:51

by Jason Zaman

Subject: [refpolicy] [PATCH v2] Add openrc support to init_startstop_service

On Mon, Jun 08, 2015 at 01:24:54PM +0200, Miroslav Grepl wrote:
> On 05/27/2015 08:01 PM, Jason Zaman wrote:
> > Adds the openrc rules in ifdef distro_gentoo to transition
> > to run_init correctly.
> > ---
> > policy/modules/system/init.if | 15 +++++---
> > policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
> > 2 files changed, 85 insertions(+), 5 deletions(-)
> >
> > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> > index f39437e..94d9761 100644
> > --- a/policy/modules/system/init.if
> > +++ b/policy/modules/system/init.if
> > @@ -993,11 +993,16 @@ interface(`init_startstop_service',`
> > ')
> >
> > ifndef(`direct_sysadm_daemon',`
> > - # rules for sysvinit / upstart
> > - init_labeled_script_domtrans($1, $4)
> > - domain_system_change_exemption($1)
> > - role_transition $2 $4 system_r;
> > - allow $2 system_r;
> > + ifdef(`distro_gentoo',`
> > + # for OpenRC
> > + seutil_labeled_init_script_run_runinit($1, $2, $4)
> > + ',`
> > + # rules for sysvinit / upstart
> > + init_labeled_script_domtrans($1, $4)
> > + domain_system_change_exemption($1)
> > + role_transition $2 $4 system_r;
> > + allow $2 system_r;
> > + ')
> > ')
> > ')
> >
> > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> > index 129a6e0..bcb4330 100644
> > --- a/policy/modules/system/selinuxutil.if
> > +++ b/policy/modules/system/selinuxutil.if
> > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
> >
> > ########################################
> > ## <summary>
> > +## Execute file in the run_init domain.
> > +## </summary>
> > +## <desc>
> > +## <p>
> > +## Execute file in the run_init domain.
> > +## This is used for the Gentoo integrated run_init.
> > +## </p>
> > +## </desc>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## Type of entry file.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`seutil_labeled_init_script_domtrans_runinit',`
> > + gen_require(`
> > + type run_init_t;
> > + ')
> > +
> > + domain_entry_file(run_init_t, $2)
> > + domain_auto_transition_pattern($1, $2, run_init_t)
> > +
> > + allow run_init_t $1:fd use;
> > + allow run_init_t $1:fifo_file rw_file_perms;
> > + allow run_init_t $1:process sigchld;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Execute init scripts in the run_init domain.
> > ## </summary>
> > ## <desc>
> > @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
> >
> > ########################################
> > ## <summary>
> > +## Execute specified file in the run_init domain, and
> > +## allow the specified role the run_init domain,
> > +## and use the caller's terminal.
> > +## </summary>
> > +## <desc>
> > +## <p>
> > +## Execute specified file in the run_init domain, and
> > +## allow the specified role the run_init domain,
> > +## and use the caller's terminal.
> > +## </p>
> > +## <p>
> > +## This is used for the Gentoo integrated run_init.
> > +## </p>
> > +## </desc>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## Type of init script.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`seutil_labeled_init_script_run_runinit',`
> > + gen_require(`
> > + attribute_role run_init_roles;
> > + ')
> > +
> > + seutil_labeled_init_script_domtrans_runinit($1, $3)
> > + roleattribute $2 run_init_roles;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Inherit and use run_init file descriptors.
> > ## </summary>
> > ## <param name="domain">
> >
>
> We will apply these changes also in Fedora.
>
> Thinking about systemd integration.
>
> The point is there is foo_unit_file_t type in the game. We call
>
> allow $1 foo_unit_file_t:service manage_service_perms;
>
> interfaces in foo_admin() as a part of foo_systemctl().

That would be great, init_startstop_service has the extra param that
isn't used in the interface, its intention was to be used for systemd.

I don't know enough about systemd to do it, but could you send a patch
that does the allow rules in an ifdef inside init_startstop_service,
then refpol would be closer to supporting systemd too. We get people
asking in Gentoo too once in a while when it will have support.

When I did the change to init_startstop_service the param uses the
domain's type, if systemd uses a foo_unit_file_t then lots of the
_admin interfaces will have to change that too it looks like. I wonder
if that would have to wait till after the basic stuff for systemd is
merged into refpol from Chris' fork.

-- Jason