From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 10 Jan 2011 11:32:41 -0500
Subject: [refpolicy] [PATCH 1/2] udev create lnk files in openrc dirs
In-Reply-To: <1293603610-2195-1-git-send-email-gizmo@giz-works.com>
References: <1293603610-2195-1-git-send-email-gizmo@giz-works.com>
Message-ID: <4D2B34A9.9000602@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/29/10 01:20, Chris Richards wrote:
> When starting and stopping dhcpcd, some scripts are fired off by udev as the
> result of devices being hotplugged (net.eth0).  These scripts update status
> information for openrc, specifically with respect to started or stopoed
> services, as well as information regarding the hotplugged or scheduled state.
> They also need to be able to read information regarding the current runlevel
> of the system, also maintained by openrc.

It seems like the best course of action would actually be to have a
transition to initrc_t if its running init scripts.

> Add interfaces to init.if
> 
> Signed-off-by: Chris Richards <gizmo@giz-works.com>
> ---
>  policy/modules/system/init.if |   43 +++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 43 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index ed152c4..940b91f 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1461,6 +1467,25 @@ interface(`init_getattr_script_status_files',`
>  
>  ########################################
>  ## <summary>
> +##	Read init script status files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_script_status_files',`
> +	gen_require(`
> +		type initrc_state_t;
> +	')
> +
> +	list_dirs_pattern($1, initrc_state_t, initrc_state_t)
> +	read_files_pattern($1, initrc_state_t, initrc_state_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Do not audit attempts to read init script
>  ##	status files.
>  ## </summary>
> @@ -1481,6 +1506,24 @@ interface(`init_dontaudit_read_script_status_files',`
>  
>  ########################################
>  ## <summary>
> +##	Manage init script status link files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_manage_script_status_lnk_files',`
> +	gen_require(`
> +		type initrc_state_t;
> +	')
> +
> +	manage_lnk_files_pattern($1, initrc_state_t, initrc_state_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read init script temporary data.
>  ## </summary>
>  ## <param name="domain">


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com