From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 23 Aug 2011 15:40:44 +0200
Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secundary entry file for initrc_t
In-Reply-To: <20110823133643.GA857@siphos.be>
References: <20110823133643.GA857@siphos.be>
Message-ID: <20110823134044.GD857@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc) for all its functions, be it executing init scripts, managing runlevels, checking state, etc. This binary is not allowed to be labeled initrc_exec_t as that would trigger domain transitions where this isn't necessary (or even allowed). A suggested solution is to use a separate type declaration for /sbin/rc (rc_exec_t) which transitions where necessary. This patch includes support for the /sbin/rc rc_exec_t type and declares the init_rc_exec() interface which allows domains to execute the binary without transitioning.
Signed-off-by: Sven Vermeulen
---
policy/modules/system/init.fc | 2 +-
policy/modules/system/init.if | 23 ++++++++++++++++++++++-
policy/modules/system/init.te | 4 ++++
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 354ce93..c2021e3 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,7 @@ ifdef(`distro_gentoo', `
 /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
 ifdef(`distro_gentoo', `
-/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
 /sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 94fd8dd..b8b3337 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -455,6 +455,26 @@ interface(`init_exec',`
 ########################################
 ##
+## Execute the rc program in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_rc_exec',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rc_exec_t)
+')
+
+########################################
+##
 ## Get the process group of init.
 ##
@@ -800,11 +820,12 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
 gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t, initrc_exec_t, rc_exec_t;
 ')
 files_list_etc($1)
 domtrans_pattern($1, initrc_exec_t, initrc_t)
+ domtrans_pattern($1, rc_exec_t, initrc_t)
 ifdef(`enable_mcs',`
 range_transition $1 initrc_exec_t:process s0;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 157e844..00586c6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -56,8 +56,10 @@ mls_trusted_object(initctl_t)
 type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
 type initrc_exec_t, init_script_file_type;
+type rc_exec_t;
 domain_type(initrc_t)
 domain_entry_file(initrc_t, initrc_exec_t)
+domain_entry_file(initrc_t, rc_exec_t)
 role system_r types initrc_t;
 # should be part of the true block
 # of the below init_upstart tunable
@@ -381,6 +383,8 @@ auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 auth_use_nsswitch(initrc_t)
+init_rc_exec(initrc_t)
+
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
 libs_exec_ld_so(initrc_t)
--
1.7.3.4
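Review bot: The summary of the new `init_rc_exec` interface does not say what makes it different from the other init script interfaces: `can_exec($1, rc_exec_t)` grants execute_no_trans and no type transition is added, so the caller keeps its own domain, and a reader will otherwise reach for it expecting initrc_t. Suggested summary: `## Execute openrc's /sbin/rc (rc_exec_t) in the caller domain, with no transition to initrc_t; use init_domtrans_script() when the transition is wanted.` It is also worth a line in the same comment that the rc_exec_t file context is only assigned under distro_gentoo (see the init.fc hunk), so on other distributions this interface presumably grants access to nothing.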
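Review bot: The added `domtrans_pattern($1, rc_exec_t, initrc_t)` has no matching range_transition: the `ifdef(`enable_mcs',` block right after it still carries only `range_transition $1 initrc_exec_t:process s0;`, so a transition through /sbin/rc keeps the caller's range while the initrc_exec_t path is reset to s0; the enable_mls block, which I expect follows outside this hunk, will have the same gap. Add `range_transition $1 rc_exec_t:process s0;` beside the existing line in each block. If `init_spec_domtrans_script`, named in the hunk header but unchanged here, is meant to reach /sbin/rc too, it needs the same domtrans_pattern and range_transition additions. The body of init_domtrans_script continues past the end of this hunk.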
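Review bot: `type rc_exec_t;` is declared bare while `initrc_exec_t` on the line above carries `init_script_file_type`, so rc_exec_t is excluded from whatever is keyed on that attribute; given the cover letter's aim of avoiding unnecessary transitions this looks deliberate, but the asymmetry reads like an omission and will be "fixed" by a later patch unless recorded. Suggested comment above the declaration: `# openrc's /sbin/rc: an entry point for initrc_t, but deliberately not init_script_file_type so the init-script file interfaces do not apply to it.` The same comment could note that the type is declared unconditionally while its file context in init.fc is gentoo-only, so interfaces referencing it resolve on every distribution.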
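Review bot: `init_rc_exec(initrc_t)` has init.te calling an interface of its own module; refpolicy convention, as I recall it, is that a module writes direct rules for its own types rather than calling its own interfaces, so this should be `can_exec(initrc_t, rc_exec_t)` in the initrc_t local policy, plus `corecmd_search_bin(initrc_t)` only if that is not already granted elsewhere in the file, which is not visible here. The initrc_t rules block this line sits in starts well before the hunk.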