From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 25 Aug 2011 07:40:23 -0400
Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secondary entry file for initrc_t
In-Reply-To: <20110823134044.GD857@siphos.be>
References: <20110823133643.GA857@siphos.be> <20110823134044.GD857@siphos.be>
Message-ID: <4E5634A7.5060102@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/23/11 09:40, Sven Vermeulen wrote:
> Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc) for all
> its functions, be it executing init scripts, managing runlevels, checking state,
> etc. This binary is not allowed to be labeled initrc_exec_t as that would
> trigger domain transitions where this isn't necessary (or even allowed).
>
> A suggested solution is to use a separate type declaration for /sbin/rc
> (rc_exec_t) which transitions where necessary.
>
> This patch includes support for the /sbin/rc rc_exec_t type and declares
> the init_rc_exec() interface which allows domains to execute the binary
> without transitioning.

I think the overall implementation is fine, except everything in this patch should be in distro_gentoo blocks, except for the init_rc_exec() implementation.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/system/init.fc | 2 +-
> policy/modules/system/init.if | 23 ++++++++++++++++++++++-
> policy/modules/system/init.te | 4 ++++
> 3 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index 354ce93..c2021e3 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -38,7 +38,7 @@ ifdef(`distro_gentoo', ` > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) > > ifdef(`distro_gentoo', ` > -/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) > +/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) > /sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0) > /sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) > /sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 94fd8dd..b8b3337 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -455,6 +455,26 @@ interface(`init_exec',` > > ######################################## > ## > +## Execute the rc program in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`init_rc_exec',` > + gen_require(` > + type rc_exec_t; > + ') > + > + corecmd_search_bin($1) > + can_exec($1, rc_exec_t) > +') > + > +######################################## > +## > ## Get the process group of init. > ## > ## > @@ -800,11 +820,12 @@ interface(`init_spec_domtrans_script',` > # > interface(`init_domtrans_script',` > gen_require(` > - type initrc_t, initrc_exec_t; > + type initrc_t, initrc_exec_t, rc_exec_t; > ') > > files_list_etc($1) > domtrans_pattern($1, initrc_exec_t, initrc_t) > + domtrans_pattern($1, rc_exec_t, initrc_t) > > ifdef(`enable_mcs',` > range_transition $1 initrc_exec_t:process s0; > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index 157e844..00586c6 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te 
> @@ -56,8 +56,10 @@ mls_trusted_object(initctl_t) > > type initrc_t, init_script_domain_type, init_run_all_scripts_domain; > type initrc_exec_t, init_script_file_type; > +type rc_exec_t; > domain_type(initrc_t) > domain_entry_file(initrc_t, initrc_exec_t) > +domain_entry_file(initrc_t, rc_exec_t) > role system_r types initrc_t; > # should be part of the true block > # of the below init_upstart tunable > @@ -381,6 +383,8 @@ auth_delete_pam_pid(initrc_t) > auth_delete_pam_console_data(initrc_t) > auth_use_nsswitch(initrc_t) > > +init_rc_exec(initrc_t) > + > libs_rw_ld_so_cache(initrc_t) > libs_exec_lib_files(initrc_t) > libs_exec_ld_so(initrc_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
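Review bot: the init.fc hunk (`@@ -38,7 +38,7 @@ ifdef(`distro_gentoo', `) already sits inside the distro_gentoo block shown in its header, so the relabel of /sbin/rc from initrc_exec_t to rc_exec_t needs no further conditional; it only requires that the rc_exec_t declaration it references be built under the same condition in init.te, otherwise the file context refers to a type that does not exist on non-Gentoo builds.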
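Review bot: in the init.if hunk adding init_rc_exec() (`@@ -455,6 +455,26 @@`), the interface itself can stay unconditional as the reply suggests, but its `gen_require(` type rc_exec_t; ')` only resolves where rc_exec_t is declared, so once that declaration moves into a distro_gentoo block in init.te, every caller outside init.te must wrap the call in ifdef(`distro_gentoo', ...) or the build fails on other distributions. Stating that in the interface description (`## Execute the rc program in the caller domain.`) would make the Gentoo-only nature of the interface visible to callers.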
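Review bot: the init_domtrans_script hunk (`@@ -800,11 +820,12 @@`) adds rc_exec_t to the existing require (`type initrc_t, initrc_exec_t, rc_exec_t;`) and the new `domtrans_pattern($1, rc_exec_t, initrc_t)` unconditionally; in line with the reply, both should move into an ifdef(`distro_gentoo', ...) block with their own gen_require, so the unchanged initrc_exec_t path keeps working where rc_exec_t is not declared. Separately, the unchanged context `range_transition $1 initrc_exec_t:process s0;` under enable_mcs is not extended to rc_exec_t, so on MCS-enabled builds a transition through /sbin/rc would not receive the same range as one through initrc_exec_t; add the matching range_transition for rc_exec_t in the same conditional.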
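Review bot: `type rc_exec_t;` and `domain_entry_file(initrc_t, rc_exec_t)` in the first init.te hunk (`@@ -56,8 +56,10 @@`) are the declarations the reply asks to place in a distro_gentoo block. Note that rc_exec_t deliberately does not receive init_script_file_type, unlike initrc_exec_t on the line above; since that attribute is what drives the automatic init-script transitions the cover letter wants to avoid for /sbin/rc, a one-line comment next to the declaration explaining the omission would stop a later cleanup from "fixing" it.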
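Review bot: `init_rc_exec(initrc_t)` in the second init.te hunk (`@@ -381,6 +383,8 @@`) has init.te calling one of its own interfaces; refpolicy convention is for a module to write its own rules directly, so this should be `can_exec(initrc_t, rc_exec_t)` (the corecmd_search_bin part is already covered for initrc_t elsewhere in the module or can be added directly), and per the reply it belongs in the same distro_gentoo block as the type declaration rather than as an unconditional rule.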