From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 3 Sep 2011 16:19:27 +0200 Subject: [refpolicy] [PATCHv2 1/8] Introduce rc_exec_t as file entry for initrc_t In-Reply-To: <20110903141833.GA25374@siphos.be> References: <20110903141833.GA25374@siphos.be> Message-ID: <20110903141927.GB25374@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc) for all its functions, be it executing init scripts, managing runlevels, checking state, etc. This binary is not allowed to be labeled initrc_exec_t as that would trigger domain transitions where this isn't necessary (or even allowed). A suggested solution is to use a separate type declaration for /sbin/rc (rc_exec_t) which transitions where necessary. This patch includes support for the /sbin/rc rc_exec_t type and declares the init_rc_exec() interface which allows domains to execute the binary without transitioning. Signed-off-by: Sven Vermeulen --- policy/modules/system/init.fc | 2 +- policy/modules/system/init.if | 37 +++++++++++++++++++++++++++++++++++++ policy/modules/system/init.te | 8 ++++++++ 3 files changed, 46 insertions(+), 1 deletions(-) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 354ce93..c2021e3 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -38,7 +38,7 @@ ifdef(`distro_gentoo', ` /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ifdef(`distro_gentoo', ` -/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) /sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0) /sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) /sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 94fd8dd..8d45ef7 100644 --- a/policy/modules/system/init.if 
+++ b/policy/modules/system/init.if @@ -455,6 +455,36 @@ interface(`init_exec',` ######################################## ## +## Execute the rc application in the caller domain. +## +## +##

+## This is only applicable to Gentoo or distributions that use the OpenRC +## init system. +##

+##

+## The OpenRC /sbin/rc binary is used for both init scripts as well as +## management applications and tools. When used for management purposes, +## calling /sbin/rc should never cause a transition to initrc_t. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`init_rc_exec',` + gen_require(` + type rc_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rc_exec_t) +') + +######################################## +## ## Get the process group of init. ## ## @@ -779,6 +809,13 @@ interface(`init_spec_domtrans_script',` files_list_etc($1) spec_domtrans_pattern($1, initrc_exec_t, initrc_t) + ifdef(`distro_gentoo',` + gen_require(` + type rc_exec_t; + ') + domtrans_pattern($1, rc_exec_t, initrc_t) + ') + ifdef(`enable_mcs',` range_transition $1 initrc_exec_t:process s0; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 157e844..585a77e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -77,10 +77,16 @@ files_tmp_file(initrc_tmp_t) type initrc_var_run_t; files_pid_file(initrc_var_run_t) +ifdef(`distro_gentoo',` + type rc_exec_t; + domain_entry_file(initrc_t, rc_exec_t) +') + ifdef(`enable_mls',` kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh) ') + ######################################## # # Init local policy @@ -170,6 +176,8 @@ miscfiles_read_localization(init_t) ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; + + init_rc_exec(initrc_t) ') ifdef(`distro_redhat',` -- 1.7.3.4
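Review bot: `init_rc_exec` does `gen_require(` type rc_exec_t; ')` with no guard, but rc_exec_t is declared only inside `ifdef(`distro_gentoo',` in the first init.te hunk, so any future caller of this interface that is not itself inside a distro_gentoo block will break the build of every non-Gentoo policy. The second init.if hunk, in init_spec_domtrans_script, already wraps the same require in `ifdef(`distro_gentoo',`, so the two new uses of rc_exec_t in this patch are inconsistent with each other. The only caller the patch adds, `init_rc_exec(initrc_t)` in init.te, sits inside a distro_gentoo block, so the patch builds as is; the hazard is left for the next caller. Either wrap the body of init_rc_exec in the same ifdef, or make the description explicit that the caller must guard it, e.g. `## Callers must wrap this call in ifdef(`distro_gentoo',`...') as rc_exec_t only exists on Gentoo builds.` — the current "only applicable to Gentoo" wording does not say which.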
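Review bot: The new `domtrans_pattern($1, rc_exec_t, initrc_t)` has no counterpart in the `ifdef(`enable_mcs',` block that follows, which still only does `range_transition $1 initrc_exec_t:process s0;`, so on MCS builds (and presumably MLS, whose block lies past the end of the hunk) a transition into initrc_t through /sbin/rc keeps the caller's range instead of being reset to s0 the way the initrc_exec_t path is. Adding `range_transition $1 rc_exec_t:process s0;` under the same enable_mcs/enable_mls guards inside the new distro_gentoo block keeps the two entry points equivalent. Separately, the Gentoo branch uses `domtrans_pattern` (automatic transition) while the rest of this interface uses `spec_domtrans_pattern` (explicit transition only); if an automatic transition is intended for /sbin/rc here, a one-line comment saying why would stop the next reader from treating it as a copy-paste slip. The end of init_spec_domtrans_script is outside the hunk.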
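Review bot: A stray empty line is inserted between the `ifdef(`enable_mls',` block and the `Init local policy` banner; it is unrelated to the rc_exec_t change and should be dropped to keep the diff minimal. On the declaration itself, `domain_entry_file(initrc_t, rc_exec_t)` makes /sbin/rc an entry point for initrc_t but nothing else is applied to the type, so it is worth confirming whether rc_exec_t should also carry whatever attributes initrc_exec_t is given elsewhere in this file (outside the hunk), since interfaces keyed on those attributes will not see /sbin/rc. A brief comment above the type, e.g. `# /sbin/rc: OpenRC entry point for initrc_t that must also be runnable without a transition`, would record the design choice described in the commit message in the policy itself.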
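Review bot: `init_rc_exec(initrc_t)` is an initrc_t rule but it is placed in the init_t local policy section, inside the distro_gentoo block that holds `allow init_t self:process { getcap setcap };`; initrc_t rules belong in the init script local policy section further down the file (outside this hunk), presumably in its own distro_gentoo block, so a reader looking for initrc_t's permissions will not find this one. If I recall the refpolicy convention correctly, a module also does not call its own interfaces from its .te, so the direct form `corecmd_search_bin(initrc_t)` and `can_exec(initrc_t, rc_exec_t)` would be preferred there. A why-comment such as `# init scripts call /sbin/rc (e.g. rc-service, rc-status) without leaving initrc_t` would explain the grant, as the commit message does but the policy does not.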