From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat,  9 Nov 2013 10:44:58 +0100
Subject: [refpolicy] [PATCH 17/39] init: This should make transitions to
	init_script_domains() work for direct_sysadm_daemon
In-Reply-To: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <1383990320-3340-17-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/system/init.if | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 79a45f6..bc49474 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -67,7 +67,8 @@ interface(`init_script_file',`
 interface(`init_script_domain',`
 	gen_require(`
 		attribute init_script_domain_type, init_script_file_type;
-		attribute init_run_all_scripts_domain;
+		attribute init_run_all_scripts_domain, direct_init, direct_init_entry;
+		attribute direct_run_init;
 	')
 
 	typeattribute $1 init_script_domain_type;
@@ -77,6 +78,16 @@ interface(`init_script_domain',`
 	domain_entry_file($1, $2)
 
 	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+
+	ifdef(`direct_sysadm_daemon',`
+		domtrans_pattern(direct_run_init, $2, $1)
+		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+
+		typeattribute $1 direct_init;
+		typeattribute $2 direct_init_entry;
+
+		userdom_dontaudit_use_user_terminals($1)
+	')
 ')
 
 ########################################
-- 
1.8.3.1