From: errno13@gmail.com (Dominick Grift) Date: Sat, 7 Dec 2013 20:19:55 +0100 Subject: [refpolicy] [PATCH 3/5] init: in redhat derived distributions the kernel (systemd) dynamically transitions to init Message-ID: <20131207191952.GA19217@d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I used the kernel_dyntrans_to() to stay consistent with the kernel_domtrans_to. I am not sure why this was done this way init: systemd wants to block suspend in distro_redhat Signed-off-by: Dominick Grift --- policy/modules/kernel/kernel.if | 53 +++++++++++++++++++++++++++++++++++++++++ policy/modules/system/init.fc | 2 ++ policy/modules/system/init.te | 23 ++++++++++++++++++ 3 files changed, 78 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index e100d88..15cd2a2 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -32,6 +32,25 @@ interface(`kernel_domtrans_to',` ######################################## ## +## Start userland processes by dynamically +## transitioning to the specified domain. +## +## +## +## The process type entered by kernel. +## +## +# +interface(`kernel_dyntrans_to',` + gen_require(` + type kernel_t; + ') + + dyntrans_pattern(kernel_t, $1) +') + +######################################## +## ## Allows to start userland processes ## by transitioning to the specified domain, ## with a range transition. @@ -71,6 +90,40 @@ interface(`kernel_ranged_domtrans_to',` ######################################## ## +## Start userland processes by dynamically +## transitioning to the specified domain, +## with a range transition. +## +## +## +## The process type entered by kernel. +## +## +## +## +## Range for the domain. +## +## +# +interface(`kernel_ranged_dyntrans_to',` + gen_require(` + type kernel_t; + ') + + kernel_dyntrans_to($1) + + ifdef(`enable_mcs',` + range_transition kernel_t $1:process $2; + ') + + ifdef(`enable_mls',` + range_transition kernel_t $1:process $2; + mls_rangetrans_target($1) + ') +') + +######################################## +## ## Allows the kernel to mount filesystems on ## the specified directory type. ## diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index bc0ffc8..71314a7 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -42,6 +42,8 @@ ifdef(`distro_gentoo', ` # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 17eda24..d9d9f5d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,13 @@ gen_require(` ## gen_tunable(init_upstart, false) +## +##

+## Enable support for systemd as the init program. +##

+## +gen_tunable(init_systemd, false) + # used for direct running of init scripts # by admin domains attribute direct_run_init; @@ -88,10 +95,22 @@ ifdef(`distro_gentoo',` domain_entry_file(initrc_t, rc_exec_t) ') +ifdef(`distro_redhat',` + tunable_policy(`init_systemd',` + kernel_dyntrans_to(init_t) + ') +') + ifdef(`enable_mls',` kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh) ') +ifdef(`enable_mls && distro_redhat',` + tunable_policy(`init_systemd',` + kernel_ranged_dyntrans_to(init_t, s0 - mls_systemhigh) + ') +') + ######################################## # # Init local policy @@ -189,6 +208,10 @@ ifdef(`distro_redhat',` fs_read_tmpfs_symlinks(init_t) fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) + + tunable_policy(`init_systemd',` + allow init_t self:capability2 block_suspend; + ') ') tunable_policy(`init_upstart',` -- 1.8.4.2