From: errno13@gmail.com (Dominick Grift)
Date: Sat, 7 Dec 2013 20:21:04 +0100
Subject: [refpolicy] [PATCH 5/5] Make direct_sysadm_daemon apply to unconfined_t
Message-ID: <20131207192102.GA19262@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Currently init_run_daemon is called unconditionally for unconfined_t. Yet unconfined_u is not associated with system_r. It is also a little inconsistent do make unconfined_t automatically transition to initrc by default because first of all its an oxomoron in that unconfined_t should be unrestricted in essence, and second of all why would direct_sysadm_daemon apply to only sysadm_t and not unconfined_t

If distribution maintainers want general purpose administrators (sysadm_t, unconfined_t) to automatically domain transition to init script domains then they can toggle "direct_sysadm_daemon", else their users need to use run_init

This only applies to init_run_daemon so it might not change anything for Gentoo and their openrc solution.

Signed-off-by: Dominick Grift 
---
 policy/modules/system/unconfined.te | 14 ++++++++++----
 policy/users                        |  6 +++++-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 667f2a0..ee90fc0 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,8 +33,6 @@ files_create_boot_flag(unconfined_t)
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 
-init_run_daemon(unconfined_t, unconfined_r)
-
 libs_run_ldconfig(unconfined_t, unconfined_r)
 logging_send_syslog_msg(unconfined_t)
 
@@ -49,9 +47,17 @@ unconfined_domain(unconfined_t)
 
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
+ifdef(`direct_sysadm_daemon',`
+	optional_policy(`
+		init_run_daemon(unconfined_t, unconfined_r)
+	')
+')
+
 ifdef(`distro_gentoo',`
-	seutil_run_runinit(unconfined_t, unconfined_r)
-	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+	optional_policy(`
+		seutil_run_runinit(unconfined_t, unconfined_r)
+		seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+	')
 ')
 
 optional_policy(`
diff --git a/policy/users b/policy/users
index c4ebc7e..5db8cf4 100644
--- a/policy/users
+++ b/policy/users
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+	gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+	gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
 
 #
 # The following users correspond to Unix identities.
-- 
1.8.4.2
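Review bot: The new `optional_policy(`...')` around `init_run_daemon(unconfined_t, unconfined_r)` changes more than the commit message describes: in the first hunk the same call was unconditional, so if `init` is built as a base module the wrapper is a no-op, and if it is loadable the wrapper makes a missing module silently drop the rule instead of failing the link, which is a behavioural change worth stating. The same `optional_policy` rewrap of the `distro_gentoo` runinit calls is unrelated to direct_sysadm_daemon and would be easier to review as its own commit. Because this `ifdef(`direct_sysadm_daemon'` only has the intended effect together with the matching `ifdef` in policy/users that adds system_r to unconfined_u, a comment tying the two together would help keep them in sync, e.g. `# unconfined_u is only authorized for system_r when direct_sysadm_daemon is set; see policy/users`.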
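Review bot: The two `gen_user(unconfined_u, ...)` lines differ only in the role list, and the file's own convention, visible in the `gen_user(staff_u, ...)` context line that embeds `ifdef(`enable_mls',`...')` inside the role list, would collapse them to one line: `gen_user(unconfined_u, unconfined, unconfined_r ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - mls_systemhigh, mcs_allcats)`. That removes the risk of the two copies drifting apart in the level and category fields later. On the authorization side, the added system_r is what makes the initrc transition valid for unconfined_u when direct_sysadm_daemon is set; if the Gentoo run_init route kept in unconfined.te also ends in system_r, unconfined_u still lacks that role in the default branch, which is worth confirming before merging.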