From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 14 Jan 2014 08:56:37 -0500 Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc In-Reply-To: <1386691021.18689.75.camel@d30> References: <1386691021.18689.75.camel@d30> Message-ID: <52D54215.3040707@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/10/13 10:57, Dominick Grift wrote: > I have not tested this yet and it is a theory > > I was not there when that type attribute was implemented so i do not > know the rationale behind the decision to implement it. > > Would be nice if anyone could shed some light on that and would be even > better if this fix is acknowledged It seems like it would probably work, but definitely needs to be tested. >> From fc51afbd178dd6321f51d54939e73b1a94172fb9 Tue, 10 Dec 2013 16:53:08 +0100 >> From: Dominick Grift >> Date: Tue, 10 Dec 2013 16:51:46 +0100 >> Subject: [PATCH] Get rid of direct_init_entry: >> >> >> This thing breaks direct_initrc >> >> This type attribute was associated to domain entry files and used for >> role transitions to system_r >> >> The transition shouldnt happem on the domain entry file though it should >> happen on the init script executable files >> >> This was breaking direct_initrc because some executables can be run as >> system service and session service. By using the domain entry file init >> the init_daemon_domain interface and associating direct init entry with >> it and using direct init entry for the role transitions you force >> daemons to use system_r whether they are system or session daemon. >> >> >> >> >> Signed-off-by: Dominick Grift >> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if >> index 79a45f6..5a7df5e 100644 >> --- a/policy/modules/system/init.if >> +++ b/policy/modules/system/init.if >> @@ -191,7 +191,7 @@ >> # >> interface(`init_daemon_domain',` >> gen_require(` >> - attribute direct_run_init, direct_init, direct_init_entry; >> + attribute direct_run_init, direct_init; >> type initrc_t; >> role system_r; >> attribute daemon; >> @@ -220,7 +220,6 @@ >> allow direct_run_init $1:process { noatsecure siginh rlimitinh }; >> >> typeattribute $1 direct_init; >> - typeattribute $2 direct_init_entry; >> >> userdom_dontaudit_use_user_terminals($1) >> ') >> @@ -982,12 +981,12 @@ >> # >> interface(`init_run_daemon',` >> gen_require(` >> - attribute direct_run_init, direct_init, direct_init_entry; >> + attribute direct_run_init, init_script_file_type; >> role system_r; >> ') >> >> typeattribute $1 direct_run_init; >> - role_transition $2 direct_init_entry system_r; >> + role_transition $2 init_script_file_type system_r; >> ') >> >> ######################################## >> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te >> index d9d9f5d..116e37a 100644 >> --- a/policy/modules/system/init.te >> +++ b/policy/modules/system/init.te >> @@ -27,7 +27,6 @@ >> # by admin domains >> attribute direct_run_init; >> attribute direct_init; >> -attribute direct_init_entry; >> >> attribute init_script_domain_type; >> attribute init_script_file_type; > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com