From: jason@perfinion.com (Jason Zaman) Date: Mon, 25 May 2015 14:02:45 +0400 Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service Message-ID: <1432548165-19277-1-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Adds the openrc rules in ifdef distro_gentoo to transition to run_init correctly.
---
 policy/modules/system/init.if | 14 ++++---
 policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 5 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f39437e..29c9955 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -993,11 +993,15 @@ interface(`init_startstop_service',`
 ')
 ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
+ ifdef(`distro_gentoo',`
+ seutil_spec_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
 ')
 ')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
 ########################################
 ##
+## Execute file in the run_init domain.
+##
+##
+##
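Review bot: In the `init.if` hunk the new `distro_gentoo` branch of `init_startstop_service` carries no comment explaining why `domain_system_change_exemption($1)`, `role_transition $2 $4 system_r;` and `allow $2 system_r;` are not needed there, while the else branch keeps its `# rules for sysvinit / upstart` label. Going by the `selinuxutil.if` hunks in this patch, the Gentoo path instead moves `$1` into `run_init_t` when it executes `$4` and adds `$2` to `run_init_roles`, which is a different privilege path and should be stated next to the call, for example `# rules for openrc: $1 enters run_init_t on executing $4, $2 joins run_init_roles`. `distro_gentoo` is presumably a build-wide flag, so it is worth confirming that no Gentoo configuration still depends on the sysvinit rules that this branch now excludes. The interface begins before the hunk, so anything above the `ifndef` is not visible here.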

+## Execute file in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Type of entry file.
+##
+##
+#
+interface(`seutil_spec_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ domain_entry_file(run_init_t, $2)
+ domain_auto_transition_pattern($1, $2, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+##
 ## Execute init scripts in the run_init domain.
 ##
 ##
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
 ########################################
 ##
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+##
+##
+##
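Review bot: `domain_entry_file(run_init_t, $2)` in `seutil_spec_domtrans_runinit` makes whatever type the caller passes an entrypoint of `run_init_t`, and the doc block does not say so. Because the `init.if` hunk routes `$4` of `init_startstop_service` through this path, every service script type used there becomes a way into `run_init_t`, so that domain's integrity depends on who may write or relabel those files. The parameter text should state the constraint, for example `## Type of entry file; must be an init script type, because it becomes an entrypoint for run_init_t.` The description could also note that the transition is automatic for `$1` via `domain_auto_transition_pattern`, so callers know that executing such a file always leaves their own domain.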

+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+##

+##

+## This is used for the Gentoo integrated run_init.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## Type of init script.
+##
+##
+#
+interface(`seutil_spec_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_spec_domtrans_runinit($1, $3)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+##
 ## Inherit and use run_init file descriptors.
 ##
 ##
--
2.3.6
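Review bot: The summary and description of `seutil_spec_run_runinit` promise "and use the caller's terminal", but the body only calls `seutil_spec_domtrans_runinit($1, $3)` and runs `roleattribute $2 run_init_roles;`, so no terminal rule is visible in this hunk. Either the wording was carried over from another interface or the access is granted elsewhere through `run_init_t`, which cannot be confirmed from this patch. Unless a terminal rule is added, the text should read `## Execute specified file in the run_init domain, and allow the specified role the run_init domain.` so that policy authors do not assume access the interface does not grant. The role parameter could also say that `$2` is added to `run_init_roles`, since that is the privilege-granting step.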