From: jason@perfinion.com (Jason Zaman)
Date: Mon, 25 May 2015 14:02:45 +0400
Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service
Message-ID: <1432548165-19277-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
---
 policy/modules/system/init.if        | 14 ++++---
 policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f39437e..29c9955 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -993,11 +993,15 @@ interface(`init_startstop_service',`
 	')
 
 	ifndef(`direct_sysadm_daemon',`
-		# rules for sysvinit / upstart
-		init_labeled_script_domtrans($1, $4)
-		domain_system_change_exemption($1)
-		role_transition $2 $4 system_r;
-		allow $2 system_r;
+		ifdef(`distro_gentoo',`
+			seutil_spec_run_runinit($1, $2, $4)
+		',`
+			# rules for sysvinit / upstart
+			init_labeled_script_domtrans($1, $4)
+			domain_system_change_exemption($1)
+			role_transition $2 $4 system_r;
+			allow $2 system_r;
+		')
 	')
 ')
 
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
 
 ########################################
 ## <summary>
+##	Execute file in the run_init domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute file in the run_init domain.
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of entry file.
+##	</summary>
+## </param>
+#
+interface(`seutil_spec_domtrans_runinit',`
+	gen_require(`
+		type run_init_t;
+	')
+
+	domain_entry_file(run_init_t, $2)
+	domain_auto_transition_pattern($1, $2, run_init_t)
+
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute init scripts in the run_init domain.
 ## </summary>
 ## <desc>
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
 
 ########################################
 ## <summary>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </summary>
+## <desc>
+##	<p>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+##	</p>
+##	<p>
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of init script.
+##	</summary>
+## </param>
+#
+interface(`seutil_spec_run_runinit',`
+	gen_require(`
+		attribute_role run_init_roles;
+	')
+
+	seutil_spec_domtrans_runinit($1, $3)
+	roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
 ##	Inherit and use run_init file descriptors.
 ## </summary>
 ## <param name="domain">
-- 
2.3.6


