From: jason@perfinion.com (Jason Zaman)
Date: Wed, 27 May 2015 21:51:45 +0400
Subject: [refpolicy] [PATCH] Add openrc support to init_startstop_service
In-Reply-To: <5565FFF7.5090400@tresys.com>
References: <1432548165-19277-1-git-send-email-jason@perfinion.com> <5565F552.2070007@tresys.com> <5565FFF7.5090400@tresys.com>
Message-ID: <20150527175145.GA13460@meriadoc.Home>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, May 27, 2015 at 01:33:43PM -0400, Christopher J. PeBenito wrote:
> On 5/27/2015 1:22 PM, Jason Zaman wrote:
> >
> > On 27 May 2015 20:48, "Christopher J. PeBenito" wrote:
> >>
> >> On 5/25/2015 6:02 AM, Jason Zaman wrote:
> >> > Adds the openrc rules in ifdef distro_gentoo to transition
> >> > to run_init correctly.
> >>
> >> I'm fine with this set except one note below.
> >>
> >> > --- > >> > policy/modules/system/init.if | 14 ++++--- > >> > policy/modules/system/selinuxutil.if | 75 > > ++++++++++++++++++++++++++++++++++++ > >> > 2 files changed, 84 insertions(+), 5 deletions(-) > >> > > >> > diff --git a/policy/modules/system/init.if > > b/policy/modules/system/init.if > >> > index f39437e..29c9955 100644 > >> > --- a/policy/modules/system/init.if > >> > +++ b/policy/modules/system/init.if > >> > @@ -993,11 +993,15 @@ interface(`init_startstop_service',` > >> > ') > >> > > >> > ifndef(`direct_sysadm_daemon',` > >> > - # rules for sysvinit / upstart > >> > - init_labeled_script_domtrans($1, $4) > >> > - domain_system_change_exemption($1) > >> > - role_transition $2 $4 system_r; > >> > - allow $2 system_r; > >> > + ifdef(`distro_gentoo',` > >> > + seutil_spec_run_runinit($1, $2, $4) > >> > + ',` > >> > + # rules for sysvinit / upstart > >> > + init_labeled_script_domtrans($1, $4) > >> > + domain_system_change_exemption($1) > >> > + role_transition $2 $4 system_r; > >> > + allow $2 system_r; > >> > + ') > >> > ') > >> > ') 
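Review bot: in the distro_gentoo branch of the init_startstop_service hunk, the single call `seutil_spec_run_runinit($1, $2, $4)` stands in for four rules, including `domain_system_change_exemption($1)` and the `role_transition $2 $4 system_r; allow $2 system_r;` pair, so the role side of the transition now rests entirely on that wrapper; the selinuxutil.if part of the patch quoted in this thread shows only `seutil_spec_domtrans_runinit`, not the `_run_` variant this caller uses, so please confirm in the full patch that the wrapper lets role `$2` reach run_init_t (and whatever role change the Gentoo run_init path needs), since nothing in this hunk grants it. Once the domtrans interface is renamed per the naming discussion, this caller needs the matching rename too.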
> >> > > >> > diff --git a/policy/modules/system/selinuxutil.if > > b/policy/modules/system/selinuxutil.if > >> > index 129a6e0..e69f279 100644 > >> > --- a/policy/modules/system/selinuxutil.if > >> > +++ b/policy/modules/system/selinuxutil.if > >> > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',` > >> > > >> > ######################################## > >> > ## > >> > +## Execute file in the run_init domain. > >> > +## > >> > +## > >> > +##

> >> > +## Execute file in the run_init domain. > >> > +## This is used for the Gentoo integrated run_init. > >> > +##

> >> > +##
> >> > +## > >> > +## > >> > +## Domain allowed to transition. > >> > +## > >> > +## > >> > +## > >> > +## > >> > +## Type of entry file. > >> > +## > >> > +## > >> > +# > >> > +interface(`seutil_spec_domtrans_runinit',`
> >>
> >> "spec" means setexeccon(), instead of type_transition, so this should
> >> drop the "spec" from the name. Same thing in the caller below.
> >>
> >
> > Oh, I always thought it meant specified.
>
> That is what my intent was, except that I meant the parent domain
> specified what the transition was via setexec. Perhaps we should change
> "spec" to "setexec" to make it clear.

Ah, I understand now.

> > But I can't drop _spec because seutil_domtrans_runinit() already exists
> > for plain initrc_exec_t.
> > This new interface is basically one that can take the foo_initrc_exec_t
> > as a param.
> >
> > Suggestions? seutil_prefixed_domtrans_runinit()?
>
> It should probably be something like
> seutil_labeled_init_script_domtrans_runinit(), but that's really long.
> I'm not sure what to do to get that down to something reasonable.

That's good enough, I'll send a new version in a bit. It's long, but at least it's clear, and it's not used much, so it's not terrible.

-- 
Jason
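Review bot: the doc block for `seutil_spec_domtrans_runinit` in the selinuxutil.if hunk uses the summary line ("Execute file in the run_init domain.") again as the description, and neither says what distinguishes this interface from the existing `seutil_domtrans_runinit`: that the entry file type is a parameter (a per-service initrc exec type rather than plain initrc_exec_t) and that run_init, not a type_transition, selects the service domain via setexec. Put that in the description, since that distinction is the whole reason the interface exists and is what the naming discussion turns on. The quoted hunk also stops at the `interface(...` line, so the body (the actual transition rules) is not reviewable from this excerpt and needs a look in the full patch.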
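As an added illustration, not code from this patch or from refpolicy, this is the shape a pair of interfaces could take under the name proposed in the thread: a domtrans interface whose entry file type is a parameter (so a service's own initrc exec type can be passed, as Jason describes), and a run wrapper with the (domain, role, entry type) argument order the init.if caller uses. The gen_require contents, the role rule, and the use of refpolicy's domtrans_pattern macro are assumptions about how the run_init module is laid out, not quoted from the patch.

```m4
########################################
## <summary>
##	Execute a labeled init script in the run_init domain.
##	The target service domain is not chosen by a type_transition
##	here; run_init_t selects it itself via setexeccon(), which is
##	why the entry file type is a parameter rather than being fixed
##	to initrc_exec_t as in seutil_domtrans_runinit().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="init_script_type">
##	<summary>
##	Type of the entry file (for example a service's foo_initrc_exec_t).
##	</summary>
## </param>
#
interface(`seutil_labeled_init_script_domtrans_runinit',`
	gen_require(`
		type run_init_t;
	')

	# Assumed: domtrans_pattern expands to the execute, transition and
	# entrypoint allows plus the type_transition to run_init_t.
	domtrans_pattern($1, $2, run_init_t)
')

########################################
## <summary>
##	Execute a labeled init script in the run_init domain and
##	allow the caller's role to hold run_init_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="init_script_type">
##	<summary>
##	Type of the entry file.
##	</summary>
## </param>
#
interface(`seutil_labeled_init_script_run_runinit',`
	gen_require(`
		type run_init_t;
	')

	# Argument order matches the caller in init_startstop_service:
	# (domain, role, entry file type).
	seutil_labeled_init_script_domtrans_runinit($1, $3)
	# Assumed: a plain role-types rule is enough for this illustration;
	# refpolicy may instead route this through a role attribute.
	role $2 types run_init_t;
')
```

The point of splitting domtrans from run is the same as elsewhere in refpolicy: the domtrans interface grants only the execute/transition path, and only the run wrapper touches roles, so the init.if caller (which drops its own role_transition and allow rules on the Gentoo path) has to use the run variant to keep the role side intact.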