From: mgrepl@redhat.com (Miroslav Grepl) Date: Mon, 08 Jun 2015 13:24:54 +0200 Subject: [refpolicy] [PATCH v2] Add openrc support to init_startstop_service In-Reply-To: <1432749702-6895-1-git-send-email-jason@perfinion.com> References: <1432749702-6895-1-git-send-email-jason@perfinion.com> Message-ID: <55757B86.9030306@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/27/2015 08:01 PM, Jason Zaman wrote: > Adds the openrc rules in ifdef distro_gentoo to transition > to run_init correctly. > --- > policy/modules/system/init.if | 15 +++++--- > policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 85 insertions(+), 5 deletions(-) > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index f39437e..94d9761 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -993,11 +993,16 @@ interface(`init_startstop_service',` > ') > > ifndef(`direct_sysadm_daemon',` > - # rules for sysvinit / upstart > - init_labeled_script_domtrans($1, $4) > - domain_system_change_exemption($1) > - role_transition $2 $4 system_r; > - allow $2 system_r; > + ifdef(`distro_gentoo',` > + # for OpenRC > + seutil_labeled_init_script_run_runinit($1, $2, $4) > + ',` > + # rules for sysvinit / upstart > + init_labeled_script_domtrans($1, $4) > + domain_system_change_exemption($1) > + role_transition $2 $4 system_r; > + allow $2 system_r; > + ') > ') > ') > > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if > index 129a6e0..bcb4330 100644 > --- a/policy/modules/system/selinuxutil.if > +++ b/policy/modules/system/selinuxutil.if > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',` > > ######################################## > ## > +## Execute file in the run_init domain. > +## > +## > +##

> +## Execute file in the run_init domain. > +## This is used for the Gentoo integrated run_init. > +##

> +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Type of entry file. > +## > +## > +# > +interface(`seutil_labeled_init_script_domtrans_runinit',` > + gen_require(` > + type run_init_t; > + ') > + > + domain_entry_file(run_init_t, $2) > + domain_auto_transition_pattern($1, $2, run_init_t) > + > + allow run_init_t $1:fd use; > + allow run_init_t $1:fifo_file rw_file_perms; > + allow run_init_t $1:process sigchld; > +') > + > +######################################## > +## > ## Execute init scripts in the run_init domain. > ## > ## > @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',` > > ######################################## > ## > +## Execute specified file in the run_init domain, and > +## allow the specified role the run_init domain, > +## and use the caller's terminal. > +## > +## > +##

> +## Execute specified file in the run_init domain, and > +## allow the specified role the run_init domain, > +## and use the caller's terminal. > +##

> +##

> +## This is used for the Gentoo integrated run_init. > +##

> +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +## > +## Type of init script. > +## > +## > +# > +interface(`seutil_labeled_init_script_run_runinit',` > + gen_require(` > + attribute_role run_init_roles; > + ') > + > + seutil_labeled_init_script_domtrans_runinit($1, $3) > + roleattribute $2 run_init_roles; > +') > + > +######################################## > +## > ## Inherit and use run_init file descriptors. > ## > ## > We will apply these changes also in Fedora. Thinking about systemd integration. The point is there is foo_unit_file_t type in the game. We call allow $1 foo_unit_file_t:service manage_service_perms; interfaces in foo_admin() as a part of foo_systemctl(). -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc.