From: jason@perfinion.com (Jason Zaman)
Date: Mon, 8 Jun 2015 19:33:51 +0400
Subject: [refpolicy] [PATCH v2] Add openrc support to init_startstop_service
In-Reply-To: <55757B86.9030306@redhat.com>
References: <1432749702-6895-1-git-send-email-jason@perfinion.com> <55757B86.9030306@redhat.com>
Message-ID: <20150608153351.GB32501@meriadoc.Home>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 08, 2015 at 01:24:54PM +0200, Miroslav Grepl wrote:
> On 05/27/2015 08:01 PM, Jason Zaman wrote:
> > Adds the openrc rules in ifdef distro_gentoo to transition
> > to run_init correctly.
> > --- > > policy/modules/system/init.if | 15 +++++--- > > policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++ > > 2 files changed, 85 insertions(+), 5 deletions(-) > > > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > > index f39437e..94d9761 100644 > > --- a/policy/modules/system/init.if > > +++ b/policy/modules/system/init.if > > @@ -993,11 +993,16 @@ interface(`init_startstop_service',` > > ') > > > > ifndef(`direct_sysadm_daemon',` > > - # rules for sysvinit / upstart > > - init_labeled_script_domtrans($1, $4) > > - domain_system_change_exemption($1) > > - role_transition $2 $4 system_r; > > - allow $2 system_r; > > + ifdef(`distro_gentoo',` > > + # for OpenRC > > + seutil_labeled_init_script_run_runinit($1, $2, $4) > > + ',` > > + # rules for sysvinit / upstart > > + init_labeled_script_domtrans($1, $4) > > + domain_system_change_exemption($1) > > + role_transition $2 $4 system_r; > > + allow $2 system_r; > > + ') > > ') > > ') > > > > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if > > index 129a6e0..bcb4330 100644 > > --- a/policy/modules/system/selinuxutil.if > > +++ b/policy/modules/system/selinuxutil.if
> > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',` > > > > ######################################## > > ## > > +## Execute file in the run_init domain. > > +## > > +## > > +##

> > +## Execute file in the run_init domain. > > +## This is used for the Gentoo integrated run_init. > > +##

> > +##
> > +## > > +## > > +## Domain allowed to transition. > > +## > > +## > > +## > > +## > > +## Type of entry file. > > +## > > +## > > +# > > +interface(`seutil_labeled_init_script_domtrans_runinit',` > > + gen_require(` > > + type run_init_t; > > + ') > > + > > + domain_entry_file(run_init_t, $2) > > + domain_auto_transition_pattern($1, $2, run_init_t) > > + > > + allow run_init_t $1:fd use; > > + allow run_init_t $1:fifo_file rw_file_perms; > > + allow run_init_t $1:process sigchld; > > +') > > + > > +######################################## > > +## > > ## Execute init scripts in the run_init domain. > > ## > > ## > > @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',` > > > > ######################################## > > ## > > +## Execute specified file in the run_init domain, and > > +## allow the specified role the run_init domain, > > +## and use the caller's terminal. > > +## > > +## > > +##

> > +## Execute specified file in the run_init domain, and > > +## allow the specified role the run_init domain, > > +## and use the caller's terminal. > > +##

> > +##

> > +## This is used for the Gentoo integrated run_init. > > +##

> > +##
> > +## > > +## > > +## Domain allowed to transition. > > +## > > +## > > +## > > +## > > +## Role allowed access. > > +## > > +## > > +## > > +## > > +## Type of init script. > > +## > > +## > > +# > > +interface(`seutil_labeled_init_script_run_runinit',` > > + gen_require(` > > + attribute_role run_init_roles; > > + ') > > + > > + seutil_labeled_init_script_domtrans_runinit($1, $3) > > + roleattribute $2 run_init_roles; > > +') > > + > > +######################################## > > +## > > ## Inherit and use run_init file descriptors. > > ## > > ## > >
>
> We will apply these changes also in Fedora.
>
> Thinking about systemd integration.
>
> The point is there is foo_unit_file_t type in the game. We call
>
> allow $1 foo_unit_file_t:service manage_service_perms;
>
> interfaces in foo_admin() as a part of foo_systemctl().

That would be great, init_startstop_service has the extra param that isn't used in the interface, its intention was to be used for systemd. I don't know enough about systemd to do it, but could you send a patch that does the allow rules in an ifdef inside init_startstop_service, then refpol would be closer to supporting systemd too. We get people asking in Gentoo too once in a while when it will have support.

When I did the change to init_startstop_service I the param uses the domain's type, if systemd uses a foo_unit_file_t then lots of the _admin interfaces will have to change that too it looks like. I wonder if that would have to wait till after the basic stuff for systemd is merged into refpol from Chris' fork.

-- 
Jason
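
Review bot: in the init.if hunk (@@ -993,11 +993,16, interface init_startstop_service), the new branch is selected by ifdef distro_gentoo while its only comment is "# for OpenRC", so the distribution flag stands in for the init system. On any distro_gentoo build the sysvinit rules (init_labeled_script_domtrans($1, $4), domain_system_change_exemption($1), role_transition $2 $4 system_r; and allow $2 system_r;) are no longer emitted at all. Please expand the comment to say why the run_init path needs no role_transition or system_r allow, so the omission reads as intentional, and note there that $3 is unused in both branches.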
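
Review bot: in the first selinuxutil.if hunk (@@ -379,6 +379,40, interface seutil_labeled_init_script_domtrans_runinit), the rule "allow run_init_t $1:fifo_file rw_file_perms;" applies the regular-file permission set to the fifo_file class; rw_fifo_file_perms is the set intended for that class. The domain_auto_transition_pattern($1, $2, run_init_t) call followed by the fd, fifo_file and sigchld rules is the same rule set domtrans_pattern($1, $2, run_init_t) provides, so calling that macro would remove the mismatch. Separately, domain_entry_file(run_init_t, $2) makes whatever type is passed as $2 an entrypoint into run_init_t, and the parameter is described only as "Type of entry file"; the documentation should state that it must be an init script type so callers do not widen the entrypoints of this domain.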
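
Review bot: in the second selinuxutil.if hunk (@@ -470,6 +504,47, interface seutil_labeled_init_script_run_runinit), the summary promises to "use the caller's terminal", but the body contains only seutil_labeled_init_script_domtrans_runinit($1, $3) and "roleattribute $2 run_init_roles;" with no terminal rule. Either add the terminal access the summary describes or drop that clause from the summary and description, so the documented behaviour matches what the interface grants.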