From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 02 Jan 2017 22:11:32 +0100 Subject: [refpolicy] [PATCH v5] init: support sysvinit In-Reply-To: <1483315479.3723.1.camel@trentalancia.net> References: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it> <20161227233846.6ed0ebf0@gentp.lnet> <1320659434.14525.1482879298312.JavaMail.open-xchange@popper05.register.it> <20161228000230.798bf64d@gentp.lnet> <1482957927.2738.12.camel@trentalancia.net> <1483213929.9440.0.camel@trentalancia.net> <1483315479.3723.1.camel@trentalancia.net> Message-ID: <1483391492.6917.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Add a permission needed for the correct functioning of sysvinit on systems using the initramfs. Without the selinux_get_fs_mount() interface call, the call to libselinux:is_selinux_enabled() fails and sysvinit tries to do the initial policy load again. Signed-off-by: Guido Trentalancia --- policy/modules/system/init.te | 5 +++++ 1 file changed, 5 insertions(+) diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te --- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100 +++ b/policy/modules/system/init.te 2017-01-02 21:08:19.963436591 +0100 @@ -162,6 +162,7 @@ files_exec_etc_files(init_t) files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) +fs_getattr_xattr_fs(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) +# the following one is needed for libselinux:is_selinux_enabled() +# otherwise the call fails and sysvinit tries to load the policy +# again when using the initramfs +selinux_get_fs_mount(init_t) selinux_set_all_booleans(init_t) term_use_all_terms(init_t)
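Review bot: the first hunk's fs_getattr_xattr_fs(init_t) is not explained anywhere. The commit message speaks of "a permission" and names only selinux_get_fs_mount(), and unlike the second hunk the added line carries no comment. State in the commit message, or in a short comment above the line, what init needs it for. If it is unrelated to the is_selinux_enabled() failure, split it into its own patch.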
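Review bot: in the second hunk, selinux_get_fs_mount(init_t) is granted to init_t unconditionally, while the comment above it ties the need to sysvinit "when using the initramfs". Say in the comment whether the unconditional grant is intended for every init, so a later reader does not take it for a leftover. The comment would also be clearer if it named the interface instead of "the following one".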