From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 20:27:32 -0400
Subject: [refpolicy] [PATCH 1/1] Add init_spec_daemon_domtrans interface
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4F8B6@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4F8B6@Exchange10.columbia.tresys.com>
Message-ID: <49a77346-a04d-ce8f-5a2d-a142602235c6@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/09/2017 10:00 AM, David Sugar via refpolicy wrote:
>
> We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in the /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2]
>
> We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t
>
> We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.
>
> [1] The SELinuxContext option for systemd is explained at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> [2] The systemd %i (and other specifiers) along with drop-in files are explained at https://www.freedesktop.org/software/systemd/man/systemd.unit.html
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/system/init.if | 57 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 57 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 285a104e..5573c045 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if > @@ -138,6 +138,63 @@ interface(`init_domain',` > > ######################################## > ## > +## Setup a domain which can be manually transitioned to from init. > +## > +## > +##

> +## Create a domain used for systemd services where the SELinuxContext > +## option is specified in the .service file. This allows for the > +## manual transition from systemd into the new domain. This is used > +## when automatic transitions won't work. Used for the case where the > +## same binary is used for multiple target domains. > +##

> +##
> +## > +## > +## Type to be used as a domain. > +## > +## > +## > +## > +## Type of the program being executed when starting this domain. > +## > +## > +# > +interface(`init_spec_daemon_domtrans',` I don't like that we need this interface, but I see java as being the primary driver of something like this. The interface name should be init_spec_daemon_domain. > + gen_require(` > + type init_t; > + role system_r; > + ') > + > + domain_type($1) > + domain_entry_file($1, $2) > + > + role system_r types $1; > + > + spec_domtrans_pattern(init_t, $2, $1) > + > + ifdef(`init_systemd',` > + allow $1 init_t:unix_stream_socket { getattr read write ioctl }; > + > + allow init_t $1:process2 { nnp_transition nosuid_transition }; > + ') > + > + # daemons started from init will > + # inherit fds from init for the console > + init_dontaudit_use_fds($1) > + term_dontaudit_use_console($1) > + > + # init script ptys are the stdin/out/err > + # when using run_init > + init_use_script_ptys($1) > + > + ifdef(`direct_sysadm_daemon',` > + userdom_dontaudit_use_user_terminals($1) > + ') > +') > + > +######################################## > +## > ## Create a domain which can be started by init, > ## with a range transition. > ## > -- Chris PeBenito
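Review bot: the body of init_spec_daemon_domtrans duplicates init_daemon_domain apart from spec_domtrans_pattern(init_t, $2, $1) standing in for domtrans_pattern, as the description itself says, so the two interfaces will drift as init_daemon_domain changes; a comment at the spec_domtrans_pattern call stating that the rest is a deliberate copy of init_daemon_domain, or a shared internal interface carrying the common rules, would keep them in step. The parameter docs should also say that the domain type passed as $1 has to be the type named in the unit's SELinuxContext= value, because with no type_transition nothing else in the policy connects the entry type to the instance domain. With the rename to init_spec_daemon_domain requested above, the patch subject "Add init_spec_daemon_domtrans interface" needs the same change.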
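A worked instance of the setup David describes, added here as an example and not part of the patch or of refpolicy: two instance domains that share one entry-point type and are entered only through the manual transition the new interface grants. The module name foo, the types foo_exec_t, foo_bar_t and foo_baz_t, and the path /usr/bin/foo are assumptions; the interface is called by the name the patch defines, init_spec_daemon_domtrans, not the renamed form requested in the reply.

```m4
# foo.te (assumed module; example only, not part of the patch)
policy_module(foo, 1.0.0)

########################################
#
# Declarations
#

# One entry-point type for the binary that every instance runs.
# Assumed labelling in foo.fc (not shown):
#   /usr/bin/foo -- gen_context(system_u:object_r:foo_exec_t,s0)
type foo_exec_t;

# One domain per instance. systemd expands %i in the template's
# SELinuxContext=system_u:system_r:foo_%i_t:s0, so foo@bar.service
# runs in foo_bar_t and foo@baz.service in foo_baz_t. The drop-in
# /etc/systemd/system/foo@bar.service.d/bar.conf carries only the
# instance's own settings; the context comes from the template.
type foo_bar_t;
type foo_baz_t;

# Each call makes its first argument a domain with foo_exec_t as the
# entry point and lets init_t transition into it, but adds no
# type_transition: a plain exec of /usr/bin/foo by init_t stays in
# init_t, and only the context systemd sets from the unit selects the
# instance domain. Two domains can therefore share one entry type,
# which an automatic transition could not express.
init_spec_daemon_domtrans(foo_bar_t, foo_exec_t)
init_spec_daemon_domtrans(foo_baz_t, foo_exec_t)
```

Rules that differ between instances (ports, data directories, signals to other services) go under the individual domain; rules common to every instance are repeated per domain or collected on a shared attribute, exactly as for any other pair of refpolicy daemon domains.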