From: dsugar@tresys.com (David Sugar)
Date: Tue, 12 Sep 2017 02:52:14 +0000
Subject: [refpolicy] [PATCH-v2 1/1] Add init_spec_daemon_domain interface
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B59CF4@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each.

The context is customized in the /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2]. We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t.

We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern, because the automatic transition doesn't work in this case.

[1] The SELinuxContext option for systemd is explained at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained at https://www.freedesktop.org/software/systemd/man/systemd.unit.html

Signed-off-by: Dave Sugar
---
 policy/modules/system/init.if | 57 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 285a104e..8fb96b42 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -138,6 +138,63 @@ interface(`init_domain',` ######################################## ## +## Setup a domain which can be manually transitioned to from init. +## +## +##

+## Create a domain used for systemd services where the SELinuxContext +## option is specified in the .service file. This allows for the +## manual transition from systemd into the new domain. This is used +## when automatic transitions won't work. Used for the case where the +## same binary is used for multiple target domains. +##

+##
+## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program being executed when starting this domain. +## +## +# +interface(`init_spec_daemon_domain',` + gen_require(` + type init_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + spec_domtrans_pattern(init_t, $2, $1) + + ifdef(`init_systemd',` + allow $1 init_t:unix_stream_socket { getattr read write ioctl }; + + allow init_t $1:process2 { nnp_transition nosuid_transition }; + ') + + # daemons started from init will + # inherit fds from init for the console + init_dontaudit_use_fds($1) + term_dontaudit_use_console($1) + + # init script ptys are the stdin/out/err + # when using run_init + init_use_script_ptys($1) + + ifdef(`direct_sysadm_daemon',` + userdom_dontaudit_use_user_terminals($1) + ') +') + +######################################## +## ## Create a domain which can be started by init, ## with a range transition. ## -- 2.13.5
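Review bot: the doc comment for init_spec_daemon_domain should say why an automatic transition cannot be used, since that is the whole reason the interface exists: the same entrypoint type $2 is shared by several target domains, so a type_transition from init_t on $2 would be ambiguous, and spec_domtrans_pattern(init_t, $2, $1) instead only permits the transition that systemd explicitly requests through SELinuxContext=. The comment should also note that this path depends on init_t being allowed process setexec (systemd applies SELinuxContext= with setexeccon() before exec), which this interface does not grant; please confirm init.te already provides it under init_systemd, otherwise callers will hit a denial on the setexec check rather than on the transition itself. Minor: "Setup" in the summary should read "Set up".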
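The unit layout the message describes, written out as an added example (constructed here, not the author's actual files): a template unit that requests the per-instance domain through SELinuxContext= and a drop-in that only carries instance-specific settings.

```ini
# /lib/systemd/system/foo@.service  (constructed example, not the author's file)
# Template unit: systemd substitutes the instance name for %i, so starting
# foo@bar.service asks for the child to run as system_u:system_r:foo_bar_t:s0.
[Unit]
Description=foo instance %i

[Service]
# The transition is requested explicitly rather than by type_transition, so
# policy must allow init_t -> foo_bar_t on the foo_exec_t entrypoint; that is
# what init_spec_daemon_domain(foo_bar_t, foo_exec_t) grants.
SELinuxContext=system_u:system_r:foo_%i_t:s0
ExecStart=/usr/bin/foo --instance %i

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/foo@bar.service.d/bar.conf  (constructed drop-in)
# Per-instance customisation only; the context still comes from the template.
[Service]
Environment=FOO_CONFIG=/etc/foo/bar.conf
```

On the policy side the caller declares `type foo_bar_t;` and an entrypoint type for the binary, then calls `init_spec_daemon_domain(foo_bar_t, foo_exec_t)` once per instance domain; a second instance (foo@baz.service) needs its own foo_baz_t declared the same way, since the type name is derived from %i.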