From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 2 May 2018 17:23:12 -0400 Subject: [refpolicy] [PATCH v3] init: Add filetrans for /run/initctl In-Reply-To: <20180430063223.6674-1-jason@perfinion.com> References: <20180427063259.44005-1-jason@perfinion.com> <20180430063223.6674-1-jason@perfinion.com> Message-ID: <21132299-08f6-083e-11e1-4999370bcede@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/30/2018 02:32 AM, Jason Zaman via refpolicy wrote: > sysvinit 2.89 moved /dev/initctl to /run/initctl. > > Reported-by: revel > --- > policy/modules/system/init.if | 5 +++++ > policy/modules/system/init.te | 1 + > 2 files changed, 6 insertions(+) > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 326581ec..bd5fe207 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',` > type initctl_t; > ') > > + dev_list_all_dev_nodes($1) > + files_search_pids($1) > allow $1 initctl_t:fifo_file getattr; > ') > ') > @@ -1353,6 +1355,7 @@ interface(`init_write_initctl',` > ') > > dev_list_all_dev_nodes($1) > + files_search_pids($1) > allow $1 initctl_t:fifo_file write; > ') > > @@ -1385,6 +1388,7 @@ interface(`init_telinit',` > corecmd_exec_bin($1) > > dev_list_all_dev_nodes($1) > + files_search_pids($1) > > init_exec($1) > ') > @@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',` > ') > > dev_list_all_dev_nodes($1) > + files_search_pids($1) > allow $1 initctl_t:fifo_file rw_fifo_file_perms; > ') > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index 8fabb0ea..02538ac7 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te 
> @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms; > > allow init_t initctl_t:fifo_file manage_fifo_file_perms; > dev_filetrans(init_t, initctl_t, fifo_file) > +files_pid_filetrans(init_t, initctl_t, fifo_file) > > # Modify utmp. > allow init_t initrc_var_run_t:file { rw_file_perms setattr }; Merged. -- Chris PeBenito
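Review bot: In the init_getattr_initctl hunk of init.if, the change adds dev_list_all_dev_nodes($1) as well as files_search_pids($1), whereas the init_write_initctl, init_telinit and init_rw_initctl hunks only gain files_search_pids($1) because they already had the dev call. The commit message describes the move of initctl to /run but says nothing about getattr callers now also being allowed to list device directories. Either mention that in the commit message or split it into its own patch, so the extra grant is visible in history and is not read as part of the /run change.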
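Review bot: In the init.te hunk, files_pid_filetrans(init_t, initctl_t, fifo_file) is given no object name, so any fifo_file that init_t creates directly in the pid directory is labelled initctl_t, not only initctl. Passing the name as the optional fourth argument, files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl"), would scope the transition to the one path the commit message names. Also, the diffstat touches only init.if and init.te; if init.fc does not already carry an entry for /run/initctl, a relabel would reset the type on the fifo, so it is worth confirming that entry exists.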