2017-09-12 02:52:14

by Sugar, David

Subject: [refpolicy] [PATCH-v2 1/1] Add init_spec_daemon_domain interface

We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in the /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2].

We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t.

We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.

[1] The SELinuxContext option for systemd is explained at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained at https://www.freedesktop.org/software/systemd/man/systemd.unit.html

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/init.if | 57 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 285a104e..8fb96b42 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -138,6 +138,63 @@ interface(`init_domain',`

########################################
## <summary>
+## Setup a domain which can be manually transitioned to from init.
+## </summary>
+## <desc>
+## <p>
+## Create a domain used for systemd services where the SELinuxContext
+## option is specified in the .service file. This allows for the
+## manual transition from systemd into the new domain. This is used
+## when automatic transitions won't work. Used for the case where the
+## same binary is used for multiple target domains.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program being executed when starting this domain.
+## </summary>
+## </param>
+#
+interface(`init_spec_daemon_domain',`
+ gen_require(`
+ type init_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ spec_domtrans_pattern(init_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+
+ allow init_t $1:process2 { nnp_transition nosuid_transition };
+ ')
+
+ # daemons started from init will
+ # inherit fds from init for the console
+ init_dontaudit_use_fds($1)
+ term_dontaudit_use_console($1)
+
+ # init script ptys are the stdin/out/err
+ # when using run_init
+ init_use_script_ptys($1)
+
+ ifdef(`direct_sysadm_daemon',`
+ userdom_dontaudit_use_user_terminals($1)
+ ')
+')
+
+########################################
+## <summary>
## Create a domain which can be started by init,
## with a range transition.
## </summary>
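Review bot: the interface silently depends on init_t already holding `process setexec`, which setexeccon() (the mechanism behind SELinuxContext=) needs before the `spec_domtrans_pattern(init_t, $2, $1)` line can take effect, yet nothing in the hunk grants or mentions it; a sentence in the `<desc>` such as "Requires init_t to be allowed process setexec; this interface does not grant it" would spare callers a confusing denial when the permission is missing. Minor: "Setup" in the `<summary>` should read "Set up".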
--
2.13.5
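The reason the patch reaches for spec_domtrans_pattern instead of domtrans_pattern, modelled as an added example (not refpolicy or systemd code): a type_transition rule can name only one default domain per (source, entry-point type) pair, whereas SELinuxContext= (setexeccon) lets init_t pick a domain per instance, still subject to the execute, transition, entrypoint and setexec checks. The type names and rule set are constructed to mirror the foo@bar / foo_bar_t case described above, with a second foo@baz instance added to show the conflict.

```python
# Added example (not refpolicy or systemd code): a small model of the SELinux
# exec-time domain decision; all rule tuples and type names are constructed.

# Access-vector rules as (source, target, class, permission).
ALLOW = {
    # what spec_domtrans_pattern(init_t, foo_exec_t, foo_bar_t) contributes
    ("init_t", "foo_exec_t", "file", "execute"),
    ("init_t", "foo_bar_t", "process", "transition"),
    # what domain_entry_file(foo_bar_t, foo_exec_t) contributes
    ("foo_bar_t", "foo_exec_t", "file", "entrypoint"),
    # a second instance (foo@baz) sharing the SAME entry-point type
    ("init_t", "foo_baz_t", "process", "transition"),
    ("foo_baz_t", "foo_exec_t", "file", "entrypoint"),
    # setexeccon() needs this on init_t; the interface itself does not grant it
    ("init_t", "init_t", "process", "setexec"),
}

# type_transition rules are keyed on (source, entry type, "process") and can
# name only ONE default domain, so two instance domains cannot both be defaults.
TYPE_TRANSITION = {}

def add_type_transition(src, entry, new):
    """Register an automatic transition; return False on a conflicting default."""
    key = (src, entry, "process")
    if TYPE_TRANSITION.get(key, new) != new:
        return False
    TYPE_TRANSITION[key] = new
    return True

def exec_domain(src, entry, requested=None):
    """Domain a `src` process lands in after exec'ing a file of type `entry`, or
    None where the kernel would deny it. `requested` models setexeccon()."""
    if (src, entry, "file", "execute") not in ALLOW:
        return None
    if requested is None:
        new = TYPE_TRANSITION.get((src, entry, "process"), src)
    elif (src, src, "process", "setexec") in ALLOW:
        new = requested
    else:
        return None
    if new == src:  # no transition: the kernel checks execute_no_trans instead
        return src if (src, entry, "file", "execute_no_trans") in ALLOW else None
    if (src, new, "process", "transition") not in ALLOW:
        return None
    if (new, entry, "file", "entrypoint") not in ALLOW:
        return None
    return new
```

With `requested` set, both foo_bar_t and foo_baz_t are reachable from the same foo_exec_t; with automatic transitions only one of them can be the default, and any other request is refused unless the transition and entrypoint rules exist for it.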


2017-09-12 23:33:55

by Chris PeBenito

Subject: [refpolicy] [PATCH-v2 1/1] Add init_spec_daemon_domain interface

On 09/11/2017 10:52 PM, David Sugar via refpolicy wrote:
> We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in the /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2].
>
> We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t.
>
> We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.
>
> [1] The SELinuxContext option for systemd is explained at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> [2] The systemd %i (and other specifiers) along with drop-in files are explained at https://www.freedesktop.org/software/systemd/man/systemd.unit.html


Merged.




> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/init.if | 57 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 57 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 285a104e..8fb96b42 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -138,6 +138,63 @@ interface(`init_domain',`
>
> ########################################
> ## <summary>
> +## Setup a domain which can be manually transitioned to from init.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a domain used for systemd services where the SELinuxContext
> +## option is specified in the .service file. This allows for the
> +## manual transition from systemd into the new domain. This is used
> +## when automatic transitions won't work. Used for the case where the
> +## same binary is used for multiple target domains.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program being executed when starting this domain.
> +## </summary>
> +## </param>
> +#
> +interface(`init_spec_daemon_domain',`
> + gen_require(`
> + type init_t;
> + role system_r;
> + ')
> +
> + domain_type($1)
> + domain_entry_file($1, $2)
> +
> + role system_r types $1;
> +
> + spec_domtrans_pattern(init_t, $2, $1)
> +
> + ifdef(`init_systemd',`
> + allow $1 init_t:unix_stream_socket { getattr read write ioctl };
> +
> + allow init_t $1:process2 { nnp_transition nosuid_transition };
> + ')
> +
> + # daemons started from init will
> + # inherit fds from init for the console
> + init_dontaudit_use_fds($1)
> + term_dontaudit_use_console($1)
> +
> + # init script ptys are the stdin/out/err
> + # when using run_init
> + init_use_script_ptys($1)
> +
> + ifdef(`direct_sysadm_daemon',`
> + userdom_dontaudit_use_user_terminals($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> ## Create a domain which can be started by init,
> ## with a range transition.
> ## </summary>
>
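Review bot: everything from the `ifdef(`init_systemd'` block down to the `direct_sysadm_daemon` block is a verbatim copy of the init_daemon_domain tail (the description itself says only spec_domtrans_pattern differs), so any later fix to the fd, console, pty or unix_stream_socket handling in init_daemon_domain has to be mirrored here by hand; consider factoring the shared tail into a common template, or at least add a comment in each interface pointing at the other so the two stay in sync.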


--
Chris PeBenito