commit: 7a7d862ad99304dbe93e2feb668088b4966db74d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 15 15:03:30 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 20:01:41 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a7d862a
Add openrc support to init_startstop_service
Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
policy/modules/system/init.if | 14 ++++---
policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 5 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 61db079..7b17c5c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -998,11 +998,15 @@ interface(`init_startstop_service',`
')
ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
+ ifdef(`distro_gentoo',`
+ seutil_spec_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
')
')
diff --git a/policy/modules/system/selinuxutil.if
b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
########################################
## <summary>
+## Execute file in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute file in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of entry file.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ domain_entry_file(run_init_t, $2)
+ domain_auto_transition_pattern($1, $2, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute init scripts in the run_init domain.
## </summary>
## <desc>
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
########################################
## <summary>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of init script.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_spec_domtrans_runinit($1, $3)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
## Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
