[selinux-policy: 183/3172] move run_init to selinux, as it is part of policycoreutils
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:20:48 UTC 2010
commit 8623d5b854e6489008590dd3f7276e1a1264d915
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed May 18 16:03:54 2005 +0000
move run_init to selinux, as it is part of policycoreutils
refpolicy/policy/modules/system/init.fc | 1 -
refpolicy/policy/modules/system/init.if | 32 ---------
refpolicy/policy/modules/system/init.te | 87 ------------------------
refpolicy/policy/modules/system/selinux.fc | 1 +
refpolicy/policy/modules/system/selinux.if | 34 +++++++++-
refpolicy/policy/modules/system/selinux.te | 84 +++++++++++++++++++++++
refpolicy/policy/modules/system/selinuxutil.fc | 1 +
refpolicy/policy/modules/system/selinuxutil.if | 34 +++++++++-
refpolicy/policy/modules/system/selinuxutil.te | 84 +++++++++++++++++++++++
refpolicy/policy/modules/system/sysnetwork.te | 9 ++-
10 files changed, 241 insertions(+), 126 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 90c61fe..7d63f25 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -41,7 +41,6 @@ ifdef(`distro_gentoo', `
#
# /usr
#
-/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
#
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 52b51e5..37d3fac 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -354,35 +354,3 @@ define(`init_script_ignore_modify_runtime_data_depend',`
type initrc_var_run_t;
class file { getattr read write append };
')
-
-########################################
-#
-# init_run_init_transition(domain)
-#
-define(`init_run_init_transition',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_exec_t:file { getattr read execute };
-allow $1 run_init_t:process transition;
-type_transition $1 run_init_exec_t:file run_init_t;
-dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
-')
-
-define(`init_run_init_transition_depend',`
-type run_init_t, run_init_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
-')
-
-########################################
-#
-# init_run_init_use_file_descriptors(domain)
-#
-define(`init_run_init_use_file_descriptors',`
-requires_block_template(`$0'_depend)
-allow $1 run_init_t:fd use;
-')
-
-define(`init_run_init_use_file_descriptors_depend',`
-type run_init_t;
-class fd use;
-')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 92e6db7..eedd038 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -58,12 +58,6 @@ files_make_file(initrc_state_t)
type initrc_tmp_t;
files_make_temporary_file(initrc_tmp_t)
-type run_init_t;
-domain_make_domain(run_init_t)
-
-type run_init_exec_t;
-domain_make_entrypoint_file(run_init_t,run_init_exec_t)
-
########################################
#
# Init local policy
@@ -362,84 +356,3 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
# for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
') dnl end TODO
-
-#################################
-#
-# Run_init local policy
-#
-
-kernel_get_selinuxfs_mount_point(run_init_t)
-kernel_validate_selinux_context(run_init_t)
-kernel_compute_selinux_access_vector(run_init_t)
-kernel_compute_selinux_create_context(run_init_t)
-kernel_compute_selinux_relabel_context(run_init_t)
-kernel_compute_selinux_reachable_user_contexts(run_init_t)
-
-tunable_policy(`targeted_policy',`
-# targeted/unconfined stuff
-',`
-allow run_init_t initrc_t:process transition;
-allow run_init_t initrc_exec_t:file { getattr read execute };
-dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh };
-
-# for utmp
-allow run_init_t initrc_var_run_t:file { getattr read write };
-
-allow run_init_t self:process setexec;
-allow run_init_t self:capability setuid;
-
-allow run_init_t self:fifo_file { getattr read write };
-
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_init_t self:capability { dac_override dac_read_search };
-files_ignore_search_all_directories(run_init_t)
-
-filesystem_get_persistent_filesystem_attributes(run_init_t)
-
-devices_ignore_list_device_nodes(run_init_t)
-
-terminal_ignore_list_pseudoterminals(run_init_t)
-
-domain_use_widely_inheritable_file_descriptors(run_init_t)
-
-corecommands_execute_general_programs(run_init_t)
-corecommands_execute_shell(run_init_t)
-
-files_read_general_system_config(run_init_t)
-
-libraries_use_dynamic_loader(run_init_t)
-libraries_use_shared_libraries(run_init_t)
-
-selinux_read_config(run_init_t)
-selinux_read_default_contexts(run_init_t)
-
-authlogin_ignore_read_shadow_passwords(run_init_t)
-
-miscfiles_read_localization(run_init_t)
-
-logging_send_system_log_message(run_init_t)
-') dnl end ifdef targeted policy
-
-
-ifdef(`TODO',`
-
-tunable_policy(`targeted_policy', `
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-', `
-domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
-role sysadm_r types run_init_t;
-domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
-allow run_init_t admin_tty_type:chr_file rw_file_perms;
-') dnl endif targeted policy
-
-tunable_policy(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-domain_make_entrypoint_file(run_init_t,initrc_exec_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/selinux.fc b/refpolicy/policy/modules/system/selinux.fc
index 596f6a9..2f20d78 100644
--- a/refpolicy/policy/modules/system/selinux.fc
+++ b/refpolicy/policy/modules/system/selinux.fc
@@ -33,6 +33,7 @@
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
ifdef(`distro_debian', `
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index ff61c82..1df3c3e 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -80,7 +80,7 @@ class file { getattr read };
#######################################
#
-# newrole_transition(domain)
+# selinux_newrole_transition(domain)
#
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
@@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
class file { getattr read execute execute_no_trans };
')
+########################################
+#
+# selinux_run_init_transition(domain)
+#
+define(`selinux_run_init_transition',`
+requires_block_template(`$0'_depend)
+allow $1 run_init_exec_t:file { getattr read execute };
+allow $1 run_init_t:process transition;
+type_transition $1 run_init_exec_t:file run_init_t;
+dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`selinux_run_init_transition_depend',`
+type run_init_t, run_init_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# selinux_run_init_use_file_descriptors(domain)
+#
+define(`selinux_run_init_use_file_descriptors',`
+requires_block_template(`$0'_depend)
+allow $1 run_init_t:fd use;
+')
+
+define(`selinux_run_init_use_file_descriptors_depend',`
+type run_init_t;
+class fd use;
+')
+
#######################################
#
# selinux_setfiles_transition(domain)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 8f9b472..fb0ba1d 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
init_make_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t;
+type run_init_t;
+domain_make_domain(run_init_t)
+
+type run_init_exec_t;
+domain_make_entrypoint_file(run_init_t,run_init_exec_t)
+
#
# selinux_config_t is the type applied to
# /etc/selinux/config
@@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fifo_file { read write };
') dnl endif TODO
+#################################
+#
+# Run_init local policy
+#
+
+kernel_get_selinuxfs_mount_point(run_init_t)
+kernel_validate_selinux_context(run_init_t)
+kernel_compute_selinux_access_vector(run_init_t)
+kernel_compute_selinux_create_context(run_init_t)
+kernel_compute_selinux_relabel_context(run_init_t)
+kernel_compute_selinux_reachable_user_contexts(run_init_t)
+
+tunable_policy(`targeted_policy',`
+# targeted/unconfined stuff
+',`
+
+allow run_init_t self:process setexec;
+allow run_init_t self:capability setuid;
+
+allow run_init_t self:fifo_file { getattr read write };
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t self:capability { dac_override dac_read_search };
+
+filesystem_get_persistent_filesystem_attributes(run_init_t)
+
+devices_ignore_list_device_nodes(run_init_t)
+
+terminal_ignore_list_pseudoterminals(run_init_t)
+
+authlogin_ignore_read_shadow_passwords(run_init_t)
+
+corecommands_execute_general_programs(run_init_t)
+corecommands_execute_shell(run_init_t)
+
+domain_use_widely_inheritable_file_descriptors(run_init_t)
+
+files_read_general_system_config(run_init_t)
+files_ignore_search_all_directories(run_init_t)
+
+init_script_transition(run_init_t)
+# for utmp
+init_script_modify_runtime_data(run_init_t)
+
+libraries_use_dynamic_loader(run_init_t)
+libraries_use_shared_libraries(run_init_t)
+
+selinux_read_config(run_init_t)
+selinux_read_default_contexts(run_init_t)
+
+miscfiles_read_localization(run_init_t)
+
+logging_send_system_log_message(run_init_t)
+') dnl end ifdef targeted policy
+
+ifdef(`TODO',`
+
+tunable_policy(`targeted_policy', `
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+', `
+domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
+role sysadm_r types run_init_t;
+domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
+allow run_init_t admin_tty_type:chr_file rw_file_perms;
+') dnl endif targeted policy
+
+tunable_policy(`distro_gentoo', `
+# Gentoo integrated run_init+open_init_pty-runscript:
+domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+')
+') dnl end TODO
+
########################################
#
# Setfiles local policy
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
index 596f6a9..2f20d78 100644
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -33,6 +33,7 @@
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
ifdef(`distro_debian', `
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index ff61c82..1df3c3e 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -80,7 +80,7 @@ class file { getattr read };
#######################################
#
-# newrole_transition(domain)
+# selinux_newrole_transition(domain)
#
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
@@ -170,6 +170,38 @@ type restorecon_t, restorecon_exec_t;
class file { getattr read execute execute_no_trans };
')
+########################################
+#
+# selinux_run_init_transition(domain)
+#
+define(`selinux_run_init_transition',`
+requires_block_template(`$0'_depend)
+allow $1 run_init_exec_t:file { getattr read execute };
+allow $1 run_init_t:process transition;
+type_transition $1 run_init_exec_t:file run_init_t;
+dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`selinux_run_init_transition_depend',`
+type run_init_t, run_init_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# selinux_run_init_use_file_descriptors(domain)
+#
+define(`selinux_run_init_use_file_descriptors',`
+requires_block_template(`$0'_depend)
+allow $1 run_init_t:fd use;
+')
+
+define(`selinux_run_init_use_file_descriptors_depend',`
+type run_init_t;
+class fd use;
+')
+
#######################################
#
# selinux_setfiles_transition(domain)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 8f9b472..fb0ba1d 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -70,6 +70,12 @@ kernel_make_object_identity_change_constraint_exception(restorecon_t)
init_make_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t;
+type run_init_t;
+domain_make_domain(run_init_t)
+
+type run_init_exec_t;
+domain_make_entrypoint_file(run_init_t,run_init_exec_t)
+
#
# selinux_config_t is the type applied to
# /etc/selinux/config
@@ -353,6 +359,84 @@ allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fifo_file { read write };
') dnl endif TODO
+#################################
+#
+# Run_init local policy
+#
+
+kernel_get_selinuxfs_mount_point(run_init_t)
+kernel_validate_selinux_context(run_init_t)
+kernel_compute_selinux_access_vector(run_init_t)
+kernel_compute_selinux_create_context(run_init_t)
+kernel_compute_selinux_relabel_context(run_init_t)
+kernel_compute_selinux_reachable_user_contexts(run_init_t)
+
+tunable_policy(`targeted_policy',`
+# targeted/unconfined stuff
+',`
+
+allow run_init_t self:process setexec;
+allow run_init_t self:capability setuid;
+
+allow run_init_t self:fifo_file { getattr read write };
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t self:capability { dac_override dac_read_search };
+
+filesystem_get_persistent_filesystem_attributes(run_init_t)
+
+devices_ignore_list_device_nodes(run_init_t)
+
+terminal_ignore_list_pseudoterminals(run_init_t)
+
+authlogin_ignore_read_shadow_passwords(run_init_t)
+
+corecommands_execute_general_programs(run_init_t)
+corecommands_execute_shell(run_init_t)
+
+domain_use_widely_inheritable_file_descriptors(run_init_t)
+
+files_read_general_system_config(run_init_t)
+files_ignore_search_all_directories(run_init_t)
+
+init_script_transition(run_init_t)
+# for utmp
+init_script_modify_runtime_data(run_init_t)
+
+libraries_use_dynamic_loader(run_init_t)
+libraries_use_shared_libraries(run_init_t)
+
+selinux_read_config(run_init_t)
+selinux_read_default_contexts(run_init_t)
+
+miscfiles_read_localization(run_init_t)
+
+logging_send_system_log_message(run_init_t)
+') dnl end ifdef targeted policy
+
+ifdef(`TODO',`
+
+tunable_policy(`targeted_policy', `
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+', `
+domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
+role sysadm_r types run_init_t;
+domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
+allow run_init_t admin_tty_type:chr_file rw_file_perms;
+') dnl endif targeted policy
+
+tunable_policy(`distro_gentoo', `
+# Gentoo integrated run_init+open_init_pty-runscript:
+domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+')
+') dnl end TODO
+
########################################
#
# Setfiles local policy
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index da15533..97fdab2 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -257,14 +257,13 @@ filesystem_get_persistent_filesystem_attributes(ifconfig_t)
terminal_ignore_use_all_private_physical_terminals(ifconfig_t)
terminal_ignore_use_all_private_pseudoterminals(ifconfig_t)
-init_use_file_descriptors(ifconfig_t)
-init_script_use_pseudoterminal(ifconfig_t)
-init_run_init_use_file_descriptors(ifconfig_t)
-
domain_use_widely_inheritable_file_descriptors(ifconfig_t)
files_ignore_read_rootfs_file(ifconfig_t)
+init_use_file_descriptors(ifconfig_t)
+init_script_use_pseudoterminal(ifconfig_t)
+
libraries_use_dynamic_loader(ifconfig_t)
libraries_use_shared_libraries(ifconfig_t)
@@ -272,6 +271,8 @@ logging_send_system_log_message(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
+selinux_run_init_use_file_descriptors(ifconfig_t)
+
ifdef(`TODO',`
can_ypbind(ifconfig_t)
More information about the scm-commits
mailing list