[selinux-policy: 1238/3172] add gentoo integrated run init

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:52:09 UTC 2010 

commit 2283dc74e20b2d466bf50981624a1a99e9138faf
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Feb 21 15:57:49 2006 +0000

    add gentoo integrated run init

 refpolicy/policy/modules/system/init.if        |   53 +++++++++++++++++
 refpolicy/policy/modules/system/selinuxutil.if |   73 ++++++++++++++++++++++++
 refpolicy/policy/modules/system/selinuxutil.te |   15 ++---
 refpolicy/policy/modules/system/userdomain.te  |    6 ++
 4 files changed, 139 insertions(+), 8 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index e04bdb8..11109a2 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -339,6 +339,25 @@ interface(`init_udp_send',`
 ')
 
 ########################################
+## <summary>
+##	Make init scripts an entry point for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which init scripts are an entrypoint.
+##	</summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_entry_type',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	domain_entry_file($1,initrc_exec_t)
+')
+
+########################################
 #
 # init_domtrans_script(domain)
 #
@@ -358,6 +377,40 @@ interface(`init_domtrans_script',`
 
 ########################################
 ## <summary>
+##	Execute a init script in a specified domain.
+## </summary>
+## <desc>
+##      <p>
+##	Execute a init script in a specified domain.
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	domain_auto_trans($1,initrc_exec_t,$2)
+')
+
+########################################
+## <summary>
 ##	Start and stop daemon programs directly.
 ## </summary>
 ## <desc>
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 357c888..bb82023 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -364,6 +364,35 @@ interface(`seutil_domtrans_runinit',`
 
 ########################################
 ## <summary>
+##	Execute init scripts in the run_init domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute init scripts in the run_init domain.
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_init_script_domtrans_runinit',`
+	gen_require(`
+		type run_init_t;
+	')
+
+	init_script_file_domtrans($1,run_init_t)
+
+	allow $1 run_init_t:fd use;
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute run_init in the run_init domain, and
 ##	allow the specified role the run_init domain,
 ##	and use the caller's terminal.
@@ -397,6 +426,50 @@ interface(`seutil_run_runinit',`
 ')
 
 ########################################
+## <summary>
+##	Execute init scripts in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </summary>
+## <desc>
+##	<p>
+##	Execute init scripts in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+##	</p>
+##	<p>
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the run_init domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the run_init domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_init_script_run_runinit',`
+	gen_require(`
+		type run_init_t;
+		role system_r;
+	')
+
+	seutil_init_script_domtrans_runinit($1)
+	role $2 types run_init_t;
+	allow run_init_t $3:chr_file rw_term_perms;
+	allow $2 system_r;
+')
+
+########################################
 #
 # seutil_use_runinit_fds(domain)
 #
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 7e54792..3e18e2a 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -410,6 +410,13 @@ selinux_compute_create_context(run_init_t)
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
 
+ifdef(`direct_sysadm_daemon',`',`
+	ifdef(`distro_gentoo',`
+		# Gentoo integrated run_init:
+		init_script_file_entry_type(run_init_t)
+	')
+')
+
 ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
@@ -457,14 +464,6 @@ ifdef(`targeted_policy',`',`
 	')
 ') dnl end ifdef targeted policy
 
-ifdef(`TODO',`
-ifdef(`distro_gentoo', `
-	# Gentoo integrated run_init+open_init_pty-runscript:
-	domain_entry_file(run_init_t,initrc_exec_t)
-	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # Setfiles local policy
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 33ef4fc..61b0826 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -162,6 +162,12 @@ ifdef(`targeted_policy',`
 		optional_policy(`init',`
 			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
 		')
+	',`
+		ifdef(`distro_gentoo',`
+			optional_policy(`selinuxutil',`
+				seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+			')
+		')
 	')
 
 	ifdef(`enable_mls',`

More information about the scm-commits mailing list