[selinux-policy: 1238/3172] add gentoo integrated run init
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:52:09 UTC 2010
commit 2283dc74e20b2d466bf50981624a1a99e9138faf
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Feb 21 15:57:49 2006 +0000
add gentoo integrated run init
refpolicy/policy/modules/system/init.if | 53 +++++++++++++++++
refpolicy/policy/modules/system/selinuxutil.if | 73 ++++++++++++++++++++++++
refpolicy/policy/modules/system/selinuxutil.te | 15 ++---
refpolicy/policy/modules/system/userdomain.te | 6 ++
4 files changed, 139 insertions(+), 8 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index e04bdb8..11109a2 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -339,6 +339,25 @@ interface(`init_udp_send',`
')
########################################
+## <summary>
+## Make init scripts an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which init scripts are an entrypoint.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_entry_type',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ domain_entry_file($1,initrc_exec_t)
+')
+
+########################################
#
# init_domtrans_script(domain)
#
@@ -358,6 +377,40 @@ interface(`init_domtrans_script',`
########################################
## <summary>
+## Execute a init script in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a init script in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain to transition from.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domain_auto_trans($1,initrc_exec_t,$2)
+')
+
+########################################
+## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 357c888..bb82023 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -364,6 +364,35 @@ interface(`seutil_domtrans_runinit',`
########################################
## <summary>
+## Execute init scripts in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute init scripts in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_init_script_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ init_script_file_domtrans($1,run_init_t)
+
+ allow $1 run_init_t:fd use;
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
@@ -397,6 +426,50 @@ interface(`seutil_run_runinit',`
')
########################################
+## <summary>
+## Execute init scripts in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute init scripts in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the run_init domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the run_init domain to use.
+## </summary>
+## </param>
+#
+interface(`seutil_init_script_run_runinit',`
+ gen_require(`
+ type run_init_t;
+ role system_r;
+ ')
+
+ seutil_init_script_domtrans_runinit($1)
+ role $2 types run_init_t;
+ allow run_init_t $3:chr_file rw_term_perms;
+ allow $2 system_r;
+')
+
+########################################
#
# seutil_use_runinit_fds(domain)
#
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 7e54792..3e18e2a 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -410,6 +410,13 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
+ifdef(`direct_sysadm_daemon',`',`
+ ifdef(`distro_gentoo',`
+ # Gentoo integrated run_init:
+ init_script_file_entry_type(run_init_t)
+ ')
+')
+
ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
@@ -457,14 +464,6 @@ ifdef(`targeted_policy',`',`
')
') dnl end ifdef targeted policy
-ifdef(`TODO',`
-ifdef(`distro_gentoo', `
- # Gentoo integrated run_init+open_init_pty-runscript:
- domain_entry_file(run_init_t,initrc_exec_t)
- domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-') dnl end TODO
-
########################################
#
# Setfiles local policy
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 33ef4fc..61b0826 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -162,6 +162,12 @@ ifdef(`targeted_policy',`
optional_policy(`init',`
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
')
+ ',`
+ ifdef(`distro_gentoo',`
+ optional_policy(`selinuxutil',`
+ seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+ ')
+ ')
')
ifdef(`enable_mls',`
More information about the scm-commits
mailing list