[selinux-policy: 1614/3172] change transition from run_init to initrc to spec.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:24:39 UTC 2010 

commit 93ddc66983f3ef1c66014511944b86f27f0d5353
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 9 18:52:19 2006 +0000

    change transition from run_init to initrc to spec.

 policy/modules/system/init.if        |   33 +++++++++++-
 policy/modules/system/init.te        |    2 +-
 policy/modules/system/selinuxutil.te |   95 ++++++++++++++++-----------------
 3 files changed, 79 insertions(+), 51 deletions(-)
---
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 892cf02..bfb4eaa 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -579,7 +579,38 @@ interface(`init_script_file_entry_type',`
 
 ########################################
 ## <summary>
-##	Execute init scripts with a domain transition.
+##	Execute init scripts with a specified domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_spec_domtrans_script',`
+	gen_require(`
+		type initrc_t, initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	domain_trans($1,initrc_exec_t,initrc_t)
+	allow $1 self:process setexec;
+	allow initrc_t $1:fd use;
+	allow initrc_t $1:fifo_file rw_file_perms;
+	allow initrc_t $1:process sigchld;
+
+	ifdef(`enable_mcs',`
+		range_transition $1 initrc_exec_t:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Execute init scripts with an automatic domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b63bcdb..6192b8e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.28)
+policy_module(init,1.3.29)
 
 gen_require(`
 	class passwd rootok;
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 601ad2e..286015a 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.16)
+policy_module(selinuxutil,1.2.17)
 
 ifdef(`strict_policy',`
 	gen_require(`
@@ -480,73 +480,70 @@ optional_policy(`
 # Run_init local policy
 #
 
-selinux_get_fs_mount(run_init_t)
-selinux_validate_context(run_init_t)
-selinux_compute_access_vector(run_init_t)
-selinux_compute_create_context(run_init_t)
-selinux_compute_relabel_context(run_init_t)
-selinux_compute_user_contexts(run_init_t)
+allow run_init_t self:process setexec;
+allow run_init_t self:capability setuid;
+allow run_init_t self:fifo_file rw_file_perms;
+allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
-mls_rangetrans_source(run_init_t)
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t self:capability { dac_override dac_read_search };
 
-ifdef(`direct_sysadm_daemon',`',`
-	ifdef(`distro_gentoo',`
-		# Gentoo integrated run_init:
-		init_script_file_entry_type(run_init_t)
-	')
-')
+fs_getattr_xattr_fs(run_init_t)
 
-ifdef(`targeted_policy',`',`
-	allow run_init_t self:process setexec;
-	allow run_init_t self:capability setuid;
-	allow run_init_t self:fifo_file rw_file_perms;
-	allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+dev_dontaudit_list_all_dev_nodes(run_init_t)
 
-	# often the administrator runs such programs from a directory that is owned
-	# by a different user or has restrictive SE permissions, do not want to audit
-	# the failed access to the current directory
-	dontaudit run_init_t self:capability { dac_override dac_read_search };
+term_dontaudit_list_ptys(run_init_t)
 
-	fs_getattr_xattr_fs(run_init_t)
+auth_domtrans_chk_passwd(run_init_t)
+auth_dontaudit_read_shadow(run_init_t)
 
-	dev_dontaudit_list_all_dev_nodes(run_init_t)
+corecmd_exec_bin(run_init_t)
+corecmd_exec_shell(run_init_t)
 
-	term_dontaudit_list_ptys(run_init_t)
+domain_use_interactive_fds(run_init_t)
 
-	auth_domtrans_chk_passwd(run_init_t)
-	auth_dontaudit_read_shadow(run_init_t)
+files_read_etc_files(run_init_t)
+files_dontaudit_search_all_dirs(run_init_t)
 
-	corecmd_exec_bin(run_init_t)
-	corecmd_exec_shell(run_init_t)
-
-	domain_use_interactive_fds(run_init_t)
+selinux_get_fs_mount(run_init_t)
+selinux_validate_context(run_init_t)
+selinux_compute_access_vector(run_init_t)
+selinux_compute_create_context(run_init_t)
+selinux_compute_relabel_context(run_init_t)
+selinux_compute_user_contexts(run_init_t)
 
-	files_read_etc_files(run_init_t)
-	files_dontaudit_search_all_dirs(run_init_t)
+mls_rangetrans_source(run_init_t)
 
-	init_domtrans_script(run_init_t)
-	# for utmp
-	init_rw_utmp(run_init_t)
+init_spec_domtrans_script(run_init_t)
+# for utmp
+init_rw_utmp(run_init_t)
 
-	libs_use_ld_so(run_init_t)
-	libs_use_shared_libs(run_init_t)
+libs_use_ld_so(run_init_t)
+libs_use_shared_libs(run_init_t)
 
-	seutil_read_config(run_init_t)
-	seutil_read_default_contexts(run_init_t)
+seutil_read_config(run_init_t)
+seutil_read_default_contexts(run_init_t)
 
-	miscfiles_read_localization(run_init_t)
+miscfiles_read_localization(run_init_t)
 
-	logging_send_syslog_msg(run_init_t)
+logging_send_syslog_msg(run_init_t)
 
-	optional_policy(`
-		daemontools_domtrans_start(run_init_t)
+ifndef(`direct_sysadm_daemon',`
+	ifdef(`distro_gentoo',`
+		# Gentoo integrated run_init:
+		init_script_file_entry_type(run_init_t)
 	')
+')
 
-	optional_policy(`
-		nscd_socket_use(run_init_t)
-	')	
+optional_policy(`
+	daemontools_domtrans_start(run_init_t)
+')
 
-') dnl end ifdef targeted policy
+optional_policy(`
+	nscd_socket_use(run_init_t)
+')	
 
 ########################################
 #

More information about the scm-commits mailing list