add gentoo integrated run init
This commit is contained in:
Chris PeBenito
parent
4ca6d0d28f
commit
2283dc74e2
|
|
@ -338,6 +338,25 @@ interface(`init_udp_send',`
|
|||
allow init_t $1:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make init scripts an entry point for
|
||||
## the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The domain for which init scripts are an entrypoint.
|
||||
## </summary>
|
||||
## </param>
|
||||
# cjp: added for gentoo integrated run_init
|
||||
interface(`init_script_file_entry_type',`
|
||||
gen_require(`
|
||||
type initrc_exec_t;
|
||||
')
|
||||
|
||||
domain_entry_file($1,initrc_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_domtrans_script(domain)
|
||||
|
|
@ -356,6 +375,40 @@ interface(`init_domtrans_script',`
|
|||
allow initrc_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a init script in a specified domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Execute a init script in a specified domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## No interprocess communication (signals, pipes,
|
||||
## etc.) is provided by this interface since
|
||||
## the domains are not owned by this module.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="source_domain">
|
||||
## <summary>
|
||||
## Domain to transition from.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## <summary>
|
||||
## Domain to transition to.
|
||||
## </summary>
|
||||
## </param>
|
||||
# cjp: added for gentoo integrated run_init
|
||||
interface(`init_script_file_domtrans',`
|
||||
gen_require(`
|
||||
type initrc_exec_t;
|
||||
')
|
||||
|
||||
files_list_etc($1)
|
||||
domain_auto_trans($1,initrc_exec_t,$2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Start and stop daemon programs directly.
|
||||
|
|
|
|||
|
|
@ -362,6 +362,35 @@ interface(`seutil_domtrans_runinit',`
|
|||
allow run_init_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute init scripts in the run_init domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Execute init scripts in the run_init domain.
|
||||
## This is used for the Gentoo integrated run_init.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_init_script_domtrans_runinit',`
|
||||
gen_require(`
|
||||
type run_init_t;
|
||||
')
|
||||
|
||||
init_script_file_domtrans($1,run_init_t)
|
||||
|
||||
allow $1 run_init_t:fd use;
|
||||
allow run_init_t $1:fd use;
|
||||
allow run_init_t $1:fifo_file rw_file_perms;
|
||||
allow run_init_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute run_init in the run_init domain, and
|
||||
|
|
@ -396,6 +425,50 @@ interface(`seutil_run_runinit',`
|
|||
allow $2 system_r;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute init scripts in the run_init domain, and
|
||||
## allow the specified role the run_init domain,
|
||||
## and use the caller's terminal.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Execute init scripts in the run_init domain, and
|
||||
## allow the specified role the run_init domain,
|
||||
## and use the caller's terminal.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is used for the Gentoo integrated run_init.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the run_init domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the run_init domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_init_script_run_runinit',`
|
||||
gen_require(`
|
||||
type run_init_t;
|
||||
role system_r;
|
||||
')
|
||||
|
||||
seutil_init_script_domtrans_runinit($1)
|
||||
role $2 types run_init_t;
|
||||
allow run_init_t $3:chr_file rw_term_perms;
|
||||
allow $2 system_r;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# seutil_use_runinit_fds(domain)
|
||||
|
|
|
|||
|
|
@ -410,6 +410,13 @@ selinux_compute_create_context(run_init_t)
|
|||
selinux_compute_relabel_context(run_init_t)
|
||||
selinux_compute_user_contexts(run_init_t)
|
||||
|
||||
ifdef(`direct_sysadm_daemon',`',`
|
||||
ifdef(`distro_gentoo',`
|
||||
# Gentoo integrated run_init:
|
||||
init_script_file_entry_type(run_init_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
allow run_init_t self:process setexec;
|
||||
allow run_init_t self:capability setuid;
|
||||
|
|
@ -457,14 +464,6 @@ ifdef(`targeted_policy',`',`
|
|||
')
|
||||
') dnl end ifdef targeted policy
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`distro_gentoo', `
|
||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||
domain_entry_file(run_init_t,initrc_exec_t)
|
||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Setfiles local policy
|
||||
|
|
|
|||
|
|
@ -162,6 +162,12 @@ ifdef(`targeted_policy',`
|
|||
optional_policy(`init',`
|
||||
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
',`
|
||||
ifdef(`distro_gentoo',`
|
||||
optional_policy(`selinuxutil',`
|
||||
seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
|
|
|
|||
Loading…
Reference in New Issue