From 493ca67e54e455f65aa8350c88764e730336e6fc Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Wed, 15 Jan 2014 16:13:18 +0100
Subject: [PATCH] Apply direct_initrc to unconfined_r:unconfined_t

Make it consistent with sysadm_r:sysadm_t.

If you build targeted policy then consider direct_initrc=y

If you build with direct_initrc=n then both unconfined_r:unconfined_t, as well as sysadm_r:sysadm_t rely on run_init for running services on behalf of the system.

Signed-off-by: Dominick Grift
---
 policy/modules/system/unconfined.te | 14 +++++++++-----
 policy/users | 6 +++++-
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 667f2a048..1d928addf 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,8 +33,6 @@ files_create_boot_flag(unconfined_t)
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 
-init_run_daemon(unconfined_t, unconfined_r)
-
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
 logging_send_syslog_msg(unconfined_t)
@@ -49,9 +47,15 @@ unconfined_domain(unconfined_t)
 
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
-ifdef(`distro_gentoo',`
-	seutil_run_runinit(unconfined_t, unconfined_r)
-	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ifdef(`direct_sysadm_daemon',`
+	optional_policy(`
+		init_run_daemon(unconfined_t, unconfined_r)
+	')
+',`
+	ifdef(`distro_gentoo',`
+		seutil_run_runinit(unconfined_t, unconfined_r)
+		seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+	')
 ')
 
 optional_policy(`
diff --git a/policy/users b/policy/users
index c4ebc7e43..ca203758c 100644
--- a/policy/users
+++ b/policy/users
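Review bot: The Gentoo run_init branch is now nested in the else arm of the new ifdef, so a Gentoo build with direct_sysadm_daemon defined loses seutil_run_runinit() and seutil_init_script_run_runinit() for unconfined_t, where before this hunk they were granted unconditionally on distro_gentoo; that is a behaviour change the commit message does not mention, and if it is unintended the distro_gentoo block should stay outside the conditional. The message talks about direct_initrc while the m4 symbol tested here is direct_sysadm_daemon; a comment above the ifdef would keep the two greppable together, e.g. `# direct_sysadm_daemon is defined when build.conf sets DIRECT_INITRC=y; without it unconfined_t must go through run_init, like sysadm_t` (the DIRECT_INITRC mapping is from my recollection of the refpolicy Makefile, confirm). As I read init.if, init_run_daemon() gives unconfined_r a role_transition to system_r without the re-authentication that run_init performs, which is the trade-off the message only implies and would be worth stating outright.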
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+	gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+	gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
 
 #
 # The following users correspond to Unix identities.
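Review bot: The two added gen_user() lines differ only in the role list, so the conditional can move inside the argument the way the staff_u line in this hunk's header already does for enable_mls: ``gen_user(unconfined_u, unconfined, unconfined_r ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - mls_systemhigh, mcs_allcats)``, which keeps the MLS range and category set in one place so a later edit cannot drift between the two arms. Whichever form is kept, a comment should say why unconfined_u is authorized for system_r at all; presumably it is needed so the role change that init_run_daemon() sets up for unconfined_t in unconfined.te is permitted for this user — verify against init.if — e.g. `# system_r is needed for the init_run_daemon() role transition granted in unconfined.te`. Authorizing a login user for system_r is the actual privilege widening in this series, so it deserves a sentence in the commit message as well.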