Add init_spec_daemon_domain interface
We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each.

The context is customized in /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2]. We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t.

We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.

[1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html

Signed-off-by: Dave Sugar <dsugar@tresys.com>
parent
487de20913
commit
bc94acf133
|
@ -136,6 +136,63 @@ interface(`init_domain',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Setup a domain which can be manually transitioned to from init.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create a domain used for systemd services where the SELinuxContext
|
||||||
|
## option is specified in the .service file. This allows for the
|
||||||
|
## manual transition from systemd into the new domain. This is used
|
||||||
|
## when automatic transitions won't work. Used for the case where the
|
||||||
|
## same binary is used for multiple target domains.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Type to be used as a domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="entry_point">
|
||||||
|
## <summary>
|
||||||
|
## Type of the program being executed when starting this domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`init_spec_daemon_domain',`
|
||||||
|
gen_require(`
|
||||||
|
type init_t;
|
||||||
|
role system_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_type($1)
|
||||||
|
domain_entry_file($1, $2)
|
||||||
|
|
||||||
|
role system_r types $1;
|
||||||
|
|
||||||
|
spec_domtrans_pattern(init_t, $2, $1)
|
||||||
|
|
||||||
|
ifdef(`init_systemd',`
|
||||||
|
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
|
||||||
|
|
||||||
|
allow init_t $1:process2 { nnp_transition nosuid_transition };
|
||||||
|
')
|
||||||
|
|
||||||
|
# daemons started from init will
|
||||||
|
# inherit fds from init for the console
|
||||||
|
init_dontaudit_use_fds($1)
|
||||||
|
term_dontaudit_use_console($1)
|
||||||
|
|
||||||
|
# init script ptys are the stdin/out/err
|
||||||
|
# when using run_init
|
||||||
|
init_use_script_ptys($1)
|
||||||
|
|
||||||
|
ifdef(`direct_sysadm_daemon',`
|
||||||
|
userdom_dontaudit_use_user_terminals($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create a domain which can be started by init,
|
## Create a domain which can be started by init,
|
||||||
|
|
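Review bot: The `allow init_t $1:process2 { nnp_transition nosuid_transition };` rule inside the ifdef(`init_systemd') block has no comment, while the dontaudit and pty blocks after it each say why they are there. Since this rule lets init_t change into $1 across a no_new_privs or nosuid boundary, please add a one-line comment stating which unit configuration needs it, so a later reader can tell whether it is still required. Two smaller points: the description says the interface exists for the systemd SELinuxContext= case, yet `spec_domtrans_pattern(init_t, $2, $1)` sits outside the ifdef and so applies on non-systemd builds as well; either say in the <desc> that this is intended or move it under the ifdef. The "when using run_init" comment above `init_use_script_ptys($1)` reads as carried over from the interface this one is modelled on; confirm it applies to domains started this way or drop it.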