Add init_spec_daemon_domain interface

We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2] We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case. [1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html [2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-12 02:52:14 +00:00 · 2017-09-12 02:52:14 +00:00 · bc94acf133
parent 487de20913
commit bc94acf133
1 changed files with 57 additions and 0 deletions
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -136,6 +136,63 @@ interface(`init_domain',`
 	')
 ')

+########################################
+## <summary>
+##	Setup a domain which can be manually transitioned to from init.
+## </summary>
+## <desc>
+##	<p>
+##	Create a domain used for systemd services where the SELinuxContext
+##  option is specified in the .service file.  This allows for the
+##  manual transition from systemd into the new domain.  This is used
+##  when automatic transitions won't work.  Used for the case where the
+##  same binary is used for multiple target domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program being executed when starting this domain.
+##	</summary>
+## </param>
+#
+interface(`init_spec_daemon_domain',`
+	gen_require(`
+		type init_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	spec_domtrans_pattern(init_t, $2, $1)
+
+	ifdef(`init_systemd',`
+		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+
+		allow init_t $1:process2 { nnp_transition nosuid_transition };
+	')
+
+	# daemons started from init will
+	# inherit fds from init for the console
+	init_dontaudit_use_fds($1)
+	term_dontaudit_use_console($1)
+
+	# init script ptys are the stdin/out/err
+	# when using run_init
+	init_use_script_ptys($1)
+
+	ifdef(`direct_sysadm_daemon',`
+		userdom_dontaudit_use_user_terminals($1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Create a domain which can be started by init,