Merge pull request #551 from dsugar100/fapolicyd_fixes

Fapolicyd fixes
2022-10-08 12:31:58 -04:00 · 2022-10-08 12:31:58 -04:00 · f8dabbe48c
parent e94bd845d9 847cffd32e
commit f8dabbe48c
3 changed files with 60 additions and 30 deletions
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -63,33 +63,60 @@ jobs:

      matrix:
        build-opts:
-          - {type: standard, distro: redhat, monolithic: y, systemd: y}
-          - {type: standard, distro: redhat, monolithic: n, systemd: y}
-          - {type: standard, distro: debian, monolithic: y, systemd: y}
-          - {type: standard, distro: debian, monolithic: n, systemd: y}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n}
-          - {type: standard, distro: gentoo, monolithic: n, systemd: n}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y}
-          - {type: mcs, distro: redhat, monolithic: n, systemd: y}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y}
-          - {type: mcs, distro: debian, monolithic: n, systemd: y}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n}
-          - {type: mcs, distro: gentoo, monolithic: n, systemd: n}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y}
-          - {type: mls, distro: redhat, monolithic: n, systemd: y}
-          - {type: mls, distro: debian, monolithic: y, systemd: y}
-          - {type: mls, distro: debian, monolithic: n, systemd: y}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n}
-          - {type: mls, distro: gentoo, monolithic: n, systemd: n}
-          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+          - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+          - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+          - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+          - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+          - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+          - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}

    steps:
    - uses: actions/checkout@v3
@ -124,6 +151,7 @@ jobs:
        echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
        echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
        echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
+        echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
        echo "WERROR=y" >> $GITHUB_ENV

    - name: Build toolchain
@ -144,7 +172,7 @@ jobs:
    - name: Build refpolicy
      run: |
        # Drop build.conf settings to listen to env vars
-        sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
+        sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf

        make bare
        make conf
--- a/policy/modules/admin/fapolicyd.if
+++ b/policy/modules/admin/fapolicyd.if
@ -152,6 +152,8 @@ interface(`fapolicyd_admin',`
 	files_search_runtime($1)
 	admin_pattern($1, fapolicyd_runtime_t)

-	fapolicyd_run_fagenrules($1, $2)
+	ifndef(`direct_sysadm_daemon',`
+		fapolicyd_run_fagenrules($1, $2)
+	')
 	fapolicyd_run_cli($1, $2)
 ')
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@ -93,7 +93,7 @@ optional_policy(`
 # fagenrules local policy
 #

-allow fagenrules_t self:capability { fsetid kill };
+allow fagenrules_t self:capability { chown fsetid kill };
 allow fagenrules_t self:fifo_file rw_inherited_fifo_file_perms;