diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index e04bdb822..11109a29e 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -338,6 +338,25 @@ interface(`init_udp_send',` allow init_t $1:udp_socket recvfrom; ') +######################################## +## +## Make init scripts an entry point for +## the specified domain. +## +## +## +## The domain for which init scripts are an entrypoint. +## +## +# cjp: added for gentoo integrated run_init +interface(`init_script_file_entry_type',` + gen_require(` + type initrc_exec_t; + ') + + domain_entry_file($1,initrc_exec_t) +') + ######################################## # # init_domtrans_script(domain) @@ -356,6 +375,40 @@ interface(`init_domtrans_script',` allow initrc_t $1:process sigchld; ') +######################################## +## +## Execute a init script in a specified domain. +## +## +##

+## Execute a init script in a specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Domain to transition from. +## +## +## +## +## Domain to transition to. +## +## +# cjp: added for gentoo integrated run_init +interface(`init_script_file_domtrans',` + gen_require(` + type initrc_exec_t; + ') + + files_list_etc($1) + domain_auto_trans($1,initrc_exec_t,$2) +') + ######################################## ## ## Start and stop daemon programs directly. diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 357c88825..bb820236f 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -362,6 +362,35 @@ interface(`seutil_domtrans_runinit',` allow run_init_t $1:process sigchld; ') +######################################## +## +## Execute init scripts in the run_init domain. +## +## +##

+## Execute init scripts in the run_init domain. +## This is used for the Gentoo integrated run_init. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`seutil_init_script_domtrans_runinit',` + gen_require(` + type run_init_t; + ') + + init_script_file_domtrans($1,run_init_t) + + allow $1 run_init_t:fd use; + allow run_init_t $1:fd use; + allow run_init_t $1:fifo_file rw_file_perms; + allow run_init_t $1:process sigchld; +') + ######################################## ## ## Execute run_init in the run_init domain, and @@ -396,6 +425,50 @@ interface(`seutil_run_runinit',` allow $2 system_r; ') +######################################## +## +## Execute init scripts in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## +## +##

+## Execute init scripts in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +##

+##

+## This is used for the Gentoo integrated run_init. +##

+##
+## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the run_init domain. +## +## +## +## +## The type of the terminal allow the run_init domain to use. +## +## +# +interface(`seutil_init_script_run_runinit',` + gen_require(` + type run_init_t; + role system_r; + ') + + seutil_init_script_domtrans_runinit($1) + role $2 types run_init_t; + allow run_init_t $3:chr_file rw_term_perms; + allow $2 system_r; +') + ######################################## # # seutil_use_runinit_fds(domain) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 7e547923e..3e18e2a40 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -410,6 +410,13 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) +ifdef(`direct_sysadm_daemon',`',` + ifdef(`distro_gentoo',` + # Gentoo integrated run_init: + init_script_file_entry_type(run_init_t) + ') +') + ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; @@ -457,14 +464,6 @@ ifdef(`targeted_policy',`',` ') ') dnl end ifdef targeted policy -ifdef(`TODO',` -ifdef(`distro_gentoo', ` - # Gentoo integrated run_init+open_init_pty-runscript: - domain_entry_file(run_init_t,initrc_exec_t) - domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) -') -') dnl end TODO - ######################################## # # Setfiles local policy diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 33ef4fc55..61b0826d7 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -162,6 +162,12 @@ ifdef(`targeted_policy',` optional_policy(`init',` init_run_daemon(sysadm_t,sysadm_r,admin_terminal) ') + ',` + ifdef(`distro_gentoo',` + optional_policy(`selinuxutil',` + seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal) + ') + ') ') ifdef(`enable_mls',`