Apply direct_initrc to unconfined_r:unconfined_t

Make it consistent with sysadm_r:sysadm_t.

If you build targeted policy then consider direct_initrc=y

If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Dominick Grift 2014-01-15 16:13:18 +01:00 committed by Chris PeBenito
parent 2be58db792
commit 493ca67e54
2 changed files with 14 additions and 6 deletions


@ -33,8 +33,6 @@ files_create_boot_flag(unconfined_t)
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
init_run_daemon(unconfined_t, unconfined_r)
libs_run_ldconfig(unconfined_t, unconfined_r)
logging_send_syslog_msg(unconfined_t)
@ -49,9 +47,15 @@ unconfined_domain(unconfined_t)
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
ifdef(`distro_gentoo',`
seutil_run_runinit(unconfined_t, unconfined_r)
seutil_init_script_run_runinit(unconfined_t, unconfined_r)
ifdef(`direct_sysadm_daemon',`
optional_policy(`
init_run_daemon(unconfined_t, unconfined_r)
')
',`
ifdef(`distro_gentoo',`
seutil_run_runinit(unconfined_t, unconfined_r)
seutil_init_script_run_runinit(unconfined_t, unconfined_r)
')
')
optional_policy(`
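Review bot: In the new else branch (direct_sysadm_daemon undefined) the run_init rules stay inside `ifdef(`distro_gentoo', ...)`, so on other distributions this section grants unconfined_t neither `init_run_daemon` nor `seutil_run_runinit`, although the description says direct_initrc=n builds rely on run_init. Unless this file calls `seutil_run_runinit(unconfined_t, unconfined_r)` somewhere outside these hunks, unconfined_t on such builds appears to be left without a way to start services in system_r; please confirm, or lift that call out of the Gentoo guard. A comment on the else branch would record the intent, for example `# direct_initrc=n: no direct init script execution; services are started through run_init`. The section ends on an opening `optional_policy(` whose body is outside the view.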


@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
ifdef(`direct_sysadm_daemon',`
gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
')
#
# The following users correspond to Unix identities.
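Review bot: The comment `# Until order dependence is fixed for users:` now sits on top of an ifdef whose first branch additionally authorizes unconfined_u for system_r, and nothing on the new lines says why. This widens the role set of an SELinux user that targeted builds presumably map ordinary logins to (the login mapping is not visible here), so the reason belongs next to the statement, e.g. `# direct_initrc=y: unconfined_u needs system_r so init scripts started from unconfined_t can run in system_r`. It would also help to note that direct_sysadm_daemon is the define set by the direct_initrc build option, since the description only uses the latter name.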