From 4c7926a3c012b6b564831a1cdd93cb30ba100484 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 23 Jul 2020 16:11:06 -0400
Subject: [PATCH] init: Revise init_startstop_service() build option blocks.
Revise to use ifelse to have a clear set of criteria for enabling the various options. Additionally, if no options are enabled, run_init permissions are provided as a default.
Signed-off-by: Chris PeBenito
---
 policy/modules/system/init.if | 40 ++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ab24b5d9b..66482eb35 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2047,25 +2047,7 @@ interface(`init_get_script_status',`
 ##
 #
 interface(`init_startstop_service',`
- gen_require(`
- role system_r;
- ')
-
- # sysvinit/upstart systems will need to use run_init
- # if not using direct_sysadm_daemon.
- ifdef(`direct_sysadm_daemon',`
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
- ')
-
- ifdef(`distro_gentoo',`
- # for OpenRC
- seutil_labeled_init_script_run_runinit($1, $2, $4)
- ')
-
- ifdef(`init_systemd',`
+ ifelse(`init_systemd',`true',`
 # This ifelse condition is temporary, until
 # all callers are updated to provide unit files.
 ifelse(`$5',`',`',`
@@ -2075,6 +2057,26 @@ interface(`init_startstop_service',`
 allow $1 $5:service { start status stop };
 ')
+
+ ',`distro_gentoo',`true',`
+ # for OpenRC
+ seutil_labeled_init_script_run_runinit($1, $2, $4)
+
+ ',`direct_sysadm_daemon',`true',`
+ gen_require(`
+ role system_r;
+ ')
+
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+
+ ',` dnl else
+ optional_policy(`
+ seutil_run_runinit($1, $2)
+ ')
 ')
 ')
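Review bot: The added `ifelse` on `init_systemd` in the first hunk compares against the string `true`, whereas the removed `ifdef` only tested that the option was defined. The patch does not show how `init_systemd`, `distro_gentoo` and `direct_sysadm_daemon` are defined; if they are defined without a value, or with any value other than `true`, none of the three comparisons (the other two are in the second hunk) can match. Every build would then take the default branch and systemd builds would lose the `allow $1 $5:service { start status stop };` rule without any build error. Please confirm the build system defines these options as `true`, or keep existence tests by nesting `ifdef` in the else argument of the previous one. The body of `init_startstop_service` continues past the end of this hunk.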
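Review bot: The `dnl else` branch at the end of the second hunk adds access rather than restructuring it: a build matching none of the three options previously got no allow rules from this interface and now gets `seutil_run_runinit($1, $2)` for every caller. Because the branches are now mutually exclusive, a build with `direct_sysadm_daemon` plus `init_systemd` or `distro_gentoo` also no longer receives `role_transition $2 $4 system_r;` and `allow $2 system_r;`, which the independent `ifdef` blocks used to grant. Both changes should be stated where policy reviewers will see them, for example with `# Fallback when no init build option is set: start services through run_init.` in the branch and a sentence on branch precedence in the interface's description block, which begins above the first hunk.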