init: Revise init_startstop_service() build option blocks.

Revise to use ifelse to have a clear set of criteria for enabling the various options. Additionally, if no options are enabled, run_init permissions are provided as a default. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-23 16:11:06 -04:00 · 2020-07-23 16:11:06 -04:00 · 4c7926a3c0
commit 4c7926a3c0
parent e167e1a4d4
1 changed files with 21 additions and 19 deletions
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -2047,25 +2047,7 @@ interface(`init_get_script_status',`
 ## </param>
 #
 interface(`init_startstop_service',`
-	gen_require(`
+	ifelse(`init_systemd',`true',`
 		role system_r;
 	')
 	# sysvinit/upstart systems will need to use run_init
 	# if not using direct_sysadm_daemon.
 	ifdef(`direct_sysadm_daemon',`
 		init_labeled_script_domtrans($1, $4)
 		domain_system_change_exemption($1)
 		role_transition $2 $4 system_r;
 		allow $2 system_r;
 	')
 	ifdef(`distro_gentoo',`
 		# for OpenRC
 		seutil_labeled_init_script_run_runinit($1, $2, $4)
 	')
 	ifdef(`init_systemd',`
 		# This ifelse condition is temporary, until
 		# all callers are updated to provide unit files.
 		ifelse(`$5',`',`',`
@ -2075,6 +2057,26 @@ interface(`init_startstop_service',`
 			allow $1 $5:service { start status stop };
 		')
 	',`distro_gentoo',`true',`
 		# for OpenRC
 		seutil_labeled_init_script_run_runinit($1, $2, $4)
 	',`direct_sysadm_daemon',`true',`
 		gen_require(`
 			role system_r;
 		')
 		# rules for sysvinit / upstart
 		init_labeled_script_domtrans($1, $4)
 		domain_system_change_exemption($1)
 		role_transition $2 $4 system_r;
 		allow $2 system_r;
 	',` dnl else
 		optional_policy(`
 			seutil_run_runinit($1, $2)
 		')
 	')
 ')