From 6cc3f35635c73a0a135ad0b32142f27d19b2d889 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 29 Aug 2008 19:00:02 +0000 Subject: [PATCH] trunk: first part of init script labeling support. --- Changelog | 1 + policy/modules/system/init.if | 162 ++++++++++++++++++++++++++++++---- policy/modules/system/init.te | 12 ++- 3 files changed, 153 insertions(+), 22 deletions(-) diff --git a/Changelog b/Changelog index 382ac7a6f..9497a31fe 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Init script file and domain support. - Glibc 2.7 fix from Vaclav Ovsik. - Samba/winbind update from Mike Edenfield. - Policy size optimization with a non-security file attribute from James diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index c923e6fb9..3cdd56a70 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,72 @@ ## System initialization programs (init and init scripts). +######################################## +## +## Create a file type used for init scripts. +## +## +##

+## Create a file type used for init scripts. +## Can not be used in conjunction with +## init_script_domain(). +##

+##
+## +## +## Type of the script file used as an entry point to this domain. +## +## +# +interface(`init_script_file',` + gen_require(` + type initrc_t; + attribute init_script_file_type, init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_file_type; + + domain_entry_file(initrc_t, $1) + + domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) +') + +######################################## +## +## Create a domain used for init scripts. +## +## +##

+## Create a domain used for init scripts. +## Can not be used in conjunction with +## init_script_file(). +##

+##
+## +## +## Type to be used as an init script domain. +## +## +## +## +## Type of the script file used as an entry point to this domain. +## +## +# +interface(`init_script_domain',` + gen_require(` + attribute init_script_domain_type, init_script_file_type; + attribute init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_domain_type; + typeattribute $2 init_script_file_type; + + domain_type($1) + domain_entry_file($1, $2) + + domtrans_pattern(init_run_all_scripts_domain, $2, $1) +') + ######################################## ## ## Create a domain which can be started by init. @@ -701,6 +768,25 @@ interface(`init_getattr_script_files',` allow $1 initrc_exec_t:file getattr; ') +######################################## +## +## Read init scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_script_files',` + gen_require(` + type initrc_exec_t; + ') + + files_search_etc($1) + allow $1 initrc_exec_t:file read_file_perms; +') + ######################################## ## ## Execute init scripts in the caller domain. @@ -720,6 +806,63 @@ interface(`init_exec_script_files',` can_exec($1,initrc_exec_t) ') +######################################## +## +## Get the attribute of all init script entrypoint files. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_getattr_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_list_etc($1) + allow $1 init_script_file_type:file getattr; +') + +######################################## +## +## Read all init script files. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_search_etc($1) + allow $1 init_script_file_type:file read_file_perms; +') + +######################################## +## +## Execute all init scripts in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_exec_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_list_etc($1) + can_exec($1, init_script_file_type) +') + ######################################## ## ## Read the process state (/proc/pid) of the init scripts. @@ -1028,25 +1171,6 @@ interface(`init_dontaudit_use_script_ptys',` dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; ') -######################################## -## -## Read init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_script_files',` - gen_require(` - type initrc_exec_t; - ') - - files_search_etc($1) - allow $1 initrc_exec_t:file read_file_perms; -') - ######################################## ## ## Get the attributes of init script diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 51b714c66..ebc586d41 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -23,6 +23,10 @@ attribute direct_run_init; attribute direct_init; attribute direct_init_entry; +attribute init_script_domain_type; +attribute init_script_file_type; +attribute init_run_all_scripts_domain; + # Mark process types as daemons attribute daemon; @@ -51,8 +55,8 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) -type initrc_t; -type initrc_exec_t; +type initrc_t, init_script_domain_type, init_run_all_scripts_domain; +type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t,initrc_exec_t) role system_r types initrc_t; @@ -217,7 +221,9 @@ term_create_pty(initrc_t,initrc_devpts_t) # Going to single user mode init_exec(initrc_t) -can_exec(initrc_t,initrc_exec_t) +can_exec(initrc_t, init_script_file_type) + +domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t) manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)