Add init_spec_daemon_domain interface

We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option  to specify a context for the service being started.  The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each.  The context is customized in /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0)  [2]

We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t

We have created the following interface (in init.if) to meet our needs.  The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.

[1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html

Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
David Sugar 2017-09-12 02:52:14 +00:00 committed by Chris PeBenito
parent 487de20913
commit bc94acf133

View File

@ -136,6 +136,63 @@ interface(`init_domain',`
') ')
') ')
########################################
## <summary>
## Setup a domain which can be manually transitioned to from init.
## </summary>
## <desc>
## <p>
## Create a domain used for systemd services where the SELinuxContext
## option is specified in the .service file. This allows for the
## manual transition from systemd into the new domain. This is used
## when automatic transitions won't work. Used for the case where the
## same binary is used for multiple target domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program being executed when starting this domain.
## </summary>
## </param>
#
interface(`init_spec_daemon_domain',`
gen_require(`
type init_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
spec_domtrans_pattern(init_t, $2, $1)
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
# daemons started from init will
# inherit fds from init for the console
init_dontaudit_use_fds($1)
term_dontaudit_use_console($1)
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys($1)
ifdef(`direct_sysadm_daemon',`
userdom_dontaudit_use_user_terminals($1)
')
')
######################################## ########################################
## <summary> ## <summary>
## Create a domain which can be started by init, ## Create a domain which can be started by init,