Add openrc support to init_startstop_service

Adds the openrc rules in ifdef distro_gentoo to transition to run_init correctly.
2015-05-27 22:01:42 +04:00 · 2015-05-27 22:01:42 +04:00 · dd21231043
commit dd21231043
parent 45b281db62
2 changed files with 85 additions and 5 deletions
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -993,11 +993,16 @@ interface(`init_startstop_service',`
 	')

 	ifndef(`direct_sysadm_daemon',`
-		# rules for sysvinit / upstart
-		init_labeled_script_domtrans($1, $4)
-		domain_system_change_exemption($1)
-		role_transition $2 $4 system_r;
-		allow $2 system_r;
+		ifdef(`distro_gentoo',`
+			# for OpenRC
+			seutil_labeled_init_script_run_runinit($1, $2, $4)
+		',`
+			# rules for sysvinit / upstart
+			init_labeled_script_domtrans($1, $4)
+			domain_system_change_exemption($1)
+			role_transition $2 $4 system_r;
+			allow $2 system_r;
+		')
 	')
 ')

--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@ -377,6 +377,40 @@ interface(`seutil_domtrans_runinit',`
 	domtrans_pattern($1, run_init_exec_t, run_init_t)
 ')

+########################################
+## <summary>
+##	Execute file in the run_init domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute file in the run_init domain.
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of entry file.
+##	</summary>
+## </param>
+#
+interface(`seutil_labeled_init_script_domtrans_runinit',`
+	gen_require(`
+		type run_init_t;
+	')
+
+	domain_entry_file(run_init_t, $2)
+	domain_auto_transition_pattern($1, $2, run_init_t)
+
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Execute init scripts in the run_init domain.
@ -468,6 +502,47 @@ interface(`seutil_init_script_run_runinit',`
 	roleattribute $2 run_init_roles;
 ')

+########################################
+## <summary>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </summary>
+## <desc>
+##	<p>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+##	</p>
+##	<p>
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of init script.
+##	</summary>
+## </param>
+#
+interface(`seutil_labeled_init_script_run_runinit',`
+	gen_require(`
+		attribute_role run_init_roles;
+	')
+
+	seutil_labeled_init_script_domtrans_runinit($1, $3)
+	roleattribute $2 run_init_roles;
+')
+
 ########################################
 ## <summary>
 ##	Inherit and use run_init file descriptors.