From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-660837-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id C68891387B2
	for <garchives@archives.gentoo.org>; Sun, 19 Jan 2014 19:01:45 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 432ECE0D14;
	Sun, 19 Jan 2014 19:01:45 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id B0A8AE0D17
	for <gentoo-commits@lists.gentoo.org>; Sun, 19 Jan 2014 19:01:44 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 28DFC33F9AC
	for <gentoo-commits@lists.gentoo.org>; Sun, 19 Jan 2014 19:01:41 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by spoonbill.gentoo.org (Postfix) with ESMTP id 356F81872F
	for <gentoo-commits@lists.gentoo.org>; Sun, 19 Jan 2014 19:01:39 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1390157789.f284a7d9a477d5e167d5bdf619fd72a0ede11655.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/init.if policy/modules/system/init.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: f284a7d9a477d5e167d5bdf619fd72a0ede11655
X-VCS-Branch: master
Date: Sun, 19 Jan 2014 19:01:39 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 58d24775-d2cf-4cac-8198-82dfd044bb49
X-Archives-Hash: e813567798aa5c193cad39c0fd2553a6

commit:     f284a7d9a477d5e167d5bdf619fd72a0ede11655
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Jan 15 15:04:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:56:29 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f284a7d9

Change behavior of init_run_daemon()

Callers on init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.

The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.if | 15 ++++-----------
 policy/modules/system/init.te |  6 ------
 2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fa19e41..62a86ec 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -193,7 +193,6 @@ interface(`init_ranged_domain',`
 #
 interface(`init_daemon_domain',`
 	gen_require(`
-		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
 		role system_r;
 		attribute daemon;
@@ -218,12 +217,6 @@ interface(`init_daemon_domain',`
 	init_use_script_ptys($1)
 
 	ifdef(`direct_sysadm_daemon',`
-		domtrans_pattern(direct_run_init, $2, $1)
-		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
-
-		typeattribute $1 direct_init;
-		typeattribute $2 direct_init_entry;
-
 		userdom_dontaudit_use_user_terminals($1)
 	')
 
@@ -987,14 +980,14 @@ interface(`init_all_labeled_script_domtrans',`
 #
 interface(`init_run_daemon',`
 	gen_require(`
-		attribute direct_run_init, direct_init, direct_init_entry;
+                attribute init_script_file_type;
 		role system_r;
 	')
 
-	typeattribute $1 direct_run_init;
-
 	allow $2 system_r;
-	role_transition $2 direct_init_entry system_r;
+
+        init_all_labeled_script_domtrans($1)
+        role_transition $2 init_script_file_type system_r;
 ')
 
 ########################################

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dce9cd0..aa97e04 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,12 +16,6 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
-# used for direct running of init scripts
-# by admin domains
-attribute direct_run_init;
-attribute direct_init;
-attribute direct_init_entry;
-
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;