From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1390157789.f284a7d9a477d5e167d5bdf619fd72a0ede11655.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/init.if policy/modules/system/init.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: f284a7d9a477d5e167d5bdf619fd72a0ede11655
X-VCS-Branch: master
Date: Sun, 19 Jan 2014 19:01:39 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     f284a7d9a477d5e167d5bdf619fd72a0ede11655
Author:     Dominick Grift gmail com>
AuthorDate: Wed Jan 15 15:04:31 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Jan 19 18:56:29 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f284a7d9

Change behavior of init_run_daemon()

Callers of init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.

The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.

Signed-off-by: Dominick Grift gmail.com>

---
 policy/modules/system/init.if | 15 ++++-----------
 policy/modules/system/init.te |  6 ------
 2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fa19e41..62a86ec 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -193,7 +193,6 @@ interface(`init_ranged_domain',` # interface(`init_daemon_domain',` gen_require(` - attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; role system_r; attribute daemon; @@ -218,12 +217,6 @@ interface(`init_daemon_domain',` init_use_script_ptys($1) ifdef(`direct_sysadm_daemon',` - domtrans_pattern(direct_run_init, $2, $1) - allow direct_run_init $1:process { noatsecure siginh rlimitinh }; - - typeattribute $1 direct_init; - typeattribute $2 direct_init_entry; - userdom_dontaudit_use_user_terminals($1) ') @@ -987,14 +980,14 @@ interface(`init_all_labeled_script_domtrans',` # interface(`init_run_daemon',` gen_require(` - attribute direct_run_init, direct_init, direct_init_entry; + attribute init_script_file_type; role system_r; ') - typeattribute $1 direct_run_init; - allow $2 system_r; - role_transition $2 direct_init_entry system_r; + + init_all_labeled_script_domtrans($1) + role_transition $2 init_script_file_type system_r; ') ######################################## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index dce9cd0..aa97e04 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,12 +16,6 @@ gen_require(` ## gen_tunable(init_upstart, false) -# used for direct running of init scripts -# by admin domains -attribute direct_run_init; -attribute direct_init; -attribute direct_init_entry; - attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain;
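Review bot: in the init_run_daemon() hunk (@@ -987,14 +980,14 @@) the role allow `allow $2 system_r;` is removed together with the direct_init lines, yet the replacement keeps a role change, `role_transition $2 init_script_file_type system_r;`. A role_transition only takes effect when the source role is permitted to reach the target role, so unless every caller of init_run_daemon() already gets `allow <role> system_r;` from some other interface, the role half of the transition the commit message describes will not happen. Suggest keeping `allow $2 system_r;` next to the new role_transition, or stating in the commit message where that role allow now comes from.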
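Review bot: the init.te hunk deletes the attribute declarations for direct_run_init, direct_init and direct_init_entry, but the patch only removes their use from the two gen_require blocks in init.if. Any other module that still names one of these attributes in a gen_require or typeattribute statement will fail to build once this lands; suggest grepping the policy tree for the three names before merging, and since this drops part of the init module's public interface under direct_sysadm_daemon, a sentence about the removal belongs in the commit message.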
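Review bot: in the init_daemon_domain() hunk (@@ -218,12 +217,6 @@) the `ifdef(`direct_sysadm_daemon',` block is left holding only `userdom_dontaudit_use_user_terminals($1)` after the domtrans_pattern, `allow direct_run_init $1:process { noatsecure siginh rlimitinh };` and the two typeattribute lines go away. With the daemon domain no longer entered directly from an admin role, it is worth deciding whether that dontaudit should stay under the ifdef or apply unconditionally, and noting in the commit message that the `noatsecure siginh rlimitinh` grant on the direct transition is gone and the admin path now goes through initrc_t via init_all_labeled_script_domtrans().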