* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
@ 2015-02-09 9:58 Jason Zaman
0 siblings, 0 replies; 4+ messages in thread
From: Jason Zaman @ 2015-02-09 9:58 UTC (permalink / raw
To: gentoo-commits
commit: 0897e2ba7152ef4752b2fb292fe9bde72b88b465
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 09:20:21 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 9 09:54:18 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0897e2ba
add back the working parts of commit fe62598f2fb87
---
policy/modules/system/init.if | 74 ++++++++++++++++++++++---------------------
1 file changed, 38 insertions(+), 36 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7cdf3a8..1f897d2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
########################################
## <summary>
-## Mark the file type as a daemon pid file, allowing initrc_t
-## to create it
-## </summary>
-## <param name="filetype">
-## <summary>
-## Type to mark as a daemon pid file
-## </summary>
-## </param>
-## <param name="class">
-## <summary>
-## Class on which the type is applied
-## </summary>
-## </param>
-## <param name="filename">
-## <summary>
-## Filename of the file that the init script creates
-## </summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
- gen_require(`
- attribute daemonpidfile;
- type initrc_t;
- ')
-
- typeattribute $1 daemonpidfile;
-
- files_pid_file($1)
- files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
## Create a domain for long running processes
## (daemons/services) which are started by init scripts.
## </summary>
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
########################################
## <summary>
-## Mark the type as a daemon run dir
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
## </summary>
-## <param name="rundirtype">
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon pid file
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which the type is applied
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the file that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+ gen_require(`
+ attribute daemonpidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonpidfile;
+
+ files_pid_file($1)
+ files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+## Mark the file type as a daemon run dir, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
## <summary>
## Type to mark as a daemon run dir
## </summary>
## </param>
## <param name="filename">
## <summary>
-## Name of the run dir directory
+## Filename of the directory that the init script creates
## </summary>
## </param>
#
@@ -882,6 +883,7 @@ interface(`init_domtrans_script',`
gen_require(`
type rc_exec_t;
')
+
domtrans_pattern($1, rc_exec_t, initrc_t)
')
')
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
2015-02-09 9:55 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-02-09 9:58 ` Jason Zaman
0 siblings, 0 replies; 4+ messages in thread
From: Jason Zaman @ 2015-02-09 9:58 UTC (permalink / raw
To: gentoo-commits
commit: 1d291587f6308317bfd3a37227a00d68092e9c40
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 08:40:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 9 09:52:54 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d291587
Revert "Reshuffle and update with upstream"
This reverts commit fe62598f2fb87fe0dfca34f82311ffd29df37795.
the domtrans pattern part broke openrc without run_init,
that part relies on being in the run_init domain and then
does the transition. this was transitioning directly into
initrc_t but that does not work with being in sysadm_r.
---
policy/modules/system/init.if | 82 +++++++++++++++++++------------------------
1 file changed, 36 insertions(+), 46 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4d923d6..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,6 +150,39 @@ interface(`init_ranged_domain',`
########################################
## <summary>
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon pid file
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which the type is applied
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the file that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+ gen_require(`
+ attribute daemonpidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonpidfile;
+
+ files_pid_file($1)
+ files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
## Create a domain for long running processes
## (daemons/services) which are started by init scripts.
## </summary>
@@ -388,50 +421,16 @@ interface(`init_ranged_system_domain',`
########################################
## <summary>
-## Mark the file type as a daemon pid file, allowing initrc_t
-## to create it
+## Mark the type as a daemon run dir
## </summary>
-## <param name="filetype">
-## <summary>
-## Type to mark as a daemon pid file
-## </summary>
-## </param>
-## <param name="class">
-## <summary>
-## Class on which the type is applied
-## </summary>
-## </param>
-## <param name="filename">
-## <summary>
-## Filename of the file that the init script creates
-## </summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
- gen_require(`
- attribute daemonpidfile;
- type initrc_t;
- ')
-
- typeattribute $1 daemonpidfile;
-
- files_pid_file($1)
- files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
-## Mark the file type as a daemon run dir, allowing initrc_t
-## to create it
-## </summary>
-## <param name="filetype">
+## <param name="rundirtype">
## <summary>
## Type to mark as a daemon run dir
## </summary>
## </param>
## <param name="filename">
## <summary>
-## Filename of the directory that the init script creates
+## Name of the run dir directory
## </summary>
## </param>
#
@@ -844,14 +843,6 @@ interface(`init_spec_domtrans_script',`
files_list_etc($1)
spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
- ifdef(`distro_gentoo',`
- gen_require(`
- type rc_exec_t;
- ')
-
- domtrans_pattern($1, rc_exec_t, initrc_t)
- ')
-
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
@@ -891,7 +882,6 @@ interface(`init_domtrans_script',`
gen_require(`
type rc_exec_t;
')
-
domtrans_pattern($1, rc_exec_t, initrc_t)
')
')
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
@ 2015-05-16 11:32 Jason Zaman
0 siblings, 0 replies; 4+ messages in thread
From: Jason Zaman @ 2015-05-16 11:32 UTC (permalink / raw
To: gentoo-commits
commit: 6334284140a5d1500e5de10cd1d59ad78bab91d5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue May 12 20:03:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 15 16:50:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63342841
Introduce init_manage_service_template interface
This is to be used where a role needs to start and stop a service. It
centralizes all the rules for redhat < 6 sysvinit that were used in the
_admin interfaces. The rules for other inits will be added later.
policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1f897d2..f0ce970 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -968,6 +968,46 @@ interface(`init_all_labeled_script_domtrans',`
########################################
## <summary>
+## Allow the role to start and stop
+## labeled services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+#
+interface(`init_manage_service_template',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+')
+
+########################################
+## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
@ 2015-05-16 11:32 Jason Zaman
0 siblings, 0 replies; 4+ messages in thread
From: Jason Zaman @ 2015-05-16 11:32 UTC (permalink / raw
To: gentoo-commits
commit: 7f309b2fa56d519fb54e94f8cf332b3fea99307b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 15 15:03:30 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:12:30 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f309b2f
add openrc support to init_manage_service_template
policy/modules/system/init.if | 16 +++++---
policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 6 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f0ce970..c37ed82 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -997,12 +997,16 @@ interface(`init_manage_service_template',`
role system_r;
')
- ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
+ ifdef(`distro_gentoo',`
+ seutil_spec_run_runinit($1, $2, $4)
+ ',`
+ ifndef(`direct_sysadm_daemon',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
')
')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
########################################
## <summary>
+## Execute file in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute file in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of entry file.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ domain_entry_file(run_init_t, $2)
+ domain_auto_transition_pattern($1, $2, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute init scripts in the run_init domain.
## </summary>
## <desc>
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
########################################
## <summary>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of init script.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_spec_domtrans_runinit($1, $3)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
## Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-05-16 11:32 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-05-16 11:32 [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/ Jason Zaman
-- strict thread matches above, loose matches on Subject: below --
2015-05-16 11:32 Jason Zaman
2015-02-09 9:58 Jason Zaman
2015-02-09 9:55 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-02-09 9:58 ` [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox