* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-02-09  9:55 Jason Zaman
From: Jason Zaman @ 2015-02-09  9:55 UTC (permalink / raw
  To: gentoo-commits

commit:     1d291587f6308317bfd3a37227a00d68092e9c40
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb  9 08:40:08 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 09:52:54 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d291587

Revert "Reshuffle and update with upstream"

This reverts commit fe62598f2fb87fe0dfca34f82311ffd29df37795.

The domtrans pattern part broke OpenRC without run_init: that part relies on being in the run_init domain and then doing the transition. This was transitioning directly into initrc_t, which does not work when in sysadm_r.

---
 policy/modules/system/init.if | 82 +++++++++++++++++++------------------------
 1 file changed, 36 insertions(+), 46 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4d923d6..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,6 +150,39 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
@@ -388,50 +421,16 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
+##	Mark the type as a daemon run dir
 ## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
-##	Mark the file type as a daemon run dir, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
+## <param name="rundirtype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Filename of the directory that the init script creates
+##	Name of the run dir directory
 ##	</summary>
 ## </param>
 #
@@ -844,14 +843,6 @@ interface(`init_spec_domtrans_script',`
 	files_list_etc($1)
 	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 
-	ifdef(`distro_gentoo',`
-		gen_require(`
-			type rc_exec_t;
-		')
-
-		domtrans_pattern($1, rc_exec_t, initrc_t)
-	')
-
 	ifdef(`enable_mcs',`
 		range_transition $1 initrc_exec_t:process s0;
 	')
@@ -891,7 +882,6 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
-
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')


* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
@ 2015-02-09  9:58 Jason Zaman
From: Jason Zaman @ 2015-02-09  9:58 UTC (permalink / raw
  To: gentoo-commits

commit:     0897e2ba7152ef4752b2fb292fe9bde72b88b465
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb  9 09:20:21 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 09:54:18 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0897e2ba

add back the working parts of commit fe62598f2fb87

---
 policy/modules/system/init.if | 74 ++++++++++++++++++++++---------------------
 1 file changed, 38 insertions(+), 36 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7cdf3a8..1f897d2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the type as a daemon run dir
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
 ## </summary>
-## <param name="rundirtype">
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Mark the file type as a daemon run dir, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Name of the run dir directory
+##	Filename of the directory that the init script creates
 ##	</summary>
 ## </param>
 #
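Review bot: The `init_daemon_pid_file` docblock describes only the filetrans half of the interface; the `typeattribute $1 daemonpidfile;` line also places the type on the `daemonpidfile` attribute, and the summary never mentions it. Callers cannot see from here what rules are written against that attribute, so a one-line addition to the summary keeps that side effect visible, e.g. `##	The type is also added to the daemonpidfile attribute.`. The run-dir interface whose docblock is edited at the end of this hunk has its body outside the hunk.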
@@ -882,6 +883,7 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
+
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')


* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
@ 2015-05-16 11:32 Jason Zaman
From: Jason Zaman @ 2015-05-16 11:32 UTC (permalink / raw
  To: gentoo-commits

commit:     6334284140a5d1500e5de10cd1d59ad78bab91d5
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue May 12 20:03:40 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 15 16:50:52 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63342841

Introduce init_manage_service_template interface

This is to be used where a role needs to start and stop a service. It
centralizes all the rules for redhat < 6 sysvinit that were used in the
_admin interfaces. The rules for other inits will be added later.

 policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1f897d2..f0ce970 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -968,6 +968,46 @@ interface(`init_all_labeled_script_domtrans',`
 
 ########################################
 ## <summary>
+##	Allow the role to start and stop
+##	labeled services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be performing this action.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a daemon domain.
+##	</summary>
+## </param>
+## <param name="init_script_file">
+##	<summary>
+##	Labeled init script file.
+##	</summary>
+## </param>
+#
+interface(`init_manage_service_template',`
+	gen_require(`
+		role system_r;
+	')
+
+	ifndef(`direct_sysadm_daemon',`
+		# rules for sysvinit / upstart
+		init_labeled_script_domtrans($1, $4)
+		domain_system_change_exemption($1)
+		role_transition $2 $4 system_r;
+		allow $2 system_r;
+	')
+')
+
+########################################
+## <summary>
 ##	Start and stop daemon programs directly.
 ## </summary>
 ## <desc>
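Review bot: The docblock declares `<param name="domain">` twice (for the first and the third parameter), so the second entry, summarized as "Type to be used as a daemon domain", needs its own name, e.g. `## <param name="daemon_domain">`. That third parameter, `$3`, is also not referenced anywhere in the body, which only uses `$1`, `$2` and `$4`; if it is reserved for the init-specific rules the description promises later, a comment such as `# $3 (daemon domain) is unused here; reserved for init-specific rules` would stop it reading as a forgotten argument. The same duplicated `<param name="domain">` appears in the `seutil_spec_domtrans_runinit` and `seutil_spec_run_runinit` docblocks added by commit 7f309b2f later in this thread.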


* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
@ 2015-05-16 11:32 Jason Zaman
From: Jason Zaman @ 2015-05-16 11:32 UTC (permalink / raw
  To: gentoo-commits

commit:     7f309b2fa56d519fb54e94f8cf332b3fea99307b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 15 15:03:30 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:12:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f309b2f

add openrc support to init_manage_service_template

 policy/modules/system/init.if        | 16 +++++---
 policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f0ce970..c37ed82 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -997,12 +997,16 @@ interface(`init_manage_service_template',`
 		role system_r;
 	')
 
-	ifndef(`direct_sysadm_daemon',`
-		# rules for sysvinit / upstart
-		init_labeled_script_domtrans($1, $4)
-		domain_system_change_exemption($1)
-		role_transition $2 $4 system_r;
-		allow $2 system_r;
+	ifdef(`distro_gentoo',`
+		seutil_spec_run_runinit($1, $2, $4)
+	',`
+		ifndef(`direct_sysadm_daemon',`
+			# rules for sysvinit / upstart
+			init_labeled_script_domtrans($1, $4)
+			domain_system_change_exemption($1)
+			role_transition $2 $4 system_r;
+			allow $2 system_r;
+		')
 	')
 ')
 
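Review bot: The new `distro_gentoo` branch carries no comment while the sibling branch keeps `# rules for sysvinit / upstart`, and it is also not wrapped in the ifndef on direct_sysadm_daemon that still gates the non-Gentoo rules, so a reader cannot tell whether Gentoo is meant to route through run_init regardless of that build option. A comment above the call, e.g. `# rules for openrc: start/stop through the integrated run_init`, with a word on direct_sysadm_daemon if the omission is intended, would make that explicit. `init_manage_service_template` begins outside the hunk.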

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
 
 ########################################
 ## <summary>
+##	Execute file in the run_init domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute file in the run_init domain.
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of entry file.
+##	</summary>
+## </param>
+#
+interface(`seutil_spec_domtrans_runinit',`
+	gen_require(`
+		type run_init_t;
+	')
+
+	domain_entry_file(run_init_t, $2)
+	domain_auto_transition_pattern($1, $2, run_init_t)
+
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute init scripts in the run_init domain.
 ## </summary>
 ## <desc>
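Review bot: `domain_entry_file(run_init_t, $2)` makes whatever type the caller passes as the second parameter an entrypoint for `run_init_t`, but the docblock only labels it "Type of entry file" and says nothing about what is acceptable there. Since a broad type in that position presumably widens which executables may enter run_init_t, the `<desc>` should state the expectation, e.g. `##	The second parameter becomes an entrypoint for run_init_t; pass only the specific init script type.`. The `seutil_domtrans_runinit` interface named in the hunk header lies outside the hunk.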
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
 
 ########################################
 ## <summary>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </summary>
+## <desc>
+##	<p>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+##	</p>
+##	<p>
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of init script.
+##	</summary>
+## </param>
+#
+interface(`seutil_spec_run_runinit',`
+	gen_require(`
+		attribute_role run_init_roles;
+	')
+
+	seutil_spec_domtrans_runinit($1, $3)
+	roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
 ##	Inherit and use run_init file descriptors.
 ## </summary>
 ## <param name="domain">
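Review bot: The `<desc>` block of `seutil_spec_run_runinit` repeats the `<summary>` text word for word, so it adds nothing for the reader. It would be more useful to describe what the two body lines do — the transition via `seutil_spec_domtrans_runinit($1, $3)` and the `roleattribute $2 run_init_roles;` that places the role on the `run_init_roles` attribute — and to say that the third parameter is expected to be the init script type, since that type becomes an entrypoint through the called interface. This is a documentation-only change.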


