[refpolicy] [PATCH 3/5] init: in redhat derived distributions the kernel (systemd) dynamically transitions to init

[refpolicy] [PATCH 3/5] init: in redhat derived distributions the kernel (systemd) dynamically transitions to init

[Dominick Grift]

I used the kernel_dyntrans_to() to stay consistent with the
kernel_domtrans_to. I am not sure why this was done this way

init: systemd wants to block suspend in distro_redhat

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/kernel/kernel.if | 53 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.fc   |  2 ++
 policy/modules/system/init.te   | 23 ++++++++++++++++++
 3 files changed, 78 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..15cd2a2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -32,6 +32,25 @@ interface(`kernel_domtrans_to',`
 
 ########################################
 ## <summary>
+##	Start userland processes by dynamically
+##	transitioning to the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by kernel.
+##	</summary>
+## </param>
+#
+interface(`kernel_dyntrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dyntrans_pattern(kernel_t, $1)
+')
+
+########################################
+## <summary>
 ##	Allows to start userland processes
 ##	by transitioning to the specified domain,
 ##	with a range transition.
@@ -71,6 +90,40 @@ interface(`kernel_ranged_domtrans_to',`
 
 ########################################
 ## <summary>
+##	Start userland processes by dynamically
+##	transitioning to the specified domain,
+##	with a range transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by kernel.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+#
+interface(`kernel_ranged_dyntrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	kernel_dyntrans_to($1)
+
+	ifdef(`enable_mcs',`
+		range_transition kernel_t $1:process $2;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition kernel_t $1:process $2;
+		mls_rangetrans_target($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Allows the kernel to mount filesystems on
 ##	the specified directory type.
 ## </summary>
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index bc0ffc8..71314a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -42,6 +42,8 @@ ifdef(`distro_gentoo', `
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/usr/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..d9d9f5d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,13 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Enable support for systemd as the init program.
+## </p>
+## </desc>
+gen_tunable(init_systemd, false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
@@ -88,10 +95,22 @@ ifdef(`distro_gentoo',`
 	domain_entry_file(initrc_t, rc_exec_t)
 ')
 
+ifdef(`distro_redhat',`
+	tunable_policy(`init_systemd',`
+		kernel_dyntrans_to(init_t)
+	')
+')
+
 ifdef(`enable_mls',`
 	kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
 ')
 
+ifdef(`enable_mls && distro_redhat',`
+	tunable_policy(`init_systemd',`
+		kernel_ranged_dyntrans_to(init_t, s0 - mls_systemhigh)
+	')
+')
+
 ########################################
 #
 # Init local policy
@@ -189,6 +208,10 @@ ifdef(`distro_redhat',`
 	fs_read_tmpfs_symlinks(init_t)
 	fs_rw_tmpfs_chr_files(init_t)
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+
+	tunable_policy(`init_systemd',`
+		allow init_t self:capability2 block_suspend;
+	')
 ')
 
 tunable_policy(`init_upstart',`
-- 
1.8.4.2

[refpolicy] [PATCH 3/5] init: in redhat derived distributions the kernel (systemd) dynamically transitions to init

[Dominick Grift]

On Sat, 2013-12-07 at 20:19 +0100, Dominick Grift wrote:
> I used the kernel_dyntrans_to() to stay consistent with the
> kernel_domtrans_to. I am not sure why this was done this way
> 
> init: systemd wants to block suspend in distro_redhat
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

Whoops these patches were sent from the wrong email address.
git-send-email or dependency is broken in fedora so i resorted to mutt
which was configured with this email address

Anyhow:

This might be a first step to supporting systemd.

Basically run the main component in init_t, and add the systemd specific
policy in a boolean init_systemd

These changes also only apply to rh derived distros (at least for now)

debian is not using systemd currently but is using some systemd
components

however these components are started by dbus system bus, and not by
systemd like they are in fedora for example

So that needs special attention

The main message of this patch i guess is that i suggest we take
advantage of Fedoras experience with systemd and follow suit as much as
possible

Earlier on i was hoping we could do more but now i am of the opinion
that this is probably best