[refpolicy] [PATCH 3/5] init: in redhat derived distributions the kernel (systemd) dynamically transitions to init

[errno13@gmail.com (Dominick Grift)]

I used the kernel_dyntrans_to() to stay consistent with the
kernel_domtrans_to. I am not sure why this was done this way

init: systemd wants to block suspend in distro_redhat

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/kernel/kernel.if | 53 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.fc   |  2 ++
 policy/modules/system/init.te   | 23 ++++++++++++++++++
 3 files changed, 78 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..15cd2a2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -32,6 +32,25 @@ interface(`kernel_domtrans_to',`
 
 ########################################
 ## <summary>
+##	Start userland processes by dynamically
+##	transitioning to the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by kernel.
+##	</summary>
+## </param>
+#
+interface(`kernel_dyntrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dyntrans_pattern(kernel_t, $1)
+')
+
+########################################
+## <summary>
 ##	Allows to start userland processes
 ##	by transitioning to the specified domain,
 ##	with a range transition.
@@ -71,6 +90,40 @@ interface(`kernel_ranged_domtrans_to',`
 
 ########################################
 ## <summary>
+##	Start userland processes by dynamically
+##	transitioning to the specified domain,
+##	with a range transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by kernel.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+#
+interface(`kernel_ranged_dyntrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	kernel_dyntrans_to($1)
+
+	ifdef(`enable_mcs',`
+		range_transition kernel_t $1:process $2;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition kernel_t $1:process $2;
+		mls_rangetrans_target($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Allows the kernel to mount filesystems on
 ##	the specified directory type.
 ## </summary>
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index bc0ffc8..71314a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -42,6 +42,8 @@ ifdef(`distro_gentoo', `
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/usr/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..d9d9f5d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,13 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Enable support for systemd as the init program.
+## </p>
+## </desc>
+gen_tunable(init_systemd, false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
@@ -88,10 +95,22 @@ ifdef(`distro_gentoo',`
 	domain_entry_file(initrc_t, rc_exec_t)
 ')
 
+ifdef(`distro_redhat',`
+	tunable_policy(`init_systemd',`
+		kernel_dyntrans_to(init_t)
+	')
+')
+
 ifdef(`enable_mls',`
 	kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
 ')
 
+ifdef(`enable_mls && distro_redhat',`
+	tunable_policy(`init_systemd',`
+		kernel_ranged_dyntrans_to(init_t, s0 - mls_systemhigh)
+	')
+')
+
 ########################################
 #
 # Init local policy
@@ -189,6 +208,10 @@ ifdef(`distro_redhat',`
 	fs_read_tmpfs_symlinks(init_t)
 	fs_rw_tmpfs_chr_files(init_t)
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+
+	tunable_policy(`init_systemd',`
+		allow init_t self:capability2 block_suspend;
+	')
 ')
 
 tunable_policy(`init_upstart',`
-- 
1.8.4.2