[refpolicy] [PATCH 5/5] Make direct_sysadm_daemon apply to unconfined_t

[refpolicy] [PATCH 5/5] Make direct_sysadm_daemon apply to unconfined_t

[Dominick Grift]

Currently init_run_daemon is called unconditionally for unconfined_t.
Yet unconfined_u is not associated with system_r.

It is also a little inconsistent do make unconfined_t automatically
transition to initrc by default because first of all its an oxomoron in
that unconfined_t should be unrestricted in essence, and second of all
why would direct_sysadm_daemon apply to only sysadm_t and not
unconfined_t

If distribution maintainers want general purpose administrators
(sysadm_t, unconfined_t) to automatically domain transition to init
script domains then they can toggle "direct_sysadm_daemon", else their
users need to use run_init

This only applies to init_run_daemon so it might not change anything for
Gentoo and their openrc solution.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/system/unconfined.te | 14 ++++++++++----
 policy/users                        |  6 +++++-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 667f2a0..ee90fc0 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,8 +33,6 @@ files_create_boot_flag(unconfined_t)
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 
-init_run_daemon(unconfined_t, unconfined_r)
-
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
 logging_send_syslog_msg(unconfined_t)
@@ -49,9 +47,17 @@ unconfined_domain(unconfined_t)
 
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
+ifdef(`direct_sysadm_daemon',`
+	optional_policy(`
+		init_run_daemon(unconfined_t, unconfined_r)
+	')
+')
+
 ifdef(`distro_gentoo',`
-	seutil_run_runinit(unconfined_t, unconfined_r)
-	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+	optional_policy(`
+		seutil_run_runinit(unconfined_t, unconfined_r)
+		seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+	')
 ')
 
 optional_policy(`
diff --git a/policy/users b/policy/users
index c4ebc7e..5db8cf4 100644
--- a/policy/users
+++ b/policy/users
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+	gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+	gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
 
 #
 # The following users correspond to Unix identities.
-- 
1.8.4.2

[refpolicy] [PATCH 5/5] Make direct_sysadm_daemon apply to unconfined_t

[Dominick Grift]

On Sat, 2013-12-07 at 20:21 +0100, Dominick Grift wrote:

>  ifdef(`distro_gentoo',`
> -	seutil_run_runinit(unconfined_t, unconfined_r)
> -	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> +	optional_policy(`
> +		seutil_run_runinit(unconfined_t, unconfined_r)
> +		seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> +	')
>  ')

Ignore this patch. I should not have made this optional.. copy and paste
error. will resubmit

[refpolicy] [PATCH 5/5] Make direct_sysadm_daemon apply to unconfined_t

[Dominick Grift]

On Sat, 2013-12-07 at 20:21 +0100, Dominick Grift wrote:
> Currently init_run_daemon is called unconditionally for unconfined_t.
> Yet unconfined_u is not associated with system_r.

Probably best to get rid of direct_initrc and init_run_daemon altogether
as i causes fundamental problems with executables that can be run both
by the system as well as users

I hit this issue before with recently with git-daemon, and pulseaudio
suffers the same problems

With systemd we dont have that issue anymore of having to role
transition to system_r if we want to start a service on behalf of the
system