From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secundary entry file for initrc_t
Date: Thu, 25 Aug 2011 07:40:23 -0400
Message-ID: <4E5634A7.5060102@tresys.com>
In-Reply-To: <20110823134044.GD857@siphos.be>

On 08/23/11 09:40, Sven Vermeulen wrote:
> Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc) for all
> its functions, be it executing init scripts, managing runlevels, checking state,
> etc. This binary is not allowed to be labeled initrc_exec_t as that would
> trigger domain transitions where this isn't necessary (or even allowed).
> 
> A suggested solution is to use a separate type declaration for /sbin/rc
> (rc_exec_t) which transitions where necessary.
> 
> This patch includes support for the /sbin/rc rc_exec_t type and declares
> the init_rc_exec() interface which allows domains to execute the binary
> without transitioning.

I think the overall implementation is fine, except everything in this
patch should be in distro_gentoo blocks, except for the init_rc_exec()
implementation.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/init.fc |    2 +-
>  policy/modules/system/init.if |   23 ++++++++++++++++++++++-
>  policy/modules/system/init.te |    4 ++++
>  3 files changed, 27 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index 354ce93..c2021e3 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -38,7 +38,7 @@ ifdef(`distro_gentoo', `
>  /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
>  
>  ifdef(`distro_gentoo', `
> -/sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
>  /sbin/runscript		--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /sbin/runscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /sbin/runsvcscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 94fd8dd..b8b3337 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -455,6 +455,26 @@ interface(`init_exec',`
>  
>  ########################################
>  ## <summary>
> +##	Execute the rc program in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_rc_exec',`
> +	gen_require(`
> +		type rc_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, rc_exec_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the process group of init.
>  ## </summary>
>  ## <param name="domain">
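
Review bot: The summary of the new init_rc_exec interface ("Execute the rc program in the caller domain.") does not say which program is meant, and next to the existing initrc script interfaces "rc" is easy to misread. Suggest naming it, for example "Execute the openrc rc binary (/sbin/rc) in the caller domain, without a domain transition." Also note that the gen_require on rc_exec_t means this interface only builds where that type is declared, so if the declaration in init.te becomes conditional on distro_gentoo, the body here needs the same guard.
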
> @@ -800,11 +820,12 @@ interface(`init_spec_domtrans_script',`
>  #
>  interface(`init_domtrans_script',`
>  	gen_require(`
> -		type initrc_t, initrc_exec_t;
> +		type initrc_t, initrc_exec_t, rc_exec_t;
>  	')
>  
>  	files_list_etc($1)
>  	domtrans_pattern($1, initrc_exec_t, initrc_t)
> +	domtrans_pattern($1, rc_exec_t, initrc_t)
>  
>  	ifdef(`enable_mcs',`
>  		range_transition $1 initrc_exec_t:process s0;
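
Review bot: In init_domtrans_script, the added domtrans_pattern($1, rc_exec_t, initrc_t) has no matching rule in the enable_mcs block that follows; the context line still reads only "range_transition $1 initrc_exec_t:process s0;", so a caller entering initrc_t through /sbin/rc does not get the range transition that the initrc_exec_t path is given. Add the equivalent range_transition for rc_exec_t, and check any further range blocks below this hunk for the same gap. The new transition is also granted to every caller of this interface on every distribution; guarding it with ifdef distro_gentoo would limit it to systems where /sbin/rc is actually labelled rc_exec_t.
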
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 157e844..00586c6 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -56,8 +56,10 @@ mls_trusted_object(initctl_t)
>  
>  type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
>  type initrc_exec_t, init_script_file_type;
> +type rc_exec_t;
>  domain_type(initrc_t)
>  domain_entry_file(initrc_t, initrc_exec_t)
> +domain_entry_file(initrc_t, rc_exec_t)
>  role system_r types initrc_t;
>  # should be part of the true block
>  # of the below init_upstart tunable
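
Review bot: "type rc_exec_t;" and "domain_entry_file(initrc_t, rc_exec_t)" are added unconditionally, while the only file context that assigns rc_exec_t (the /sbin/rc entry in init.fc) sits inside a distro_gentoo block. On other distributions this leaves initrc_t with a second entrypoint type that no file is labelled with. Suggest placing both lines in an ifdef distro_gentoo block, with a short comment stating that /sbin/rc is the single openrc binary and why it cannot be labelled initrc_exec_t.
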
> @@ -381,6 +383,8 @@ auth_delete_pam_pid(initrc_t)
>  auth_delete_pam_console_data(initrc_t)
>  auth_use_nsswitch(initrc_t)
>  
> +init_rc_exec(initrc_t)
> +
>  libs_rw_ld_so_cache(initrc_t)
>  libs_exec_lib_files(initrc_t)
>  libs_exec_ld_so(initrc_t)
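
Review bot: init_rc_exec(initrc_t) is inserted between the auth_ and libs_ calls with no comment on why initrc_t needs to execute /sbin/rc without a transition, and it is unconditional although it only has an effect with the Gentoo labelling. Suggest moving it into an ifdef distro_gentoo block and adding a one-line comment giving the reason.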


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
