* [refpolicy] [PATCH v2] Add openrc support to init_startstop_service
@ 2015-05-27 18:01 Jason Zaman
2015-05-27 18:51 ` Christopher J. PeBenito
2015-06-08 11:24 ` Miroslav Grepl
0 siblings, 2 replies; 4+ messages in thread
From: Jason Zaman @ 2015-05-27 18:01 UTC (permalink / raw)
To: refpolicy
Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
---
policy/modules/system/init.if | 15 +++++---
policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 5 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f39437e..94d9761 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -993,11 +993,16 @@ interface(`init_startstop_service',`
')
ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
+ ifdef(`distro_gentoo',`
+ # for OpenRC
+ seutil_labeled_init_script_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
')
')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..bcb4330 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
########################################
## <summary>
+## Execute file in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute file in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of entry file.
+## </summary>
+## </param>
+#
+interface(`seutil_labeled_init_script_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ domain_entry_file(run_init_t, $2)
+ domain_auto_transition_pattern($1, $2, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute init scripts in the run_init domain.
## </summary>
## <desc>
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
########################################
## <summary>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of init script.
+## </summary>
+## </param>
+#
+interface(`seutil_labeled_init_script_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_labeled_init_script_domtrans_runinit($1, $3)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
## Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
--
2.3.6
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [refpolicy] [PATCH v2] Add openrc support to init_startstop_service
2015-05-27 18:01 [refpolicy] [PATCH v2] Add openrc support to init_startstop_service Jason Zaman
@ 2015-05-27 18:51 ` Christopher J. PeBenito
2015-06-08 11:24 ` Miroslav Grepl
1 sibling, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2015-05-27 18:51 UTC (permalink / raw)
To: refpolicy
On 5/27/2015 2:01 PM, Jason Zaman wrote:
> Adds the openrc rules in ifdef distro_gentoo to transition
> to run_init correctly.
Merged.
> ---
> policy/modules/system/init.if | 15 +++++---
> policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 85 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index f39437e..94d9761 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -993,11 +993,16 @@ interface(`init_startstop_service',`
> ')
>
> ifndef(`direct_sysadm_daemon',`
> - # rules for sysvinit / upstart
> - init_labeled_script_domtrans($1, $4)
> - domain_system_change_exemption($1)
> - role_transition $2 $4 system_r;
> - allow $2 system_r;
> + ifdef(`distro_gentoo',`
> + # for OpenRC
> + seutil_labeled_init_script_run_runinit($1, $2, $4)
> + ',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> ')
> ')
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 129a6e0..bcb4330 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
>
> ########################################
> ## <summary>
> +## Execute file in the run_init domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute file in the run_init domain.
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of entry file.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_domtrans_runinit',`
> + gen_require(`
> + type run_init_t;
> + ')
> +
> + domain_entry_file(run_init_t, $2)
> + domain_auto_transition_pattern($1, $2, run_init_t)
> +
> + allow run_init_t $1:fd use;
> + allow run_init_t $1:fifo_file rw_file_perms;
> + allow run_init_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> ## Execute init scripts in the run_init domain.
> ## </summary>
> ## <desc>
> @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
>
> ########################################
> ## <summary>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </p>
> +## <p>
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of init script.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_run_runinit',`
> + gen_require(`
> + attribute_role run_init_roles;
> + ')
> +
> + seutil_labeled_init_script_domtrans_runinit($1, $3)
> + roleattribute $2 run_init_roles;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit and use run_init file descriptors.
> ## </summary>
> ## <param name="domain">
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] [PATCH v2] Add openrc support to init_startstop_service
2015-05-27 18:01 [refpolicy] [PATCH v2] Add openrc support to init_startstop_service Jason Zaman
2015-05-27 18:51 ` Christopher J. PeBenito
@ 2015-06-08 11:24 ` Miroslav Grepl
2015-06-08 15:33 ` Jason Zaman
1 sibling, 1 reply; 4+ messages in thread
From: Miroslav Grepl @ 2015-06-08 11:24 UTC (permalink / raw)
To: refpolicy
On 05/27/2015 08:01 PM, Jason Zaman wrote:
> Adds the openrc rules in ifdef distro_gentoo to transition
> to run_init correctly.
> ---
> policy/modules/system/init.if | 15 +++++---
> policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 85 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index f39437e..94d9761 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -993,11 +993,16 @@ interface(`init_startstop_service',`
> ')
>
> ifndef(`direct_sysadm_daemon',`
> - # rules for sysvinit / upstart
> - init_labeled_script_domtrans($1, $4)
> - domain_system_change_exemption($1)
> - role_transition $2 $4 system_r;
> - allow $2 system_r;
> + ifdef(`distro_gentoo',`
> + # for OpenRC
> + seutil_labeled_init_script_run_runinit($1, $2, $4)
> + ',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> ')
> ')
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 129a6e0..bcb4330 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
>
> ########################################
> ## <summary>
> +## Execute file in the run_init domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute file in the run_init domain.
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of entry file.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_domtrans_runinit',`
> + gen_require(`
> + type run_init_t;
> + ')
> +
> + domain_entry_file(run_init_t, $2)
> + domain_auto_transition_pattern($1, $2, run_init_t)
> +
> + allow run_init_t $1:fd use;
> + allow run_init_t $1:fifo_file rw_file_perms;
> + allow run_init_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> ## Execute init scripts in the run_init domain.
> ## </summary>
> ## <desc>
> @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
>
> ########################################
> ## <summary>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute specified file in the run_init domain, and
> +## allow the specified role the run_init domain,
> +## and use the caller's terminal.
> +## </p>
> +## <p>
> +## This is used for the Gentoo integrated run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type of init script.
> +## </summary>
> +## </param>
> +#
> +interface(`seutil_labeled_init_script_run_runinit',`
> + gen_require(`
> + attribute_role run_init_roles;
> + ')
> +
> + seutil_labeled_init_script_domtrans_runinit($1, $3)
> + roleattribute $2 run_init_roles;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit and use run_init file descriptors.
> ## </summary>
> ## <param name="domain">
>
We will apply these changes also in Fedora.
Thinking about systemd integration.
The point is there is foo_unit_file_t type in the game. We call
allow $1 foo_unit_file_t:service manage_service_perms;
interfaces in foo_admin() as a part of foo_systemctl().
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] [PATCH v2] Add openrc support to init_startstop_service
2015-06-08 11:24 ` Miroslav Grepl
@ 2015-06-08 15:33 ` Jason Zaman
0 siblings, 0 replies; 4+ messages in thread
From: Jason Zaman @ 2015-06-08 15:33 UTC (permalink / raw)
To: refpolicy
On Mon, Jun 08, 2015 at 01:24:54PM +0200, Miroslav Grepl wrote:
> On 05/27/2015 08:01 PM, Jason Zaman wrote:
> > Adds the openrc rules in ifdef distro_gentoo to transition
> > to run_init correctly.
> > ---
> > policy/modules/system/init.if | 15 +++++---
> > policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
> > 2 files changed, 85 insertions(+), 5 deletions(-)
> >
> > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> > index f39437e..94d9761 100644
> > --- a/policy/modules/system/init.if
> > +++ b/policy/modules/system/init.if
> > @@ -993,11 +993,16 @@ interface(`init_startstop_service',`
> > ')
> >
> > ifndef(`direct_sysadm_daemon',`
> > - # rules for sysvinit / upstart
> > - init_labeled_script_domtrans($1, $4)
> > - domain_system_change_exemption($1)
> > - role_transition $2 $4 system_r;
> > - allow $2 system_r;
> > + ifdef(`distro_gentoo',`
> > + # for OpenRC
> > + seutil_labeled_init_script_run_runinit($1, $2, $4)
> > + ',`
> > + # rules for sysvinit / upstart
> > + init_labeled_script_domtrans($1, $4)
> > + domain_system_change_exemption($1)
> > + role_transition $2 $4 system_r;
> > + allow $2 system_r;
> > + ')
> > ')
> > ')
> >
> > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> > index 129a6e0..bcb4330 100644
> > --- a/policy/modules/system/selinuxutil.if
> > +++ b/policy/modules/system/selinuxutil.if
> > @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
> >
> > ########################################
> > ## <summary>
> > +## Execute file in the run_init domain.
> > +## </summary>
> > +## <desc>
> > +## <p>
> > +## Execute file in the run_init domain.
> > +## This is used for the Gentoo integrated run_init.
> > +## </p>
> > +## </desc>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## Type of entry file.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`seutil_labeled_init_script_domtrans_runinit',`
> > + gen_require(`
> > + type run_init_t;
> > + ')
> > +
> > + domain_entry_file(run_init_t, $2)
> > + domain_auto_transition_pattern($1, $2, run_init_t)
> > +
> > + allow run_init_t $1:fd use;
> > + allow run_init_t $1:fifo_file rw_file_perms;
> > + allow run_init_t $1:process sigchld;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Execute init scripts in the run_init domain.
> > ## </summary>
> > ## <desc>
> > @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
> >
> > ########################################
> > ## <summary>
> > +## Execute specified file in the run_init domain, and
> > +## allow the specified role the run_init domain,
> > +## and use the caller's terminal.
> > +## </summary>
> > +## <desc>
> > +## <p>
> > +## Execute specified file in the run_init domain, and
> > +## allow the specified role the run_init domain,
> > +## and use the caller's terminal.
> > +## </p>
> > +## <p>
> > +## This is used for the Gentoo integrated run_init.
> > +## </p>
> > +## </desc>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## Type of init script.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`seutil_labeled_init_script_run_runinit',`
> > + gen_require(`
> > + attribute_role run_init_roles;
> > + ')
> > +
> > + seutil_labeled_init_script_domtrans_runinit($1, $3)
> > + roleattribute $2 run_init_roles;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Inherit and use run_init file descriptors.
> > ## </summary>
> > ## <param name="domain">
> >
>
> We will apply these changes also in Fedora.
>
> Thinking about systemd integration.
>
> The point is there is foo_unit_file_t type in the game. We call
>
> allow $1 foo_unit_file_t:service manage_service_perms;
>
> interfaces in foo_admin() as a part of foo_systemctl().
That would be great, init_startstop_service has the extra param that
isnt used in the interface, its intention was to be used for systemd.
I dont know enough about systemd to do it, but could you send a patch
that does the allow rules in an ifdef inside init_startstop_service,
then refpol would be closer to supporting systemd too. We get people
asking in gentoo too once in a while when it will have support.
When I did the change to init_startstop_service I the param uses the
domain's type, if systemd uses a foo_unit_file_t then lots of the
_admin interfaces will have to change that too it looks like. I wonder
if that would have to wait till after the basic stuff for systemd is
merged into refpol from chris' fork.
-- Jason
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-06-08 15:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-05-27 18:01 [refpolicy] [PATCH v2] Add openrc support to init_startstop_service Jason Zaman
2015-05-27 18:51 ` Christopher J. PeBenito
2015-06-08 11:24 ` Miroslav Grepl
2015-06-08 15:33 ` Jason Zaman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.