[refpolicy] [PATCHv2 1/8] Introduce rc_exec_t as file entry for initrc_t

Sven Vermeulen sven.vermeulen at siphos.be
Sat Sep 3 09:19:27 CDT 2011


Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc)
for all its functions, be it executing init scripts, managing runlevels,
checking state, etc. This binary is not allowed to be labeled
initrc_exec_t as that would trigger domain transitions where this isn't
necessary (or even allowed).

A suggested solution is to use a separate type declaration for /sbin/rc
(rc_exec_t) which transitions where necessary.

This patch includes support for the /sbin/rc rc_exec_t type and declares
the init_rc_exec() interface which allows domains to execute the binary
without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 policy/modules/system/init.fc |    2 +-
 policy/modules/system/init.if |   37 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te |    8 ++++++++
 3 files changed, 46 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 354ce93..c2021e3 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,7 @@ ifdef(`distro_gentoo', `
 /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
-/sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 /sbin/runscript		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runsvcscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 94fd8dd..8d45ef7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -455,6 +455,36 @@ interface(`init_exec',`
 
 ########################################
 ## <summary>
+##	Execute the rc application in the caller domain.
+## </summary>
+## <desc>
+## <p>
+##   This is only applicable to Gentoo or distributions that use the OpenRC
+##   init system.
+## </p>
+## <p>
+##   The OpenRC /sbin/rc binary is used for both init scripts as well as
+##   management applications and tools. When used for management purposes,
+##   calling /sbin/rc should never cause a transition to initrc_t.
+## </p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rc_exec',`
+	gen_require(`
+		type rc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rc_exec_t)
+')
+
+########################################
+## <summary>
 ##	Get the process group of init.
 ## </summary>
 ## <param name="domain">
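Review bot: init_rc_exec requires rc_exec_t unconditionally, while the init.te part of this patch declares that type only inside the distro_gentoo ifdef. A caller that is not itself guarded would therefore presumably fail to resolve the type when the policy is built for another distribution. Wrapping the gen_require and the two rules (`corecmd_search_bin($1)` and `can_exec($1, rc_exec_t)`) in the same distro_gentoo ifdef that the init_spec_domtrans_script hunk uses would make the interface a no-op there. Declaring rc_exec_t outside the ifdef in init.te is the alternative.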
@@ -779,6 +809,13 @@ interface(`init_spec_domtrans_script',`
 	files_list_etc($1)
 	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 
+	ifdef(`distro_gentoo',`
+		gen_require(`
+			type rc_exec_t;
+		')
+		domtrans_pattern($1, rc_exec_t, initrc_t)
+	')
+
 	ifdef(`enable_mcs',`
 		range_transition $1 initrc_exec_t:process s0;
 	')
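Review bot: The added rule uses domtrans_pattern inside an interface that otherwise uses spec_domtrans_pattern, so on Gentoo every caller of init_spec_domtrans_script gets an automatic type_transition to initrc_t when it executes /sbin/rc, not only a transition it explicitly requests. If only the explicit transition is meant, the line would be `spec_domtrans_pattern($1, rc_exec_t, initrc_t)`; if the automatic one is intended, a comment should say so, because the commit message says management use of /sbin/rc should not enter initrc_t. The enable_mcs block that follows still names only initrc_exec_t, so a process entering initrc_t through rc_exec_t presumably keeps the caller's categories; adding `range_transition $1 rc_exec_t:process s0;` under the Gentoo guard would match the existing rule. The interface starts above this hunk and continues below it.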
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 157e844..585a77e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -77,10 +77,16 @@ files_tmp_file(initrc_tmp_t)
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
 
+ifdef(`distro_gentoo',`
+	type rc_exec_t;
+	domain_entry_file(initrc_t, rc_exec_t)
+')
+
 ifdef(`enable_mls',`
 	kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
 ')
 
+
 ########################################
 #
 # Init local policy
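Review bot: The new rc_exec_t declaration carries no comment explaining why /sbin/rc needs its own entry type, so the reason lives only in the commit message. A line such as `# /sbin/rc serves both init scripts and management tools, so it is not labeled initrc_exec_t` above `type rc_exec_t;` would keep that rationale with the policy. The extra blank line added before the "Init local policy" banner is unrelated whitespace and could be dropped.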
@@ -170,6 +176,8 @@ miscfiles_read_localization(init_t)
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
+
+	init_rc_exec(initrc_t)
 ')
 
 ifdef(`distro_redhat',`
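Review bot: The `init_rc_exec(initrc_t)` call is added to a Gentoo block that, judging by the context lines, belongs to init_t's local policy, so an initrc_t permission ends up among init_t rules. Moving it to a Gentoo block in the initrc_t section would keep each domain's rules together and make later audits of what initrc_t may execute easier; that section is outside this hunk, so its layout is assumed. Inside init.te the rule could also be written directly as `can_exec(initrc_t, rc_exec_t)`, since the type is declared in this module.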
-- 
1.7.3.4


