[refpolicy] RFC: direct_init_entry breaks direct_initrc

Christopher J. PeBenito cpebenito at tresys.com
Tue Jan 14 08:56:37 EST 2014


On 12/10/13 10:57, Dominick Grift wrote:
> I have not tested this yet and it is a theory
> 
> I was not there when that type attribute was implemented so i do not
> know the rationale behind the decision to implement it.
> 
> Would be nice if anyone could shed some light on that and would be even
> better if this fix is acknowledged

It seems like it would probably work, but definitely needs to be tested.


>> From fc51afbd178dd6321f51d54939e73b1a94172fb9 Tue, 10 Dec 2013 16:53:08 +0100
>> From: Dominick Grift <dominick.grift at gmail.com>
>> Date: Tue, 10 Dec 2013 16:51:46 +0100
>> Subject: [PATCH] Get rid of direct_init_entry:
>>
>>
>> This thing breaks direct_initrc
>>
>> This type attribute was associated to domain entry files and used for
>> role transitions to system_r
>>
>> The transition shouldnt happem on the domain entry file though it should
>> happen on the init script executable files
>>
>> This was breaking direct_initrc because some executables can be run as
>> system service and session service. By using the domain entry file init
>> the init_daemon_domain interface and associating direct init entry with
>> it and using direct init entry for the role transitions you force
>> daemons to use system_r whether they are system or session daemon.
>>
>>
>>
>>
>> Signed-off-by: Dominick Grift <dominick.grift at gmail.com>
>> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
>> index 79a45f6..5a7df5e 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -191,7 +191,7 @@
>>  #
>>  interface(`init_daemon_domain',`
>>  	gen_require(`
>> -		attribute direct_run_init, direct_init, direct_init_entry;
>> +		attribute direct_run_init, direct_init;
>>  		type initrc_t;
>>  		role system_r;
>>  		attribute daemon;
>> @@ -220,7 +220,6 @@
>>  		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
>>  
>>  		typeattribute $1 direct_init;
>> -		typeattribute $2 direct_init_entry;
>>  
>>  		userdom_dontaudit_use_user_terminals($1)
>>  	')
>> @@ -982,12 +981,12 @@
>>  #
>>  interface(`init_run_daemon',`
>>  	gen_require(`
>> -		attribute direct_run_init, direct_init, direct_init_entry;
>> +		attribute direct_run_init, init_script_file_type;
>>  		role system_r;
>>  	')
>>  
>>  	typeattribute $1 direct_run_init;
>> -	role_transition $2 direct_init_entry system_r;
>> +	role_transition $2 init_script_file_type system_r;
>>  ')
>>  
>>  ########################################
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index d9d9f5d..116e37a 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -27,7 +27,6 @@
>>  # by admin domains
>>  attribute direct_run_init;
>>  attribute direct_init;
>> -attribute direct_init_entry;
>>  
>>  attribute init_script_domain_type;
>>  attribute init_script_file_type;
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list