commit: 805b0b2bbf6125b135d8180d3a898070af812b76 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Wed Jun 25 19:53:00 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Jun 30 18:57:58 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=805b0b2b |
|
Support initrc_t generated pid files with file transition |
|
For some daemons, it is the init script that is responsible for creating |
the PID file of the daemon. As we do not want to update the init SELinux |
policy module for each of these situations, we need to introduce an |
interface that can be called by the SELinux policy module of the caller |
(the daemon domain). |
|
The initial suggestion was to transform the init_daemon_run_dir |
interface, which offers a similar approach for directories in /run, into |
a class-agnostic interface. Several names have been suggested, such as |
init_script_spec_run_content or init_script_generic_run_filetrans_spec, |
but in the end init_daemon_pid_file was used. |
|
The interface requires the class(es) on which the file transition should |
occur, like so: |
|
init_daemon_pid_file(xdm_var_run_t, dir, "xdm") |
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid") |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/system/init.if | 33 +++++++++++++++++++++++++++++++++ |
policy/modules/system/init.te | 6 ++++++ |
2 files changed, 39 insertions(+) |
|
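diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4d53ebb..e60d55e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -158,6 +158,39 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon pid file
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which the type is applied
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the file that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+ gen_require(`
+ attribute daemonpidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonpidfile;
+
+ files_pid_file($1)
+ files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
 ## Create a domain for long running processes
 ## (daemons/services) which are started by init scripts.
 ## </summary>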
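Review bot: The `class` and `filename` parameter summaries on `init_daemon_pid_file` do not tell a calling module what it is actually granting or which values are supported. The `files_pid_filetrans(initrc_t, $1, $2, $3)` line accepts any object class, but the init.te part of this commit only gives initrc_t access to directories and regular files of `daemonpidfile` types, so a transition declared for another class would have no matching create permission; the class summary could read `Class on which the type is applied (dir or file; init.te grants initrc_t no access for other classes)`. The filename summary should say the name is effectively required: files_pid_filetrans is not shown here, but if it treats an empty name as an unnamed transition, every object of that class that initrc_t creates in the pid directory would take the caller's type, and two callers using the same class would declare conflicting transitions. The top-level summary should also state that marking a type lets initrc_t manage every file labelled with it (via `manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)`), not only the named pid file, so that module authors apply the interface to dedicated `*_var_run_t` types and not to types that also label other daemon state.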
80 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
81 |
index 355892a..a243be6 100644 |
82 |
--- a/policy/modules/system/init.te |
83 |
+++ b/policy/modules/system/init.te |
84 |
@@ -23,6 +23,8 @@ attribute init_run_all_scripts_domain; |
85 |
# Mark process types as daemons |
86 |
attribute daemon; |
87 |
|
88 |
+# Mark file type as a daemon pid file |
89 |
+attribute daemonpidfile; |
90 |
# Mark file type as a daemon run directory |
91 |
attribute daemonrundir; |
92 |
|
93 |
@@ -251,6 +253,10 @@ init_telinit(initrc_t) |
94 |
|
95 |
can_exec(initrc_t, init_script_file_type) |
96 |
|
97 |
+create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) |
98 |
+manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile) |
99 |
+setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) |
100 |
+ |
101 |
create_dirs_pattern(initrc_t, daemonrundir, daemonrundir) |
102 |
setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir) |