Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Mon, 30 Jun 2014 19:03:32
Message-Id: 1404154678.805b0b2bbf6125b135d8180d3a898070af812b76.swift@gentoo
1 commit: 805b0b2bbf6125b135d8180d3a898070af812b76
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed Jun 25 19:53:00 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Mon Jun 30 18:57:58 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=805b0b2b
7
8 Support initrc_t generated pid files with file transition
9
10 For some daemons, it is the init script that is responsible for creating
11 the PID file of the daemon. As we do not want to update the init SELinux
12 policy module for each of these situations, we need to introduce an
13 interface that can be called by the SELinux policy module of the caller
14 (the daemon domain).
15
16 The initial suggestion was to transform the init_daemon_run_dir
17 interface, which offers a similar approach for directories in /run, into
18 a class-agnostic interface. Several names have been suggested, such as
19 init_script_spec_run_content or init_script_generic_run_filetrans_spec,
20 but in the end init_daemon_pid_file was used.
21
22 The interface requires the class(es) on which the file transition should
23 occur, like so:
24
25 init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
26 init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
27
28 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
29
30 ---
31 policy/modules/system/init.if | 33 +++++++++++++++++++++++++++++++++
32 policy/modules/system/init.te | 6 ++++++
33 2 files changed, 39 insertions(+)
34
35 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
36 index 4d53ebb..e60d55e 100644
37 --- a/policy/modules/system/init.if
38 +++ b/policy/modules/system/init.if
39 @@ -158,6 +158,39 @@ interface(`init_ranged_domain',`
40
41 ########################################
42 ## <summary>
43 +## Mark the file type as a daemon pid file, allowing initrc_t
44 +## to create it
45 +## </summary>
46 +## <param name="filetype">
47 +## <summary>
48 +## Type to mark as a daemon pid file
49 +## </summary>
50 +## </param>
51 +## <param name="class">
52 +## <summary>
53 +## Class on which the type is applied
54 +## </summary>
55 +## </param>
56 +## <param name="filename">
57 +## <summary>
58 +## Filename of the file that the init script creates
59 +## </summary>
60 +## </param>
61 +#
62 +interface(`init_daemon_pid_file',`
63 + gen_require(`
64 + attribute daemonpidfile;
65 + type initrc_t;
66 + ')
67 +
68 + typeattribute $1 daemonpidfile;
69 +
70 + files_pid_file($1)
71 + files_pid_filetrans(initrc_t, $1, $2, $3)
72 +')
73 +
74 +########################################
75 +## <summary>
76 ## Create a domain for long running processes
77 ## (daemons/services) which are started by init scripts.
78 ## </summary>
79
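Review bot: the filename parameter documentation in init_daemon_pid_file does not say that the argument is mandatory or that it must be passed as a quoted string, yet $3 is handed straight to files_pid_filetrans(initrc_t, $1, $2, $3). Every caller's transition has initrc_t as its source, so for a given class the name is what keeps one daemon's transition apart from another's. Please state in the filename summary that it is required and show the quoted form used in the commit message ("postgresql.pid"). The class summary could also list which classes the interface is meant to support.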
80 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
81 index 355892a..a243be6 100644
82 --- a/policy/modules/system/init.te
83 +++ b/policy/modules/system/init.te
84 @@ -23,6 +23,8 @@ attribute init_run_all_scripts_domain;
85 # Mark process types as daemons
86 attribute daemon;
87
88 +# Mark file type as a daemon pid file
89 +attribute daemonpidfile;
90 # Mark file type as a daemon run directory
91 attribute daemonrundir;
92
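Review bot: style point on the added declaration: "attribute daemonpidfile;" runs directly into the "# Mark file type as a daemon run directory" comment, while the preceding "attribute daemon;" is followed by a blank line. Add a blank line after the new attribute so each comment and attribute pair stays visually separate.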
93 @@ -251,6 +253,10 @@ init_telinit(initrc_t)
94
95 can_exec(initrc_t, init_script_file_type)
96
97 +create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
98 +manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
99 +setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
100 +
101 create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
102 setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
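Review bot: the three patterns added for daemonpidfile cover only directories and regular files, but init_daemon_pid_file takes the object class as a free parameter ($2) and passes it on to files_pid_filetrans. A caller that passes any other class (sock_file, for instance) would get the type transition without a matching permission for initrc_t to create the object. Either add the corresponding patterns here or document in the interface that only dir and file are supported. It is also worth confirming that the full manage_files_pattern is intended for files, given that the directory side is limited to create and setattr.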