diff --git a/Changelog b/Changelog index 382ac7a..9497a31 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Init script file and domain support. - Glibc 2.7 fix from Vaclav Ovsik. - Samba/winbind update from Mike Edenfield. - Policy size optimization with a non-security file attribute from James diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index c923e6f..3cdd56a 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -2,6 +2,73 @@ ######################################## ## +## Create a file type used for init scripts. +## +## +##

+## Create a file type used for init scripts. +## Can not be used in conjunction with +## init_script_domain(). +##

+##
+## +## +## Type of the script file used as an entry point to this domain. +## +## +# +interface(`init_script_file',` + gen_require(` + type initrc_t; + attribute init_script_file_type, init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_file_type; + + domain_entry_file(initrc_t, $1) + + domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) +') + +######################################## +## +## Create a domain used for init scripts. +## +## +##

+## Create a domain used for init scripts. +## Can not be used in conjunction with +## init_script_file(). +##

+##
+## +## +## Type to be used as an init script domain. +## +## +## +## +## Type of the script file used as an entry point to this domain. +## +## +# +interface(`init_script_domain',` + gen_require(` + attribute init_script_domain_type, init_script_file_type; + attribute init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_domain_type; + typeattribute $2 init_script_file_type; + + domain_type($1) + domain_entry_file($1, $2) + + domtrans_pattern(init_run_all_scripts_domain, $2, $1) +') + +######################################## +## ## Create a domain which can be started by init. ## ## @@ -703,6 +770,25 @@ interface(`init_getattr_script_files',` ######################################## ## +## Read init scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_script_files',` + gen_require(` + type initrc_exec_t; + ') + + files_search_etc($1) + allow $1 initrc_exec_t:file read_file_perms; +') + +######################################## +## ## Execute init scripts in the caller domain. ## ## @@ -722,6 +808,63 @@ interface(`init_exec_script_files',` ######################################## ## +## Get the attribute of all init script entrypoint files. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_getattr_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_list_etc($1) + allow $1 init_script_file_type:file getattr; +') + +######################################## +## +## Read all init script files. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_search_etc($1) + allow $1 init_script_file_type:file read_file_perms; +') + +######################################## +## +## Execute all init scripts in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_exec_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_list_etc($1) + can_exec($1, init_script_file_type) +') + +######################################## +## ## Read the process state (/proc/pid) of the init scripts. ## ## @@ -1030,25 +1173,6 @@ interface(`init_dontaudit_use_script_ptys',` ######################################## ## -## Read init scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_script_files',` - gen_require(` - type initrc_exec_t; - ') - - files_search_etc($1) - allow $1 initrc_exec_t:file read_file_perms; -') - -######################################## -## ## Get the attributes of init script ## status files. ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 51b714c..ebc586d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -23,6 +23,10 @@ attribute direct_run_init; attribute direct_init; attribute direct_init_entry; +attribute init_script_domain_type; +attribute init_script_file_type; +attribute init_run_all_scripts_domain; + # Mark process types as daemons attribute daemon; @@ -51,8 +55,8 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) -type initrc_t; -type initrc_exec_t; +type initrc_t, init_script_domain_type, init_run_all_scripts_domain; +type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t,initrc_exec_t) role system_r types initrc_t; @@ -217,7 +221,9 @@ term_create_pty(initrc_t,initrc_devpts_t) # Going to single user mode init_exec(initrc_t) -can_exec(initrc_t,initrc_exec_t) +can_exec(initrc_t, init_script_file_type) + +domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t) manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)