diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 4855de5..ab495be 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Add disable_*_trans bool support for targeted policy. - Add MLS module to handle MLS constraint exceptions, such as reading up and writing down. - Fix errors uncovered by sediff. diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 1957149..60bf234 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -57,9 +57,6 @@ interface(`init_daemon_domain',` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; role system_r; - class fifo_file rw_file_perms; - class fd use; - class process { noatsecure siginh rlimitinh sigchld }; ') domain_type($1) @@ -67,14 +64,6 @@ interface(`init_daemon_domain',` role system_r types $1; - domain_auto_trans(initrc_t,$2,$1) - - allow initrc_t $1:fd use; - allow initrc_t $1:process { noatsecure siginh rlimitinh }; - allow $1 initrc_t:fd use; - allow $1 initrc_t:fifo_file rw_file_perms; - allow $1 initrc_t:process sigchld; - ifdef(`direct_sysadm_daemon',` domain_auto_trans(direct_run_init,$2,$1) @@ -95,6 +84,31 @@ interface(`init_daemon_domain',` files_dontaudit_read_root_file($1) ') + ifdef(`targeted_policy',` + # this regex is a hack, since it assumes there is a + # _t at the end of the domain type. If there is no _t + # at the end of the type, it returns empty! + bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false; + if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) { + domain_auto_trans(initrc_t,$2,$1) + allow initrc_t $1:fd use; + allow initrc_t $1:process { noatsecure siginh rlimitinh }; + allow $1 initrc_t:fd use; + allow $1 initrc_t:fifo_file rw_file_perms; + allow $1 initrc_t:process sigchld; + } else { + can_exec(initrc_t,$2) + can_exec(direct_run_init,$2) + } + ',` + domain_auto_trans(initrc_t,$2,$1) + allow initrc_t $1:fd use; + allow initrc_t $1:process { noatsecure siginh rlimitinh }; + allow $1 initrc_t:fd use; + allow $1 initrc_t:fifo_file rw_file_perms; + allow $1 initrc_t:process sigchld; + ') + optional_policy(`nscd.te',` nscd_use_socket($1) ')