Attachment #581402 for bug #688946

Lines 4-9 Link Here

(-)a/policy/modules/admin/shutdown.fc (+2 lines)
4		4
5	/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)	5	/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
6		6
		7	/usr/sbin/openrc-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
		8
7	/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)	9	/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
8		10
9	/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)	11	/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)

Lines 41-46 ifdef(`distro_gentoo',` Link Here

(-)a/policy/modules/system/init.fc (+2 lines)
41		41
42	/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)	42	/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
43	/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)	43	/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
		44	/usr/sbin/openrc-init -- gen_context(system_u:object_r:init_exec_t,s0)
44	/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)	45	/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
45		46
46	ifdef(`distro_gentoo', `	47	ifdef(`distro_gentoo', `
Lines 60-65 ifdef(`distro_redhat',` Link Here
60	/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)	61	/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
61	/run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)	62	/run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
62	/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)	63	/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
		64	/run/openrc/init\.ctl -p gen_context(system_u:object_r:initctl_t,s0)
63	/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)	65	/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
64	/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)	66	/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
65	/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)	67	/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)




#
interface(`init_getattr_initctl',`
	gen_require(`
		type initctl_t, initrc_state_t;
	')

	files_search_pids($1)
	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file getattr;
	allow $1 initrc_state_t:dir search_dir_perms;
')

########################################

#
interface(`init_write_initctl',`
	gen_require(`
		type initctl_t, initrc_state_t;
	')

	dev_list_all_dev_nodes($1)
	files_search_pids($1)
	allow $1 initctl_t:fifo_file write;
	allow $1 initrc_state_t:dir search_dir_perms;
')

########################################

	#576913
	allow $1 init_t:unix_stream_socket connectto;

	allow $1 initctl_t:fifo_file rw_fifo_file_perms;

	corecmd_exec_bin($1)

	dev_list_all_dev_nodes($1)
	files_search_pids($1)

	init_exec($1)

	init_write_initctl($1)
')

########################################

Lines 146-151 allow init_t init_var_run_t:file manage_lnk_file_perms; Link Here

(-)a/policy/modules/system/init.te (-1 / +2 lines)
146	allow init_t initctl_t:fifo_file manage_fifo_file_perms;	146	allow init_t initctl_t:fifo_file manage_fifo_file_perms;
147	dev_filetrans(init_t, initctl_t, fifo_file)	147	dev_filetrans(init_t, initctl_t, fifo_file)
148	files_pid_filetrans(init_t, initctl_t, fifo_file)	148	files_pid_filetrans(init_t, initctl_t, fifo_file)
		149	# Allow openrc-init to create /run/openrc/init.ctl pipe.
		150	filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl" )
149		151
150	# Modify utmp.	152	# Modify utmp.
151	allow init_t initrc_var_run_t:file { rw_file_perms setattr };	153	allow init_t initrc_var_run_t:file { rw_file_perms setattr };
152	-

Return to bug 688946

Lines 1324-1335 interface(`init_pid_filetrans',` Link Here

(-)a/policy/modules/system/init.if (-7 / +6 lines)
1324	#	1324	#
1325	interface(`init_getattr_initctl',`	1325	interface(`init_getattr_initctl',`
1326	gen_require(`	1326	gen_require(`
1327	type initctl_t;	1327	type initctl_t, initrc_state_t;
1328	')	1328	')
1329		1329
1330	files_search_pids($1)	1330	files_search_pids($1)
1331	dev_list_all_dev_nodes($1)	1331	dev_list_all_dev_nodes($1)
1332	allow $1 initctl_t:fifo_file getattr;	1332	allow $1 initctl_t:fifo_file getattr;
		1333	allow $1 initrc_state_t:dir search_dir_perms;
1333	')	1334	')
1334		1335
1335	########################################	1336	########################################
Lines 1363-1374 interface(`init_dontaudit_getattr_initctl',` Link Here
1363	#	1364	#
1364	interface(`init_write_initctl',`	1365	interface(`init_write_initctl',`
1365	gen_require(`	1366	gen_require(`
1366	type initctl_t;	1367	type initctl_t, initrc_state_t;
1367	')	1368	')
1368		1369
1369	dev_list_all_dev_nodes($1)	1370	dev_list_all_dev_nodes($1)
1370	files_search_pids($1)	1371	files_search_pids($1)
1371	allow $1 initctl_t:fifo_file write;	1372	allow $1 initctl_t:fifo_file write;
		1373	allow $1 initrc_state_t:dir search_dir_perms;
1372	')	1374	')
1373		1375
1374	########################################	1376	########################################
Lines 1395-1408 interface(`init_telinit',` Link Here
1395	#576913	1397	#576913
1396	allow $1 init_t:unix_stream_socket connectto;	1398	allow $1 init_t:unix_stream_socket connectto;
1397		1399
1398	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
1399
1400	corecmd_exec_bin($1)	1400	corecmd_exec_bin($1)
1401		1401
1402	dev_list_all_dev_nodes($1)
1403	files_search_pids($1)
1404
1405	init_exec($1)	1402	init_exec($1)
		1403
		1404	init_write_initctl($1)
1406	')	1405	')
1407		1406
1408	########################################	1407	########################################