From 1a8ab467589ebf6c683811e18e757379fd5dc882 Mon Sep 17 00:00:00 2001 From: Alexander Miroshnichenko Date: Sat, 29 Jun 2019 18:22:21 +0300 Subject: [PATCH] Add support for openrc-init Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Signed-off-by: Alexander Miroshnichenko --- policy/modules/admin/shutdown.fc | 2 ++ policy/modules/system/init.fc | 2 ++ policy/modules/system/init.if | 13 ++++++------- policy/modules/system/init.te | 2 ++ 4 files changed, 12 insertions(+), 7 deletions(-) diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc index 03a2230c6766..9d2e1b8acff2 100644 --- a/policy/modules/admin/shutdown.fc +++ b/policy/modules/admin/shutdown.fc @@ -4,6 +4,8 @@ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/sbin/openrc-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 0775a6ba777c..d9faded9eb8f 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -41,6 +41,7 @@ ifdef(`distro_gentoo',` /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/openrc-init -- gen_context(system_u:object_r:init_exec_t,s0) /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ifdef(`distro_gentoo', ` 
@@ -60,6 +61,7 @@ ifdef(`distro_redhat',` /run/initctl -p gen_context(system_u:object_r:initctl_t,s0) /run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/openrc/init\.ctl -p gen_context(system_u:object_r:initctl_t,s0) /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 89ac691c5f04..f496c6e8ee38 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1324,12 +1324,13 @@ interface(`init_pid_filetrans',` # interface(`init_getattr_initctl',` gen_require(` - type initctl_t; + type initctl_t, initrc_state_t; ') files_search_pids($1) dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file getattr; + allow $1 initrc_state_t:dir search_dir_perms; ') ######################################## @@ -1363,12 +1364,13 @@ interface(`init_dontaudit_getattr_initctl',` # interface(`init_write_initctl',` gen_require(` - type initctl_t; + type initctl_t, initrc_state_t; ') dev_list_all_dev_nodes($1) files_search_pids($1) allow $1 initctl_t:fifo_file write; + allow $1 initrc_state_t:dir search_dir_perms; ') ######################################## @@ -1395,14 +1397,11 @@ interface(`init_telinit',` #576913 allow $1 init_t:unix_stream_socket connectto; - allow $1 initctl_t:fifo_file rw_fifo_file_perms; - corecmd_exec_bin($1) - dev_list_all_dev_nodes($1) - files_search_pids($1) - init_exec($1) + + init_write_initctl($1) ') ######################################## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 9f3cfba1bf6d..6319a010cfa8 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
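Review bot: In `init_getattr_initctl`, the new `allow $1 initrc_state_t:dir search_dir_perms;` is granted to every caller of a generic interface on every build, and nothing in the hunk says why the directory search is needed. The same rule is added to `init_write_initctl` in the next hunk. Presumably it lets callers reach `/run/openrc/init.ctl`, which assumes `/run/openrc` is labeled `initrc_state_t`; that labeling is not visible in this patch and should be confirmed. I would put a comment above each rule, e.g. `# openrc-init keeps its control pipe under /run/openrc (initrc_state_t)`, and update the interface summaries, which lie outside these hunks.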
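Review bot: In `init_telinit`, replacing the direct rule on `initctl_t:fifo_file` with `init_write_initctl($1)` narrows what telinit callers get on the control pipe. The old rule used `rw_fifo_file_perms`, while `init_write_initctl` as shown in this patch allows only `write`. That is a tightening beyond what the subject "Add support for openrc-init" announces, and callers that need to open, read or stat the pipe may start seeing denials. If the reduction is intended, say so in the commit message; if not, keep the original rule alongside the new call, `allow $1 initctl_t:fifo_file rw_fifo_file_perms;`. The collapsed layout of this page makes it hard to tell exactly which of the neighbouring lines are removed, and the interface begins outside the hunk.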
@@ -146,6 +146,8 @@ allow init_t init_var_run_t:file manage_lnk_file_perms; allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) files_pid_filetrans(init_t, initctl_t, fifo_file) +# Allow openrc-init to create /run/openrc/init.ctl pipe. +filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl" ) # Modify utmp. allow init_t initrc_var_run_t:file { rw_file_perms setattr }; -- 2.21.0
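Review bot: The added `filetrans_add_pattern` call has a stray space before the closing parenthesis. It is also unconditional, so the named transition, and whatever directory permissions the macro carries on `initrc_state_t`, apply to `init_t` on every build rather than only where openrc-init is used. I would write it as `filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl")` and extend the comment to say that the name must stay in step with the `/run/openrc/init\.ctl` entry in init.fc. Whether the rule belongs under a conditional is not something the visible lines settle.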