* [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC
@ 2012-10-30 21:51 Sven Vermeulen
  2012-10-30 21:51 ` [refpolicy] [PATCH 1/4] Allow init to set attributes on device_t Sven Vermeulen
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Sven Vermeulen @ 2012-10-30 21:51 UTC (permalink / raw)
  To: refpolicy

This patchset contains a few updates needed for Gentoo's init system (openrc) to
further handle /run related matters.

Sven Vermeulen (4):
  Allow init to set attributes on device_t
  Introduce files_manage_all_pids interface
  Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
  Update files_manage_generic_locks with directory permissions

 policy/modules/kernel/files.if |   22 ++++++++++++++++++++++
 policy/modules/system/init.te  |    3 +++
 2 files changed, 25 insertions(+), 0 deletions(-)

-- 
1.7.8.6


* [refpolicy] [PATCH 1/4] Allow init to set attributes on device_t
  2012-10-30 21:51 [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC Sven Vermeulen
@ 2012-10-30 21:51 ` Sven Vermeulen
  2012-10-30 21:51 ` [refpolicy] [PATCH 2/4] Introduce files_manage_all_pids interface Sven Vermeulen
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2012-10-30 21:51 UTC (permalink / raw)
  To: refpolicy

In Gentoo, the openrc init framework creates the /dev/shm location (within
devtmpfs) using a "mkdir -m 1777 /dev/shm" command. This results in initrc_t
wanting to set the attributes of the /dev/shm directory (at that point still
labeled device_t as tmpfs isn't mounted on it yet).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2a8729c..1b32148 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -86,6 +86,7 @@ files_pid_file(initrc_var_run_t)
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
+
 ')
 
 ifdef(`enable_mls',`
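Review bot: the blank line added just before the closing `')` of the distro_gentoo block in this first hunk is unrelated whitespace and has nothing to do with setattr on device_t. Drop it so the patch is limited to the dev_setattr_generic_dirs(initrc_t) line.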
@@ -458,6 +459,7 @@ ifdef(`distro_gentoo',`
 	# early init
 	dev_create_generic_dirs(initrc_t)
 	dev_delete_generic_dirs(initrc_t)
+	dev_setattr_generic_dirs(initrc_t)
 
 	# allow bootmisc to create /var/lock/.keep.
 	files_manage_generic_locks(initrc_t)
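Review bot: dev_setattr_generic_dirs(initrc_t) is added under the generic "# early init" comment with nothing next to it saying why setattr is needed. The commit message ties it to openrc running mkdir -m 1777 /dev/shm while that directory is still labeled device_t; a one-line comment above the call stating this would keep the reason beside the rule, since the grant applies to device_t directories in general and not only to /dev/shm.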
-- 
1.7.8.6


* [refpolicy] [PATCH 2/4] Introduce files_manage_all_pids interface
  2012-10-30 21:51 [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC Sven Vermeulen
  2012-10-30 21:51 ` [refpolicy] [PATCH 1/4] Allow init to set attributes on device_t Sven Vermeulen
@ 2012-10-30 21:51 ` Sven Vermeulen
  2012-10-30 21:51 ` [refpolicy] [PATCH 3/4] Gentoo openrc migrates /var/run and /var/lock data to /run(/lock) Sven Vermeulen
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2012-10-30 21:51 UTC (permalink / raw)
  To: refpolicy

This interface will be used by domains that need to manage the various pidfile
content (*_var_run_t).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/files.if |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 54c6dbd..7c4b4ae 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6191,6 +6191,27 @@ interface(`files_dontaudit_getattr_all_pids',`
 
 ########################################
 ## <summary>
+##	Create, read, write and delete all
+##	var_run (pid) content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain alloed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_dirs_pattern($1, pidfile, pidfile)
+	manage_files_pattern($1, pidfile, pidfile)
+	manage_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to daemon runtime data files.
 ## </summary>
 ## <param name="domain">
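Review bot: the summary promises "Create, read, write and delete all var_run (pid) content", but the body only calls manage_dirs_pattern, manage_files_pattern and manage_lnk_files_pattern on pidfile, so sockets and FIFOs carrying a pidfile type are not covered. Either add the matching patterns or narrow the summary to directories, files and symlinks. The parameter description also has a typo: "Domain alloed access." should read "Domain allowed access."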
-- 
1.7.8.6


* [refpolicy] [PATCH 3/4] Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
  2012-10-30 21:51 [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC Sven Vermeulen
  2012-10-30 21:51 ` [refpolicy] [PATCH 1/4] Allow init to set attributes on device_t Sven Vermeulen
  2012-10-30 21:51 ` [refpolicy] [PATCH 2/4] Introduce files_manage_all_pids interface Sven Vermeulen
@ 2012-10-30 21:51 ` Sven Vermeulen
  2012-10-30 21:51 ` [refpolicy] [PATCH 4/4] Update files_manage_generic_locks with directory permissions Sven Vermeulen
  2012-10-31 15:46 ` [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC Christopher J. PeBenito
  4 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2012-10-30 21:51 UTC (permalink / raw)
  To: refpolicy

Gentoo's OpenRC init framework handles the migration of data from /var/run to
/run, and /var/lock to /run/lock. To deal with this, openrc uses "cp -a -r
/var/run /run" and "cp -a -r /var/lock/* /run/lock".

When done, it will create symlinks in /var towards the new locations.

As a result, initrc_t needs to be able to manage symlinks in /var, as well as
manage all pidfile content (needed for the migration of /var/run/* towards
/run).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1b32148..106d6be 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -86,7 +86,6 @@ files_pid_file(initrc_var_run_t)
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
-
 ')
 
 ifdef(`enable_mls',`
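Review bot: the only change in this hunk is the removal of the blank line before `')` that 1/4 added, which is whitespace churn unrelated to the /run migration. Fix it in 1/4 by not adding the line there, so the init.te diff in this patch contains just the two new interface calls.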
@@ -461,8 +460,10 @@ ifdef(`distro_gentoo',`
 	dev_delete_generic_dirs(initrc_t)
 	dev_setattr_generic_dirs(initrc_t)
 
+	files_manage_all_pids(initrc_t)
 	# allow bootmisc to create /var/lock/.keep.
 	files_manage_generic_locks(initrc_t)
+	files_manage_var_symlinks(initrc_t)
 	files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
 
 	# openrc uses tmpfs for its state data
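Review bot: files_manage_all_pids(initrc_t) is inserted directly above the existing "# allow bootmisc to create /var/lock/.keep." comment and files_manage_var_symlinks(initrc_t) directly below the call that comment describes, so neither new line has a comment of its own and the old comment now sits between them. Group the two new calls under their own comment, for example "# openrc migrates /var/run and /var/lock to /run", which would also document why initrc_t gets manage access to all pidfile content.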
-- 
1.7.8.6


* [refpolicy] [PATCH 4/4] Update files_manage_generic_locks with directory permissions
  2012-10-30 21:51 [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-10-30 21:51 ` [refpolicy] [PATCH 3/4] Gentoo openrc migrates /var/run and /var/lock data to /run(/lock) Sven Vermeulen
@ 2012-10-30 21:51 ` Sven Vermeulen
  2012-10-31 15:46 ` [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC Christopher J. PeBenito
  4 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2012-10-30 21:51 UTC (permalink / raw)
  To: refpolicy

Currently, the files_manage_generic_locks only handles the lock files. If a
domain needs to manage both lock files and the lock directories (like specific
subdirectories in /var/lock that are not owned by a single other domain, such as
Gentoo's /var/lock/subsys location) it also needs the manage permissions on the
directory.

This is to support OpenRC's migration of /var/lock to /run/lock which otherwise
fails:

* Migrating /var/lock to /run/lock
cp: cannot create directory '/run/lock/subsys': Permission denied
rm: cannot remove '/var/lock/subsys': Permission denied

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/files.if |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 7c4b4ae..1f0c6f8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5818,6 +5818,7 @@ interface(`files_manage_generic_locks',`
 
 	allow $1 var_t:dir search_dir_perms;
 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	manage_dirs_pattern($1, var_lock_t, var_lock_t)
 	manage_files_pattern($1, var_lock_t, var_lock_t)
 ')
 
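Review bot: manage_dirs_pattern($1, var_lock_t, var_lock_t) is added inside the shared files_manage_generic_locks interface, so every domain that already calls it gains manage rights on var_lock_t directories, not only initrc_t for the OpenRC migration. Consider putting the directory permissions in a separate interface that init.te calls alongside this one, or at least update the interface's summary in the same patch to say it now manages lock directories as well as lock files.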
-- 
1.7.8.6


* [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC
  2012-10-30 21:51 [refpolicy] [PATCH 0/4] Updates on initrc_t for Gentoo OpenRC Sven Vermeulen
                   ` (3 preceding siblings ...)
  2012-10-30 21:51 ` [refpolicy] [PATCH 4/4] Update files_manage_generic_locks with directory permissions Sven Vermeulen
@ 2012-10-31 15:46 ` Christopher J. PeBenito
  4 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-10-31 15:46 UTC (permalink / raw)
  To: refpolicy

On 10/30/12 17:51, Sven Vermeulen wrote:
> This patchset contains a few updates needed for Gentoo's init system (openrc) to
> further handle /run related matters.
> 
> Sven Vermeulen (4):
>   Allow init to set attributes on device_t
>   Introduce files_manage_all_pids interface
>   Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
>   Update files_manage_generic_locks with directory permissions
> 
>  policy/modules/kernel/files.if |   22 ++++++++++++++++++++++
>  policy/modules/system/init.te  |    3 +++
>  2 files changed, 25 insertions(+), 0 deletions(-)
 
This set is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
