From mboxrd@z Thu Jan 1 00:00:00 1970
From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 10 Dec 2013 16:57:01 +0100
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
Message-ID: <1386691021.18689.75.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I have not tested this yet and it is a theory.

I was not there when that type attribute was implemented, so I do not know the rationale behind the decision to implement it. Would be nice if anyone could shed some light on that, and would be even better if this fix is acknowledged.

> From fc51afbd178dd6321f51d54939e73b1a94172fb9 Tue, 10 Dec 2013 16:53:08 +0100
> From: Dominick Grift
> Date: Tue, 10 Dec 2013 16:51:46 +0100
> Subject: [PATCH] Get rid of direct_init_entry:
>
> This thing breaks direct_initrc
>
> This type attribute was associated to domain entry files and used for
> role transitions to system_r
>
> The transition shouldn't happen on the domain entry file though it should
> happen on the init script executable files
>
> This was breaking direct_initrc because some executables can be run as
> system service and session service. By using the domain entry file in
> the init_daemon_domain interface and associating direct init entry with
> it and using direct init entry for the role transitions you force
> daemons to use system_r whether they are system or session daemon.
>
> Signed-off-by: Dominick Grift
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 79a45f6..5a7df5e 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -191,7 +191,7 @@ > # > interface(`init_daemon_domain',` > gen_require(` > - attribute direct_run_init, direct_init, direct_init_entry; > + attribute direct_run_init, direct_init; > type initrc_t; > role system_r; > attribute daemon;
> @@ -220,7 +220,6 @@ > allow direct_run_init $1:process { noatsecure siginh rlimitinh }; > > typeattribute $1 direct_init; > - typeattribute $2 direct_init_entry; > > userdom_dontaudit_use_user_terminals($1) > ') > @@ -982,12 +981,12 @@ > # > interface(`init_run_daemon',` > gen_require(` > - attribute direct_run_init, direct_init, direct_init_entry; > + attribute direct_run_init, init_script_file_type; > role system_r; > ') > > typeattribute $1 direct_run_init; > - role_transition $2 direct_init_entry system_r; > + role_transition $2 init_script_file_type system_r; > ') > > ######################################## > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index d9d9f5d..116e37a 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -27,7 +27,6 @@ > # by admin domains > attribute direct_run_init; > attribute direct_init; > -attribute direct_init_entry; > > attribute init_script_domain_type; > attribute init_script_file_type;
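Review bot: In the init.if hunk at @@ -220 (init_daemon_domain), dropping `typeattribute $2 direct_init_entry;` leaves the context lines `allow direct_run_init $1:process { noatsecure siginh rlimitinh };` and `typeattribute $1 direct_init;` in place, so the domain is still marked as directly startable while its entry file no longer takes part in any role transition. Either say in the interface comment that a direct start now depends on the init script file, or clean up the remaining direct_init plumbing in the same patch if it has no other user, given that the @@ -982 hunk also stops requiring direct_init.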
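Review bot: In the init.if hunk at @@ -982 (init_run_daemon), `role_transition $2 init_script_file_type system_r;` keys the transition on every type carrying init_script_file_type, so a role passed as $2 that executes a daemon's entry file directly, rather than through its init script, no longer gets a transition to system_r from this interface. The cover text says this is untested; please confirm on a build with direct_initrc enabled that the system-service and session-service cases both end up in the intended role, and update the interface documentation to state that the transition now applies to init script files.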
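Review bot: In the init.te hunk at @@ -27, removing `attribute direct_init_entry;` makes any remaining `gen_require` that names the attribute fail to resolve, and this patch only touches init.if and init.te. Check the rest of the policy tree for other references to direct_init_entry before dropping the declaration, and note the result in the commit message.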