* [refpolicy] [PATCH] system/init: Add a filetrans for /run/initctl
@ 2018-03-30 22:07 Luis Ressel
2018-04-03 10:07 ` Dominick Grift
2018-04-27 6:32 ` [refpolicy] [PATCH v2] init: Add " Jason Zaman
0 siblings, 2 replies; 7+ messages in thread
From: Luis Ressel @ 2018-03-30 22:07 UTC (permalink / raw)
To: refpolicy
sysvinit 2.89 moved /dev/initctl to /run/initctl.
Reported-by: revel
---
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4fd9745b..64c61377 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
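Review bot: Nothing at the two filetrans lines says why both are kept. The commit message states that sysvinit 2.89 moved the fifo from /dev/initctl to /run/initctl, so dev_filetrans(init_t, initctl_t, fifo_file) now only serves older sysvinit; a one-line comment above the pair saying so would stop a later cleanup from dropping either line. The added transition is also tied to the file name "initctl"; if the name is needed to avoid a clash with another transition, name that transition in the same comment.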
--
2.16.3
* [refpolicy] [PATCH] system/init: Add a filetrans for /run/initctl
2018-03-30 22:07 [refpolicy] [PATCH] system/init: Add a filetrans for /run/initctl Luis Ressel
@ 2018-04-03 10:07 ` Dominick Grift
2018-04-27 6:32 ` [refpolicy] [PATCH v2] init: Add " Jason Zaman
1 sibling, 0 replies; 7+ messages in thread
From: Dominick Grift @ 2018-04-03 10:07 UTC (permalink / raw)
To: refpolicy
On Sat, Mar 31, 2018 at 12:07:54AM +0200, Luis Ressel via refpolicy wrote:
> sysvinit 2.89 moved /dev/initctl to /run/initctl.
Might this be missing a file context specification?
Also, should existing interfaces providing access to initctl be extended to allow traversal of /run?
>
> Reported-by: revel
> ---
> policy/modules/system/init.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 4fd9745b..64c61377 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
>
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
> +files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")
>
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> --
> 2.16.3
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* [refpolicy] [PATCH v2] init: Add filetrans for /run/initctl
2018-03-30 22:07 [refpolicy] [PATCH] system/init: Add a filetrans for /run/initctl Luis Ressel
2018-04-03 10:07 ` Dominick Grift
@ 2018-04-27 6:32 ` Jason Zaman
2018-04-28 22:05 ` Chris PeBenito
2018-04-30 6:32 ` [refpolicy] [PATCH v3] " Jason Zaman
1 sibling, 2 replies; 7+ messages in thread
From: Jason Zaman @ 2018-04-27 6:32 UTC (permalink / raw)
To: refpolicy
sysvinit 2.89 moved /dev/initctl to /run/initctl.
There is already a filecontext so this only adds the filetrans and
updates interfaces.
Reported-by: revel
---
policy/modules/system/init.if | 5 +++++
policy/modules/system/init.te | 1 +
2 files changed, 6 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 326581ec..bd5fe207 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
type initctl_t;
')
+ dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file getattr;
')
')
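Review bot: In init_getattr_initctl this adds dev_list_all_dev_nodes($1) as well as files_search_pids($1), so callers of this interface gain the right to list device directories, which they did not get from it before. The commit message ("only adds the filetrans and updates interfaces") does not call that out. Mention it in the message as a fix for the existing /dev/initctl path, or split it into its own patch so the /run change stays a pure addition.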
@@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
')
dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file write;
')
@@ -1385,6 +1388,7 @@ interface(`init_telinit',`
corecmd_exec_bin($1)
dev_list_all_dev_nodes($1)
+ files_search_pids($1)
init_exec($1)
')
@@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
')
dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8fabb0ea..aa5506ca 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
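Review bot: The fourth argument "initctl" on the added files_pid_filetrans line makes this a name-based transition, unlike the unnamed dev_filetrans(init_t, initctl_t, fifo_file) directly above it. If init_t has no other fifo_file transition in the pid directory, drop the name so the two lines match; if it has one, add a comment that names it.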
--
2.16.1
* [refpolicy] [PATCH v2] init: Add filetrans for /run/initctl
2018-04-27 6:32 ` [refpolicy] [PATCH v2] init: Add " Jason Zaman
@ 2018-04-28 22:05 ` Chris PeBenito
2018-04-30 3:55 ` Jason Zaman
2018-04-30 6:32 ` [refpolicy] [PATCH v3] " Jason Zaman
1 sibling, 1 reply; 7+ messages in thread
From: Chris PeBenito @ 2018-04-28 22:05 UTC (permalink / raw)
To: refpolicy
On 04/27/2018 02:32 AM, Jason Zaman via refpolicy wrote:
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 8fabb0ea..aa5506ca 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
>
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
> +files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")
Is the name really needed? I don't see any type_transition conflicts.
--
Chris PeBenito
* [refpolicy] [PATCH v2] init: Add filetrans for /run/initctl
2018-04-28 22:05 ` Chris PeBenito
@ 2018-04-30 3:55 ` Jason Zaman
0 siblings, 0 replies; 7+ messages in thread
From: Jason Zaman @ 2018-04-30 3:55 UTC (permalink / raw)
To: refpolicy
On Sat, Apr 28, 2018 at 06:05:59PM -0400, Chris PeBenito wrote:
> On 04/27/2018 02:32 AM, Jason Zaman via refpolicy wrote:
>
> > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> > index 8fabb0ea..aa5506ca 100644
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
> >
> > allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> > dev_filetrans(init_t, initctl_t, fifo_file)
> > +files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")
>
> Is the name really needed? I don't see any type_transition conflicts.
>
Indeed, there is a filetrans for file but nothing for fifo_file. I'll
re-send the patch.
-- Jason
* [refpolicy] [PATCH v3] init: Add filetrans for /run/initctl
2018-04-27 6:32 ` [refpolicy] [PATCH v2] init: Add " Jason Zaman
2018-04-28 22:05 ` Chris PeBenito
@ 2018-04-30 6:32 ` Jason Zaman
2018-05-02 21:23 ` Chris PeBenito
1 sibling, 1 reply; 7+ messages in thread
From: Jason Zaman @ 2018-04-30 6:32 UTC (permalink / raw)
To: refpolicy
sysvinit 2.89 moved /dev/initctl to /run/initctl.
Reported-by: revel
---
policy/modules/system/init.if | 5 +++++
policy/modules/system/init.te | 1 +
2 files changed, 6 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 326581ec..bd5fe207 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
type initctl_t;
')
+ dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file getattr;
')
')
@@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
')
dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file write;
')
@@ -1385,6 +1388,7 @@ interface(`init_telinit',`
corecmd_exec_bin($1)
dev_list_all_dev_nodes($1)
+ files_search_pids($1)
init_exec($1)
')
@@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
')
dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8fabb0ea..02538ac7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
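Review bot: With the name argument gone from files_pid_filetrans(init_t, initctl_t, fifo_file), every fifo_file that init_t creates in a pid directory is labelled initctl_t, not only /run/initctl. That matches the dev_filetrans line above it, but a short comment stating that this is intentional would help later readers, and the notes below the --- line should record what changed since v2.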
--
2.16.1
* [refpolicy] [PATCH v3] init: Add filetrans for /run/initctl
2018-04-30 6:32 ` [refpolicy] [PATCH v3] " Jason Zaman
@ 2018-05-02 21:23 ` Chris PeBenito
0 siblings, 0 replies; 7+ messages in thread
From: Chris PeBenito @ 2018-05-02 21:23 UTC (permalink / raw)
To: refpolicy
On 04/30/2018 02:32 AM, Jason Zaman via refpolicy wrote:
> sysvinit 2.89 moved /dev/initctl to /run/initctl.
>
> Reported-by: revel
> ---
> policy/modules/system/init.if | 5 +++++
> policy/modules/system/init.te | 1 +
> 2 files changed, 6 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 326581ec..bd5fe207 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
> type initctl_t;
> ')
>
> + dev_list_all_dev_nodes($1)
> + files_search_pids($1)
> allow $1 initctl_t:fifo_file getattr;
> ')
> ')
> @@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
> ')
>
> dev_list_all_dev_nodes($1)
> + files_search_pids($1)
> allow $1 initctl_t:fifo_file write;
> ')
>
> @@ -1385,6 +1388,7 @@ interface(`init_telinit',`
> corecmd_exec_bin($1)
>
> dev_list_all_dev_nodes($1)
> + files_search_pids($1)
>
> init_exec($1)
> ')
> @@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
> ')
>
> dev_list_all_dev_nodes($1)
> + files_search_pids($1)
> allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> ')
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 8fabb0ea..02538ac7 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
>
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
> +files_pid_filetrans(init_t, initctl_t, fifo_file)
>
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
Merged.
--
Chris PeBenito