From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B0EA1138CD0 for ; Fri, 22 May 2015 20:20:06 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6C5A0E0891; Fri, 22 May 2015 20:20:02 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 0D87CE0891 for ; Fri, 22 May 2015 20:20:01 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A968B340B74 for ; Fri, 22 May 2015 20:20:00 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9E12F9BD for ; Fri, 22 May 2015 20:19:57 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1432324901.7a7d862ad99304dbe93e2feb668088b4966db74d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/init.if policy/modules/system/selinuxutil.if
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 7a7d862ad99304dbe93e2feb668088b4966db74d
X-VCS-Branch: master
Date: Fri, 22 May 2015 20:19:57 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: bd58b51a-bf39-4c2c-a359-6f743b3cecd5
X-Archives-Hash: f616f888b38c4dbd37518b7971601d16

commit:     7a7d862ad99304dbe93e2feb668088b4966db74d
Author:     Jason Zaman perfinion com>
AuthorDate: Fri May 15 15:03:30 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Fri May 22 20:01:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a7d862a

Add openrc support to init_startstop_service

Adds the openrc rules in ifdef distro_gentoo to transition to run_init correctly.

 policy/modules/system/init.if        | 14 ++++---
 policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 61db079..7b17c5c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -998,11 +998,15 @@ interface(`init_startstop_service',` ') ifndef(`direct_sysadm_daemon',` - # rules for sysvinit / upstart - init_labeled_script_domtrans($1, $4) - domain_system_change_exemption($1) - role_transition $2 $4 system_r; - allow $2 system_r; + ifdef(`distro_gentoo',` + seutil_spec_run_runinit($1, $2, $4) + ',` + # rules for sysvinit / upstart + init_labeled_script_domtrans($1, $4) + domain_system_change_exemption($1) + role_transition $2 $4 system_r; + allow $2 system_r; + ') ') ') diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 129a6e0..e69f279 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',` ######################################## ## +## Execute file in the run_init domain. +## +## +##

+## Execute file in the run_init domain. +## This is used for the Gentoo integrated run_init. +##

+##
+## +## +## Domain allowed to transition. +## +## +## +## +## Type of entry file. +## +## +# +interface(`seutil_spec_domtrans_runinit',` + gen_require(` + type run_init_t; + ') + + domain_entry_file(run_init_t, $2) + domain_auto_transition_pattern($1, $2, run_init_t) + + allow run_init_t $1:fd use; + allow run_init_t $1:fifo_file rw_file_perms; + allow run_init_t $1:process sigchld; +') + +######################################## +## ## Execute init scripts in the run_init domain. ## ## @@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',` ######################################## ## +## Execute specified file in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## +## +##

+## Execute specified file in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +##

+##

+## This is used for the Gentoo integrated run_init. +##

+##
+## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +## +## Type of init script. +## +## +# +interface(`seutil_spec_run_runinit',` + gen_require(` + attribute_role run_init_roles; + ') + + seutil_spec_domtrans_runinit($1, $3) + roleattribute $2 run_init_roles; +') + +######################################## +## ## Inherit and use run_init file descriptors. ## ##
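Review bot: in the init.if hunk (@@ -998,11 +998,15 @@ init_startstop_service) the distro_gentoo branch replaces `domain_system_change_exemption($1)`, `role_transition $2 $4 system_r;` and `allow $2 system_r;` with a single `seutil_spec_run_runinit($1, $2, $4)` call, so the role change into system_r now has to come from the run_init side rather than from the calling domain, and nothing in the hunk shows where that happens. The sysvinit/upstart branch keeps its "# rules for sysvinit / upstart" comment while the new branch has none; add a one-line comment such as `# rules for openrc: run_init performs the role change` so the asymmetry reads as intentional, and confirm that the openrc path still lets $4 run under system_r, since both branches now sit inside the same ifndef(`direct_sysadm_daemon') guard.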
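Review bot: in the selinuxutil.if hunk adding seutil_spec_domtrans_runinit (@@ -379,6 +379,40 @@), the `domain_auto_transition_pattern($1, $2, run_init_t)` call followed by the three allow rules for fd use, fifo_file and process sigchld is the body of domtrans_pattern($1, $2, run_init_t) written out by hand; using the pattern keeps this interface in step with seutil_domtrans_runinit directly above it and also removes the `rw_file_perms` on a fifo_file, which by refpolicy convention should be the object-specific `rw_fifo_file_perms`. A documentation point for the same hunk: `domain_entry_file(run_init_t, $2)` makes every type passed as $2 an entrypoint of run_init_t, so a caller that passes an init script type writable by a less-privileged domain lets an edited script enter run_init_t with run_init's privileges; the parameter description ("Type of entry file.") should say that $2 must be an init script type only trusted domains can write.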
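Review bot: in the selinuxutil.if hunk adding seutil_spec_run_runinit (@@ -470,6 +504,47 @@), the summary says the interface lets the caller "use the caller's terminal", but the body only calls `seutil_spec_domtrans_runinit($1, $3)` and adds `roleattribute $2 run_init_roles;`; no terminal, chr_file or fd rules appear. If that access is granted elsewhere through run_init_roles, say so in the description; otherwise drop the phrase so the documentation matches the rules. The description also repeats the summary sentence verbatim before the Gentoo-specific note, so only the "This is used for the Gentoo integrated run_init." sentence adds information there.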