From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-819106-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 47A4D138D03
	for <garchives@archives.gentoo.org>; Sat, 11 Jul 2015 13:38:55 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 4E150E0886;
	Sat, 11 Jul 2015 13:38:53 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id D2F83E0886
	for <gentoo-commits@lists.gentoo.org>; Sat, 11 Jul 2015 13:38:52 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 819E634082B
	for <gentoo-commits@lists.gentoo.org>; Sat, 11 Jul 2015 13:38:51 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 9385375C
	for <gentoo-commits@lists.gentoo.org>; Sat, 11 Jul 2015 13:38:49 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1436621790.76b213703ff1b7bbcbfb0876388c764918290070.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/init.if policy/modules/system/selinuxutil.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 76b213703ff1b7bbcbfb0876388c764918290070
X-VCS-Branch: master
Date: Sat, 11 Jul 2015 13:38:49 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 8433cda3-caf5-41d1-830c-3de6d2ef2300
X-Archives-Hash: 66b34298e9aee525b007dce7f042a47b
Message-ID: <20150711133849.1fHG6mOGwbYqVV_v1SZCjnlFTMzTmqLu_Zanyc6QqZk@z>

commit:     76b213703ff1b7bbcbfb0876388c764918290070
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:36:30 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:36:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76b21370

Allow run_init_t to read all named init scripts

When OpenRC wants to execute a labeled init script, it fails if this is
a symlink:

~$ sudo /etc/init.d/ceph-mon.0 start
openrc-run should not be run directly

The denial shows that a read on the symlink is denied:

type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0

After granting this, the behavior is as expected:

~$ sudo /etc/init.d/ceph-mon.0 start
* Starting Ceph mon.0 ...               [ ok ]

X-Gentoo-Bug: 554514
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554514

 policy/modules/system/init.if        | 5 +++++
 policy/modules/system/selinuxutil.te | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ed65609..211d434 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1195,6 +1195,11 @@ interface(`init_read_all_script_files',`
 
 	files_search_etc($1)
 	allow $1 init_script_file_type:file read_file_perms;
+
+	ifdef(`distro_gentoo',`
+		# Bug 554514
+		allow $1 init_script_file_type:lnk_file read_lnk_file_perms;
+	')
 ')
 
 #######################################

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 51c64be..d25a0fd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -418,6 +418,8 @@ userdom_use_user_terminals(run_init_t)
 ifndef(`direct_sysadm_daemon',`
 	ifdef(`distro_gentoo',`
 		# Gentoo integrated run_init:
+		# Bug 554514
+		init_read_all_script_files(run_init_t)	
 		init_script_file_entry_type(run_init_t)
 
 		init_exec_rc(run_init_t)