Diffstat (limited to 'recipes-security/refpolicy/refpolicy-targeted')
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch65
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch72
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch222
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch222
6 files changed, 0 insertions, 673 deletions
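--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Subject: [PATCH] refpolicy: fix optional issue on sysadm module
-
-init and locallogin modules have a depend for sysadm module because
-they have called sysadm interfaces(sysadm_shell_domtrans). Since
-sysadm is not a core module, we could make the sysadm_shell_domtrans
-calls optionally by optional_policy.
-
-So, we could make the minimum policy without sysadm module.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 14 ++++++++------
- policy/modules/system/locallogin.te | 4 +++-
- 2 files changed, 11 insertions(+), 7 deletions(-)
-
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
-
- optional_policy(`
- modutils_domtrans(init_t)
- ')
- ',`
-- tunable_policy(`init_upstart',`
-- corecmd_shell_domtrans(init_t, initrc_t)
-- ',`
-- # Run the shell in the sysadm role for single-user mode.
-- # causes problems with upstart
-- ifndef(`distro_debian',`
-- sysadm_shell_domtrans(init_t)
-+ optional_policy(`
-+ tunable_policy(`init_upstart',`
-+ corecmd_shell_domtrans(init_t, initrc_t)
-+ ',`
-+ # Run the shell in the sysadm role for single-user mode.
-+ # causes problems with upstart
-+ ifndef(`distro_debian',`
-+ sysadm_shell_domtrans(init_t)
-+ ')
- ')
- ')
- ')
-
- ifdef(`distro_debian',`
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
- userdom_use_unpriv_users_fds(sulogin_t)
-
- userdom_search_user_home_dirs(sulogin_t)
- userdom_use_user_ptys(sulogin_t)
-
--sysadm_shell_domtrans(sulogin_t)
-+optional_policy(`
-+ sysadm_shell_domtrans(sulogin_t)
-+')
-
- # by default, sulogin does not use pam...
- # sulogin_pam might need to be defined otherwise
- ifdef(`sulogin_pam', `
- selinux_get_fs_mount(sulogin_t)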
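--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Subject: [PATCH] refpolicy: fix optional issue on sysadm module
-
-init and locallogin modules have a depend for sysadm module because
-they have called sysadm interfaces(sysadm_shell_domtrans). Since
-sysadm is not a core module, we could make the sysadm_shell_domtrans
-calls optionally by optional_policy.
-
-So, we could make the minimum policy without sysadm module.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 14 ++++++++------
- policy/modules/system/locallogin.te | 4 +++-
- 2 files changed, 11 insertions(+), 7 deletions(-)
-
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -300,16 +300,18 @@ ifdef(`init_systemd',`
-
- optional_policy(`
- modutils_domtrans_insmod(init_t)
- ')
- ',`
-- tunable_policy(`init_upstart',`
-- corecmd_shell_domtrans(init_t, initrc_t)
-- ',`
-- # Run the shell in the sysadm role for single-user mode.
-- # causes problems with upstart
-- sysadm_shell_domtrans(init_t)
-+ optional_policy(`
-+ tunable_policy(`init_upstart',`
-+ corecmd_shell_domtrans(init_t, initrc_t)
-+ ',`
-+ # Run the shell in the sysadm role for single-user mode.
-+ # causes problems with upstart
-+ sysadm_shell_domtrans(init_t)
-+ ')
- ')
- ')
-
- ifdef(`distro_debian',`
- fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
-@@ -1109,6 +1111,6 @@ optional_policy(`
- ')
-
- # systemd related allow rules
- allow kernel_t init_t:process dyntransition;
- allow devpts_t device_t:filesystem associate;
--allow init_t self:capability2 block_suspend;
-\ No newline at end of file
-+allow init_t self:capability2 block_suspend;
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t)
- userdom_use_unpriv_users_fds(sulogin_t)
-
- userdom_search_user_home_dirs(sulogin_t)
- userdom_use_user_ptys(sulogin_t)
-
--sysadm_shell_domtrans(sulogin_t)
-+optional_policy(`
-+ sysadm_shell_domtrans(sulogin_t)
-+')
-
- # suse and debian do not use pam with sulogin...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
-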
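--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Wed, 17 Feb 2016 08:35:51 -0500
-Subject: [PATCH] remove duplicate type_transition
-
-Remove duplicate type rules from init_t to init_script_file_type,
-they have been included by systemd policies. This also fixes the
-errors while installing modules for refpolicy-targeted if systemd
-support is enabled:
-
-| Conflicting type rules
-| Binary policy creation failed at line 327 of \
- .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
- /var/lib/selinux/targeted/tmp/modules/100/init/cil
-| Failed to generate binary
-| semodule: Failed!
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.if | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t;
-+ type initrc_t, initrc_exec_t;
- attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, init_script_file_type, initrc_t)
-+ domtrans_pattern($1, initrc_exec_t, initrc_t)
-
- ifdef(`enable_mcs',`
- range_transition $1 init_script_file_type:process s0;
- ')
-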
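--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Wed, 17 Feb 2016 08:35:51 -0500
-Subject: [PATCH] remove duplicate type_transition
-
-Remove duplicate type rules from init_t to init_script_file_type,
-they have been included by systemd policies. This also fixes the
-errors while installing modules for refpolicy-targeted if systemd
-support is enabled:
-
-| Conflicting type rules
-| Binary policy creation failed at line 327 of \
- .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
- /var/lib/selinux/targeted/tmp/modules/100/init/cil
-| Failed to generate binary
-| semodule: Failed!
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.if | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t;
-+ type initrc_t, initrc_exec_t;
- attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, init_script_file_type, initrc_t)
-+ domtrans_pattern($1, initrc_exec_t, initrc_t)
-
- ifdef(`enable_mcs',`
- range_transition $1 init_script_file_type:process s0;
- ')
-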
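--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
-
-For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
-commands and services on unconfined domains.
-
-Also add rules for users to run init scripts directly, instead of via
-run_init.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- config/appconfig-mcs/seusers | 4 ++--
- policy/modules/roles/sysadm.te | 1 +
- policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++-------
- policy/modules/system/unconfined.te | 7 ++++++
- policy/users | 16 +++++--------
- 5 files changed, 55 insertions(+), 20 deletions(-)
-
---- a/config/appconfig-mcs/seusers
-+++ b/config/appconfig-mcs/seusers
-@@ -1,2 +1,3 @@
--root:root:s0-mcs_systemhigh
--__default__:user_u:s0
-+root:unconfined_u:s0-mcs_systemhigh
-+__default__:unconfined_u:s0
-+
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
- ubac_file_exempt(sysadm_t)
- ubac_fd_exempt(sysadm_t)
-
- init_exec(sysadm_t)
- init_admin(sysadm_t)
-+init_script_role_transition(sysadm_r)
-
- selinux_read_policy(sysadm_t)
-
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
- ## </summary>
- ## </param>
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type rc_exec_t;
- ')
-
- domtrans_pattern($1, rc_exec_t, initrc_t)
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -2972,5 +2974,34 @@ interface(`init_admin',`
- init_stop_all_units($1)
- init_stop_generic_units($1)
- init_stop_system($1)
- init_telinit($1)
- ')
-+
-+########################################
-+## <summary>
-+## Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute a init script in a specified role
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="source_role">
-+## <summary>
-+## Role to transition from.
-+## </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
-+
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
-
- type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
- role unconfined_r types unconfined_execmem_t;
-+role unconfined_r types unconfined_t;
-+role system_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
-
- ########################################
- #
- # Local policy
- #
-@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
- userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(unconfined_t, unconfined_r)
-+ init_domtrans_script(unconfined_t)
-+ init_script_role_transition(unconfined_r)
- ')
- ',`
- ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
---- a/policy/users
-+++ b/policy/users
-@@ -13,37 +13,33 @@
- # system_u is the user identity for system processes and objects.
- # There should be no corresponding Unix user identity for system,
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # user_u is a generic user identity for Linux users who have no
- # SELinux user identity defined. The modified daemons will use
- # this user identity in the security context if there is no matching
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
- gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- # Until order dependence is fixed for users:
- ifdef(`direct_sysadm_daemon',`
-- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
-- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ')
-
- #
- # The following users correspond to Unix identities.
- # These identities are typically assigned as the user attribute
- # when login starts the user shell. Users with access to the sysadm_r
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)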
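--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
-
-For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
-commands and services on unconfined domains.
-
-Also add rules for users to run init scripts directly, instead of via
-run_init.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- config/appconfig-mcs/seusers | 4 ++--
- policy/modules/roles/sysadm.te | 1 +
- policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++-------
- policy/modules/system/unconfined.te | 7 ++++++
- policy/users | 16 +++++--------
- 5 files changed, 55 insertions(+), 20 deletions(-)
-
---- a/config/appconfig-mcs/seusers
-+++ b/config/appconfig-mcs/seusers
-@@ -1,2 +1,3 @@
--root:root:s0-mcs_systemhigh
--__default__:user_u:s0
-+root:unconfined_u:s0-mcs_systemhigh
-+__default__:unconfined_u:s0
-+
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -41,10 +41,11 @@ init_reload(sysadm_t)
- init_reboot_system(sysadm_t)
- init_shutdown_system(sysadm_t)
- init_start_generic_units(sysadm_t)
- init_stop_generic_units(sysadm_t)
- init_reload_generic_units(sysadm_t)
-+init_script_role_transition(sysadm_r)
-
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
- userdom_home_filetrans_user_home_dir(sysadm_t)
-
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type',
- ## </summary>
- ## </param>
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type rc_exec_t;
- ')
-
- domtrans_pattern($1, rc_exec_t, initrc_t)
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',`
- class service reload;
- ')
-
- allow $1 systemdunit:service reload;
- ')
-+
-+########################################
-+## <summary>
-+## Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute a init script in a specified role
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="source_role">
-+## <summary>
-+## Role to transition from.
-+## </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
-+
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
-
- type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
- role unconfined_r types unconfined_execmem_t;
-+role unconfined_r types unconfined_t;
-+role system_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
-
- ########################################
- #
- # Local policy
- #
-@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
- userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(unconfined_t, unconfined_r)
-+ init_domtrans_script(unconfined_t)
-+ init_script_role_transition(unconfined_r)
- ')
- ',`
- ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
---- a/policy/users
-+++ b/policy/users
-@@ -13,37 +13,33 @@
- # system_u is the user identity for system processes and objects.
- # There should be no corresponding Unix user identity for system,
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # user_u is a generic user identity for Linux users who have no
- # SELinux user identity defined. The modified daemons will use
- # this user identity in the security context if there is no matching
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
- gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- # Until order dependence is fixed for users:
- ifdef(`direct_sysadm_daemon',`
-- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
-- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ')
-
- #
- # The following users correspond to Unix identities.
- # These identities are typically assigned as the user attribute
- # when login starts the user shell. Users with access to the sysadm_r
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)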
222+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)