commit: 91b06086bea526e22411773d54c897ef06d85861 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Tue Nov 11 15:58:55 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Tue Nov 11 15:59:06 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91b06086
Add support for init_script_readable
---
 policy/modules/system/init.if | 18 ++++++++++++++++++
 policy/modules/system/init.te | 5 +++++
 2 files changed, 23 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b7793a..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1906,3 +1906,21 @@ interface(`init_relabelto_script_state',`
 relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
 relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
 ')
+
+#########################################
+## <summary>
+## Mark as a readable type for the initrc_t domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type that initrc_t needs read access to
+## </summary>
+## </param>
+#
+interface(`init_script_readable_type',`
+ gen_require(`
+ attribute init_script_readable;
+ ')
+
+ typeattribute $1 init_script_readable;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd2b0e4..cd3d18d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -935,12 +935,17 @@ optional_policy(`
 ')
 ifdef(`distro_gentoo',`
+ # Attribute to assign to types that the initrc_t domain needs read access to
+ attribute init_script_readable;
+
 #####################################
 #
 # Local initrc_t policy
 #
 allow initrc_t self:capability sys_admin;
+ read_files_pattern(initrc_t, init_script_readable, init_script_readable)
+
 manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
 files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
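Review bot: The new interface init_script_readable_type is defined unconditionally in init.if, but the attribute it requires is declared only inside the `ifdef(`distro_gentoo',` block in init.te (the second hunk), so a module calling this interface on a non-Gentoo build fails at `gen_require` with an unknown attribute. Either wrap the interface body in the same `ifdef(`distro_gentoo',` … `')` guard, or move `attribute init_script_readable;` out of the distro block so the interface is valid everywhere it is visible. The summary text is also vaguer than the grant it enables; since the attribute feeds `read_files_pattern(initrc_t, …)`, something like `## Allow the initrc_t domain to read files of the specified type` tells callers exactly what they are handing out. Other read-style interfaces in this file appear to carry an `## <infoflow type="read" weight="10"/>` line above the parameter block; adding one here keeps the documentation consistent — confirm against the neighbouring interfaces.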