commit: 91b06086bea526e22411773d54c897ef06d85861
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 15:58:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 15:59:06 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91b06086
Add support for init_script_readable
---
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 5 +++++
2 files changed, 23 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b7793a..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1906,3 +1906,21 @@ interface(`init_relabelto_script_state',`
relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
')
+
+#########################################
+## <summary>
+## Mark as a readable type for the initrc_t domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type that initrc_t needs read access to
+## </summary>
+## </param>
+#
+interface(`init_script_readable_type',`
+ gen_require(`
+ attribute init_script_readable;
+ ')
+
+ typeattribute $1 init_script_readable;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd2b0e4..cd3d18d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -935,12 +935,17 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
+ # Attribute to assign to types that the initrc_t domain needs read
access to
+ attribute init_script_readable;
+
#####################################
#
# Local initrc_t policy
#
allow initrc_t self:capability sys_admin;
+ read_files_pattern(initrc_t, init_script_readable, init_script_readable)
+
manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
