trunk: first part of init script labeling support.

Changelog

@@ -1,3 +1,4 @@
+- Init script file and domain support.
 - Glibc 2.7 fix from Vaclav Ovsik.
 - Samba/winbind update from Mike Edenfield.
 - Policy size optimization with a non-security file attribute from James

policy/modules/system/init.if

@@ -1,5 +1,72 @@
 ## <summary>System initialization programs (init and init scripts).</summary>
 
+########################################
+## <summary>
+##	Create a file type used for init scripts.
+## </summary>
+## <desc>
+##	<p>
+##	Create a file type used for init scripts.
+##	Can not be used in conjunction with
+##	init_script_domain().
+##	</p>
+## </desc>
+## <param name="script_file">
+##	<summary>
+##	Type of the script file used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_script_file',`
+	gen_require(`
+		type initrc_t;
+		attribute init_script_file_type, init_run_all_scripts_domain;
+	')
+
+	typeattribute $1 init_script_file_type;
+
+	domain_entry_file(initrc_t, $1)
+
+	domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
+')
+
+########################################
+## <summary>
+##	Create a domain used for init scripts.
+## </summary>
+## <desc>
+##	<p>
+##	Create a domain used for init scripts.
+##	Can not be used in conjunction with
+##	init_script_file().
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used as an init script domain.
+##	</summary>
+## </param>
+## <param name="script_file">
+##	<summary>
+##	Type of the script file used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_script_domain',`
+	gen_require(`
+		attribute init_script_domain_type, init_script_file_type;
+		attribute init_run_all_scripts_domain;
+	')
+
+	typeattribute $1 init_script_domain_type;
+	typeattribute $2 init_script_file_type;
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+')
+
 ########################################
 ## <summary>
 ##	Create a domain which can be started by init.
@@ -701,6 +768,25 @@ interface(`init_getattr_script_files',`
 	allow $1 initrc_exec_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_search_etc($1)
+	allow $1 initrc_exec_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute init scripts in the caller domain.
@@ -720,6 +806,63 @@ interface(`init_exec_script_files',`
 	can_exec($1,initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Get the attribute of all init script entrypoint files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	files_list_etc($1)
+	allow $1 init_script_file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Read all init script files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	files_search_etc($1)
+	allow $1 init_script_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute all init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_exec_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	files_list_etc($1)
+	can_exec($1, init_script_file_type)
+')
+
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of the init scripts.
@@ -1028,25 +1171,6 @@ interface(`init_dontaudit_use_script_ptys',`
 	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
 ')
 
-########################################
-## <summary>
-##	Read init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_read_script_files',`
-	gen_require(`
-		type initrc_exec_t;
-	')
-
-	files_search_etc($1)
-	allow $1 initrc_exec_t:file read_file_perms;
-')
-
 ########################################
 ## <summary>
 ##	Get the attributes of init script

policy/modules/system/init.te

@@ -23,6 +23,10 @@ attribute direct_run_init;
 attribute direct_init;
 attribute direct_init_entry;
 
+attribute init_script_domain_type;
+attribute init_script_file_type;
+attribute init_run_all_scripts_domain;
+
 # Mark process types as daemons
 attribute daemon;
 
@@ -51,8 +55,8 @@ type initctl_t;
 files_type(initctl_t)
 mls_trusted_object(initctl_t)
 
-type initrc_t;
+type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
-type initrc_exec_t;
+type initrc_exec_t, init_script_file_type;
 domain_type(initrc_t)
 domain_entry_file(initrc_t,initrc_exec_t)
 role system_r types initrc_t;
@@ -217,7 +221,9 @@ term_create_pty(initrc_t,initrc_devpts_t)
 # Going to single user mode
 init_exec(initrc_t)
 
-can_exec(initrc_t,initrc_exec_t)
+can_exec(initrc_t, init_script_file_type)
+
+domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
 
 manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
 manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)