implement direct_sysadm_daemon

refpolicy/policy/modules/services/mta.if

@@ -147,16 +147,39 @@ interface(`mta_mailserver',`
 	typeattribute $1 mailserver_domain;
 ')
 
-#######################################
-#
-# mta_sendmail_mailserver(domain,entrypointtype)
-#
+########################################
+## <summary>
+##	Modified mailserver interface for
+##	sendmail daemon use.
+## </summary>
+## <desc>
+##	<p>
+##	A modified MTA mail server interface for
+##	the sendmail program.  It's design does
+##	not fit well with policy, and using the
+##	regular interface causes a type_transition
+##	conflict if direct running of init scripts
+##	is enabled.
+##	</p>
+##	<p>
+##	This interface should most likely only be used
+##	by the sendmail policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type to be used for the mail server.
+## </param>
+## <param name="entry_point">
+##	The type to be used for the domain entry point program.
+## </param>
 interface(`mta_sendmail_mailserver',`
 	gen_require(`
+		attribute mailserver_domain;
 		type sendmail_exec_t;
 	')
 
-	mta_mailserver($1,sendmail_exec_t)
+	init_system_domain($1,sendmail_exec_t)
+	typeattribute $1 mailserver_domain;
 ')
 
 #######################################

refpolicy/policy/modules/services/ssh.te

@@ -18,7 +18,7 @@ files_type(ssh_exec_t)
 
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
-init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
+init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
 role system_r types ssh_keygen_t;
 
 ssh_server_template(sshd)
@@ -207,6 +207,8 @@ allow ssh_keygen_t proc_t:lnk_file read;
 userdom_use_sysadm_tty(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)
 
+# cjp: with the old daemon_(base_)domain being broken up into
+# a daemon and system interface, this probably is not needed:
 ifdef(`direct_sysadm_daemon',`
 	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
 ')

refpolicy/policy/modules/system/authlogin.te

@@ -190,6 +190,8 @@ seutil_read_file_contexts(pam_console_t)
 
 userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
 
+# cjp: with the old daemon_(base_)domain being broken up into
+# a daemon and system interface, this probably is not needed:
 ifdef(`direct_sysadm_daemon', `
 	userdom_dontaudit_use_sysadm_terms(pam_console_t)
 ')

refpolicy/policy/modules/system/init.if

@@ -1,8 +1,15 @@
 ## <summary>System initialization programs (init and init scripts).</summary>
 
 ########################################
-#
-# init_domain(domain,entrypointfile)
+## <summary>
+##	Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+##	Type to be used as a domain.
+## </param>
+## <param name="entry_point">
+##	Type of the program to be used as an entry point to this domain.
+## </param>
 #
 interface(`init_domain',`
 	gen_require(`
@@ -34,16 +41,25 @@ interface(`init_domain',`
 ')
 
 ########################################
-#
-# init_daemon_domain(domain,entrypointfile)
+## <summary>
+##	Create a domain for long running processes
+##	(daemons) which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	Type to be used as a domain.
+## </param>
+## <param name="entry_point">
+##	Type of the program to be used as an entry point to this domain.
+## </param>
 #
 interface(`init_daemon_domain',`
 	gen_require(`
+		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
 		role system_r;
 		class fifo_file rw_file_perms;
 		class fd use;
-		class process sigchld;
+		class process { noatsecure siginh rlimitinh sigchld };
 	')
 
 	domain_type($1)
@@ -54,10 +70,24 @@ interface(`init_daemon_domain',`
 	domain_auto_trans(initrc_t,$2,$1)
 
 	allow initrc_t $1:fd use;
+	allow initrc_t $1:process { noatsecure siginh rlimitinh };
 	allow $1 initrc_t:fd use;
 	allow $1 initrc_t:fifo_file rw_file_perms;
 	allow $1 initrc_t:process sigchld;
 
+	ifdef(`direct_sysadm_daemon',`
+		domain_auto_trans(direct_run_init,$2,$1)
+
+		allow direct_run_init $1:fd use;
+		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+		allow $1 direct_run_init:fd use;
+		allow $1 direct_run_init:fifo_file rw_file_perms;
+		allow $1 direct_run_init:process sigchld;
+
+		typeattribute $1 direct_init;
+		typeattribute $2 direct_init_entry;
+	')
+
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
 	optional_policy(`distro_redhat',`
@@ -67,8 +97,16 @@ interface(`init_daemon_domain',`
 ')
 
 ########################################
-#
-# init_system_domain(domain,entrypointfile)
+## <summary>
+##	Create a domain for short running processes
+##	which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	Type to be used as a domain.
+## </param>
+## <param name="entry_point">
+##	Type of the program to be used as an entry point to this domain.
+## </param>
 #
 interface(`init_system_domain',`
 	gen_require(`
@@ -259,6 +297,32 @@ interface(`init_domtrans_script',`
 	allow initrc_t $1:process sigchld;
 ')
 
+########################################
+## <desc>
+##	Start and stop daemon programs directly.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be performing this action.
+## </param>
+## <param name="terminal">
+##	The type of the terminal of the user.
+## </param>
+#
+interface(`init_run_daemon',`
+	gen_require(`
+		attribute direct_run_init, direct_init, direct_init_entry;
+		role system_r;
+		class chr_file rw_file_perms;
+	')
+
+	typeattribute $1 direct_run_init;
+	role_transition $2 direct_init_entry system_r;
+	dontaudit direct_init $3:chr_file rw_file_perms;
+')
+
 ########################################
 #
 # init_exec_script(domain)

refpolicy/policy/modules/system/init.te

@@ -6,6 +6,12 @@ policy_module(init,1.0)
 # Declarations
 #
 
+# used for direct running of init scripts
+# by admin domains
+attribute direct_run_init;
+attribute direct_init;
+attribute direct_init_entry;
+
 #
 # init_t is the domain of the init process.
 #

refpolicy/policy/modules/system/logging.te

@@ -82,9 +82,7 @@ libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(auditd_t)
-# cjp: this is questionable.  it should probably
-# be a userdom_dontaudit_use_sysadm_terms(auditd_t)
-# in a direct_sysadm_daemon tunable
+# cjp: this is questionable
 userdom_use_sysadm_tty(auditd_t)
 
 ifdef(`targeted_policy', `
@@ -248,10 +246,6 @@ ifdef(`klogd.te', `', `
 	kernel_change_ring_buffer_level(syslogd_t)
 ')
 
-ifdef(`direct_sysadm_daemon',`
-	userdom_dontaudit_use_sysadm_terms(syslogd_t)
-')
-
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(syslogd_t)
 	term_dontaudit_use_generic_pty(syslogd_t)

refpolicy/policy/modules/system/userdomain.te

@@ -100,6 +100,12 @@ ifdef(`targeted_policy',`
 	allow sysadm_t user_home_dir_t:dir create_dir_perms;
 	files_create_home_dirs(sysadm_t,user_home_dir_t)
 
+	ifdef(`direct_sysadm_daemon',`
+		optional_policy(`init.te',`
+			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
+		')
+	')
+
 	optional_policy(`bootloader.te',`
 		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
 	')

refpolicy/policy/users

@@ -38,7 +38,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
-gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+	gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
 ',`
-gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
+	ifdef(`direct_sysadm_daemon',`
+		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127)
+',`
+		gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
+	')
 ')