Signed-off-by: Alexander Miroshnichenko <alex@xxxxxxxxxxxxxx>
---
 policy/modules/admin/shutdown.fc | 2 ++
 policy/modules/admin/shutdown.te | 2 ++
 policy/modules/system/init.fc | 2 ++
 policy/modules/system/init.if | 18 ++++++++++++++++++
 policy/modules/system/init.te | 2 ++
 5 files changed, 26 insertions(+)
diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
index 03a2230c6766..9d2e1b8acff2 100644
--- a/policy/modules/admin/shutdown.fc
+++ b/policy/modules/admin/shutdown.fc
@@ -4,6 +4,8 @@
 /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/sbin/openrc-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
 /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
 /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index 2168d03fcf63..c504fadb6dc9 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -52,6 +52,8 @@ auth_use_nsswitch(shutdown_t)
 auth_write_login_records(shutdown_t)
 init_rw_utmp(shutdown_t)
+# Search for init.ctl in /run/openrc by openrc-shutdown
+init_search_state_data(shutdown_t)
 init_stream_connect(shutdown_t)
 init_telinit(shutdown_t)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 11a6ce93a040..48c78b8c6241 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -41,6 +41,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/openrc-init -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
 ifdef(`distro_gentoo', `
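Review bot: `init_search_state_data(shutdown_t)` grants only `search` on `initrc_state_t` directories, so reaching `/run/openrc/init.ctl` still depends on shutdown_t being able to traverse `/run` and to read/write the `initctl_t` fifo; I would expect `init_telinit(shutdown_t)` two lines below to supply the fifo access, but that interface body is not visible here, so confirm openrc-shutdown completes without denials in enforcing mode rather than relying on the comment alone. The permission is added unconditionally even though it is only needed by openrc-shutdown; that matches how the rest of this patch treats OpenRC, but the comment could say so explicitly, e.g. `# openrc-shutdown only: search /run/openrc (initrc_state_t) for init.ctl`.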
@@ -60,6 +61,7 @@ ifdef(`distro_redhat',`
 /run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
 /run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/openrc/init.ctl -p gen_context(system_u:object_r:initctl_t,s0)
 /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2415bb771080..2a7262b325a6 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1870,6 +1870,24 @@ interface(`init_startstop_all_script_services',`
 allow $1 init_script_file_type:service { start status stop };
 ')
+########################################
+## <summary>
+## Search in a initrc_state_t directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_state_data',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ allow $1 initrc_state_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ## Read the process state (/proc/pid) of init.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f4d27bff3ea2..cb0f5f03d946 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -146,6 +146,8 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 files_pid_filetrans(init_t, initctl_t, fifo_file)
+# Allow openrc-init to create /run/openrc/init.ctl pipe.
+filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl" )
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
-- 
2.21.0
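Review bot: The new `/run/openrc/init.ctl` file-context entry leaves the dot unescaped, while the neighbouring entries in the same hunk (`/run/kerneloops\.pid`, `/run/runlevel\.dir`) escape it; file-context paths are regular expressions, so an unescaped `.` matches any character, and the line should read `/run/openrc/init\.ctl -p gen_context(system_u:object_r:initctl_t,s0)`. The chosen type agrees with the named `initctl_t` transition this patch adds in init.te, so a relabel and the runtime type_transition produce the same label. The hunk header names `ifdef(`distro_redhat',`` as the nearest preceding line; if the new entry sits inside that conditional it would never apply on an OpenRC system, which is worth confirming against the surrounding file since that context is outside the hunk.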
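Review bot: The summary of the new `init_search_state_data` interface reads `Search in a initrc_state_t directory.`, which has a grammar slip ("a" before a vowel) and, placed directly above `init_read_state` (`Read the process state (/proc/pid) of init.`), invites confusion between init's /proc state and the OpenRC state directory; suggest `Search directories of type initrc_state_t (init state data, used for /run/openrc in this patch).` so the two are easy to tell apart. The body grants `search_dir_perms` only, which is the minimal scope needed to locate the control fifo and is the right choice. The interface does not itself grant traversal of `/run`; callers that need to reach `/run/openrc` must obtain that elsewhere, and a short note saying so in the summary would save the next caller an audit round.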
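Review bot: `filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl" )` has a stray space before the closing parenthesis; the file writes call arguments flush, so it should be `filetrans_add_pattern(init_t, initrc_state_t, initctl_t, fifo_file, "init.ctl")`. Restricting the transition to the `init.ctl` name is the right call: unlike the unnamed `files_pid_filetrans(init_t, initctl_t, fifo_file)` on the context line above, any other fifo init_t creates under an `initrc_state_t` directory keeps the directory's type instead of silently becoming `initctl_t`. The line relies on `initrc_state_t` being declared earlier in init.te, which is outside this hunk; the `gen_require` in the new init.if interface suggests it is, but verify the declaration exists before merging.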