From 62082b40c134c87d7a54d07551b8d3dee65cbae9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 9 Feb 2023 17:37:08 +0100
Subject: [PATCH] Allow sysadm_t run initrc_t script and sysadm_r role access

The init_run_script() interface was added.

Addresses the following SELINUX_ERR denials:

type=PROCTITLE msg=audit(05/05/2022 05:11:51.666:421) : proctitle=/bin/sh /etc/init.d/foo status
type=SYSCALL msg=audit(05/05/2022 05:11:51.666:421) : arch=x86_64 syscall=socket success=yes exit=4 a0=local a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=22124 pid=22131 auid=sysadm-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:initrc_t:s0 key=(null)
type=SELINUX_ERR msg=audit(05/05/2022 05:11:51.666:421) : op=security_compute_sid invalid_context=sysadm_u:system_r:initrc_t:s0 scontext=sysadm_u:system_r:initrc_t:s0 tcontext=sysadm_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SELINUX_ERR msg=audit(05/05/2022 05:11:51.666:421) : op=security_compute_sid invalid_context=sysadm_u:system_r:initrc_t:s0 scontext=sysadm_u:system_r:initrc_t:s0 tcontext=sysadm_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Resolves: rhbz#2039662
---
 policy/modules/roles/sysadm.te |  2 +-
 policy/modules/system/init.if  | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 039cc7cb77..94c1749213 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -90,7 +90,7 @@ init_halt(sysadm_t)
 init_undefined(sysadm_t)
 init_ioctl_stream_sockets(sysadm_t)
 init_prog_run_bpf(sysadm_t)
-init_domtrans_script(sysadm_t)
+init_run_script(sysadm_t, sysadm_r)
 
 logging_filetrans_named_content(sysadm_t)
 logging_map_audit_config(sysadm_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index afcb34c2fa..b4ffbec63d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1185,6 +1185,32 @@ interface(`init_domtrans_script',`
 	')
 ')
 
+########################################
+## <summary>
+##	Execute init scripts with a domain transition
+##	and allow the specified role the init script type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_run_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	init_domtrans_script($1)
+	role $2 types initrc_t;
+')
+
 ########################################
 ## <summary>
 ##	Execute a file in a bin directory