From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux policy and openrc
Date: Sat, 14 May 2011 23:41:53 +0200 [thread overview]
Message-ID: <20110514214153.GA26927@siphos.be> (raw)
In-Reply-To: <4DCEB50A.8080707@giz-works.com>
On Sat, May 14, 2011 at 11:59:54AM -0500, Chris Richards wrote:
> Just posting this so that others will know about it. We determined that
> /lib64/rc/init.d needs to be relabeled to initrc_state_t on the file
> system using the same relabel that we do for /dev. I believe the manual
> is being updated to add this information. In addition, a rule has to be
> added to init.fc and init.te to relabel this directory
> (/lib64/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
> or something similar), as well as add the mounton privilege using
> files_mountpoint(initrc_state_t). Once that is done, there is no longer
> a need for the fstab stuff.
Still not there yet.
One major pita is that the various management scripts (rc-update &
rc-status) are now wrappers over /sbin/rc. As a result, when you execute the
scripts, they are all transitioning to the run_init_t domain.
As a result, we have to add several permissions to run_init_t which
were previously managed by sysadm_t. For instance, rc-update needs write
privileges in /etc/runlevels (etc_t). Changing the type isn't that easy,
because the files are also used (read) by various other domains, which would
then also need to be patched, and all that just for Gentoo.
The moment I notice that I'm deviating too much from things because of a
single reason (having wrappers over /sbin/rc) I tend to look for other
answers. I have a few ones up my sleeve, but need to test them out :-(
Wkr,
Sven Vermeulen
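To make the two labelling facts in this thread concrete (the proposed initrc_state_t file-context rule for /lib64/rc/init.d, and /etc/runlevels falling under etc_t), here is a small added example, not code from the thread or from the Gentoo policy, that parses refpolicy-style .fc lines and resolves paths to the most specific matching context. The /etc rule is assumed for contrast; the specificity ordering is a simplified approximation of libselinux matchpathcon behaviour.

```python
import re

# Constructed .fc excerpt in refpolicy syntax. The /lib64/rc/init.d rule is
# the one proposed in the thread; the /etc rule is assumed for contrast and
# stands in for the real etc_t labelling (not taken from the message).
FC_RULES = r"""
/etc(/.*)?                 gen_context(system_u:object_r:etc_t,s0)
/lib64/rc/init\.d(/.*)?    gen_context(system_u:object_r:initrc_state_t,s0)
"""

_GEN_CTX = re.compile(r"gen_context\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)")
_META = set(".^$?*+|[](){}\\")


def _stem(path_re):
    """Literal prefix of a regex up to its first unescaped metacharacter."""
    out, i = [], 0
    while i < len(path_re):
        ch = path_re[i]
        if ch == "\\" and i + 1 < len(path_re):
            out.append(path_re[i + 1])  # an escaped char is literal
            i += 2
            continue
        if ch in _META:
            break
        out.append(ch)
        i += 1
    return "".join(out)


def parse_fc(text):
    """Return [(compiled_regex, stem, context_or_None)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        path_re, rest = fields[0], fields[1:]
        if rest and rest[0].startswith("-"):  # optional file-type field ("--", "-d", ...)
            rest = rest[1:]
        ctx_field = " ".join(rest)
        m = _GEN_CTX.search(ctx_field)
        ctx = None if ctx_field == "<<none>>" or not m else f"{m.group(1)}:{m.group(2)}"
        rules.append((re.compile(path_re), _stem(path_re), ctx))
    return rules


def context_for(path, rules):
    """Most specific match: longest literal stem wins, later rule wins ties.

    Approximates matchpathcon ordering; ignores file-type fields and MLS ranges.
    """
    best = None
    for regex, stem, ctx in rules:
        if regex.fullmatch(path) and (best is None or len(stem) >= len(best[0])):
            best = (stem, ctx)
    return None if best is None else best[1]


RULES = parse_fc(FC_RULES)
```

Resolving /lib64/rc/init.d/started/sshd yields initrc_state_t, while /etc/runlevels/default still resolves to etc_t, which is exactly why rc-update running in run_init_t needs write access to etc_t as described above.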