Re: [gentoo-hardened] SELinux policy and openrc

[Sven Vermeulen <sven.vermeulen@siphos.be>]

On Sat, May 14, 2011 at 11:59:54AM -0500, Chris Richards wrote:
> Just posting this so that others will know about it.  We determined that 
> /lib64/rc/init.d needs to be relabled to initrc_state_t on the file 
> system using the same relabel that we do for /dev.  I believe the manual 
> is being updated to add this information.  In addition, a rule has to be 
> added to init.fc and init.te to relabel this directory ( 
> /lib64/rc/init\.d((/.*)? gen_context(system_u:object_r:initrc_state_t, 
> s0) (or something similar), as well as add the mounton privilege using 
> files_mountpoint(initrc_state_t).  Once that is done, there is no longer 
> a need for the fstab stuff.

I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git
overlay. It does not resolve all problems, but at least Gentoo Hardened with
SELinux now boots up properly with OpenRC (and the Gentoo SELinux handbook
has been updated with that what Chris R. said).

But there is still some work ahead.
- rc-update currently *does* *not* *work*. Not good. I know. 
  The problem is that rc-update (bin_t) calls /sbin/rc (initrc_exec_t) so
  transitions to run_init_t which does not have the rights to write in
  /etc/runlevels (etc_t). Calling rc-update with run_init doesn't help
  either (transitions to initrc_t which also has no rights to write to
  etc_t)
- rc-service works
- rc-status works if you use "run_init rc-status". Allowing rc-status to
  work without run_init is possible as well (-r15 offers the
  gentoo_init_manage_script_status_files interface for this which we can
  apply to run_init_t, but you'll also need to add in a
  term_use_unallocated_ttys(run_init_t)) but I left it out as I find it to
  be an ugly situation then
- rc works if you use "run_init rc". 

Now, this mixed usage of "with run_init" and "without run_init" is a pain,
especially as Gentoo tried hard not to require run_init in the first place
(well, it uses it, but in the background). This can be fixed by using
run_init in the wrappers where needed, but that requires an update on
openrc. Yet this still looks to me like the sanest approach. 

Some methods can be used to work around this, like labelling the wrappers so
that they transition before /sbin/rc is called, but that looks like an ugly
situation too to me.

To fix the rc-update issue, we need to be able to run /sbin/rc without
transitioning. I'm thinking about having a copy of /sbin/rc to
/lib64/rc/sbin and have the rc-update wrapper point to that one. I can then
also do the same for rc-status (no need for run_init then, sysadm_t has the
same privileges). It seems to work fairly well on my systems, but that's
again another change just for SELinux-enabled Gentoo systems :-(

Chris R.: in https://bugs.gentoo.org/351712 the use of the wrappers was
suggested instead of symlinks (which would've caused the same problems here
I think) just for the reason that I'm writing out now. How did you resolve
the problem on your system?

Wkr,
	Sven Vermeulen