From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Date: Sun, 21 Aug 2011 10:06:46 +0000
Subject: Re: [gentoo-hardened] SELinux base policy r2 in hardened-dev overlay
Message-ID: <20110821100646.GA16371@gentoo.org>
References: <20110819205148.GA29497@gentoo.org>

On Sat, Aug 20, 2011 at 08:08:41PM -0500, Chris Richards wrote:
> > Yet we will eventually need to support this, because otherwise we need to
> > "open" the privileges on initrc_t towards all potential services. Not only
> > does that require lots of work, it also brings in patches in our policy that
> > upstream will never accept (and they're right not to accept it).
>
> Ok, I buy the argument. Is this a shortcoming in the old bash init, or is
> this a shortcoming in OpenRC?
>
> I'm starting to see a little more free time from my job and might be able
> to tackle some things starting in a couple of weeks.

I'm not sure. A quick check reveals that there is no such thing as
domain-specific initrc_t subdomains. It seems that the subdomains are there
to allow roles within SELinux to handle init scripts of one daemon but not
the other (for instance, create an ldapadm_r which has ldap_admin() and as
such is allowed to execute it properly, but doesn't have the same rights for
postfix).

Within Gentoo, we mark everything as initrc_exec_t, so the user needs just
"one" privilege to handle services for all domains. I'd like to "fix" that,
but still keep the integrated run_init support in place. That'll require
some more investigation here (since I don't understand how the integrated
run_init is done).

However, my initial assessment that we "otherwise" need to "open" up
initrc_t stays in place (we just don't have a choice here). That initrc_t is
a highly privileged domain is obvious from a first look at its .te file. So
it looks as if we just need to add the proper optional_policy statements
here.

BTW, glad to hear you're seeing some free time in the near future ;-)

Wkr,
	Sven Vermeulen
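As an added illustration of the per-daemon init script labelling discussed above (this is example policy written for this page, not code from the thread, from the Gentoo hardened-dev overlay, or from upstream reference policy), the following role module shows how an admin role is wired up with reference policy interfaces. The module name ldapadm_role and the role/domain names ldapadm_r/ldapadm_t are assumptions made for the example; ldap_admin(), postfix_admin(), userdom_base_user_template() and optional_policy() are existing reference policy constructs.

```selinux
policy_module(ldapadm_role, 1.0.0)

########################################
#
# Declarations
#

# Role and domain names are assumptions for this example.
role ldapadm_r;
userdom_base_user_template(ldapadm)

########################################
#
# Local policy
#

# ldap_admin() (ldap.if) lets ldapadm_t manage slapd and adds a
# "role_transition ldapadm_r slapd_initrc_exec_t system_r" rule, so the
# slapd init script is only runnable from this role when it carries the
# per-daemon label slapd_initrc_exec_t. If the script is labelled with the
# generic initrc_exec_t instead, the transition never matches and the role
# cannot start or stop slapd.
optional_policy(`
	ldap_admin(ldapadm_t, ldapadm_r)
')

# Deliberately no postfix_admin(): this role gets no transition through
# postfix_initrc_exec_t, which is exactly the separation that per-daemon
# init script labels make possible.
```

The practical check on a Gentoo box is `ls -Z /etc/init.d/slapd`: as long as that file is labelled initrc_exec_t rather than slapd_initrc_exec_t, the ldap_admin() transition above is dead policy, and the only way to let any role manage the service is the broad initrc_t access that the message argues upstream will not accept.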