From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1QvWHH-0001Sg-AT for garchives@archives.gentoo.org; Mon, 22 Aug 2011 15:19:03 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E0AEA21C299; Mon, 22 Aug 2011 15:18:48 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id CC36B21C201 for ; Mon, 22 Aug 2011 15:18:16 +0000 (UTC)
Received: by smtp.gentoo.org (Postfix, from userid 617) id 56F431B401C; Mon, 22 Aug 2011 15:18:16 +0000 (UTC)
Date: Mon, 22 Aug 2011 15:18:16 +0000
From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux base policy r2 in hardened-dev overlay
Message-ID: <20110822151816.GA23404@gentoo.org>
Mail-Followup-To: gentoo-hardened@lists.gentoo.org
References: <20110819205148.GA29497@gentoo.org> <20110821100646.GA16371@gentoo.org> <201108211339.15280.mail@smogura.eu> <20110821141808.GA22005@gentoo.org> <4E519275.8090003@kutulu.org>
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
In-Reply-To: <4E519275.8090003@kutulu.org>
User-Agent: Mutt/1.5.16 (2007-06-09)
X-Archives-Salt:
X-Archives-Hash: 358afd2968a8d91803b14a3e88009990

On Sun, Aug 21, 2011 at 07:19:17PM -0400, Mike Edenfield wrote:
>> The solution to support_initrc_exec_t must be a policy-based one
>> afaik. I don't think it'll be too difficult to find (the places within
>> refpolicy that are offering interfaces just for Gentoo's integrated
>> run_init
>> are documented), it'll just take some time to get it in proper shape.
>
> Is there a specific reason that the domain-specific initrc support cannot
> be made part of run_init? Instead of reading a single default context from
> initrc_context, you could instead label, for ex. the init script itself,
> and have run_init use that instead?

The run_init application is merely a tool to support transitions across roles as well. Its behavior can well be defined by the SELinux policy itself.

What you are suggesting (label init script) is exactly what I was talking about: instead of having the init scripts labeled initrc_exec_t, they should be labeled like slapd_initrc_exec_t, postfix_initrc_exec_t, ... and Gentoo's integrated run_init support, which by the policy is currently only working on initrc_exec_t, should support those too.

Since the policy defines an attribute called init_script_file_type, I hope to update the Gentoo-specific privileges towards this attribute rather than to initrc_exec_t so that the current behavior (sysadm_r can call init scripts directly) is retained.

Then the second approach is to update - I think - the init_script_file interface to support the Gentoo integrated run_init as well. But that's something to test and find out.

Wkr,
	Sven Vermeulen
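An added example, not from this thread and not code from the Gentoo hardened project: a small POSIX shell audit helper that classifies the SELinux type carried by each init script as the generic initrc_exec_t, a domain-specific <domain>_initrc_exec_t (slapd_initrc_exec_t, postfix_initrc_exec_t, ...), or something else entirely. An administrator following the relabeling Sven describes can use it to see which scripts would still depend on the generic label once run_init support is keyed on the init_script_file_type attribute. The `ls -Z`-style input lines are constructed sample data and the function names are my own; the optional `--live` mode only assumes a coreutils `ls -Z` that prints the context before the path.

```shell
#!/bin/sh
# Audit helper (added example, not from the mailing-list thread).
# Classifies init-script labels so the scripts still relying on the
# generic initrc_exec_t label are easy to spot after a relabel.

# Extract the type field from a full context such as
# system_u:object_r:slapd_initrc_exec_t:s0 -> slapd_initrc_exec_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one SELinux type; prints "generic", "specific" or "other".
classify_initrc_type() {
    case "$1" in
        initrc_exec_t)   echo generic ;;   # the label run_init handles today
        *_initrc_exec_t) echo specific ;;  # domain-specific init script type
        *)               echo other ;;     # not an init script label at all
    esac
}

# Read "<context> <path>" lines (the shape of `ls -Z file`) and print
# "<class> <path>" for each one.
audit_initrc_labels() {
    while read -r ctx path; do
        [ -z "$ctx" ] && continue
        printf '%s %s\n' "$(classify_initrc_type "$(context_type "$ctx")")" "$path"
    done
}

# Constructed sample resembling `ls -Z /etc/init.d/*` on an SELinux-enabled
# Gentoo host; these are not real labels captured from any system.
SAMPLE='system_u:object_r:slapd_initrc_exec_t:s0 /etc/init.d/slapd
system_u:object_r:postfix_initrc_exec_t:s0 /etc/init.d/postfix
system_u:object_r:initrc_exec_t:s0 /etc/init.d/local
system_u:object_r:bin_t:s0 /etc/init.d/functions.sh'

# Number of sample scripts still carrying the generic label.
count_generic() {
    printf '%s\n' "$SAMPLE" | audit_initrc_labels | grep -c '^generic '
}

if [ "${1:-}" = "--live" ]; then
    # Assumption: coreutils `ls -Z` prints "<context> <path>" per file.
    ls -Z /etc/init.d/* 2>/dev/null | audit_initrc_labels
else
    printf '%s\n' "$SAMPLE" | audit_initrc_labels
fi
```

Run it with no arguments to see the classification of the embedded sample, or with `--live` on an SELinux host to audit /etc/init.d directly; every line reported as "generic" is a script whose start-up still goes through the initrc_exec_t path rather than a per-domain type.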