Date: Sat, 20 Aug 2011 20:08:41 -0500
In-Reply-To: <20110819205148.GA29497@gentoo.org>
Subject: Re: [gentoo-hardened] SELinux base policy r2 in hardened-dev overlay
From: "Chris Richards"
To: gentoo-hardened@lists.gentoo.org

> Okay, but what is this "in-depth" change that I was talking about? Well,
> SELinux policies support labeled init scripts. For instance,
> "slapd_initrc_exec_t", which allows the init script to run in an init script
> domain specific for slapd (slapd_initrc_t). This allows for slapd-specific
> allow statements (for instance PID file management) from within the init
> script.
>
> All fine, but Gentoo doesn't use that. We run all our scripts in initrc_t
> instead. Why? Because we support "integrated run_init support", which allows
> our users to just call "/etc/init.d/slapd start" instead of "run_init
> /etc/init.d/slapd start". But this integrated run_init support automatically
> transitions all scripts to initrc_t (and not slapd_initrc_t). And changing
> this to support the named init scripts isn't straightforward (well, I hope
> I eventually find a straightforward method, but until now I didn't
> succeed).
>
> Yet we will eventually need to support this, because otherwise we need to
> "open" the privileges on initrc_t towards all potential services. Not only
> does that require lots of work, it also brings in patches in our policy that
> upstream will never accept (and they're right not to accept it).

Ok, I buy the argument. Is this a shortcoming in the old bash init, or is
this a shortcoming in OpenRC?

I'm starting to see a little more free time from my job and might be able
to tackle some things starting in a couple of weeks.

Gizmo
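The labeled-init-script mechanism the quoted message describes, written out as a minimal policy module. This is an added illustration, not code from the thread, the hardened-dev overlay or the reference policy: it uses raw SELinux policy statements instead of the refpolicy interfaces a real module would use, and it assumes the types slapd_initrc_exec_t and slapd_initrc_t named in the message plus the refpolicy types initrc_t and slapd_var_run_t. The point it shows is the one being argued: once the init script is labeled slapd_initrc_exec_t and a transition to slapd_initrc_t exists, the PID-file permissions can be granted to that narrow domain instead of being "opened" on initrc_t for every service.

```selinux
# Added example (not from the thread): a per-service init script domain.
module slapd_initrc_example 1.0;

require {
    type initrc_t;           # generic init script domain (refpolicy)
    type slapd_var_run_t;    # slapd PID file type (refpolicy)
    attribute domain;
    attribute file_type;
    class file { read getattr open execute entrypoint create write unlink };
    class process transition;
    class dir { search write add_name remove_name };
}

# Types named in the message: the script's file label and its domain.
type slapd_initrc_exec_t;
typeattribute slapd_initrc_exec_t file_type;
type slapd_initrc_t;
typeattribute slapd_initrc_t domain;

# The labeled script is the only entry point into the slapd script domain.
allow slapd_initrc_t slapd_initrc_exec_t:file { entrypoint read getattr open execute };

# When initrc_t executes a slapd_initrc_exec_t file, switch to slapd_initrc_t
# rather than staying in initrc_t (which is what integrated run_init does today).
allow initrc_t slapd_initrc_exec_t:file { read getattr open execute };
allow initrc_t slapd_initrc_t:process transition;
type_transition initrc_t slapd_initrc_exec_t:process slapd_initrc_t;

# The slapd-specific privilege the message mentions: PID file management,
# granted to slapd_initrc_t only, not to initrc_t.
allow slapd_initrc_t slapd_var_run_t:dir { search write add_name remove_name };
allow slapd_initrc_t slapd_var_run_t:file { create read getattr open write unlink };
```

On a system where such a module is loaded and /etc/init.d/slapd is relabeled to slapd_initrc_exec_t, running the script through run_init would show the script's processes in slapd_initrc_t in ps -eZ; under Gentoo's integrated run_init as described above they stay in initrc_t, which is exactly why the narrow allow rules at the end cannot yet be used and the equivalent permissions would have to be granted to initrc_t itself. A real module would express the same rules through the reference policy's interfaces (for example marking the script type with init_script_file()) rather than the raw statements used here.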