Hi guys,

Back again with the spamming "SELinux base policy rev ## in hardened-dev"
mails, but now for the 2.20120215 policies.

Changes since rev 2:

<no bug> Allow sysadm to call qemu directly to launch virtual guests from commandline
<no bug> Allow su to get the security file system attributes, needed for su calls
#401857 Set /usr/share/GNUstep/Makefiles/*.sh (and mkinstalldirs) as bin_t to allow building gnustep-base
#403143 Add TCP 3128 as http_cache_port_t (default port for squid cache)
<no bug> Update usermanage/selinux util role attributes to include the proper types
<no bug> Allow mount to get the security file system attributes, needed for rootcontext mounts

There is still an issue that amade on #gentoo-hardened reported, that is
that our integrated run_init support in the init scripts is suddenly not
working anymore. I'm too tired to look at that right now, so that'll be for
tomorrow.

Point is, I *think* we need to have a role transition between run_init_t and
initrc_t, but it shouldn't be automated (SELinux supports automated role
transitions, but then we would switch roles the moment we touch /sbin/rc,
which is also the case when we run rc-config and the like, in many cases
where we need to remain in the current role).

Or, in the notation @@ = execute, --> = transition:

sysadm_r:sysadm_t @@ initrc_exec_t --> sysadm_r:run_init_t
                  @@ rc_exec_t     --> sysadm_r:run_init_t
                  @@ initrc_exec_t --> system_r:initrc_t

I think that's something openrc does (with its support for SELinux, through
/lib64/rc/runscript_selinux.so) or needs to do, but I have no clue how we do
all that.

Until then, you can use "run_init" to launch init scripts, like most (if not
all) other distributions work:

run_init /etc/init.d/apache start

or using rc-service:

run_init rc-service apache start

But as I said, I'll look at it more closely tomorrow. It's probably a change
I forgot to forward-port or so...

Wkr,
Sven Vermeulen