| 1 |
On Sat, May 14, 2011 at 11:59:54AM -0500, Chris Richards wrote: |
| 2 |
> Just posting this so that others will know about it. We determined that |
| 3 |
> /lib64/rc/init.d needs to be relabled to initrc_state_t on the file |
| 4 |
> system using the same relabel that we do for /dev. I believe the manual |
| 5 |
> is being updated to add this information. In addition, a rule has to be |
| 6 |
> added to init.fc and init.te to relabel this directory ( |
| 7 |
> /lib64/rc/init\.d((/.*)? gen_context(system_u:object_r:initrc_state_t, |
| 8 |
> s0) (or something similar), as well as add the mounton privilege using |
| 9 |
> files_mountpoint(initrc_state_t). Once that is done, there is no longer |
| 10 |
> a need for the fstab stuff. |
| 11 |
|
| 12 |
Still not there yet. |
| 13 |
|
| 14 |
One major pita is that the various management scripts (rc-update & |
| 15 |
rc-status) are now wrappers over /sbin/rc. As a result, when you execute the |
| 16 |
scripts, they are all transitioning to the run_init_t domain. |
| 17 |
|
| 18 |
As a result, we have to add several permissions to run_init_t which |
| 19 |
were previously managed by sysadm_t. For instance, rc-update needs write |
| 20 |
privileges in /etc/runlevels (etc_t). Changing the type isn't that easy, |
| 21 |
because the files are also used (read) by various other domains, which would |
| 22 |
then also need to be patched, and all that just for Gentoo. |
| 23 |
|
| 24 |
The moment I notice that I'm deviating too much from things because of a |
| 25 |
single reason (having wrappers over /sbin/rc) I tend to look for other |
| 26 |
answers. I have a few ones up my sleeve, but need to test them out :-( |
| 27 |
|
| 28 |
Wkr, |
| 29 |
Sven Vermeulen |
Archives