| 1 |
On Sun, May 15, 2011 at 12:25:32AM +0200, Sven Vermeulen wrote: |
| 2 |
> I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git |
| 3 |
> overlay. It does not resolve all problems, but at least Gentoo Hardened with |
| 4 |
> SELinux now boots up properly with OpenRC (and the Gentoo SELinux handbook |
| 5 |
> has been updated with that what Chris R. said). |
| 6 |
|
| 7 |
Small update. I'm going to push out -r16 after the regression tests finish. |
| 8 |
|
| 9 |
> But there is still some work ahead. |
| 10 |
> - rc-update currently *does* *not* *work*. Not good. I know. |
| 11 |
> The problem is that rc-update (bin_t) calls /sbin/rc (initrc_exec_t) so |
| 12 |
> transitions to run_init_t which does not have the rights to write in |
| 13 |
> /etc/runlevels (etc_t). Calling rc-update with run_init doesn't help |
| 14 |
> either (transitions to initrc_t which also has no rights to write to |
| 15 |
> etc_t) |
| 16 |
|
| 17 |
This is fixed; from -r16, my proposal would be to use an intermediate domain |
| 18 |
(sysadm_initrc_notrans_t) which, when executing an initrc_exec_t file (like |
| 19 |
/sbin/rc) transitions back to sysadm_t. |
| 20 |
|
| 21 |
The intermediate domain can be entered through an initrc_notrans_exec_t |
| 22 |
file. |
| 23 |
|
| 24 |
> - rc-status works if you use "run_init rc-status". Allowing rc-status to |
| 25 |
> work without run_init is possible as well (-r15 offers the |
| 26 |
> gentoo_init_manage_script_status_files interface for this which we can |
| 27 |
> apply to run_init_t, but you'll also need to add in a |
| 28 |
> term_use_unallocated_ttys(run_init_t)) but I left it out as I find it to |
| 29 |
> be an ugly situation then |
| 30 |
|
| 31 |
This is fixed as well using the same method. |
| 32 |
|
| 33 |
When installing -r16, you want to relabel the /sbin/rc-* and /bin/rc-* files |
| 34 |
to make use of this though. |
| 35 |
|
| 36 |
Wkr, |
| 37 |
Sven Vermeulen |
Archives