| 1 |
On Sat, Jan 25, 2014 at 08:48:25PM +0100, Luis Ressel wrote: |
| 2 |
> This patch makes run_init unneccessary for "normal" init scripts (those |
| 3 |
> labeled initrc_exec_t). However, it's still neccessary for scripts with |
| 4 |
> custom types, such as iptables. |
| 5 |
> |
| 6 |
> Looking at the openrc code clearly shows that rc-service doesn't make |
| 7 |
> any attempt to transition to the correct domain (initrc_t) beforce |
| 8 |
> execv()'ing the script. |
| 9 |
> |
| 10 |
> Are there any plans to change this? |
| 11 |
|
| 12 |
OpenRC doesn't do much SELinux specific here, beyond calling the run_init |
| 13 |
code. There are no plans (from me) currently to update the behavior to also |
| 14 |
support the other, named init scripts as this should be handled by the |
| 15 |
policy. |
| 16 |
|
| 17 |
When a named script exists, there usually is an interface for that domain as |
| 18 |
well that allows the given role/type to execute the script and have it |
| 19 |
transition to the right domain and role. |
| 20 |
|
| 21 |
For instance, for postgresql_initrc_exec_t, you have postgresql_admin(). If |
| 22 |
you assign this to, say, sysadm_t/sysadm_r, then the regular system |
| 23 |
administrator on the system can handle these services as well. |
| 24 |
I have tried to implement a rule that grants an "operate all service |
| 25 |
scripts" privilege to a domain, but that didn't work out fine (yet). That |
| 26 |
being said, there is a build option (I think it is called direct_sysadm or |
| 27 |
so) that should support this - but that breaks the integrated run_init |
| 28 |
implementation iirc. |
| 29 |
|
| 30 |
Wkr, |
| 31 |
Sven Vermeulen |
Archives