| 1 |
On 05/13/2011 03:06 PM, Sven Vermeulen wrote: |
| 2 |
> Hi all, |
| 3 |
> |
| 4 |
> I've put selinux-base-policy-2.20101213-r14 in the hardened-dev.git overlay. |
| 5 |
> Its main addition is support for openrc (which is now stable and was hunting |
| 6 |
> for my patience the last few days) which is done by a few labelling |
| 7 |
> statements (especially for /lib(64)?/rc/... stuff) as well as to "allow |
| 8 |
> run_init_t initrc_exec_t:file execute_no_trans", this because |
| 9 |
> /sbin/runscript was previously a binary and is now a wrapper (hence the |
| 10 |
> additional rule). |
| 11 |
> |
| 12 |
> In the further future, we might want to relabel runscript to bin_t (as |
| 13 |
> run_init_t already has execute_no_trans on those) but for those systems that |
| 14 |
> have not migrated to openrc yet, such a change would mean disaster. |
| 15 |
> |
| 16 |
> I've added a reminder for myself around August to make this switch /if/ |
| 17 |
> other architectures have also migrated to openrc (ok, I know we do not |
| 18 |
> support SELinux on those, but (1.) that doesn't mean no-one uses it, and |
| 19 |
> (2.) there are a few people waiting for openrc migration until things cool |
| 20 |
> down). |
| 21 |
> |
| 22 |
> Sadly, to support openrc, SELinux users will also need to add the following |
| 23 |
> line to their /etc/fstab (wrapped): |
| 24 |
> rc-svcdir /lib64/rc/init.d tmpfs \ |
| 25 |
> rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,\ |
| 26 |
> nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0 |
| 27 |
> |
| 28 |
> I tried labelling /lib64/rc to initrc_state_t, but then I had to put a lot |
| 29 |
> of other allow rules for less related domains towards initrc_state_t. |
| 30 |
> Mounting the init.d as initrc_state_t requires no additional updates on the |
| 31 |
> policy (well, perhaps a few cosmetic ones to hide denials that are seemingly |
| 32 |
> not needed). Perhaps we could have the openrc people update the |
| 33 |
> /lib64/rc/sh/init.sh file to do this automatically on SELinux systems, but |
| 34 |
> let us first see how things turn out. |
| 35 |
> |
| 36 |
|
| 37 |
Just posting this so that others will know about it. We determined that |
| 38 |
/lib64/rc/init.d needs to be relabled to initrc_state_t on the file |
| 39 |
system using the same relabel that we do for /dev. I believe the manual |
| 40 |
is being updated to add this information. In addition, a rule has to be |
| 41 |
added to init.fc and init.te to relabel this directory ( |
| 42 |
/lib64/rc/init\.d((/.*)? gen_context(system_u:object_r:initrc_state_t, |
| 43 |
s0) (or something similar), as well as add the mounton privilege using |
| 44 |
files_mountpoint(initrc_state_t). Once that is done, there is no longer |
| 45 |
a need for the fstab stuff. |
| 46 |
|
| 47 |
> Anyway, this addition to the /etc/fstab has been put in the SELinux handbook |
| 48 |
> in hardened-doc.git overlay. |
| 49 |
> |
| 50 |
> Wkr, |
| 51 |
> Sven Vermeulen |
| 52 |
> |
| 53 |
> |
Archives