| 1 |
On Aug 22, 2011, at 12:11 PM, Sven Vermeulen wrote: |
| 2 |
|
| 3 |
> On Mon, Aug 22, 2011 at 03:18:16PM +0000, Sven Vermeulen wrote: |
| 4 |
>> What you are suggesting (label init script) is exactly what I was talking |
| 5 |
>> about: instead of having the init scripts labeled initrc_exec_t, they should |
| 6 |
>> be labeled like slapd_initrc_exec_t, postfix_initrc_exec_t, ... and Gentoo's |
| 7 |
>> integrated run_init support, which by the policy is currently only working |
| 8 |
>> on initrc_exec_t, should support those too. |
| 9 |
> |
| 10 |
> I guess that won't be happening soon. |
| 11 |
> |
| 12 |
> When an administrative interface is granted to a domain/role (like |
| 13 |
> ldap_admin) then a role transition to system_r is automatically granted |
| 14 |
> when a transition occurs on the domain-specific initrc script (like |
| 15 |
> slapd_initrc_exec_t). In case of integrated run_init support, this would |
| 16 |
> create a context root:system_r:run_init_t, which is invalid. |
| 17 |
> |
| 18 |
> Removing the role transition in all administrative interfaces is imo a no-go |
| 19 |
> as that would mean lots of work and maintenance. |
| 20 |
> |
| 21 |
> Oh well, it was fun to try... |
| 22 |
> |
| 23 |
> Wkr, |
| 24 |
> Sven Vermeulen |
| 25 |
> |
| 26 |
|
| 27 |
I know this is not ideal, but can you simply allow sysadm_r to use rc-service and it's brothers? |
| 28 |
|
| 29 |
-- Matthew Thode |
Archives