| 1 |
On Sat, May 14, 2011 at 11:59:54AM -0500, Chris Richards wrote: |
| 2 |
> Just posting this so that others will know about it. We determined that |
| 3 |
> /lib64/rc/init.d needs to be relabled to initrc_state_t on the file |
| 4 |
> system using the same relabel that we do for /dev. I believe the manual |
| 5 |
> is being updated to add this information. In addition, a rule has to be |
| 6 |
> added to init.fc and init.te to relabel this directory ( |
| 7 |
> /lib64/rc/init\.d((/.*)? gen_context(system_u:object_r:initrc_state_t, |
| 8 |
> s0) (or something similar), as well as add the mounton privilege using |
| 9 |
> files_mountpoint(initrc_state_t). Once that is done, there is no longer |
| 10 |
> a need for the fstab stuff. |
| 11 |
|
| 12 |
I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git |
| 13 |
overlay. It does not resolve all problems, but at least Gentoo Hardened with |
| 14 |
SELinux now boots up properly with OpenRC (and the Gentoo SELinux handbook |
| 15 |
has been updated with that what Chris R. said). |
| 16 |
|
| 17 |
But there is still some work ahead. |
| 18 |
- rc-update currently *does* *not* *work*. Not good. I know. |
| 19 |
The problem is that rc-update (bin_t) calls /sbin/rc (initrc_exec_t) so |
| 20 |
transitions to run_init_t which does not have the rights to write in |
| 21 |
/etc/runlevels (etc_t). Calling rc-update with run_init doesn't help |
| 22 |
either (transitions to initrc_t which also has no rights to write to |
| 23 |
etc_t) |
| 24 |
- rc-service works |
| 25 |
- rc-status works if you use "run_init rc-status". Allowing rc-status to |
| 26 |
work without run_init is possible as well (-r15 offers the |
| 27 |
gentoo_init_manage_script_status_files interface for this which we can |
| 28 |
apply to run_init_t, but you'll also need to add in a |
| 29 |
term_use_unallocated_ttys(run_init_t)) but I left it out as I find it to |
| 30 |
be an ugly situation then |
| 31 |
- rc works if you use "run_init rc". |
| 32 |
|
| 33 |
Now, this mixed usage of "with run_init" and "without run_init" is a pain, |
| 34 |
especially as Gentoo tried hard not to require run_init in the first place |
| 35 |
(well, it uses it, but in the background). This can be fixed by using |
| 36 |
run_init in the wrappers where needed, but that requires an update on |
| 37 |
openrc. Yet this still looks to me like the sanest approach. |
| 38 |
|
| 39 |
Some methods can be used to work around this, like labelling the wrappers so |
| 40 |
that they transition before /sbin/rc is called, but that looks like an ugly |
| 41 |
situation too to me. |
| 42 |
|
| 43 |
To fix the rc-update issue, we need to be able to run /sbin/rc without |
| 44 |
transitioning. I'm thinking about having a copy of /sbin/rc to |
| 45 |
/lib64/rc/sbin and have the rc-update wrapper point to that one. I can then |
| 46 |
also do the same for rc-status (no need for run_init then, sysadm_t has the |
| 47 |
same privileges). It seems to work fairly well on my systems, but that's |
| 48 |
again another change just for SELinux-enabled Gentoo systems :-( |
| 49 |
|
| 50 |
Chris R.: in https://bugs.gentoo.org/351712 the use of the wrappers was |
| 51 |
suggested instead of symlinks (which would've caused the same problems here |
| 52 |
I think) just for the reason that I'm writing out now. How did you resolve |
| 53 |
the problem on your system? |
| 54 |
|
| 55 |
Wkr, |
| 56 |
Sven Vermeulen |
Archives