On Mon, Aug 22, 2011 at 03:18:16PM +0000, Sven Vermeulen wrote:
> What you are suggesting (label init script) is exactly what I was talking
> about: instead of having the init scripts labeled initrc_exec_t, they should
> be labeled like slapd_initrc_exec_t, postfix_initrc_exec_t, ... and Gentoo's
> integrated run_init support, which by the policy is currently only working
> on initrc_exec_t, should support those too.

I guess that won't be happening soon.

When an administrative interface is granted to a domain/role (like
ldap_admin), then a role transition to system_r is automatically granted
when a transition occurs on the domain-specific initrc script (like
slapd_initrc_exec_t). In case of integrated run_init support, this would
create a context root:system_r:run_init_t, which is invalid.

Removing the role transition in all administrative interfaces is imo a no-go
as that would mean lots of work and maintenance.

Oh well, it was fun to try...

Wkr,
Sven Vermeulen
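The role-transition problem described in the message, as an added toy model (not refpolicy or Gentoo policy code): a constructed mini-policy with `role ... types` authorizations, `type_transition` and `role_transition` rules is applied to an admin executing `slapd_initrc_exec_t`, once with the refpolicy `init_labeled_script_domtrans()` target (`initrc_t`) and once with an assumed integrated-run_init target (`run_init_t`), and the resulting context is checked for validity. All rule contents are simplified assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A simplified SELinux security context (user:role:type, no MLS range)."""
    user: str
    role: str
    type: str

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}"


# Constructed toy policy. "role R types {...}" decides which types a role may run;
# a context whose type is not authorized for its role is invalid (exec fails).
ROLE_TYPES = {
    "sysadm_r": {"sysadm_t", "run_init_t"},
    "system_r": {"initrc_t", "slapd_t"},
}

# role_transition <role> <exec type> <new role>: the piece an admin interface like
# ldap_admin adds so the admin's processes end up in system_r via the init script.
ROLE_TRANSITIONS = {
    ("sysadm_r", "slapd_initrc_exec_t"): "system_r",
}

# type_transition <source domain> <exec type>:process <new domain>, one table per
# scenario.  "integrated_run_init" is the assumed effect of extending Gentoo's
# run_init integration to domain-specific initrc script labels.
DOMAIN_TRANSITIONS = {
    "refpolicy": {("sysadm_t", "slapd_initrc_exec_t"): "initrc_t"},
    "integrated_run_init": {("sysadm_t", "slapd_initrc_exec_t"): "run_init_t"},
}


def execute(ctx: Context, exec_type: str, scenario: str) -> Context:
    """Apply the type_transition and role_transition that fire on exec."""
    new_type = DOMAIN_TRANSITIONS[scenario].get((ctx.type, exec_type), ctx.type)
    new_role = ROLE_TRANSITIONS.get((ctx.role, exec_type), ctx.role)
    return Context(ctx.user, new_role, new_type)


def is_valid(ctx: Context) -> bool:
    """The kernel rejects a context whose role is not authorized for its type."""
    return ctx.type in ROLE_TYPES.get(ctx.role, set())


def admin_starts_slapd(scenario: str) -> Context:
    """Admin in root:sysadm_r:sysadm_t runs the slapd init script."""
    admin = Context("root", "sysadm_r", "sysadm_t")
    return execute(admin, "slapd_initrc_exec_t", scenario)


if __name__ == "__main__":
    for scenario in DOMAIN_TRANSITIONS:
        ctx = admin_starts_slapd(scenario)
        print(f"{scenario:20} -> {ctx}  valid={is_valid(ctx)}")
```

With the refpolicy target the admin lands in `root:system_r:initrc_t`, which `system_r` authorizes; with the run_init target the same role transition yields `root:system_r:run_init_t`, which no `role system_r types` line covers, so the exec would fail with an invalid context.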