On 8/21/2011 10:18 AM, Sven Vermeulen wrote:
> On Sun, Aug 21, 2011 at 01:39:15PM +0200, Radosław Smogura wrote:
>> I'm not an SELinux guru, but at a glance it looks like the init (run_init) script
>> 1. reads contexts/run_init_type (but I think this is done for password
>> authentication)
>> 2. then it reads and changes to the contexts/initrc_context domain.
>>
>> This is done in policycoreutils-extras/runscript_selinux.c. There are some
>> comments about initrc_devpts_t.
>>
>> Maybe changing 2. will be the solution: instead of reading contexts/initrc_context,
>> take the context from the target script?
>
> The solution to support <domain>_initrc_exec_t must be a policy-based one
> afaik. I don't think it'll be too difficult to find (the places within
> refpolicy that are offering interfaces just for Gentoo's integrated run_init
> are documented), it'll just take some time to get it in proper shape.

Is there a specific reason that the domain-specific initrc
support cannot be made part of run_init? Instead of reading
a single default context from initrc_context, you could
label, for example, the init script itself, and have
run_init use that?

ISTM that the reason the existing domain-specific init
policy doesn't work is because run_init is doing something
unexpected, so it makes sense that fixing run_init would be
the correct solution...

--Mike