| 1 |
On 8/21/2011 10:18 AM, Sven Vermeulen wrote: |
| 2 |
> On Sun, Aug 21, 2011 at 01:39:15PM +0200, Rados??aw Smogura wrote: |
| 3 |
>> I'm not SeLinux guroo, but at eye glance it looks like init (runint) script |
| 4 |
>> 1. reads contexts/run_init_type (but I think this is done to password |
| 5 |
>> authentication) |
| 6 |
>> 2. then it reads and changes to contexts/initrc_context domain. |
| 7 |
>> |
| 8 |
>> This is made in policycoreutils-extras/runscript_selinux.c. There are some |
| 9 |
>> comments about initrc_devpts_t. |
| 10 |
>> |
| 11 |
>> Maybe changin 2. will be solution, instead of read contexts/initrc_context |
| 12 |
>> take context from target script? |
| 13 |
> |
| 14 |
> The solution to support<domain>_initrc_exec_t must be a policy-based one |
| 15 |
> afaik. I don't think it'll be too difficult to find (the places within |
| 16 |
> refpolicy that are offering interfaces just for Gentoo's integrated run_init |
| 17 |
> are documented), it'll just take some time to get it in proper shape. |
| 18 |
|
| 19 |
Is there a specific reason that the domain-specific initrc |
| 20 |
support cannot be made part of run_init? Instead of reading |
| 21 |
a single default context from initrc_context, you could |
| 22 |
instead label, for ex. the init script itself, and have |
| 23 |
run_init use that instead? |
| 24 |
|
| 25 |
ISTM that the reason the existing domain-specific init |
| 26 |
policy doesn't work is because run_init is doing something |
| 27 |
unexpected, so it makes sense that fixing run_init would be |
| 28 |
the correct solution... |
| 29 |
|
| 30 |
--Mike |
Archives