| 1 |
Hi guys, |
| 2 |
|
| 3 |
Back again with the spamming "SELinux base policy rev ## in hardened-dev" |
| 4 |
mails, but now for the 2.20120215 policies. |
| 5 |
|
| 6 |
Changes since rev 2: |
| 7 |
|
| 8 |
<no bug> Allow sysadm to call qemu directly to launch virtual guests from commandline |
| 9 |
<no bug> Allow su to get the security file system attributes, needed for su calls |
| 10 |
#401857 Set /usr/share/GNUstep/Makefiles/*.sh (and mkinstalldirs) as #bin_t t allow building gnustep-base |
| 11 |
#403143 Add TCP 3128 as http_cache_port_t (default port for squid cache) |
| 12 |
<no bug> Update usermanage/selinux util role attributes to include the proper types |
| 13 |
<no bug> Allow mount to get the security file system attributes, needed for rootcontext mounts |
| 14 |
|
| 15 |
There is still an issue that amade on #gentoo-hardened reported, that is |
| 16 |
that our integrated run_init support in the init scripts is suddenly not |
| 17 |
working anymore. I'm too tired to look at that right now, so that'll be for |
| 18 |
tomorrow. |
| 19 |
|
| 20 |
Point is, I *think* we need to have a role transition between run_init_t and |
| 21 |
initrc_t, but it shouldn't be automated (SELinux supports automated role |
| 22 |
transitions, but then we would switch roles the moment we touch /sbin/rc, |
| 23 |
which is also the case when we run rc-config and the like, in many cases |
| 24 |
where we need to remain in the current role). |
| 25 |
|
| 26 |
Or, in the notation @@ = execute, --> = transition: |
| 27 |
|
| 28 |
sysadm_r:sysadm_t @@ initrc_exec_t --> sysadm_r:run_init_t |
| 29 |
@@ rc_exec_t --> sysadm_r:run_init_t |
| 30 |
@@ initrc_exec_t --> system_r:initrc_t |
| 31 |
|
| 32 |
I think that's something openrc does (with its support for SELinux, through |
| 33 |
/lib64/rc/runscript_selinux.so) or needs to do, but I have no clue how we do |
| 34 |
all that. |
| 35 |
|
| 36 |
Until then, you can use "run_init" to launch init scripts, like most (if not |
| 37 |
all) other distributions work: |
| 38 |
|
| 39 |
run_init /etc/init.d/apache start |
| 40 |
|
| 41 |
or using rc-service |
| 42 |
|
| 43 |
run_init rc-service apache start |
| 44 |
|
| 45 |
But as I said, I'll look at it more closely tomorrow. It's probably a change |
| 46 |
I forgot to forward-port or so... |
| 47 |
|
| 48 |
Wkr, |
| 49 |
Sven Vermeulen |
Archives