[refpolicy] Fwd: Re: [PATCH 1/2] Allow Gentoo rc-update to manage runlevels, try 2

Chris Richards gizmo at giz-works.com
Tue Dec 21 12:18:37 CST 2010


On 12/20/2010 04:37 PM, Dominick Grift wrote:

>  On 12/20/2010 11:28 PM, gizmo at giz-works.com wrote:
>>  From: Chris Richards<gizmo at giz-works.com>
>>
>>  rc-update cannot properly update the system runlevels, even when run
>>  as the root user in sysadm role.
>>
>>  Signed-off-by: Chris Richards<gizmo at giz-works.com>
>>  ---
>>    policy/modules/system/init.if |   19 +++++++++++++++++++
>>    1 files changed, 19 insertions(+), 0 deletions(-)
>>
>>  diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
>>  index ed152c4..7904818 100644
>>  --- a/policy/modules/system/init.if
>>  +++ b/policy/modules/system/init.if
>>  @@ -1442,6 +1442,25 @@ interface(`init_dontaudit_use_script_ptys',`
>>
>>    ########################################
>>    ##<summary>
>>  +##	Manage init script runlevel files.
>>  +##</summary>
>>  +##<param name="domain">
>>  +##	<summary>
>>  +##	Domain allowed access.
>>  +##	</summary>
>>  +##</param>
>>  +#
>>  +interface(`init_manage_script_runlevel_files',`
>>  +	gen_require(`
>>  +		type initrc_state_t;
>>  +	')
>>  +
>>  +	read_lnk_files_pattern($1, initrc_state_t, initrc_state_t)
>>  +	files_manage_etc_symlinks($1)
>  I am worried about the above symlink, seems to me it may be mislabelled.
>  (should it have been created with initrc_state_t type or some other type?)
>
Yeah, I'm not real wild about this either, but I didn't see any other
way to handle it.  What's happening here is that the rc system makes
symlinks inside the /etc/init.d directory.  While all of the scripts are
initrc_exec_t, the symlinks are all created as etc_t (the type of the
parent directory).  I wasn't able to find any way to alter that behavior.
>>  +')
>>  +
>>  +########################################
>>  +##<summary>
>>    ##	Get the attributes of init script
>>    ##	status files.
>>    ##</summary>
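
Review bot: files_manage_etc_symlinks($1), the last call in init_manage_script_runlevel_files, grants manage access to every etc_t symlink rather than only the runlevel links, while the one rule that names initrc_state_t, read_lnk_files_pattern($1, initrc_state_t, initrc_state_t), is read-only, so the "Manage init script runlevel files" summary does not describe what a caller actually receives. Suggest giving the runlevel symlinks a dedicated type, with a type transition so they stop taking etc_t from the parent directory, and replacing the etc_t call with manage_lnk_files_pattern on that type. If the etc_t grant has to stay, state it in the interface summary so anyone calling it can see the scope.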