[refpolicy] RFC: direct_init_entry breaks direct_initrc

Dominick Grift dominick.grift at gmail.com
Tue Jan 14 13:30:29 EST 2014


On Tue, 2014-01-14 at 09:10 -0500, Christopher J. PeBenito wrote:
> On Tue Jan 14 09:02:08 2014, Dominick Grift wrote:
> > On Tue, 2014-01-14 at 08:56 -0500, Christopher J. PeBenito wrote:
> >> On 12/10/13 10:57, Dominick Grift wrote:
> >>> I have not tested this yet and it is a theory
> >>>
> >>> I was not there when that type attribute was implemented so I do not
> >>> know the rationale behind the decision to implement it.
> >>>
> >>> Would be nice if anyone could shed some light on that and would be even
> >>> better if this fix is acknowledged
> >>
> >> It seems like it would probably work, but definitely needs to be tested.
> >>
> >
> > I have tested it. Role transitions should happen on the init script and
> > now on the daemon entry file. This is a bug in the init_run_daemon
> > interface and it breaks a lot of stuff
> >
> > Also the init_run_daemon(unconfined_t, unconfined_r) should be made
> > tunable (direct_sysadm_daemon)
> 
> Would you send patches for these?  The first patch I only see as 
> inlined comments in the body of the first message.

Unfortunately I found another issue during rebasing.

Not only do callers of init_run_daemon() role transition on daemon
executable files instead of init scripts, they also turn out to be
domain transitioning on executable files instead of init scripts.

(So sysadm_t seems to actually run init scripts in the sysadm_t domain
with direct_initrc=y, unless I overlooked something.)

My previous patches do work and fix many issues, but it is not the fix I
was hoping for (I guess I had not tested it enough after all).

Enclosed you will find the rebased patch, and although it builds I have
not been able to test it yet. I need to test this on Debian because
Fedora has diverged a lot from refpolicy and is using systemd. I can't test
it on RHEL either, since that has also diverged a lot from refpolicy and
refpolicy probably does not install on el6 due to old user space (it does
not support named file transitions, for one).

I am planning to test this on Debian, but for now I am just posting the patch
for review/comments.

I can't add the patch in-line because git-send-email is broken in my
Fedora

See attachment:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Previously-callers-of-initrundaemon-role-type-transi.patch
Type: text/x-patch
Size: 4940 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140114/ed243500/attachment.bin 

