[refpolicy] RFC: direct_init_entry breaks direct_initrc
dominick.grift at gmail.com
Tue Jan 14 13:30:29 EST 2014
On Tue, 2014-01-14 at 09:10 -0500, Christopher J. PeBenito wrote:
> On Tue Jan 14 09:02:08 2014, Dominick Grift wrote:
> > On Tue, 2014-01-14 at 08:56 -0500, Christopher J. PeBenito wrote:
> >> On 12/10/13 10:57, Dominick Grift wrote:
> >>> I have not tested this yet and it is a theory.
> >>> I was not there when that type attribute was implemented so I do not
> >>> know the rationale behind the decision to implement it.
> >>> It would be nice if anyone could shed some light on that and would be even
> >>> better if this fix is acknowledged.
> >> It seems like it would probably work, but definitely needs to be tested.
> > I have tested it. Role transitions should happen on the init script and
> > not on the daemon entry file. This is a bug in the init_run_daemon
> > interface and it breaks a lot of stuff.
> > Also the init_run_daemon(unconfined_t, unconfined_r) should be made
> > tunable (direct_sysadm_daemon).
> Would you send patches for these? The first patch I only see as
> inlined comments in the body of the first message.
Unfortunately I found some other issue during rebasing.
Not only do callers of init_run_daemon() role transition on daemon
executable files instead of init scripts. They also turn out to be
domain transitioning on executable files instead of init scripts.
(So sysadm_t seems to actually run init scripts in the sysadm_t domain
with direct_initrc=y, unless I overlooked something.)
My previous patches do work and fix many issues but it is not the fix I
was hoping for (I guess I had not tested it enough after all).
Enclosed you will find the rebased patch, and although it builds I have
not been able to test it yet. I need to test this on Debian because
Fedora has diverged a lot from refpolicy and is using systemd. I can't test
it on RHEL either since that also diverged a lot from refpolicy, and
refpolicy probably does not install on el6 due to old user space (it does
not support named file transitions, for one).
I am planning to test this on Debian, but for now I just post the patch.
I can't add the patch in-line because git-send-email is broken in my
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4940 bytes
Desc: not available
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20140114/ed243500/attachment.bin
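To make the distinction the thread is about concrete, here is an added illustration of the two ways the transition for a sysadm starting a daemon can be keyed. This is not the attached patch and is not quoted from refpolicy's init.if; the attribute and type names (direct_run_init, direct_init_entry, initrc_exec_t, initrc_t, system_r, crond_exec_t) follow refpolicy naming, but the exact rules shown for init_run_daemon() and init_daemon_domain() are assumptions to be checked against the tree you build.

```selinux
# Added illustration, not refpolicy's own init.if text.
# Scenario: an admin in sysadm_r:sysadm_t runs "/etc/init.d/crond start".
#   /etc/init.d/crond   is labelled initrc_exec_t  (the init script)
#   /usr/sbin/crond     is labelled crond_exec_t   (the daemon entry file)
#
# Keying on the daemon entry file (what the thread says the
# direct_init_entry attribute amounts to with direct_initrc=y;
# assumed shape of the rules, not quoted):
#
#   typeattribute crond_exec_t direct_init_entry;
#   domtrans_pattern(direct_run_init, crond_exec_t, crond_t)
#   role_transition sysadm_r direct_init_entry system_r;
#
# Effect: executing the init script itself matches no transition rule,
# so the script body runs as sysadm_r:sysadm_t. Only when the script
# execs /usr/sbin/crond do the domain and role change. Everything the
# script does before that (creating run directories, pid files, chown)
# runs with sysadm_t's permissions rather than initrc_t's.
#
# Keying on the init script instead (assumed interface body):

interface(`init_run_daemon',`
	gen_require(`
		attribute direct_run_init;
		type initrc_exec_t, initrc_t;
		role system_r;
	')

	typeattribute $1 direct_run_init;

	# $1 -> initrc_t when it executes an init script ...
	domtrans_pattern($1, initrc_exec_t, initrc_t)
	# ... and $2 -> system_r on that same exec
	role_transition $2 initrc_exec_t system_r;
	allow $2 system_r;
')

# Resulting chain for "/etc/init.d/crond start":
#   sysadm_r:sysadm_t  --exec initrc_exec_t-->  system_r:initrc_t
#   system_r:initrc_t  --exec crond_exec_t -->  system_r:crond_t
# The second hop is the ordinary initrc_t -> daemon transition that
# init_daemon_domain() already provides for every daemon, so no
# direct_init_entry attribute on the daemon entry file is needed.
```

When checking a built policy for this, look at which entry types carry role_transition rules from the admin role: if they are daemon entry files rather than the init script type, the init scripts themselves are being run in the admin's domain, which is the symptom reported above.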