2009-11-12 22:09:04

by Daniel Walsh

Subject: [refpolicy] system_init.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_init.patch

Fix labels

Add policy to make upstart->daemon work, in addition to upstart->initrc_t->daemon


2010-02-12 20:00:12

by cpebenito

Subject: [refpolicy] system_init.patch

On Thu, 2009-11-12 at 17:09 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_init.patch
>
> Fix labels
>
> Add policy to make upstart->daemon work, in addition to
> upstart->initrc_t->daemon

This needs to go in an init_upstart tunable block.

initrc_tmp_t blk_files and chr_files need explanation, otherwise it's
completely unacceptable.

It looks like your patch reverses some upstream changes, e.g.:

+fs_register_binary_executable_type(initrc_t)
+# rhgb-console writes to ramfs
+fs_write_ramfs_pipes(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+fs_mount_all_fs(initrc_t)
+fs_unmount_all_fs(initrc_t)
+fs_remount_all_fs(initrc_t)
+fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
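Review bot: the re-added block carries the upstream comment "# cjp: not sure why these are here; should use mount policy" over fs_mount_all_fs(initrc_t), fs_unmount_all_fs(initrc_t) and fs_remount_all_fs(initrc_t), and re-introduces those three lines without answering it; mount/unmount/remount on every filesystem type is a broad grant for initrc_t, so the patch description should say which initscripts need it outside mount_t, or the lines should stay out and the mount policy be used instead.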

then later:

-fs_register_binary_executable_type(initrc_t)
-# rhgb-console writes to ramfs
-fs_write_ramfs_pipes(initrc_t)
-# cjp: not sure why these are here; should use mount policy
-fs_mount_all_fs(initrc_t)
-fs_unmount_all_fs(initrc_t)
-fs_remount_all_fs(initrc_t)
-fs_getattr_all_fs(initrc_t)
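Review bot: this removal block is the mirror image of the addition quoted above, so the patch adds and then deletes the same eight lines; that pattern normally means the patch was generated against a tree that is out of sync with upstream rather than an intended change. Regenerate it against current refpolicy so each line appears once in its final state; the real delta that then remains is fs_search_all(initrc_t) and fs_getattr_nfsd_files(initrc_t), which the removal does not undo and which therefore need their own justification.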

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
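As an illustration of the "init_upstart tunable block" asked for above (added here, not part of the thread or of the patch under review), this is the shape such a block takes in refpolicy's m4 dialect; it assumes the init_upstart boolean is declared in init.te and that the interface signature matches refpolicy's init_daemon_domain ($1 = daemon domain, $2 = daemon entry point type):

```m4
## <desc>
##   <p>
##   Allow init (upstart) to transition directly into daemon domains,
##   in addition to the init -> initrc_t -> daemon path.
##   </p>
## </desc>
# Declaration lives in init.te; assumed to exist already (default off).
gen_tunable(init_upstart, false)

# Interface body lives in init.if; illustrative, not the submitted patch.
interface(`init_daemon_domain',`
	gen_require(`
		type init_t, initrc_t;
	')

	# Unconditional: initrc_t may transition into the daemon domain.
	domtrans_pattern(initrc_t, $2, $1)

	# Conditional: init_t may transition directly into the daemon
	# domain only when the init_upstart boolean is enabled, so non-upstart
	# systems do not carry the extra init_t -> daemon transition.
	tunable_policy(`init_upstart',`
		domtrans_pattern(init_t, $2, $1)
	')
')
```

Keeping the direct init_t transition under the tunable means a system running a traditional init leaves the boolean off and gains no extra allow rules.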

2010-02-13 11:59:49

by Daniel Walsh

Subject: [refpolicy] system_init.patch

On 02/12/2010 03:00 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:09 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_init.patch
>>
>> Fix labels
>>
>> Add policy to make upstart->daemon work, in addition to
>> upstart->initrc_t->daemon
>
> This needs to go in an init_upstart tunable block.
>
> initrc_tmp_t blk_files and chr_files need explanation, otherwise it's
> completely unacceptable.
>
I believe this has to do with initrc running mkinitd at some point. Since we don't do this anymore, I guess we can leave it off.

> It looks like your patch reverses some upstream changes, e.g.:
>
> +fs_register_binary_executable_type(initrc_t)
> +# rhgb-console writes to ramfs
> +fs_write_ramfs_pipes(initrc_t)
> +# cjp: not sure why these are here; should use mount policy
> +fs_mount_all_fs(initrc_t)
> +fs_unmount_all_fs(initrc_t)
> +fs_remount_all_fs(initrc_t)
> +fs_getattr_all_fs(initrc_t)
> +fs_search_all(initrc_t)
> +fs_getattr_nfsd_files(initrc_t)
>
> then later:
>
> -fs_register_binary_executable_type(initrc_t)
> -# rhgb-console writes to ramfs
> -fs_write_ramfs_pipes(initrc_t)
> -# cjp: not sure why these are here; should use mount policy
> -fs_mount_all_fs(initrc_t)
> -fs_unmount_all_fs(initrc_t)
> -fs_remount_all_fs(initrc_t)
> -fs_getattr_all_fs(initrc_t)
>

I will fix this.