2016-03-07 09:15:36

by Jason Zaman

Subject: [refpolicy] context file for openrc

Hi all,

I recently realized that gentoo's selinux-base package creates the
context file /etc/selinux/*/contexts/run_init_type which contains
"run_init_t". This file is missing from refpolicy and should be added
since the rest of openrc's selinux support has been in refpolicy for
ages.

The run_init_type file is used by openrc's integrated run_init stuff.
This type is different from initrc_context (which contains
"system_u:system_r:initrc_t:s0"). When an admin runs an init script, it
transitions to run_init_type which does authentication and only then is
allowed to exec into initrc_context to actually run the script.

My question is basically: should this file be renamed? I can easily fix
it in openrc upstream so that debian and any others get it too and keep the
legacy in gentoo for a while.

I will send a patch adding the file as soon as the name is OK'd

-- Jason


2016-03-07 14:45:24

by cpebenito

Subject: [refpolicy] context file for openrc

On 3/7/2016 4:15 AM, Jason Zaman wrote:
> Hi all,
>
> I recently realized that gentoo's selinux-base package creates the
> context file /etc/selinux/*/contexts/run_init_type which contains
> "run_init_t". This file is missing from refpolicy and should be added
> since the rest of openrc's selinux support has been in refpolicy for
> ages.
>
> The run_init_type file is used by openrc's integrated run_init stuff.
> This type is different from initrc_context (which contains
> "system_u:system_r:initrc_t:s0"). When an admin runs an init script, it
> transitions to run_init_type which does authentication and only then is
> allowed to exec into initrc_context to actually run the script.
>
> My question is basically: should this file be renamed? I can easily fix
> it in openrc upstream so that debian and any others get it too and keep the
> legacy in gentoo for a while.

What do you suggest it be renamed to?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2016-03-07 14:49:49

by Jason Zaman

Subject: [refpolicy] context file for openrc

On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito wrote:
> On 3/7/2016 4:15 AM, Jason Zaman wrote:
> > Hi all,
> >
> > I recently realized that gentoo's selinux-base package creates the
> > context file /etc/selinux/*/contexts/run_init_type which contains
> > "run_init_t". This file is missing from refpolicy and should be added
> > since the rest of openrc's selinux support has been in refpolicy for
> > ages.
> >
> > The run_init_type file is used by openrc's integrated run_init stuff.
> > This type is different from initrc_context (which contains
> > "system_u:system_r:initrc_t:s0"). When an admin runs an init script, it
> > transitions to run_init_type which does authentication and only then is
> > allowed to exec into initrc_context to actually run the script.
> >
> > My question is basically: should this file be renamed? I can easily fix
> > it in openrc upstream so that debian and any others get it too and keep the
> > legacy in gentoo for a while.
>
> What do you suggest it be renamed to?

I can't think of anything great. openrc_run_init_type seems a little long
or maybe just openrc_run_init?

2016-03-07 14:55:46

by Dac Override

Subject: [refpolicy] context file for openrc


On 03/07/2016 03:49 PM, Jason Zaman wrote:
> On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito
> wrote:
>> On 3/7/2016 4:15 AM, Jason Zaman wrote:
>>> Hi all,
>>>
>>> I recently realized that gentoo's selinux-base package creates
>>> the context file /etc/selinux/*/contexts/run_init_type which
>>> contains "run_init_t". This file is missing from refpolicy and
>>> should be added since the rest of openrc's selinux support has
>>> been in refpolicy for ages.
>>>
>>> The run_init_type file is used by openrc's integrated run_init
>>> stuff. This type is different from initrc_context (which
>>> contains "system_u:system_r:initrc_t:s0"). When an admin runs
>>> an init script, it transitions to run_init_type which does
>>> authentication and only then is allowed to exec into
>>> initrc_context to actually run the script.
>>>
>>> My question is basically: should this file be renamed? I can
>>> easily fix it in openrc upstream so that debian and any others
>>> get it too and keep the legacy in gentoo for a while.
>>
>> What do you suggest it be renamed to?
>
> I can't think of anything great. openrc_run_init_type seems a
> little long or maybe just openrc_run_init?

I would just use "openrc"; then, if you use the libselinux functionality,
the file will end up with the name "openrc_contexts", and inside there
you can, for example, define "run_init_type = TYPE".



--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
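The file layout Dominick suggests above (a single openrc_contexts file of "key = value" lines such as "run_init_type = TYPE") and the two-step transition Jason describes in the first message (admin shell -> run_init type, which authenticates -> initrc_context to run the script), as an added example in C. This is not openrc's or libselinux's own code: the file contents are a constructed sample, the key name run_init_type, the '#' comment syntax and the admin context staff_u:sysadm_r:sysadm_t:s0 are assumptions, and a real implementation would read the current context with libselinux's getcon() and apply the result with setexeccon() instead of building context strings by hand.

```c
/*
 * Added example, not openrc's or libselinux's code.
 * Parses an "openrc_contexts" style file (key = value lines, as proposed
 * in the thread), pulls out run_init_type, and shows the context chain an
 * init script launch goes through: admin shell -> run_init type (where
 * authentication happens) -> initrc_context (where the script runs).
 * Assumptions not taken from the thread: the key is spelled
 * "run_init_type", '#' starts a comment, whitespace around '=' is ignored.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample of /etc/selinux/<policy>/contexts/openrc_contexts. */
static const char SAMPLE_OPENRC_CONTEXTS[] =
    "# openrc SELinux contexts (constructed sample)\n"
    "\n"
    "run_init_type = run_init_t\n";

/* initrc_context as quoted in the thread. */
static const char INITRC_CONTEXT[] = "system_u:system_r:initrc_t:s0";

/* Strip leading and trailing whitespace in place. */
static void trim(char *s)
{
    char *start = s;
    while (*start && isspace((unsigned char)*start)) start++;
    size_t len = strlen(start);
    while (len > 0 && isspace((unsigned char)start[len - 1])) len--;
    memmove(s, start, len);
    s[len] = '\0';
}

/* Find `key` in key = value text. Returns 1 and copies the value into
 * out on success; 0 if the key is missing, empty, or too long for out. */
int contexts_lookup(const char *text, const char *key, char *out, size_t outlen)
{
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (linelen >= sizeof line) {      /* ignore overlong lines */
            p = nl ? nl + 1 : p + linelen;
            continue;
        }
        memcpy(line, p, linelen);
        line[linelen] = '\0';
        p = nl ? nl + 1 : p + linelen;

        trim(line);
        if (line[0] == '\0' || line[0] == '#') continue;   /* blank or comment */
        char *eq = strchr(line, '=');
        if (!eq) continue;                                 /* malformed line */
        *eq = '\0';
        char *k = line, *v = eq + 1;
        trim(k);
        trim(v);
        if (strcmp(k, key) != 0) continue;
        if (*v == '\0' || strlen(v) >= outlen) return 0;
        strcpy(out, v);
        return 1;
    }
    return 0;
}

/* Replace the type (third field) of user:role:type[:range], keeping the
 * user, role and any MLS range. Returns 1 on success, 0 if the context
 * has fewer than three fields or the result would not fit in out. */
int context_set_type(const char *ctx, const char *type, char *out, size_t outlen)
{
    const char *c1 = strchr(ctx, ':');
    if (!c1) return 0;
    const char *c2 = strchr(c1 + 1, ':');
    if (!c2) return 0;
    const char *rest = strchr(c2 + 1, ':');   /* ":range", or NULL without MLS */
    if (!rest) rest = "";
    size_t prefix = (size_t)(c2 + 1 - ctx);   /* "user:role:" */
    if (prefix + strlen(type) + strlen(rest) >= outlen) return 0;
    memcpy(out, ctx, prefix);
    strcpy(out + prefix, type);
    strcat(out, rest);
    return 1;
}

int main(void)
{
    const char *admin_ctx = "staff_u:sysadm_r:sysadm_t:s0";   /* assumed */
    char type[64], run_init_ctx[256];

    if (!contexts_lookup(SAMPLE_OPENRC_CONTEXTS, "run_init_type", type, sizeof type)) {
        fprintf(stderr, "run_init_type not found in openrc_contexts\n");
        return 1;
    }
    /* Step 1: the admin's shell transitions to the run_init type, which
     * is the domain that performs authentication. */
    if (!context_set_type(admin_ctx, type, run_init_ctx, sizeof run_init_ctx))
        return 1;
    /* Step 2: only after authentication does run_init exec into initrc_context. */
    printf("%s -> %s -> %s\n", admin_ctx, run_init_ctx, INITRC_CONTEXT);
    return 0;
}
```

The two helpers are kept separate on purpose: the lookup knows nothing about SELinux context syntax, and context_set_type only touches the type field, so the user, role and MLS range of the caller are preserved exactly as they would be by libselinux's context_type_set().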

2016-03-07 15:37:41

by Jason Zaman

Subject: [refpolicy] context file for openrc

On Mon, Mar 07, 2016 at 03:55:46PM +0100, Dominick Grift wrote:
> On 03/07/2016 03:49 PM, Jason Zaman wrote:
> > On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito
> > wrote:
> >> On 3/7/2016 4:15 AM, Jason Zaman wrote:
> >>> Hi all,
> >>>
> >>> I recently realized that gentoo's selinux-base package creates
> >>> the context file /etc/selinux/*/contexts/run_init_type which
> >>> contains "run_init_t". This file is missing from refpolicy and
> >>> should be added since the rest of openrc's selinux support has
> >>> been in refpolicy for ages.
> >>>
> >>> The run_init_type file is used by openrc's integrated run_init
> >>> stuff. This type is different from initrc_context (which
> >>> contains "system_u:system_r:initrc_t:s0"). When an admin runs
> >>> an init script, it transitions to run_init_type which does
> >>> authentication and only then is allowed to exec into
> >>> initrc_context to actually run the script.
> >>>
> >>> My question is basically: should this file be renamed? I can
> >>> easily fix it in openrc upstream so that debian and any others
> >>> get it too and keep the legacy in gentoo for a while.
> >>
> >> What do you suggest it be renamed to?
> >
> > I can't think of anything great. openrc_run_init_type seems a
> > little long or maybe just openrc_run_init?
>
> I would just use "openrc"; then, if you use the libselinux functionality,
> the file will end up with the name "openrc_contexts", and inside there
> you can, for example, define "run_init_type = TYPE".

That sounds much more reasonable. I will prepare the patch for openrc
first then, so I can make sure everything works, and then send the patch
to refpol. Once the context file is merged in, I'll send the patch to
openrc.

-- Jason

2016-03-07 16:00:39

by Dac Override

Subject: [refpolicy] context file for openrc


On 03/07/2016 04:37 PM, Jason Zaman wrote:
> On Mon, Mar 07, 2016 at 03:55:46PM +0100, Dominick Grift wrote:
>> On 03/07/2016 03:49 PM, Jason Zaman wrote:
>>> On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J.
>>> PeBenito wrote:
>>>> On 3/7/2016 4:15 AM, Jason Zaman wrote:
>>>>> Hi all,
>>>>>
>>>>> I recently realized that gentoo's selinux-base package
>>>>> creates the context file
>>>>> /etc/selinux/*/contexts/run_init_type which contains
>>>>> "run_init_t". This file is missing from refpolicy and
>>>>> should be added since the rest of openrc's selinux support
>>>>> has been in refpolicy for ages.
>>>>>
>>>>> The run_init_type file is used by openrc's integrated
>>>>> run_init stuff. This type is different from initrc_context
>>>>> (which contains "system_u:system_r:initrc_t:s0"). When an
>>>>> admin runs an init script, it transitions to run_init_type
>>>>> which does authentication and only then is allowed to exec
>>>>> into initrc_context to actually run the script.
>>>>>
>>>>> My question is basically: should this file be renamed? I
>>>>> can easily fix it in openrc upstream so that debian and any
>>>>> others get it too and keep the legacy in gentoo for a
>>>>> while.
>>>>
>>>> What do you suggest it be renamed to?
>>>
>>> I can't think of anything great. openrc_run_init_type seems a
>>> little long or maybe just openrc_run_init?
>>
>> I would just use "openrc"; then, if you use the libselinux
>> functionality, the file will end up with the name "openrc_contexts",
>> and inside there you can, for example, define
>> "run_init_type = TYPE".
>
> That sounds much more reasonable. I will prepare the patch for
> openrc first then so I can make sure everything works and then send
> the patch to refpol. Once the context file is merged in, i'll send
> the patch to openrc.
>

Here is an example patch to libselinux:

https://dwalsh.fedorapeople.org/SELinux/Patches/0008-Add-selinux_systemd_contexts_path.patch

It would look pretty much the same except for the name.

> -- Jason
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift