From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 24 Sep 2008 15:42:17 -0400
Subject: [refpolicy] system_init.patch
Message-ID: <48DA9819.8040000@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

http://people.fedoraproject.org/~dwalsh/SELinux/F10/system_init.patch

label all /etc/rc\.d/rc\.[^/]+ as initrc_exec_t

system-config-services uses dbus to start and stop services via
+/usr/share/system-config-services/system-config-services-mechanism\.py --
So this needs to be labeled an initrc_script_t script

init_spec_domtrans_script and init_domtrans_script need to use all init scripts, not just the ones labeled initrc_exec_t.

dbus can be used to start any binary, so added init_bin_domtrans_spec to transition bin_t to initrc_t, via dbus.

init_script_role_transition is used by unconfined_t to transition initscripts to system_r when the user executes an initrc_t script.

upstart has dbus capabilities.
init needs to list inotify
init communicates with initrc_t via stream sockets
init calls setsched
initrc_t under mls can call runuser which attempts to send an audit message
initrc_ needs to be able to talk to /dev/initctrl
initscripts create links in /var/run
initrc talks to lvm_control
initrc_t can chat with consolekit
Lots of dontaudit commands to quiet init scripts using passwd file descriptors
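
The two file-context patterns named in the message can be checked against candidate paths to see exactly which files they cover. This is an added example, not code from the patch or from refpolicy; it assumes whole-path anchoring as libselinux applies it, no file-type flag on the first entry, the type names as worded in the message, and constructed sample paths.

```python
import re
import stat

# Entries as (regex, file-type flag, type). Patterns and type names are the
# ones written in the message; the empty flag on the first entry is assumed.
FC_ENTRIES = [
    (r"/etc/rc\.d/rc\.[^/]+", "", "initrc_exec_t"),
    (r"/usr/share/system-config-services/system-config-services-mechanism\.py",
     "--", "initrc_script_t"),
]

# file_contexts file-type flags mapped to the matching stat test.
FLAG_TESTS = {
    "--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK,
    "-c": stat.S_ISCHR, "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK,
    "-p": stat.S_ISFIFO,
}

def match_type(path, mode, entries=FC_ENTRIES):
    """Return the type of the first entry covering path, or None.

    The regex must match the whole path (libselinux anchors each pattern at
    both ends) and the flag, if any, must agree with the file type in mode.
    Precedence between overlapping entries is not modelled.
    """
    for regex, flag, setype in entries:
        if not re.fullmatch(regex, path):
            continue
        if flag and not FLAG_TESTS[flag](mode):
            continue
        return setype
    return None

REG = stat.S_IFREG | 0o755
DIR = stat.S_IFDIR | 0o755
MECH = "/usr/share/system-config-services/system-config-services-mechanism.py"

# Constructed sample paths, not taken from the patch.
SAMPLES = [
    ("/etc/rc.d/rc.local", REG),
    ("/etc/rc.d/rc.sysinit", REG),
    ("/etc/rc.d/rc", REG),                   # no ".suffix": not covered
    ("/etc/rc.d/rc3.d/S10network", REG),     # "rc3", not "rc.": not covered
    ("/etc/rc.d/rc.local/helper", REG),      # [^/]+ stops at the next "/"
    (MECH, REG),
    (MECH, DIR),                             # "--" covers regular files only
]

if __name__ == "__main__":
    for path, mode in SAMPLES:
        print(f"{match_type(path, mode) or '<no match>':16} {path}")
```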