From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Feb 2010 15:00:12 -0500
Subject: [refpolicy] system_init.patch
In-Reply-To: <4AFC8780.4000604@redhat.com>
References: <4AFC8780.4000604@redhat.com>
Message-ID: <1266004812.11004.15.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-11-12 at 17:09 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_init.patch
>
> Fix labels
>
> Add policy to make upstart->daemon work, in addition to
> upstart->initrc_t->daemon

This needs to go in an init_upstart tunable block.

initrc_tmp_t blk_files and chr_files need explanation, otherwise it's completely unacceptable.

It looks like your patch reverses some upstream changes. e.g.:

+fs_register_binary_executable_type(initrc_t)
+# rhgb-console writes to ramfs
+fs_write_ramfs_pipes(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+fs_mount_all_fs(initrc_t)
+fs_unmount_all_fs(initrc_t)
+fs_remount_all_fs(initrc_t)
+fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)

then later:

-fs_register_binary_executable_type(initrc_t)
-# rhgb-console writes to ramfs
-fs_write_ramfs_pipes(initrc_t)
-# cjp: not sure why these are here; should use mount policy
-fs_mount_all_fs(initrc_t)
-fs_unmount_all_fs(initrc_t)
-fs_remount_all_fs(initrc_t)
-fs_getattr_all_fs(initrc_t)

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
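Review bot: the `+` block and the later `-` block carry the same initrc_t lines, comment lines included, from fs_register_binary_executable_type(initrc_t) through fs_getattr_all_fs(initrc_t), so the patch adds a block and then removes it again; regenerate the patch against current upstream so the quoted region shows only the intended net change. As quoted, the `-` block stops at fs_getattr_all_fs, so it is unclear whether fs_search_all(initrc_t) and fs_getattr_nfsd_files(initrc_t) are meant to remain; each of those needs its own justification, since both widen what initrc_t can reach across all filesystem types. The re-added lines also keep the existing comment "# cjp: not sure why these are here; should use mount policy", so reintroducing fs_mount_all_fs, fs_unmount_all_fs and fs_remount_all_fs for initrc_t contradicts the comment on the lines themselves; if mounting is needed, it should go through the mount policy the comment points at rather than granting initrc_t mount, unmount and remount on every filesystem.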