From: dwalsh@redhat.com (Daniel J Walsh)
Date: Sat, 13 Feb 2010 06:59:49 -0500
Subject: [refpolicy] system_init.patch
In-Reply-To: <1266004812.11004.15.camel@gorn.columbia.tresys.com>
References: <4AFC8780.4000604@redhat.com> <1266004812.11004.15.camel@gorn.columbia.tresys.com>
Message-ID: <4B769435.3000108@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/2010 03:00 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:09 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_init.patch
>>
>> Fix labels
>>
>> Add policy to make upstart->daemon work, in addition to
>> upstart->initrc_t->daemon
>
> This needs to go in an init_upstart tunable block.
>
> initrc_tmp_t blk_files and chr_files need explanation, otherwise it's
> completely unacceptable.
>
I believe this has to do with initrc running mkinitd at some point. Since we don't do this anymore, I guess we can leave it off.

> It looks like your patch reverses some upstream changes. eg:
>
> +fs_register_binary_executable_type(initrc_t)
> +# rhgb-console writes to ramfs
> +fs_write_ramfs_pipes(initrc_t)
> +# cjp: not sure why these are here; should use mount policy
> +fs_mount_all_fs(initrc_t)
> +fs_unmount_all_fs(initrc_t)
> +fs_remount_all_fs(initrc_t)
> +fs_getattr_all_fs(initrc_t)
> +fs_search_all(initrc_t)
> +fs_getattr_nfsd_files(initrc_t)
>
> then later:
>
> -fs_register_binary_executable_type(initrc_t)
> -# rhgb-console writes to ramfs
> -fs_write_ramfs_pipes(initrc_t)
> -# cjp: not sure why these are here; should use mount policy
> -fs_mount_all_fs(initrc_t)
> -fs_unmount_all_fs(initrc_t)
> -fs_remount_all_fs(initrc_t)
> -fs_getattr_all_fs(initrc_t)
>
I will fix this.
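Review bot: the block from `+fs_register_binary_executable_type(initrc_t)` through `+fs_getattr_nfsd_files(initrc_t)` is added in one hunk and the same lines are removed again in a later hunk, so the patch only relocates that block within init.te and looks diffed against a tree where it already sat elsewhere; regenerate the patch against current upstream so the add/remove pair drops out. Note also that the quoted removal stops at `-fs_getattr_all_fs(initrc_t)`, so `fs_search_all(initrc_t)` and `fs_getattr_nfsd_files(initrc_t)` may be net additions; if they are, each needs its own justification in the commit message, and re-adding `# cjp: not sure why these are here; should use mount policy` verbatim suggests the mount rules are being carried over rather than moved to mount policy as that comment asks.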
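What the "init_upstart tunable block" requested above looks like in refpolicy terms, as an added illustration that is not taken from the patch under review. It assumes the `init_upstart` boolean is declared with `gen_tunable` in init.te (the declaration is shown for completeness) and places the direct init->daemon transition inside `init_daemon_domain()` in init.if, next to the existing initrc_t->daemon path, so that every daemon gains the direct transition only when the boolean is on. The interface body here is an illustrative sketch of that arrangement, not a copy of the upstream interface.

```selinux
########################################
# init.te: declare the boolean that gates the direct transition
#
## <desc>
## <p>
## Allow init (upstart) to transition directly into daemon
## domains instead of only via initrc_t.
## </p>
## </desc>
gen_tunable(init_upstart, false)

########################################
# init.if: give every daemon domain the direct path under the tunable
#
## <summary>
##	Create a domain for long running processes (daemons)
##	which are started by init scripts, and, when
##	init_upstart is enabled, directly by init.
## </summary>
## <param name="domain"><summary>Type to be used as a daemon domain.</summary></param>
## <param name="entry_point"><summary>Type of the program entry point.</summary></param>
#
interface(`init_daemon_domain',`
	gen_require(`
		type init_t, initrc_t;
		role system_r;
		attribute daemon;
	')

	typeattribute $1 daemon;

	domain_type($1)
	domain_entry_file($1, $2)
	role system_r types $1;

	# existing path: init -> initrc_t -> daemon
	domtrans_pattern(initrc_t, $2, $1)

	# direct path: init -> daemon, only when the boolean is on;
	# with init_upstart off, init_t gets no execute/transition
	# rules on the entrypoint at all
	tunable_policy(`init_upstart',`
		domtrans_pattern(init_t, $2, $1)
	')
')
```

Because `domtrans_pattern` is wrapped in `tunable_policy`, a policy built this way carries both rule sets and selects at runtime: `setsebool init_upstart on` enables the direct transitions, and `sesearch --type_trans -s init_t` on the loaded policy shows whether the init_t -> daemon type_transition rules are currently in effect.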