From: justinmattock@gmail.com (Justin P. Mattock)
Date: Mon, 03 May 2010 09:56:57 -0700
Subject: [refpolicy] /etc/initscript breaks SELinux
In-Reply-To: <1272904285.20339.82.camel@moss-pluto.epoch.ncsc.mil>
References: <1272904285.20339.82.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <4BDF0059.7050907@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/03/2010 09:31 AM, Stephen Smalley wrote:
> On Sun, 2010-05-02 at 21:54 -0700, Justin Mattock wrote:
>> I've been racking my brain for the last few days on
>> this one, and seem (for the life of me) to have no solution.
>>
>> At first I thought this was opensuse specific, but it's not,
>> e.g. my cblfs systems hit this as well (if not all systems at that).
>>
>> When adding /etc/initscript somehow SELinux can't figure out how to
>> transition with the whole SHELL -c thing.
>>
>> Under init.c #800 (sysvinit-2.85)
>> the code is this:
>>
>>     /* See if there is an "initscript" (except in single user mode). */
>>     if (access(INITSCRIPT, R_OK) == 0 && runlevel != 'S') {
>>         /* Build command line using "initscript" */
>>         args[1] = SHELL;
>>         args[2] = INITSCRIPT;
>>         args[3] = ch->id;
>>         args[4] = ch->rlevel;
>>         args[5] = "unknown";
>>         for (f = 0; actions[f].name; f++) {
>>             if (ch->action == actions[f].act) {
>>                 args[5] = actions[f].name;
>>                 break;
>>             }
>>         }
>>
>>
>> Any ideas why SELinux gets confused with this, and
>> doesn't want to transition?
>
> In the above code, you are exec'ing the shell and just passing the
> script as an argument, not exec'ing the script. So you need a domain
> transition on the shell rather than the script, or you need to perform a
> setexecon() in the code.
>

Thanks for the info on this. I'll have a look at seeing how to do this
(I enjoy the challenge). As an example of setexecon() I was looking at
the sulogin.c patch for SELinux, but still need to figure out how to
actually do this.

Justin P. Mattock
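Added example (not code from this thread or from sysvinit) of the second option Stephen describes, setting the exec context in the code before the shell is exec'd. The libselinux function is spelled setexeccon(). The model below mirrors the quoted init.c logic: the file the kernel actually executes is the shell, so a file-keyed exec transition on the script's type never fires. prepare_exec_context() asks the policy what domain the current process would get if it exec'd the script itself (security_compute_create() for class "process", the same lookup the kernel does at exec time) and installs that as the exec context. Everything named here is constructed for illustration: the actions table, build_initscript_argv(), exec_target(), prepare_exec_context(), and the WITH_SELINUX build macro that guards the libselinux calls; without that macro the block compiles and runs with no SELinux library at all.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef WITH_SELINUX
#include <selinux/selinux.h>   /* getcon, getfilecon, setexeccon, ... */
#endif

#define SHELL      "/bin/sh"
#define INITSCRIPT "/etc/initscript"

/* Constructed stand-in for sysvinit's inittab action table. */
struct action { const char *name; int act; };
static const struct action actions[] = {
    { "respawn", 1 }, { "wait", 2 }, { "once", 3 }, { "boot", 4 }, { NULL, 0 }
};

/* Build the argv init uses when /etc/initscript exists:
 *   sh /etc/initscript <id> <runlevels> <action>
 * argv[0] is the file the kernel will exec (the shell), argv[1] the
 * script passed to it as an argument. Returns the entry count
 * (excluding the NULL terminator). */
int build_initscript_argv(const char *argv[8], const char *id,
                          const char *rlevel, int act)
{
    int f;
    argv[0] = SHELL;
    argv[1] = INITSCRIPT;
    argv[2] = id;
    argv[3] = rlevel;
    argv[4] = "unknown";
    for (f = 0; actions[f].name; f++) {
        if (actions[f].act == act) { argv[4] = actions[f].name; break; }
    }
    argv[5] = NULL;
    return 5;
}

/* The path SELinux's exec-time transition is keyed on: the exec'd file,
 * which here is the shell, not the script. */
const char *exec_target(const char *const argv[])
{
    return argv[0];
}

/* Before fork/exec, compute the domain the policy would give a process in
 * the current context that exec'd `script`, and set it as the exec
 * context so the child lands in that domain even though the shell is
 * the exec'd file. Returns 0 on success (or when SELinux is absent /
 * disabled), -1 on failure. */
int prepare_exec_context(const char *script)
{
#ifdef WITH_SELINUX
    char *cur = NULL, *scon = NULL, *newcon = NULL;
    int rc = -1;

    if (is_selinux_enabled() <= 0)
        return 0;
    if (getcon(&cur) < 0)
        goto out;
    if (getfilecon(script, &scon) < 0)
        goto out;
    /* type_transition lookup for class "process", keyed on the script's
     * label rather than the shell's. If policy has no rule, newcon
     * equals cur and setting it is a harmless no-op. */
    if (security_compute_create(cur, scon,
                                string_to_security_class("process"),
                                &newcon) < 0)
        goto out;
    rc = setexeccon(newcon);   /* applies to the next execve() only */
out:
    freecon(newcon);
    freecon(scon);
    freecon(cur);
    return rc;
#else
    (void)script;
    return 0;
#endif
}

int main(void)
{
    const char *argv[8];
    int i;

    build_initscript_argv(argv, "l3", "3", 2);
    printf("exec target: %s (exec transition is keyed on this file)\n",
           exec_target(argv));
    for (i = 0; argv[i]; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    if (prepare_exec_context(INITSCRIPT) < 0)
        fprintf(stderr, "setexeccon failed\n");
    /* A real init would fork and execve(argv[0], argv, env) here. */
    return 0;
}
```

Two policy points to keep in mind with this route: the calling domain needs the setexec permission on its own process class for setexeccon() to succeed, and because the exec'd file is still the shell, the target domain needs entrypoint permission on the shell's file type, not on the script's. Without those the exec fails rather than silently staying in the caller's domain, which shows up in the audit log.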