From: justinmattock@gmail.com (Justin P. Mattock)
Date: Mon, 03 May 2010 10:29:05 -0700
Subject: [refpolicy] /etc/initscript breaks SELinux
In-Reply-To: <1272906164.20339.107.camel@moss-pluto.epoch.ncsc.mil>
References: <1272904285.20339.82.camel@moss-pluto.epoch.ncsc.mil> <4BDF0059.7050907@gmail.com> <1272906164.20339.107.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <4BDF07E1.2020500@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/03/2010 10:02 AM, Stephen Smalley wrote:
> On Mon, 2010-05-03 at 09:56 -0700, Justin P. Mattock wrote:
>> On 05/03/2010 09:31 AM, Stephen Smalley wrote:
>>> On Sun, 2010-05-02 at 21:54 -0700, Justin Mattock wrote:
>>>> I've been racking my brain for the last few days on
>>>> this one, and seem (for the life of me) to have no solution.
>>>>
>>>> At first I thought this was openSUSE specific, but it's not,
>>>> e.g. my cblfs systems hit this as well (if not all systems at that).
>>>>
>>>> When adding /etc/initscript somehow SELinux can't figure out how to
>>>> transition with the whole SHELL -c thing.
>>>>
>>>> Under init.c #800 (sysvinit-2.85)
>>>> the code is this:
>>>>
>>>> /* See if there is an "initscript" (except in single user mode). */
>>>> if (access(INITSCRIPT, R_OK) == 0 && runlevel != 'S') {
>>>>         /* Build command line using "initscript" */
>>>>         args[1] = SHELL;
>>>>         args[2] = INITSCRIPT;
>>>>         args[3] = ch->id;
>>>>         args[4] = ch->rlevel;
>>>>         args[5] = "unknown";
>>>>         for (f = 0; actions[f].name; f++) {
>>>>                 if (ch->action == actions[f].act) {
>>>>                         args[5] = actions[f].name;
>>>>                         break;
>>>>                 }
>>>>         }
>>>>
>>>>
>>>> Any ideas why SELinux gets confused with this, and
>>>> doesn't want to transition?
>>>
>>> In the above code, you are exec'ing the shell and just passing the
>>> script as an argument, not exec'ing the script. So you need a domain
>>> transition on the shell rather than the script, or you need to perform a
>>> setexeccon() in the code.
>>>
>>
>> Thanks for the info on this..
>>
>> I'll have a look at seeing how to do this
>> (I enjoy the challenge).
>>
>> As an example on setexeccon() I was looking
>> at the sulogin.c patch for SELinux, but still
>> need to figure out how to actually do this.
>
> Well, you can do it without using setexeccon() just by configuring
> policy to domain transition from init_t to initrc_t on shell_exec_t.
> That's what happens if you enable init_upstart=on. So I think it is
> mostly just a matter of making that the default and dropping the legacy
> transition to sysadm_t for single-user mode.
>

What/where is that code in the policy? (I've looked but can't seem to grep the right word.)

As for dropping the legacy (as mentioned in this post:
http://oss.tresys.com/pipermail/refpolicy/2010-February/002012.html)
tough to say... right now (as a learning experience) I'll dive into sysvinit
(because I need to get better at reading/writing code), as well as do the same for the policy.

Justin P. Mattock
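An added illustration, not part of this thread and not refpolicy's own init.te, of what "domain transition from init_t to initrc_t on shell_exec_t" means in raw type-enforcement rules, written as a stand-alone module so it can be built with checkmodule/semodule_package for testing; the type names are refpolicy's, and it is assumed that refpolicy's interface `corecmd_shell_domtrans(init_t, initrc_t)` expands to essentially these rules.

```te
# Added example: stand-alone module equivalent of the policy-side fix.
# Because init execs the shell (shell_exec_t) with /etc/initscript only
# as an argument, the transition must key on shell_exec_t, not on the
# script's own label; with these rules no setexeccon() call is needed.
module initscript_trans 1.0;

require {
        type init_t, initrc_t, shell_exec_t;
}

# 1. init_t may execute a file labelled shell_exec_t (the shell binary).
allow init_t shell_exec_t:file { getattr open read execute };

# 2. shell_exec_t is a valid entry point into the initrc_t domain.
allow initrc_t shell_exec_t:file entrypoint;

# 3. init_t is permitted to change its process domain to initrc_t.
allow init_t initrc_t:process transition;

# 4. Make that change the default whenever init_t execs shell_exec_t,
#    so "sh /etc/initscript ..." lands in initrc_t automatically.
type_transition init_t shell_exec_t:process initrc_t;
```

Before loading anything, `sesearch -T -s init_t -t shell_exec_t -c process` shows whether the running policy already has this default transition (it will when init_upstart is on). Note the caveat behind Stephen's last sentence: rule 4 applies to every shell init execs, including the single-user one, so the old init_t to sysadm_t transition on the same source and target types cannot coexist with it.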