From: justinmattock@gmail.com (Justin P. Mattock)
Date: Mon, 03 May 2010 10:58:55 -0700
Subject: [refpolicy] /etc/initscript breaks SELinux
In-Reply-To: <1272907960.20339.131.camel@moss-pluto.epoch.ncsc.mil>
References: <1272904285.20339.82.camel@moss-pluto.epoch.ncsc.mil> <4BDF0059.7050907@gmail.com> <1272906164.20339.107.camel@moss-pluto.epoch.ncsc.mil> <4BDF07E1.2020500@gmail.com> <1272907960.20339.131.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <4BDF0EDF.3090106@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/03/2010 10:32 AM, Stephen Smalley wrote:
> On Mon, 2010-05-03 at 10:29 -0700, Justin P. Mattock wrote:
>> On 05/03/2010 10:02 AM, Stephen Smalley wrote:
>>> On Mon, 2010-05-03 at 09:56 -0700, Justin P. Mattock wrote:
>>>> On 05/03/2010 09:31 AM, Stephen Smalley wrote:
>>>>> On Sun, 2010-05-02 at 21:54 -0700, Justin Mattock wrote:
>>>>>> I've been racking my brain for the last few days on
>>>>>> this one, and seem (for the life of me) to have no solution.
>>>>>>
>>>>>> At first I thought this was openSUSE specific, but it's not,
>>>>>> e.g. my CBLFS systems hit this as well (if not all systems at that).
>>>>>>
>>>>>> When adding /etc/initscript somehow SELinux can't figure out how to
>>>>>> transition with the whole SHELL -c thing.
>>>>>>
>>>>>> Under init.c #800 (sysvinit-2.85)
>>>>>> the code is this:
>>>>>>
>>>>>> /* See if there is an "initscript" (except in single user mode). */
>>>>>> if (access(INITSCRIPT, R_OK) == 0 && runlevel != 'S') {
>>>>>>     /* Build command line using "initscript" */
>>>>>>     args[1] = SHELL;
>>>>>>     args[2] = INITSCRIPT;
>>>>>>     args[3] = ch->id;
>>>>>>     args[4] = ch->rlevel;
>>>>>>     args[5] = "unknown";
>>>>>>     for (f = 0; actions[f].name; f++) {
>>>>>>         if (ch->action == actions[f].act) {
>>>>>>             args[5] = actions[f].name;
>>>>>>             break;
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> Any ideas why SELinux gets confused with this, and
>>>>>> doesn't want to transition?
>>>>>
>>>>> In the above code, you are exec'ing the shell and just passing the
>>>>> script as an argument, not exec'ing the script. So you need a domain
>>>>> transition on the shell rather than the script, or you need to perform a
>>>>> setexeccon() in the code.
>>>>>
>>>>
>>>> Thanks for the info on this..
>>>>
>>>> I'll have a look at seeing how to do this
>>>> (I enjoy the challenge).
>>>>
>>>> As an example on setexeccon() I was looking
>>>> at the sulogin.c patch for SELinux, but still
>>>> need to figure out how to actually do this.
>>>
>>> Well, you can do it without using setexeccon() just by configuring
>>> policy to domain transition from init_t to initrc_t on shell_exec_t.
>>> That's what happens if you enable init_upstart=on. So I think it is
>>> mostly just a matter of making that the default and dropping the legacy
>>> transition to sysadm_t for single-user mode.
>>>
>>
>> What/where is that code at in the policy?
>> (I've looked but can't seem to grep the right word).
>
> system/init.te, line 182:
> tunable_policy(`init_upstart',`
> 	corecmd_shell_domtrans(init_t, initrc_t)
> ',`
> 	# Run the shell in the sysadm role for single-user mode.
> 	# causes problems with upstart
> 	sysadm_shell_domtrans(init_t)
> ')

Ah.. I looked at this (must have been too tired), and nothing registered in my head.

>
>> As for dropping the legacy (as mentioned in this post:
>> http://oss.tresys.com/pipermail/refpolicy/2010-February/002012.html)
>
> Yes, that was the prior discussion.
>

Hm.. I'm thinking this should be as is, e.g. if sysvinit can do the proper things, then that's it (the policy still has legacy, etc..)

>> Tough to say... right now (as a learning experience) I'll dive into
>> sysvinit (because I need to get better at reading/writing code),
>> as well as do the same for the policy.
>

I'll look into sysv and see if I can make some headway with it reading initscript properly.

Justin P. Mattock
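The policy side of the fix Stephen describes, written out as an added example (this is not refpolicy's own init.te nor anything posted in the thread). It shows the tunable-gated rule quoted above beside an assumed unconditional rewrite, spells out the raw rules the corecmd_shell_domtrans() interface expands to (reconstructed from refpolicy's domtrans_pattern; treat the exact permission set as an assumption for your policy version), and lists the checks to run once the rebuilt policy is loaded. The label assumed for /etc/initscript (etc_t) is illustrative; the point is that whatever it is, it does not drive the transition.

```selinux
# Added example, not refpolicy's shipped system/init.te.
#
# Why labelling /etc/initscript never helps: sysvinit builds
#   argv = { SHELL, INITSCRIPT, id, rlevel, action }
# and execve()s SHELL (/bin/sh, labelled shell_exec_t). The kernel keys a
# type_transition on the label of the file actually exec'd, so a rule on
# initrc_exec_t (the usual label for init scripts) is never consulted here,
# and /etc/initscript can stay at its assumed label of etc_t.

## Before: the transition to initrc_t is gated on a tunable that defaults
## to off, and the other branch sends init's shell to sysadm_t.
# tunable_policy(`init_upstart',`
#	corecmd_shell_domtrans(init_t, initrc_t)
# ',`
#	# Run the shell in the sysadm role for single-user mode.
#	sysadm_shell_domtrans(init_t)
# ')

## After (assumed rewrite): transition unconditionally whenever init execs
## a shell, which covers both "SHELL -c cmd" and "SHELL /etc/initscript ...".
corecmd_shell_domtrans(init_t, initrc_t)

# What that interface expands to, roughly (refpolicy's domtrans_pattern plus
# the shell entrypoint grant; exact permissions depend on the policy version):
#	allow init_t shell_exec_t:file { getattr open read execute };
#	allow init_t initrc_t:process transition;
#	dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };
#	allow initrc_t shell_exec_t:file entrypoint;
#	type_transition init_t shell_exec_t:process initrc_t;

# Checks after rebuilding and loading the policy (setools' sesearch assumed
# installed):
#	sesearch -T -s init_t -t shell_exec_t -c process
#	  expect a type_transition line whose target domain is initrc_t
#	ls -Z /bin/sh /etc/initscript
#	  /bin/sh must be shell_exec_t; the initscript label is irrelevant
#	ps -eZ | grep -E 'initscript|rc'
#	  children started via initscript should now show initrc_t, not init_t
```

Making the transition unconditional removes the reason the tunable existed, which is the single-user-mode case the `sysadm_shell_domtrans(init_t)` branch handled; that is the legacy behaviour Stephen suggests dropping, and the February thread linked above is where that trade-off was discussed. The alternative he names, calling setexeccon() in init.c right before the execv, achieves the same effect from the program side without a policy change, but then the desired context is hard-coded in sysvinit rather than decided by the policy.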