From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 14 Feb 2011 19:51:08 +0100
Subject: [refpolicy] [PATCH 1/1] Allow udev to launch init scripts (f.i. on network module load)
In-Reply-To: <4D593122.9000701@tresys.com>
References: <1296670820-6208-1-git-send-email-sven.vermeulen@siphos.be> <4D49A13F.4020802@redhat.com> <20110202183844.GA6308@siphos.be> <4D593122.9000701@tresys.com>
Message-ID: <20110214185107.GB13533@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Feb 14, 2011 at 08:41:54AM -0500, Christopher J. PeBenito wrote:
> > In Gentoo (the patch only includes the line in a distro_gentoo section), the
> > (default installed) 90-network.rules calls the /etc/init.d/net.
> > init script when a network subsystem is added or removed.
>
> I believe he is saying that the scripts should be labeled, not that
> you're missing a description (though that's important too).

Well, the /etc/init.d/net. scripts are symlinks to a script labelled initrc_exec_t, as one would imagine from an init script.

udev itself (running in the udev_t domain) calls a wrapper script net.sh (labelled bin_t). You'd rather see this wrapper script be labelled something like udev_net_exec_t, which transitions to udev_net_t, which then calls the net. script (initrc_exec_t), which transitions to initrc_t?

Wkr,
Sven Vermeulen
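The two-hop chain Sven asks about (udev_t executes a udev_net_exec_t wrapper, lands in udev_net_t, and only that domain may execute initrc_exec_t scripts and transition to initrc_t), written out in refpolicy's .fc/.te syntax as an added illustration. This is not Sven's patch, not Christopher's suggestion and not refpolicy's own code; the wrapper path /lib/udev/net.sh, the type names udev_net_t and udev_net_exec_t, and placing the rules inside udev.te's distro_gentoo block are assumptions made here. The alternative it is being weighed against is a single init_domtrans_script(udev_t), which would let every udev helper, not just the network wrapper, start init scripts.

```m4
## Added example, not the patch under discussion and not refpolicy code.
## Assumptions: the wrapper is /lib/udev/net.sh, the new types live in
## udev.te, and the rules are Gentoo-only like the rest of the change.

## udev.fc: relabel the wrapper from bin_t to its own entrypoint type.
## Without this the wrapper stays bin_t and udev_t keeps running it in
## its own domain, so no transition happens at all.
/lib/udev/net\.sh	--	gen_context(system_u:object_r:udev_net_exec_t,s0)

## udev.te
ifdef(`distro_gentoo',`
	# A dedicated domain for the network wrapper and its entrypoint.
	type udev_net_t;
	type udev_net_exec_t;
	domain_type(udev_net_t)
	domain_entry_file(udev_net_t, udev_net_exec_t)
	role system_r types udev_net_t;

	# Hop 1: udev_t executes net.sh (udev_net_exec_t) and transitions to
	# udev_net_t. Only this file, not every bin_t helper udev runs, gets
	# the transition.
	domain_auto_transition_pattern(udev_t, udev_net_exec_t, udev_net_t)

	# Hop 2: net.sh executes the initrc_exec_t-labelled /etc/init.d/net.
	# scripts and transitions to initrc_t. Granting this to udev_net_t
	# rather than udev_t keeps the right to start init scripts out of
	# udev_t itself.
	init_domtrans_script(udev_net_t)
')
```

Whether the extra domain is worth it is exactly the open question in the thread: it confines init-script launching to one wrapper, at the cost of a new type pair, an entry in udev.fc, and any further rules udev_net_t turns out to need for reading the symlinks under /etc/init.d.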