From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 16 Feb 2011 09:28:10 -0500
Subject: [refpolicy] [PATCH 1/1] Allow udev to launch init scripts (f.i. on network module load)
In-Reply-To: <20110214185107.GB13533@siphos.be>
References: <1296670820-6208-1-git-send-email-sven.vermeulen@siphos.be>
	<4D49A13F.4020802@redhat.com>
	<20110202183844.GA6308@siphos.be>
	<4D593122.9000701@tresys.com>
	<20110214185107.GB13533@siphos.be>
Message-ID: <4D5BDEFA.5070301@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/14/11 13:51, Sven Vermeulen wrote:
> On Mon, Feb 14, 2011 at 08:41:54AM -0500, Christopher J. PeBenito wrote:
>>> In Gentoo (the patch only includes the line in a distro_gentoo section), the
>>> (default installed) 90-network.rules calls the /etc/init.d/net.
>>> init script when a network subsystem is added or removed.
>>
>> I believe he is saying that the scripts should be labeled, not that
>> you're missing a description (though that's important too).
>
> Well, the /etc/init.d/net. scripts are symlinks to a script
> labelled initrc_exec_t as one would imagine from an init script. udev itself
> (running in udev_t domain) calls a wrapper script net.sh (labelled bin_t).
>
> You'd rather see this wrapper script be labelled something like
> udev_net_exec_t which transitions to udev_net_t which then calls the
> net. script (initrc_exec_t) which transitions to initrc_t?

Making something like network_initrc_exec_t and labeling all the basic
networking scripts with it, and then transitioning to initrc_t is what we
mean.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
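As an added illustration of the layout Chris proposes (this is example policy written for this page, not the patch under discussion and not refpolicy's own change): a dedicated init-script type for the networking scripts, and a narrow transition for udev_t into initrc_t only through that type. The type name network_initrc_exec_t is the one suggested in the thread; the module name sysnet, the interface name sysnet_domtrans_network_script, and the path /etc/init.d/net.lo (assumed here to be the real script the Gentoo net.* symlinks point at) are assumptions.

```selinux
# ---- sysnet.fc (assumed module name) ----
# Label the real script, not only the symlinks: the entrypoint check that
# drives a domain transition is made against the file the symlink resolves
# to, so the "--" (regular file) entry on the target is the one that matters.
/etc/init\.d/net\.lo	--	gen_context(system_u:object_r:network_initrc_exec_t,s0)
/etc/init\.d/net\..*	-l	gen_context(system_u:object_r:network_initrc_exec_t,s0)

# ---- sysnet.te ----
type network_initrc_exec_t;
# Registers the type as an init script file type (init_script_file_type
# attribute) so init and initrc_t treat it like any other initrc_exec_t
# script; initrc_t is the domain the script runs in.
init_script_file(network_initrc_exec_t)

# ---- sysnet.if ----
########################################
## <summary>
##	Execute the basic networking init scripts in initrc_t.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(`sysnet_domtrans_network_script',`
	gen_require(`
		type network_initrc_exec_t;
	')

	# domtrans_pattern($1, network_initrc_exec_t, initrc_t) plus the
	# init script directory search, via the standard init interface.
	init_labeled_script_domtrans($1, network_initrc_exec_t)
')

# ---- udev.te (the caller) ----
# Only the networking scripts, not every initrc_exec_t script, become an
# entrypoint for udev_t -> initrc_t, and no udev_net_t intermediate domain
# or bin_t wrapper is needed.
ifdef(`distro_gentoo',`
	sysnet_domtrans_network_script(udev_t)
')
```

After loading the module and running restorecon on /etc/init.d, the transition can be confirmed with setools: `sesearch -T -s udev_t -t network_initrc_exec_t` should show a single type_transition to initrc_t, and `sesearch -T -s udev_t -t initrc_exec_t` should still show nothing, which is the point of the separate type. The wrapper script in the thread (net.sh, bin_t) would keep running in udev_t and would only reach initrc_t through the labeled net.* target.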