From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 11 Dec 2013 09:33:40 +0100
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
Message-ID: <20131211083339.GA5997@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2013-12-10 at 17:00 +0100, Dominick Grift wrote:
> On Tue, 2013-12-10 at 16:57 +0100, Dominick Grift wrote:
> >
> > >   typeattribute $1 direct_init;
> > > - typeattribute $2 direct_init_entry;
>
> Here it's actually associated with the init daemon entry file. That is
> wrong in my view. The role transition should happen on the init script,
> not the daemon entry file.
>
> > > - role_transition $2 direct_init_entry system_r;
> > > + role_transition $2 init_script_file_type system_r;
>
> Here is that actual role transition. This is causing problems with
> direct_initrc. The role transition to system_r should happen on the init
> script and not on the init daemon executable file.

In Gentoo, we don't use the direct_* attributes so I can't tell you that
they do (or do not) cause problems.

hpl htdocs # seinfo -adirect_init -x
   direct_init
hpl htdocs # seinfo -adirect_run_init -x
   direct_run_init
hpl htdocs # seinfo -adirect_init_entry -x
   direct_init_entry

What we do is we have the following set:

seutil_init_script_run_runinit(sysadm_t, sysadm_r)
. seutil_init_script_domtrans_runinit(sysadm_t)
. . init_script_file_domtrans(sysadm_t, run_init_t)
. . . domain_auto_trans(sysadm_t, initrc_exec_t, run_init_t)

This ensures that, if sysadm_t executes an initrc_exec_t script, the script
is launched in the run_init_t context. Then, our init system (OpenRC) calls
a shared library we provide (linked with libselinux) which sets the next
execution context to system_u:system_r:initrc_t (using setexeccon) and
re-executes the script.

Wkr,
  Sven Vermeulen
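Review bot: once both `- typeattribute $2 direct_init_entry;` and `- role_transition $2 direct_init_entry system_r;` are removed, nothing in the quoted hunks still references direct_init_entry, so its attribute declaration becomes dead; either drop the declaration in the same patch or say where it is still used. The `+ role_transition $2 init_script_file_type system_r;` line also widens what the role $2 transitions on, from the daemon entry executables to every type carrying init_script_file_type, while `typeattribute $1 direct_init;` is left in place; the patch description should state that change of scope explicitly so reviewers can check it against direct_initrc.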