From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 11 Dec 2013 09:56:37 +0100
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
In-Reply-To: <20131211083339.GA5997@siphos.be>
References: <20131211083339.GA5997@siphos.be>
Message-ID: <1386752197.18689.88.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2013-12-11 at 09:33 +0100, Sven Vermeulen wrote:
> 
> What we do is we have the following set:
> 
> seutil_init_script_run_runinit(sysadm_t, sysadm_r)
> . seutil_init_script_domtrans_runinit(sysadm_t)
> . . init_script_file_domtrans(sysadm_t, run_init_t)
> . . . domain_auto_trans(sysadm_t, initrc_exec_t, run_init_t)
> 
> This ensures that, if sysadm_t executes an initrc_exec_t script, the script
> is launched in the run_init_t context. Then, our init system (OpenRC) calls
> a shared library we provide (linked with libselinux) which sets the next
> execution context to system_u:system_r:initrc_t (using setexeccon) and
> re-executes the script.
> 

Thanks. Do the *_admin() interfaces work in Gentoo?

The role transition in the *_admin() interfaces happen on the init
scripts, So if they work in Gentoo then i think we can be pretty certain
that the change i am suggesting in my patch will not break the SELinux
policy openrc solution.

It's a bit harder to verify init related stuff now though because
gentoo, debian and fedora each use a different init systems now

I believe we need to make sure to role transition on the init scripts
only because if we role transition on the daemon executable files
themselves then we get conflicts with executable files that can be run
both as a system service as well as a sessions service.