From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 11 Dec 2013 10:52:03 +0100
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
In-Reply-To: <1386752197.18689.88.camel@d30>
References: <20131211083339.GA5997@siphos.be> <1386752197.18689.88.camel@d30>
Message-ID: <20131211095203.GA6201@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Dec 11, 2013 at 09:56:37AM +0100, Dominick Grift wrote:
> Thanks. Do the *_admin() interfaces work in Gentoo?
> 
> The role transition in the *_admin() interfaces happen on the init
> scripts, So if they work in Gentoo then i think we can be pretty certain
> that the change i am suggesting in my patch will not break the SELinux
> policy openrc solution.

Yes they do.

In case of such transitions, upon executing the script, the context is
already initrc_t (in the system_r role). The SELinux code that OpenRC calls
checks the current context, sees that it is not run_init_t and gracefully
returns (no further actions taken) and the "normal" flow continues.

> It's a bit harder to verify init related stuff now though because
> gentoo, debian and fedora each use a different init systems now

Indeed. I wouldn't mind splitting the init code into their respective
domains, although that will be a "hell of a job", while there are still
important shared aspects to it.

> I believe we need to make sure to role transition on the init scripts
> only because if we role transition on the daemon executable files
> themselves then we get conflicts with executable files that can be run
> both as a system service as well as a sessions service.

Indeed. 

Wkr,
	Sven Vermeulen