From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 11 Dec 2013 10:52:03 +0100
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
In-Reply-To: <1386752197.18689.88.camel@d30>
References: <20131211083339.GA5997@siphos.be> <1386752197.18689.88.camel@d30>
Message-ID: <20131211095203.GA6201@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Dec 11, 2013 at 09:56:37AM +0100, Dominick Grift wrote:
> Thanks. Do the *_admin() interfaces work in Gentoo?
>
> The role transition in the *_admin() interfaces happens on the init
> scripts, so if they work in Gentoo then I think we can be pretty certain
> that the change I am suggesting in my patch will not break the SELinux
> policy OpenRC solution.

Yes they do. In case of such transitions, upon executing the script, the
context is already initrc_t (in the system_r role). The SELinux code that
OpenRC calls checks the current context, sees that it is not run_init_t and
gracefully returns (no further actions taken), and the "normal" flow
continues.

> It's a bit harder to verify init related stuff now though because
> Gentoo, Debian and Fedora each use a different init system now.

Indeed. I wouldn't mind splitting the init code into their respective
domains, although that will be a "hell of a job", while there are still
important shared aspects to it.

> I believe we need to make sure to role transition on the init scripts
> only, because if we role transition on the daemon executable files
> themselves then we get conflicts with executable files that can be run
> both as a system service as well as a session service.

Indeed.

Wkr,
Sven Vermeulen
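The check Sven describes, reduced to its logic: read the caller's SELinux context, and only perform the run_init-style handling when the type is run_init_t; when the script is already running as initrc_t (because the *_admin() role transition happened on the init script), return without doing anything further. The code below is an added illustration for this thread, not OpenRC's or refpolicy's own code; the function names, the reading of /proc/self/attr/current and the sample contexts are constructed for the example.

```python
"""Illustration of the 'already initrc_t, nothing to do' check (constructed example)."""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range, absent on non-MLS policies


def parse_context(raw: str) -> SELinuxContext:
    """Parse 'user:role:type[:level]'. The kernel-supplied string may carry
    a trailing NUL and the level itself may contain ':' (e.g. s0-s0:c0.c1023),
    so split at most three times and keep the remainder as the level."""
    raw = raw.rstrip("\0\n")
    parts = raw.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {raw!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return SELinuxContext(user, role, typ, level)


def current_context(proc_path: str = "/proc/self/attr/current") -> Optional[SELinuxContext]:
    """Return the calling process's context, or None when SELinux is not
    available (non-Linux host, SELinux disabled, attr file unreadable)."""
    try:
        return parse_context(Path(proc_path).read_text())
    except (OSError, ValueError):
        return None


def needs_run_init_handling(ctx: Optional[SELinuxContext],
                            run_init_type: str = "run_init_t") -> bool:
    """True only when the caller is in run_init_t and the init script still has
    to be handled the run_init way. Any other type (notably initrc_t reached
    through an *_admin() role transition) means the 'normal' flow continues."""
    if ctx is None:
        return False
    return ctx.type == run_init_type


# Constructed sample contexts for the three situations discussed in the thread.
CONSTRUCTED_SAMPLES = {
    # Administrator invoked the script through run_init: handling required.
    "via_run_init": "staff_u:sysadm_r:run_init_t:s0-s0:c0.c1023",
    # Script started by init itself: already initrc_t, nothing to do.
    "started_by_init": "system_u:system_r:initrc_t:s0",
    # Administrator's *_admin() role transition put us in system_r/initrc_t.
    "admin_role_transition": "staff_u:system_r:initrc_t:s0",
}


def classify_samples() -> dict:
    """Map each constructed sample to whether run_init handling would occur."""
    return {name: needs_run_init_handling(parse_context(raw))
            for name, raw in CONSTRUCTED_SAMPLES.items()}


if __name__ == "__main__":
    live = current_context()
    print("live context:", live)
    for name, decision in classify_samples().items():
        print(f"{name:>22}: run_init handling = {decision}")
```

On a host with SELinux enabled the script also prints the live context; everywhere else `current_context()` returns None and the decision falls through to "continue normally", which mirrors the graceful return described above.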