From: jason@perfinion.com (Jason Zaman)
Date: Mon, 7 Mar 2016 23:37:41 +0800
Subject: [refpolicy] context file for openrc
In-Reply-To: <56DD9672.1090901@gmail.com>
References: <20160307091536.GA4884@meriadoc.perfinion.com> <56DD9404.8020006@tresys.com> <20160307144949.GA20572@meriadoc> <56DD9672.1090901@gmail.com>
Message-ID: <20160307153741.GA21973@meriadoc>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Mar 07, 2016 at 03:55:46PM +0100, Dominick Grift wrote:
> On 03/07/2016 03:49 PM, Jason Zaman wrote:
> > On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito wrote:
> >> On 3/7/2016 4:15 AM, Jason Zaman wrote:
> >>> Hi all,
> >>>
> >>> I recently realized that gentoo's selinux-base package creates
> >>> the context file /etc/selinux/*/contexts/run_init_type which
> >>> contains "run_init_t". This file is missing from refpolicy and
> >>> should be added since the rest of openrc's selinux support has
> >>> been in refpolicy for ages.
> >>>
> >>> The run_init_type file is used by openrc's integrated run_init
> >>> stuff. This type is different from initrc_context (which
> >>> contains "system_u:system_r:initrc_t:s0"). When an admin runs
> >>> an init script, it transitions to run_init_type which does
> >>> authentication and only then is allowed to exec into
> >>> initrc_context to actually run the script.
> >>>
> >>> My question is basically: should this file be renamed? I can
> >>> easily fix it in openrc upstream so that debian and any others
> >>> get it too and keep the legacy in gentoo for a while.
> >>
> >> What do you suggest it be renamed to?
> >
> > I can't think of anything great. openrc_run_init_type seems a
> > little long or maybe just openrc_run_init?
>
> I would just use "openrc"; then, if you use the libselinux functionality,
> the file will end up with the name "openrc_contexts", and inside there
> you can, for example, define "run_init_type = TYPE".

That sounds much more reasonable.

I will prepare the patch for openrc first, so I can make sure everything works, and then send the patch to refpol. Once the context file is merged in, I'll send the patch to openrc.

--
Jason
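The layout Dominick suggests is a "key = value" contexts file named openrc_contexts, while Gentoo's legacy layout is a run_init_type file holding just the bare type. The following is an added example, not code from openrc, refpolicy or Gentoo, of how a consumer could resolve the run_init type from either layout and check that what it got is a bare type rather than a full context such as initrc_context's "system_u:system_r:initrc_t:s0". The contexts directory, file contents and function names are constructed for the example; openrc's real implementation (in C, using libselinux) is not reproduced here.

```shell
#!/bin/sh
# Added example (not openrc's or refpolicy's code): resolve the SELinux type
# that an integrated run_init should transition through. The new-style
# "openrc_contexts" key = value file is consulted first; the legacy Gentoo
# "run_init_type" file (bare type, one line) is the fallback. All paths and
# file contents below are constructed for demonstration.

# Print the value of KEY from a "key = value" file. '#' comments and blank
# lines are ignored and surrounding whitespace is stripped. Returns 1 when
# the file is unreadable or the key is absent.
contexts_get() {
    file=$1; key=$2
    [ -r "$file" ] || return 1
    sed -n -e 's/#.*$//' \
           -e "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*\$/\1/p" \
        "$file" | head -n 1 | grep .
}

# Resolve run_init_type from a contexts directory (in a real system this
# would be /etc/selinux/<policy>/contexts; the example passes temp dirs).
run_init_type() {
    dir=$1
    contexts_get "$dir/openrc_contexts" run_init_type && return 0
    # Legacy layout: the file contains the bare type and nothing else.
    if [ -r "$dir/run_init_type" ]; then
        head -n 1 "$dir/run_init_type" | tr -d '[:space:]' | grep .
        return
    fi
    return 1
}

# The file must carry a bare type (e.g. run_init_t), not a full
# user:role:type[:level] context; the caller composes the full context.
is_bare_type() {
    case $1 in
        ""|*:*) return 1 ;;
        *_t)    return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample trees for the two layouts, resolved side by side.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/new" "$tmp/old"
    printf '# openrc SELinux settings\nrun_init_type = run_init_t\n' \
        > "$tmp/new/openrc_contexts"
    printf 'run_init_t\n' > "$tmp/old/run_init_type"
    new=$(run_init_type "$tmp/new")
    old=$(run_init_type "$tmp/old")
    rm -rf "$tmp"
    echo "openrc_contexts layout: $new"
    echo "legacy run_init_type layout: $old"
}

demo
```

Only the type is stored because, as the original post says, run_init authenticates in that domain first and only then execs into the full initrc_context; a stored full context would short-circuit that separation, which is why is_bare_type rejects anything containing a colon.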