From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 7 Mar 2016 17:00:39 +0100
Subject: [refpolicy] context file for openrc
In-Reply-To: <20160307153741.GA21973@meriadoc>
References: <20160307091536.GA4884@meriadoc.perfinion.com> <56DD9404.8020006@tresys.com> <20160307144949.GA20572@meriadoc> <56DD9672.1090901@gmail.com> <20160307153741.GA21973@meriadoc>
Message-ID: <56DDA5A7.8000602@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/07/2016 04:37 PM, Jason Zaman wrote:
> On Mon, Mar 07, 2016 at 03:55:46PM +0100, Dominick Grift wrote:
>> On 03/07/2016 03:49 PM, Jason Zaman wrote:
>>> On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito wrote:
>>>> On 3/7/2016 4:15 AM, Jason Zaman wrote:
>>>>> Hi all,
>>>>>
>>>>> I recently realized that gentoo's selinux-base package
>>>>> creates the context file
>>>>> /etc/selinux/*/contexts/run_init_type which contains
>>>>> "run_init_t". This file is missing from refpolicy and
>>>>> should be added since the rest of openrc's selinux support
>>>>> has been in refpolicy for ages.
>>>>>
>>>>> The run_init_type file is used by openrc's integrated
>>>>> run_init stuff. This type is different from initrc_context
>>>>> (which contains "system_u:system_r:initrc_t:s0"). When an
>>>>> admin runs an init script, it transitions to run_init_type
>>>>> which does authentication and only then is allowed to exec
>>>>> into initrc_context to actually run the script.
>>>>>
>>>>> My question is basically: should this file be renamed? I
>>>>> can easily fix it in openrc upstream so that debian and any
>>>>> others get it too and keep the legacy in gentoo for a
>>>>> while.
>>>>
>>>> What do you suggest it be renamed to?
>>>
>>> I can't think of anything great. openrc_run_init_type seems a
>>> little long or maybe just openrc_run_init?
>>
>> I would just use "openrc". Then, if you use the libselinux
>> functionality, the file will end up with the name "openrc_contexts".
>> Inside there you can, for example, define
>> "run_init_type = TYPE"
>
> That sounds much more reasonable. I will prepare the patch for
> openrc first then so I can make sure everything works and then send
> the patch to refpol. Once the context file is merged in, I'll send
> the patch to openrc.
>

Here is an example patch to libselinux:

https://dwalsh.fedorapeople.org/SELinux/Patches/0008-Add-selinux_systemd_contexts_path.patch

It would look pretty much the same except for the name.

> -- Jason
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
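Added example, not part of the thread and not code from openrc, libselinux or refpolicy: a C sketch of how a consumer could read the proposed `run_init_type = TYPE` entry while still honouring the legacy one-line `run_init_type` file. The function names, the fail-closed choice, the restriction to a bare type name and the sample contents are assumptions made for this illustration.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample file contents (not taken from refpolicy or openrc). */
static const char SAMPLE_NEW[] = "# openrc contexts\nrun_init_type = run_init_t\n";
static const char SAMPLE_LEGACY[] = "run_init_t\n";

/* Trim [p,end), accept only a bare type name ([A-Za-z0-9_]+), copy it to out. */
static int copy_type(const char *p, const char *end, char *out, size_t outsz)
{
    while (p < end && isspace((unsigned char)*p)) p++;
    while (end > p && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - p);
    if (n == 0 || n >= outsz) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)p[i]) && p[i] != '_') return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Find "key = TYPE" in the text of an openrc_contexts-style file (assumed format). */
int lookup_key(const char *text, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    while (*text) {
        const char *end = text + strcspn(text, "\n");
        const char *p = text;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (strncmp(p, key, klen) == 0) {
            p += klen;
            while (p < end && isspace((unsigned char)*p)) p++;
            if (p < end && *p == '=')
                return copy_type(p + 1, end, out, outsz);
        }
        text = *end ? end + 1 : end;
    }
    return -1;
}

/* The new file, when present, is authoritative: a missing or malformed entry fails
 * closed. The legacy one-line file is consulted only when the new file is absent. */
int resolve_run_init_type(const char *new_text, const char *legacy, char *out, size_t outsz)
{
    if (new_text)
        return lookup_key(new_text, "run_init_type", out, outsz);
    return legacy ? copy_type(legacy, legacy + strlen(legacy), out, outsz) : -1;
}
```

Pass `NULL` for a file that does not exist; a full context string such as `system_u:system_r:initrc_t:s0` is rejected because only a bare type name is accepted here.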