On Sun, May 15, 2011 at 12:25:32AM +0200, Sven Vermeulen wrote:
> I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git
> overlay. It does not resolve all problems, but at least Gentoo Hardened with
> SELinux now boots up properly with OpenRC (and the Gentoo SELinux handbook
> has been updated with what Chris R. said).

Small update. I'm going to push out -r16 after the regression tests finish.

> But there is still some work ahead.
> - rc-update currently *does* *not* *work*. Not good. I know.
> The problem is that rc-update (bin_t) calls /sbin/rc (initrc_exec_t) so
> transitions to run_init_t which does not have the rights to write in
> /etc/runlevels (etc_t). Calling rc-update with run_init doesn't help
> either (transitions to initrc_t which also has no rights to write to
> etc_t)

This is fixed; from -r16, my proposal would be to use an intermediate domain
(sysadm_initrc_notrans_t) which, when executing an initrc_exec_t file (like
/sbin/rc), transitions back to sysadm_t. The intermediate domain can be entered
through an initrc_notrans_exec_t file.

> - rc-status works if you use "run_init rc-status". Allowing rc-status to
> work without run_init is possible as well (-r15 offers the
> gentoo_init_manage_script_status_files interface for this which we can
> apply to run_init_t, but you'll also need to add in a
> term_use_unallocated_ttys(run_init_t)) but I left it out as I find it to
> be an ugly situation then

This is fixed as well using the same method. When installing -r16, you want to
relabel the /sbin/rc-* and /bin/rc-* files to make use of this though.

Wkr,
  Sven Vermeulen
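The intermediate-domain proposal from the mail, written out as a reference-policy style module. This is an added illustration, not the -r16 policy itself: the type names (sysadm_initrc_notrans_t, initrc_notrans_exec_t) come from the mail, the macros are standard refpolicy interfaces, and the terminal rule at the end is an assumption about what the rc-* helpers need.

```selinux
policy_module(gentoo_initrc_notrans, 1.0)

########################################
#
# Declarations
#

gen_require(`
	type sysadm_t, initrc_exec_t;
	role sysadm_r;
')

# Entry point type for the rc-* helpers; /sbin/rc-* and /bin/rc-*
# would be relabelled to this instead of bin_t (name from the mail).
type initrc_notrans_exec_t;
application_executable_file(initrc_notrans_exec_t)

# The intermediate domain (name from the mail), usable by sysadm_r.
type sysadm_initrc_notrans_t;
domain_type(sysadm_initrc_notrans_t)
domain_entry_file(sysadm_initrc_notrans_t, initrc_notrans_exec_t)
role sysadm_r types sysadm_initrc_notrans_t;

########################################
#
# Policy
#

# Step 1: sysadm_t running an initrc_notrans_exec_t file enters the
# intermediate domain (a bin_t file would have kept it in sysadm_t).
domtrans_pattern(sysadm_t, initrc_notrans_exec_t, sysadm_initrc_notrans_t)

# Step 2: when the intermediate domain executes /sbin/rc (initrc_exec_t)
# it transitions back to sysadm_t instead of run_init_t / initrc_t, so the
# /etc/runlevels (etc_t) writes are done with sysadm_t's own rights.
domain_entry_file(sysadm_t, initrc_exec_t)
domtrans_pattern(sysadm_initrc_notrans_t, initrc_exec_t, sysadm_t)

# Assumption: the helper reports to the administrator's terminal, which
# avoids the term_use_unallocated_ttys(run_init_t) workaround noted above.
userdom_use_user_terminals(sysadm_initrc_notrans_t)
```

After loading such a module, `ls -Z /sbin/rc-update` should show initrc_notrans_exec_t and `id -Z` from a shell launched via rc (if one can be obtained) should report sysadm_t rather than run_init_t.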