On Sun, Aug 21, 2011 at 01:39:15PM +0200, Radosław Smogura wrote:
> I'm not an SELinux guru, but at eye glance it looks like init (runint) script
> 1. reads contexts/run_init_type (but I think this is done to password
> authentication)
> 2. then it reads and changes to contexts/initrc_context domain.
>
> This is made in policycoreutils-extras/runscript_selinux.c. There are some
> comments about initrc_devpts_t.
>
> Maybe changing 2. will be a solution, instead of read contexts/initrc_context
> take context from target script?

The solution to support <domain>_initrc_exec_t must be a policy-based one
afaik. I don't think it'll be too difficult to find (the places within
refpolicy that are offering interfaces just for Gentoo's integrated run_init
are documented), it'll just take some time to get it in proper shape.

Question is, will this then support the reason for this (i.e. role-based
support for calling only selected init scripts)?

Wkr,
	Sven Vermeulen