On 8/21/2011 10:18 AM, Sven Vermeulen wrote:
On Sun, Aug 21, 2011 at 01:39:15PM +0200, Radosław Smogura wrote:
I'm not an SELinux guru, but at a glance it looks like the init (run_init) script
1. reads contexts/run_init_type (but I think this is done for password
authentication)
2. then reads and changes to the contexts/initrc_context domain.

This is done in policycoreutils-extras/runscript_selinux.c. There are some
comments about initrc_devpts_t.

Maybe changing 2. would be the solution: instead of reading contexts/initrc_context,
take the context from the target script?

The solution to support <domain>_initrc_exec_t must be a policy-based one
afaik. I don't think it'll be too difficult to find (the places within
refpolicy that are offering interfaces just for Gentoo's integrated run_init
are documented), it'll just take some time to get it into proper shape.

Is there a specific reason that the domain-specific initrc support cannot be made part of run_init? Instead of reading a single default context from initrc_context, you could instead label, for example, the init script itself, and have run_init use that instead?

ISTM that the reason the existing domain-specific init policy doesn't work is because run_init is doing something unexpected, so it makes sense that fixing run_init would be the correct solution...

--Mike
