On Fri, 2010-02-19 at 13:47 -0800, Justin P. mattock wrote:
> On 02/19/2010 01:25 PM, Stephen Smalley wrote:
> > On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote:
> >> setsebool -P init_upstart=on
> >> setsebool -P xdm_sysadm_login=on
> >> setsebool -P xserver_object_manager=on
> >
> > I think you only need the first boolean setting.
> > And we should likely introduce an ifdef for suse in refpolicy that
> > always disables that transition so that you don't have to artificially
> > turn on that boolean.
>
> as a test I built the policy with init_upstart=off
> system crashes and burns with gdm/xserver(dbus error).
> then changing to init_upstart=on xserver/gdm started right up.
>
> my question is why? especially if this is sysvinit.

The refpolicy defines a domain transition from init_t to sysadm_t upon
executing a shell so that the single-user mode shell is automatically run
in sysadm_t, and it defines a domain transition from init_t to initrc_t
upon executing an rc script (initrc_exec_t) so that rc scripts are
automatically run in initrc_t. This worked with sysvinit in Fedora and
Debian. However, upstart launches all services via shell command and thus
all services would be run in sysadm_t if we kept that transition, so the
refpolicy has the following logic (in system/init.te):

tunable_policy(`init_upstart',`
	corecmd_shell_domtrans(init_t, initrc_t)
',`
	# Run the shell in the sysadm role for single-user mode.
	# causes problems with upstart
	sysadm_shell_domtrans(init_t)
')

This snippet means: if init_upstart=on, then transition from init_t to
initrc_t upon executing a shell, else transition from init_t to sysadm_t
upon executing a shell.

I had suggested trying init_upstart=on in OpenSUSE because the sestatus
and pstree output showed that most processes launched by init were running
in sysadm_t, similar to what would happen on a system using upstart if
that boolean were not enabled. This suggests that something is different
about the sysvinit setup in OpenSUSE.

It might be useful to see your /etc/inittab file contents.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
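As an added example (not part of the thread and not refpolicy code), the following Python script does the kind of check Stephen describes: it models which domain init_t enters when executing a shell under each value of the init_upstart boolean, and it scans process listing output for services launched directly by init that ended up in sysadm_t. The input is a constructed sample modelled on `ps -eo pid,ppid,label,comm` output; the column layout and the sample processes are assumptions of this example.

```python
"""
Spot init-launched services running in sysadm_t, the symptom described in
the mail (most of the process tree under init in sysadm_t on OpenSUSE).

Input is constructed here so the script runs offline; on a live system the
same parser is intended for `ps -eo pid,ppid,label,comm` output (the
`label` column carries the SELinux context). That column layout is an
assumption of this example, not something the mail or refpolicy defines.
"""
from collections import defaultdict

# Constructed sample, modelled on `ps -eo pid,ppid,label,comm` output.
SAMPLE_PS = """\
  PID  PPID LABEL                           COMMAND
    1     0 system_u:system_r:init_t:s0     init
  812     1 system_u:system_r:initrc_t:s0   rc
  905     1 system_u:system_r:sysadm_t:s0   sshd
  910     1 system_u:system_r:sysadm_t:s0   cron
  951   812 system_u:system_r:initrc_t:s0   S10network
  988     1 system_u:system_r:getty_t:s0    mingetty
"""


def parse_ps(text):
    """Return a dict pid -> (ppid, selinux_type, command) from ps-style output."""
    procs = {}
    lines = text.strip().splitlines()[1:]          # drop the header line
    for line in lines:
        pid, ppid, label, comm = line.split(None, 3)
        # An SELinux context is user:role:type[:range]; the type is field 3.
        setype = label.split(":")[2]
        procs[int(pid)] = (int(ppid), setype, comm)
    return procs


def shell_transition(init_upstart):
    """Model the tunable_policy() block quoted in the mail: the domain that
    init_t enters when it executes a shell, depending on init_upstart."""
    return "initrc_t" if init_upstart else "sysadm_t"


def children_of_init_by_type(procs):
    """Group the direct children of PID 1 by their SELinux type."""
    by_type = defaultdict(list)
    for pid, (ppid, setype, comm) in procs.items():
        if ppid == 1:
            by_type[setype].append(comm)
    return dict(by_type)


def init_children_in_sysadm(procs):
    """Commands spawned directly by init that run in sysadm_t. With sysvinit
    and a normal /etc/inittab, services should reach initrc_t via rc scripts;
    a long list here is the symptom worth investigating."""
    return sorted(children_of_init_by_type(procs).get("sysadm_t", []))


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("shell domain with init_upstart=off:", shell_transition(False))
    print("shell domain with init_upstart=on: ", shell_transition(True))
    print("init children in sysadm_t:", init_children_in_sysadm(procs))
```

On a real system, run `getsebool init_upstart` alongside this check: if the boolean is off and the list is non-empty, init is reaching those services through a shell rather than through an initrc_exec_t-labelled rc script, which is exactly what the inittab comparison in the mail is meant to reveal.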