On Mon, Feb 22, 2010 at 6:00 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2010-02-19 at 13:47 -0800, Justin P. mattock wrote:
>> On 02/19/2010 01:25 PM, Stephen Smalley wrote:
>> > On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote:
>> >> setsebool -P init_upstart=on
>> >> setsebool -P xdm_sysadm_login=on
>> >> setsebool -P xserver_object_manager=on
>> >
>> > I think you only need the first boolean setting.
>> > And we should likely introduce an ifdef for suse in refpolicy that
>> > always disables that transition so that you don't have to artificially
>> > turn on that boolean.
>> >
>>
>> As a test I built the policy with init_upstart=off:
>> the system crashes and burns with gdm/xserver (dbus error).
>> Then, changing to init_upstart=on, xserver/gdm started right up.
>>
>> My question is why? Especially if this is sysvinit.
>
> The refpolicy defines a domain transition from init_t to sysadm_t upon
> executing a shell so that the single-user mode shell is automatically
> run in sysadm_t, and it defines a domain transition from init_t to
> initrc_t upon executing an rc script (initrc_exec_t) so that rc scripts
> are automatically run in initrc_t. This worked with sysvinit in Fedora
> and Debian. However, upstart launches all services via shell command
> and thus all services would be run in sysadm_t if we kept that
> transition, so the refpolicy has the following logic (in
> system/init.te):
>
> tunable_policy(`init_upstart',`
>         corecmd_shell_domtrans(init_t, initrc_t)
> ',`
>         # Run the shell in the sysadm role for single-user mode.
>         # causes problems with upstart
>         sysadm_shell_domtrans(init_t)
> ')
>
> This snippet means: if init_upstart=on, then transition from init_t to
> initrc_t upon executing a shell, else transition from init_t to sysadm_t
> upon executing a shell.
>
> I had suggested trying init_upstart=on in OpenSUSE because the sestatus
> and pstree output showed that most processes launched by init were
> running in sysadm_t, similar to what would happen on a system using
> upstart if that boolean were not enabled.
>
> This suggests that something is different about the sysvinit setup in
> OpenSUSE. It might be useful to see your /etc/inittab file contents.
>
> --
> Stephen Smalley
> National Security Agency
>

Alright, attached are dmesg and audit.log; both were cleaned out before the initial boot.

Yesterday I rebuilt sysvinit with the version I use on my system and the patch that Dan had given me. But during the whole thing I can't remember if I was able to boot up without the init_upstart boolean turned on. (I'll rebuild that package and see if this is the case; if so, then this tells me that whatever/however SUSE built sysvinit acts more like upstart (but I could be wrong).)

(BTW: I'll go (if need be) and file these later on, once I get this thing cleaned and sorted out.)

--
Justin P. Mattock
Attachment:
dmesg
Description: Binary data
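The check Stephen describes above (looking at which domain the processes launched by init end up in, via pstree/ps output) can be scripted. This is an added example, not code from the thread or from refpolicy: it parses `ps -eo label,ppid,pid,comm` output and flags direct children of init (PPID 1) whose SELinux type is sysadm_t rather than initrc_t. The embedded sample output is constructed.

```python
"""Flag processes launched by init that run in sysadm_t instead of initrc_t."""
import subprocess
from typing import List, Tuple

# Constructed sample of `ps -eo label,ppid,pid,comm` output (not real data).
SAMPLE_PS = """\
LABEL                           PPID   PID COMMAND
system_u:system_r:init_t:s0        0     1 init
system_u:system_r:sysadm_t:s0      1   812 sshd
system_u:system_r:initrc_t:s0      1   900 rc
system_u:system_r:sysadm_t:s0      1   950 cron
system_u:system_r:xdm_t:s0         1  1010 gdm
system_u:system_r:sysadm_t:s0    812  1200 bash
"""


def parse_ps(text: str) -> List[Tuple[str, int, int, str]]:
    """Return (type, ppid, pid, comm) for every data row of the ps output."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        label, ppid, pid, comm = parts
        # A context is user:role:type[:range]; the type is what the policy transitions on.
        stype = label.split(":")[2]
        rows.append((stype, int(ppid), int(pid), comm))
    return rows


def init_children_in(text: str, domain: str = "sysadm_t") -> List[Tuple[int, str]]:
    """(pid, comm) of processes started directly by init (PPID 1) that run in `domain`."""
    return [(pid, comm) for stype, ppid, pid, comm in parse_ps(text)
            if ppid == 1 and stype == domain]


def main() -> None:
    out = subprocess.run(["ps", "-eo", "label,ppid,pid,comm"],
                         capture_output=True, text=True, check=True).stdout
    hits = init_children_in(out)
    if not hits:
        print("no init-launched processes running in sysadm_t")
    for pid, comm in hits:
        print(f"pid {pid} ({comm}) runs in sysadm_t, expected initrc_t; check init_upstart")


if __name__ == "__main__":
    main()
```

Run on the sample, `init_children_in(SAMPLE_PS)` reports sshd and cron; the bash process is skipped because its parent is sshd, not init.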