Re: SELinux Policy in OpenSUSE 11.2

On 02/22/2010 01:25 PM, Justin Mattock wrote:
You don't need to rebuild sysvinit; it already has the selinux support
in opensuse.

The only issue is how they have configured /etc/inittab (which you still
haven't sent) or how they have set up their init scripts.  Things to
look for:
- Does /etc/inittab invoke the rc scripts directly or indirectly via a
shell command?
- Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g.
with initrc_exec_t)?  Otherwise they won't transition properly.
- Do the scripts under /etc/init.d and /etc/rc.d have a #! header?  If
not, then an attempt to execve() them will fail and it will fall back on
the caller to feed them to the shell, at which point you won't have the
normal domain transition.

--
Stephen Smalley
National Security Agency



my bad.. got tied up looking for the avc's denial
of init. attached is inittab-orig of what suse has.

I'll throw in the inittab from my other system to see
if it changes things, then if not look at the file labels



alright here's what I see in /etc/init*

for /etc/init.d
I have all init.d daemons labeled as
system_u:object_r:initrc_exec_t.

in that directory there is rc0.d that is labeled
system_u:object_r:etc_t
inside rc0.d the label is the same.
there also is boot.d
which is labeled the same as rc0.d

ls -lZ /sbin/init
system_u:object_r:init_exec_t

ls -Z /etc/init.d/rc*
has system_u:object_r:etc_t
(I'll go through each one to make sure).

head /etc/init.d/rc*
shows all files having
#! /bin/sh
(I can send you those, but might be too big
of a file).

I think this might be label related
due to the system booting the first time without
any issues, then crashing after labeling



Justin P. Mattock
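
The three checks listed in the quoted reply above, as an added shell example that is not part of the original thread. The function names are hypothetical, and label input is assumed to be "context path" lines such as GNU `stat -c '%C %n'` prints.

```shell
#!/bin/sh
# Added example: find init scripts that will not get the normal domain transition.

# 1. Print ids of inittab entries (id:runlevels:action:process) whose process
#    starts with a shell that is handed an rc script, i.e. rc runs indirectly.
inittab_via_shell() {
    awk -F: '!/^[ \t]*#/ && NF >= 4 {
        split($4, w, /[ \t]+/)
        if (w[1] ~ /(^|\/)(sh|bash|ash|dash)$/ && $4 ~ /\/etc\/(init\.d|rc\.d)\//) print $1
    }' "$1"
}

# 2. Read "context path" lines on stdin and print "path type" for every file
#    whose SELinux type (third context field) is not initrc_exec_t.
not_initrc_exec() {
    awk '{ split($1, c, ":"); if (c[3] != "initrc_exec_t") print $2, c[3] }'
}

# 3. Print regular files in a directory that do not begin with "#!". execve()
#    on these fails and the caller falls back to feeding them to the shell.
no_shebang() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(head -c 2 "$f")" = "#!" ] || printf '%s\n' "$f"
    done
}

# Constructed sample input: the two labels are the ones quoted in the thread,
# the path /etc/init.d/cron is hypothetical. Prints: /etc/init.d/rc etc_t
printf '%s\n' \
    'system_u:object_r:initrc_exec_t /etc/init.d/cron' \
    'system_u:object_r:etc_t /etc/init.d/rc' | not_initrc_exec

# On a live system (assumes GNU stat with SELinux support):
#   stat -c '%C %n' /etc/init.d/* | not_initrc_exec
#   no_shebang /etc/init.d
#   inittab_via_shell /etc/inittab
```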

