Re: SELinux Policy in OpenSUSE 11.2


On Mon, Feb 22, 2010 at 2:10 PM, Justin P. mattock
<justinmattock@xxxxxxxxx> wrote:
> On 02/22/2010 01:25 PM, Justin Mattock wrote:
>>>
>>> You don't need to rebuild sysvinit; it already has the selinux support
>>> in opensuse.
>>>
>>> The only issue is how they have configured /etc/inittab (which you still
>>> haven't sent) or how they have set up their init scripts.  Things to
>>> look for:
>>> - Does /etc/inittab invoke the rc scripts directly or indirectly via a
>>> shell command?
>>> - Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g.
>>> with initrc_exec_t)?  Otherwise they won't transition properly.
>>> - Do the scripts under /etc/init.d and /etc/rc.d have a #! header?  If
>>> not, then an attempt to execve() them will fail and it will fall back on
>>> the caller to feed them to the shell, at which point you won't have the
>>> normal domain transition.
>>>
>>> --
>>> Stephen Smalley
>>> National Security Agency
>>>
>>>
>>
>> my bad.. got tied up looking for the avc's denial
>> of init. attached is inittab-orig of what suse has.
>>
>> I'll throw in the inittab from my other system to see
>> if it changes things, then if not look at the file labels
>>
>
>
> Alright, here's what I see in /etc/init*
>
> for /etc/init.d
> I have all init.d daemons labeled as
> system_u:object_r:initrc_exec_t.
>
> in that directory there is rc0.d that is labeled
> system_u:object_r:etc_t
> inside rc0.d the label is the same.
> there also is boot.d
> which is labeled the same as rc0.d
>
> ls -lZ /sbin/init
> system_u:object_r:init_exec_t
>
> ls -Z /etc/init.d/rc*
> has system_u:object_r:etc_t
> (I'll go through each one to make sure).
>
> head /etc/init.d/rc*
> shows all files having
> #! /bin/sh
> (I can send you those, but might be too big
> of a file).
>
> I think this might be label related,
> due to the system booting the first time without
> any issues, then crashing after labeling.
>
>
>
> Justin P. Mattock
>
>

Here's everything in /etc/init.d/*
(the only label changed was auditd,
just to see).


-- 
Justin P. Mattock

Attachment: ls_Z
Description: Binary data
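Two of the checks Stephen lists (expected type on the init scripts, and a `#!` header on each of them) can be scripted. The following is an added example, not code from the thread or from any SELinux tool; it assumes `ls -Z` prints one `context path` line per file and runs here against constructed sample data so it works without SELinux.

```shell
#!/bin/sh
# Added example: audit init scripts for the conditions discussed in the
# thread. Sample data below is constructed; on a real system feed
# "ls -Z /etc/init.d/*" into find_mislabeled and point
# count_missing_shebang at /etc/init.d.

# Read "ls -Z"-style lines ("user:role:type[:level] path") on stdin and
# print the paths whose type differs from the expected one.
find_mislabeled() {
    awk -v want="$1" '
        {
            split($1, ctx, ":")
            if (ctx[3] != want) print $2
        }'
}

# Return 0 if the file starts with "#!", 1 otherwise. Without that header
# execve() fails and the caller feeds the file to a shell, so no domain
# transition to initrc_t happens.
has_shebang() {
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        '#!'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Count regular files in a directory that lack a "#!" header.
count_missing_shebang() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        has_shebang "$f" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: labels as reported in the thread (rc* and boot
# scripts carry etc_t, the daemons carry initrc_exec_t).
SAMPLE_LS_Z='system_u:object_r:initrc_exec_t /etc/init.d/sshd
system_u:object_r:initrc_exec_t /etc/init.d/auditd
system_u:object_r:etc_t /etc/init.d/rc
system_u:object_r:etc_t /etc/init.d/boot'

# Print the sample entries that would not transition to initrc_t.
demo_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled initrc_exec_t
}
```

Paths in the sample contain no spaces, which the awk field split relies on.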

