RE: SELinux Policy in OpenSUSE 11.2

On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote:
> Would the proper solution be to add a transition to put that script in the right context when run from a shell?

No.  I think we just need to drop the transition to sysadm_t altogether
(at least in the ifdef suse case) and have userspace explicitly arrange
the transition for single-user mode (ala sulogin).

> -----Original Message-----
> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] 
> Sent: Tuesday, February 23, 2010 8:40 AM
> To: Justin P. mattock
> Cc: Alan Rouse; Dominick Grift; selinux@xxxxxxxxxxxxx; Christopher J. PeBenito
> Subject: Re: SELinux Policy in OpenSUSE 11.2
> 
> On Mon, 2010-02-22 at 22:17 -0800, Justin P. mattock wrote:
> > ahh.. I see what you mean by transition e.g. with enable_upstart=0
> > 
> > under ps auxZ
> > I see everything is with sysadm_t
> > example when dbus starts:
> > with enable_upstart=0
> > system_u:system_r:sysadm_t
> > and continues to have sysadm_t
> > 
> > (with enable_upstart=1)
> > system_u:system_r:udev_t
> > and all other daemons etc.. go into their proper 
> > name(udev_t,hald_t,xdm_t)down the line.
> > 
> > 
> > I've looked at the file contexts, and
> > am not seeing anything out of the ordinary (but could be wrong).
> > 
> > any ideas?
> 
> Looks like /etc/init.d/rc is labeled correctly.
> And /etc/init.d/rc and /etc/init.d/boot have the #!/bin/sh prefix?
> 
> Looking at the sysvinit code, it appears that it will invoke the command specified in /etc/inittab via a shell if:
> - the command string has any meta characters in it that need interpretation (but your /etc/inittab didn't look that way), or
> - the attempt to exec the command directly returns with errno ENOEXEC (this will happen if the script lacks a #!/path/to/interpreter header).
> 
> The proper domain transition only happens upon direct execution of the script, not if it is invoked indirectly via the shell.
> 
> --
> Stephen Smalley
> National Security Agency
> 
-- 
Stephen Smalley
National Security Agency
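One way to check for the failure mode described above, added here as an example and not code from the thread or from sysvinit: a POSIX shell script that reports executable files under a directory (assumed to be /etc/init.d) that lack a "#!" interpreter line and so would be run by init through the shell, skipping the domain transition defined for the script's file type.

```shell
# Added example, not from the thread: flag init scripts with no "#!" line.
# Without that line execve() fails with ENOEXEC, sysvinit falls back to
# running the file through /bin/sh, and the domain transition tied to the
# script's SELinux file type never happens.  The scan directory is an
# assumption (default /etc/init.d).

# has_shebang FILE: return 0 if the first line of FILE starts with "#!".
has_shebang() {
    first=
    IFS= read -r first < "$1" 2>/dev/null || true
    case $first in
        '#!'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# list_missing_shebang DIR: print every regular executable file directly
# under DIR that lacks a "#!" line; return 0 only when none are missing.
list_missing_shebang() {
    missing=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        if ! has_shebang "$f"; then
            printf '%s\n' "$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Run as a script: scan the directory given as the first argument,
# e.g. "sh check-shebang.sh /etc/init.d".
if [ $# -gt 0 ]; then
    list_missing_shebang "$1"
fi
```

Any file it prints would be executed indirectly via the shell by init, so either give it a "#!/bin/sh" header or expect it to keep running in init's domain.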

