Re: /etc/initscript breaks SELinux


On Mon, 2010-05-03 at 09:56 -0700, Justin P. Mattock wrote:
> On 05/03/2010 09:31 AM, Stephen Smalley wrote:
> > On Sun, 2010-05-02 at 21:54 -0700, Justin Mattock wrote:
> >> I've been racking my brain for the last few days on
> >> this one, and seem (for the life of me) to have no solution.
> >>
> >> at first I thought this was opensuse specific, but it's not,
> >> e.g. my cblfs systems hit this as well (if not all systems at that).
> >>
> >> when adding /etc/initscript somehow SELinux can't figure how to
> >> transition with the whole SHELL -c thing.
> >>
> >> under init.c #800(sysvinit-2.85)
> >> the code is this:
> >>
> >>   /* See if there is an "initscript" (except in single user mode). */
> >>    if (access(INITSCRIPT, R_OK) == 0 && runlevel != 'S') {
> >> 	/* Build command line using "initscript" */
> >> 	args[1] = SHELL;
> >> 	args[2] = INITSCRIPT;
> >> 	args[3] = ch->id;
> >> 	args[4] = ch->rlevel;
> >> 	args[5] = "unknown";
> >> 	for(f = 0; actions[f].name; f++) {
> >> 		if (ch->action == actions[f].act) {
> >> 			args[5] = actions[f].name;
> >> 			break;
> >> 		}
> >> 	}
> >>
> >>
> >> any ideas why SELinux gets confused with this, and
> >> doesn't want to transition?
> >
> > In the above code, you are exec'ing the shell and just passing the
> > script as an argument, not exec'ing the script.  So you need a domain
> > transition on the shell rather than the script, or you need to perform a
> > setexecon() in the code.
> >
> 
> Thanks for the info on this..
> 
> I'll have a look at seeing how to do this
> (I enjoy the challenge).
> 
> As an example on setexecon() I was looking
> at the sulogin.c patch for SELinux, but still
> need to figure out how to actually do this.

Well, you can do it without using setexeccon() just by configuring
policy to domain transition from init_t to initrc_t on shell_exec_t.
That's what happens if you enable init_upstart=on.  So I think it is
mostly just a matter of making that the default and dropping the legacy
transition to sysadm_t for single-user mode.

-- 
Stephen Smalley
National Security Agency
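
As an added example (not from the thread, and not refpolicy's own source), these are the raw rules behind the transition Stephen describes, using the type names from the discussion and assuming they already exist in the loaded policy; a type_transition keyed on the script's label would never fire, because the file init actually passes to execve() is the shell.

```selinux
# Added example, not from the thread. Raw policy statements that let
# init_t land in initrc_t when it runs "SHELL /etc/initscript ...".
# Assumes init_t, initrc_t and shell_exec_t are already defined.

# 1. init_t may execute the shell binary (labelled shell_exec_t).
allow init_t shell_exec_t:file { read getattr open execute };

# 2. shell_exec_t is a valid entrypoint into initrc_t.
#    This is the key point: the executable is /bin/sh, so the
#    entrypoint must be the shell's type, not the script's type.
allow initrc_t shell_exec_t:file entrypoint;

# 3. init_t is permitted to transition to initrc_t.
allow init_t initrc_t:process transition;

# 4. Make the transition automatic whenever init_t executes shell_exec_t.
type_transition init_t shell_exec_t:process initrc_t;

# The same four rules expressed with the refpolicy interface in a .te file:
# domain_auto_trans(init_t, shell_exec_t, initrc_t)
```

To confirm the rule is present in the running policy, `sesearch -T -s init_t -t shell_exec_t -c process` should list the type_transition to initrc_t.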

