[DSE-User] SELinux on Wheezy: init

Arno Schuring aelschuring at hotmail.com
Wed Feb 8 22:22:53 UTC 2012


The modifications I've had to make to init are quite minimal. They are
needed because, with /run now on tmpfs, many initscripts need to restore
subdirectories that were previously created during install.

This has another side-effect for SELinux: the existing pid_filetrans
rules might no longer be sufficient because they assumed
that /var/run/<subdir> was labeled correctly. This is no longer the
case.

I see only two solutions to restore the labels:
- have each script perform a restorecon invocation. This is ugly and
  violates the SELinux principle of zero awareness in the program
- define a script_domain for each init script so that the correct
  labeling can be enforced with type transitions. This is overkill

Neither solution is appealing, which is why the next patches do not
have the same fcontext pattern for /var/run and /run.

(This patch was not tested directly since init is part of the base
policy. Instead, I've used a local module with the same rules.)

Regards,
Arno

-8<--
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cfba657..f8611a1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.17.0)
+policy_module(init, 1.17.1)
 
 gen_require(`
 	class passwd rootok;
@@ -250,6 +250,9 @@ allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t,initrc_var_run_t,file)
 storage_var_run_filetrans_fixed_disk(initrc_t)
 
+create_dirs_pattern(initrc_t, var_run_t, var_run_t)
+setattr_dirs_pattern(initrc_t, var_run_t, var_run_t)
+
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
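Review bot: the two added lines grant initrc_t create and setattr on directories of type var_run_t, but nothing in this hunk addresses the labeling gap the cover letter describes: a subdirectory that an initscript recreates under /run (tmpfs) will simply inherit var_run_t from its parent, and the existing files_pid_filetrans(initrc_t,initrc_var_run_t,file) three lines above only covers the file class, so any daemon-specific pid_filetrans that assumed a correctly labeled /var/run/<subdir> still will not fire. A short comment above the new rules stating that the subdirectory ends up as var_run_t and relies on the separate /run fcontext changes would save the next reader from assuming the label is restored here. Style point: init.te names var_run_t directly, whereas the surrounding lines reach that type only through interfaces such as files_pid_filetrans(); wrapping the create/setattr access in a files module interface keeps the type private to files.te, as refpolicy convention expects.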
