On 05/13/2011 03:06 PM, Sven Vermeulen wrote:
Hi all,
I've put selinux-base-policy-2.20101213-r14 in the hardened-dev.git overlay.
Its main addition is support for openrc (which is now stable and was hunting
for my patience the last few days) which is done by a few labelling
statements (especially for /lib(64)?/rc/... stuff) as well as by "allow
run_init_t initrc_exec_t:file execute_no_trans", this because
/sbin/runscript was previously a binary and is now a wrapper (hence the
additional rule).
In the further future, we might want to relabel runscript to bin_t (as
run_init_t already has execute_no_trans on those) but for those systems that
have not migrated to openrc yet, such a change would mean disaster.
I've added a reminder for myself around August to make this switch /if/
other architectures have also migrated to openrc (ok, I know we do not
support SELinux on those, but (1.) that doesn't mean no-one uses it, and
(2.) there are a few people waiting for openrc migration until things cool
down).
Sadly, to support openrc, SELinux users will also need to add the following
line to their /etc/fstab (wrapped):
rc-svcdir /lib64/rc/init.d tmpfs \
rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,\
nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0
I tried labelling /lib64/rc to initrc_state_t, but then I had to put a lot
of other allow rules for less related domains towards initrc_state_t.
Mounting the init.d as initrc_state_t requires no additional updates on the
policy (well, perhaps a few cosmetic ones to hide denials that are seemingly
not needed). Perhaps we could have the openrc people update the
/lib64/rc/sh/init.sh file to do this automatically on SELinux systems, but
let us first see how things turn out.
Just posting this so that others will know about it. We determined that
/lib64/rc/init.d needs to be relabeled to initrc_state_t on the file
system using the same relabel that we do for /dev. I believe the manual
is being updated to add this information. In addition, a rule has to be
added to init.fc and init.te to relabel this directory
(/lib64/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0),
or something similar), as well as add the mounton privilege using
files_mountpoint(initrc_state_t). Once that is done, there is no longer
a need for the fstab stuff.
Anyway, this addition to the /etc/fstab has been put in the SELinux handbook
in hardened-doc.git overlay.
Wkr,
Sven Vermeulen
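Added example, not code from this thread or from the Gentoo/refpolicy projects: a small Python check of the two pieces the thread discusses, the file context that a file_contexts (.fc) listing assigns to a path, resolved the way setfiles/matchpathcon do (entries are regexes anchored over the whole path, an optional file-type flag such as "--" restricts the entry to one file type, and the last matching entry wins), and the rootcontext= option on the tmpfs line in /etc/fstab, which must agree with that label and carry nosuid,nodev,noexec. The .fc fragment and the fstab are constructed for the example; the only labels taken from the thread are initrc_state_t for /lib64/rc/init.d and initrc_exec_t for /sbin/runscript, and the lib_t entry for /lib64/rc is an assumption. The check cannot see policy allow rules, so the files_mountpoint(initrc_state_t) part still has to be confirmed against the loaded policy.

```python
import re

# Constructed file_contexts fragment in refpolicy .fc syntax (not the
# project's real init.fc).  The lib_t line for /lib64/rc is an assumption;
# the initrc_exec_t and initrc_state_t lines come from the thread.
FILE_CONTEXTS = r"""
/lib64/rc(/.*)?             gen_context(system_u:object_r:lib_t,s0)
/sbin/runscript      --     gen_context(system_u:object_r:initrc_exec_t,s0)
/lib64/rc/init\.d(/.*)?     gen_context(system_u:object_r:initrc_state_t,s0)
"""

# Constructed /etc/fstab: the wrapped line from the thread, joined back up.
FSTAB = (
    "/dev/sda2  /  ext4  noatime  0 1\n"
    "rc-svcdir /lib64/rc/init.d tmpfs "
    "rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,"
    "nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0\n"
)

# .fc file-type flags mapped to a stat-style type letter.
TYPE_FLAGS = {"--": "f", "-d": "d", "-l": "l", "-c": "c",
              "-b": "b", "-s": "s", "-p": "p"}


def parse_file_contexts(text):
    """Parse .fc lines into (compiled regex, file type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            ftype = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError("bad file_contexts line: " + line)
        # gen_context(CONTEXT,MLS) -> CONTEXT; <<none>> means "do not label"
        m = re.fullmatch(r"gen_context\(([^,]+),(.*)\)", ctx)
        context = None if ctx == "<<none>>" else (m.group(1) if m else ctx)
        specs.append((re.compile(regex), ftype, context))
    return specs


def lookup(specs, path, ftype="f"):
    """Resolve the label for `path`: whole-path match, last entry wins,
    entries with a type flag only apply to that file type."""
    for regex, want_type, context in reversed(specs):
        if want_type is not None and want_type != ftype:
            continue
        if regex.fullmatch(path):
            return context
    return None


def fstab_entry(text, mountpoint):
    """Return (fstype, option list, rootcontext value or None) for the
    fstab line mounting `mountpoint`, or None if there is no such line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        if fields[1] != mountpoint:
            continue
        opts = fields[3].split(",")
        ctx = next((o.split("=", 1)[1] for o in opts
                    if o.startswith("rootcontext=")), None)
        return fields[2], opts, ctx
    return None


def check_svcdir(fc_text, fstab_text, mountpoint="/lib64/rc/init.d"):
    """List problems with the tmpfs mount for the openrc service directory.
    An empty list means the mount label equals what the policy would assign
    the directory and the hardening options are present."""
    policy_ctx = lookup(parse_file_contexts(fc_text), mountpoint, ftype="d")
    entry = fstab_entry(fstab_text, mountpoint)
    if entry is None:
        return ["no fstab entry for " + mountpoint]
    fstype, opts, mount_ctx = entry
    problems = []
    if fstype != "tmpfs":
        problems.append(mountpoint + " is not a tmpfs")
    if mount_ctx is None:
        problems.append("rootcontext= option missing")
    elif policy_ctx is not None and mount_ctx != policy_ctx:
        problems.append("rootcontext %s differs from policy label %s"
                        % (mount_ctx, policy_ctx))
    for opt in ("nosuid", "nodev", "noexec"):
        if opt not in opts:
            problems.append(opt + " not set")
    return problems


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/lib64/rc/init.d/started", "/lib64/rc/sh/init.sh", "/sbin/runscript"):
        print(p, "->", lookup(specs, p))
    print("fstab problems:", check_svcdir(FILE_CONTEXTS, FSTAB) or "none")
```

Feed it the system's real file_contexts and /etc/fstab to see whether the rootcontext= line is still needed once the init.fc entry exists: when lookup() already returns initrc_state_t for the directory, a plain relabel replaces the mount option, which is the point the reply above makes.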