On Sat, May 14, 2011 at 11:59:54AM -0500, Chris Richards wrote:
> Just posting this so that others will know about it. We determined that
> /lib64/rc/init.d needs to be relabeled to initrc_state_t on the file
> system using the same relabel that we do for /dev. I believe the manual
> is being updated to add this information. In addition, a rule has to be
> added to init.fc and init.te to relabel this directory (
> /lib64/rc/init\.d((/.*)? gen_context(system_u:object_r:initrc_state_t,
> s0) (or something similar), as well as add the mounton privilege using
> files_mountpoint(initrc_state_t). Once that is done, there is no longer
> a need for the fstab stuff.
Still not there yet.
One major pita is that the various management scripts (rc-update &
rc-status) are now wrappers over /sbin/rc. As a result, when you execute the
scripts, they are all transitioning to the run_init_t domain.
As a result, we have to add several permissions to run_init_t which
were previously managed by sysadm_t. For instance, rc-update needs write
privileges in /etc/runlevels (etc_t). Changing the type isn't that easy,
because the files are also used (read) by various other domains, which would
then also need to be patched, and all that just for Gentoo.
The moment I notice that I'm deviating too much from things because of a
single reason (having wrappers over /sbin/rc) I tend to look for other
answers. I have a few up my sleeve, but need to test them out :-(
Wkr,
Sven Vermeulen
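As an added example (not code from this thread, nor from the Gentoo hardened or refpolicy projects), the two changes Chris describes, the file-context entry and the files_mountpoint() call, packaged as a separate local policy module instead of a patch to init.fc/init.te, followed by the on-disk relabel and a check of the resulting label. The module name localinitrc, the scratch directory and the path of the refpolicy devel Makefile are assumptions; running the apply step needs root and an installed policy development environment.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds a local SELinux
# policy module carrying the two rules discussed above, then relabels
# /lib64/rc/init.d so the file system matches the policy.
set -eu

MODULE=localinitrc                                  # assumed module name
WORKDIR="${WORKDIR:-/tmp/$MODULE}"                  # assumed scratch directory
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile    # refpolicy devel Makefile (assumed installed)

# File-context entry for one path. The dot is escaped because the field is a
# regular expression; "(/.*)?" also covers everything below the directory;
# "s0" is the MLS level required by gen_context.
fc_entry() {
    printf '%s(/.*)?\tgen_context(system_u:object_r:initrc_state_t,s0)\n' "$1"
}

# Type-enforcement source. initrc_state_t is declared in init.te, so a
# separate module must pull it in with a require block before using it.
te_body() {
    cat <<EOF
policy_module($MODULE, 1.0)

require {
    type initrc_state_t;
}

# Allow OpenRC's runtime state directory to be used as a mount point
# (grants the mounton access vector Chris mentions).
files_mountpoint(initrc_state_t)
EOF
}

# Write the three module source files into WORKDIR.
write_module() {
    mkdir -p "$WORKDIR"
    te_body > "$WORKDIR/$MODULE.te"
    fc_entry '/lib64/rc/init\.d' > "$WORKDIR/$MODULE.fc"
    : > "$WORKDIR/$MODULE.if"   # empty interface file; the module exports nothing
}

# Build, load, relabel, verify. Needs root and the policy toolchain.
apply_module() {
    write_module
    ( cd "$WORKDIR" && make -f "$DEVEL_MAKEFILE" "$MODULE.pp" )
    semodule -i "$WORKDIR/$MODULE.pp"
    restorecon -Rv /lib64/rc/init.d       # apply the new file context on disk
    ls -Zd /lib64/rc/init.d               # should now show initrc_state_t
}

# Only touch the system when explicitly asked: ./localinitrc.sh apply
if [ "${1:-}" = apply ]; then
    apply_module
fi
```

The relabel is the part that is easy to forget: loading the module only teaches the policy what the label should be, while restorecon is what changes the on-disk label, and until both are done the mount will keep failing under enforcing mode.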