On Sat, Jan 25, 2014 at 08:48:25PM +0100, Luis Ressel wrote:
> This patch makes run_init unnecessary for "normal" init scripts (those
> labeled initrc_exec_t). However, it's still necessary for scripts with
> custom types, such as iptables.
>
> Looking at the openrc code clearly shows that rc-service doesn't make
> any attempt to transition to the correct domain (initrc_t) before
> execv()'ing the script.
>
> Are there any plans to change this?

OpenRC doesn't do much SELinux specific here, beyond calling the run_init code. There are no plans (from me) currently to update the behavior to also support the other, named init scripts as this should be handled by the policy.

When a named script exists, there usually is an interface for that domain as well that allows the given role/type to execute the script and have it transition to the right domain and role. For instance, for postgresql_initrc_exec_t, you have postgresql_admin(). If you assign this to, say, sysadm_t/sysadm_r, then the regular system administrator on the system can handle these services as well.

I have tried to implement a rule that grants an "operate all service scripts" privilege to a domain, but that didn't work out fine (yet).

That being said, there is a build option (I think it is called direct_sysadm or so) that should support this - but that breaks the integrated run_init implementation iirc.

Wkr,
Sven Vermeulen
