extras package that require changes in selinux-policy (initng)

Daniel J Walsh dwalsh at redhat.com
Mon Jan 30 19:33:29 UTC 2006


dragoran wrote:
> Hello.
> I am working on selinux support in initng, which is in review for 
> extras now [1].
> But it seems that initng requires a policy to work (just tested in 
> targeted mode)
> Using the default context (sbin_t) lets all apps that are started from 
> initng run as kernel_t.
What is the path?  We can set it up in policy.
> Relabeling /sbin/initng to init_exec_t (same as init) fixes this and 
> the processes run as init_t and udev_t for udev, but some issues still 
> remain.
I will add to policy.
> hald, httpd, etc. also run as init_t, which is *wrong*; they have to get 
> into their own domain. How is this handled in sysvinit?
> After reading the code I haven't found anything about it.
Are the startup scripts marked initrc_exec_t?


> The patch I wrote can be found here: 
> http://bugzilla.initng.thinktux.net/show_bug.cgi?id=365
> Did I do something wrong? Did I miss something?
> After fixing this we will run into another problem. Every time the 
> filesystem gets relabeled initng will become sbin_t which will break it.
> To fix this we need to modify the selinux-policy. What should be done 
> if a package in extras requires to change a core package?
> Should I just file a bug against it and hope that it will be released 
> as an update for FC4, and gets into rawhide too?
> Was unable to find anything about it in the wiki.
> 1: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173459