extras package that require changes in selinux-policy (initng)

dragoran dragoran at feuerpokemon.de
Thu Feb 2 17:07:24 UTC 2006


dragoran wrote:

> Daniel J Walsh wrote:
>
>> dragoran wrote:
>>
>>> Hello.
>>> I am working on selinux support in initng, which is in review for 
>>> extras now [1].
>>> But it seems that initng requires a policy to work (just tested in 
>>> targeted mode)
>>> Using the default context (sbin_t) lets all apps that are started 
>>> from initng run as kernel_t.
>>
>>
>> What is the path?  We can set it up in policy.
>
>
>>> Relabeling /sbin/initng to init_exec_t (same as init) fixes this and 
>>> the processes run as init_t and udev_t for udev, but some issues 
>>> still remain.
>>
>>
>> I will add to policy.
>
>
> ok thx
>
>>> hald, httpd, etc. also run as init_t which is *wrong*; they have to 
>>> get into their own domain. How is this handled in sysvinit?
>>> After reading the code I haven't found anything about it.
>>
>>
>> Are the startup scripts marked initrc_exec_t?
>>
>>
> yes I did chcon -t initrc_exec_t on all files in /etc/initng/system 
> and /etc/initng/daemons
>
Checked this and found out that initng does not execute any scripts.
The "scripts" are just files that contain information about which daemon 
should be started and which deps it has.
This results in hald being started directly from initng using execv(), 
which results in hald (and other services) running as init_t. If I put 
/sbin/service hald start into the exec line, hald runs as hald_t.
Why is a script required to get into the correct domain? Is there any 
way to fix this without adding setexeccon() for every daemon?
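A constructed toy model of the domain-transition decision the message is running into, added here and not part of the original thread or of initng: on execve() the kernel looks up a type_transition rule keyed on the calling domain and the executed file's type, so a daemon exec'd straight from init_t stays in init_t unless a rule (or a prior setexeccon() request) names a new domain, and in either case the allow rules must permit the transition. The rules and type names below are assumed and simplified; they reproduce the behaviour described above rather than quoting the Fedora policy.

```python
# Constructed toy model of how the SELinux kernel chooses a process's domain on
# execve(); the rules mirror the behaviour reported in this thread and are not
# quoted from the Fedora policy. Type names such as hald_exec_t are assumed.
from dataclasses import dataclass, field

@dataclass
class Policy:
    transitions: dict = field(default_factory=dict)  # (domain, exec_type) -> new domain
    allows: set = field(default_factory=set)         # (source, target, class, perm)

    def exec_domain(self, domain, exec_type, requested=None):
        # `requested` models a prior setexeccon(): it replaces the type_transition
        # lookup, but the same allow rules still gate the transition.
        if (domain, exec_type, "file", "execute") not in self.allows:
            raise PermissionError(f"{domain} may not execute {exec_type}")
        new = requested or self.transitions.get((domain, exec_type), domain)
        if new == domain:
            return domain  # no rule: the child simply inherits the caller's domain
        for rule in ((domain, new, "process", "transition"),
                     (new, exec_type, "file", "entrypoint")):
            if rule not in self.allows:
                raise PermissionError(f"missing allow {rule}")
        return new

def example_policy():
    # /sbin/service is initrc_exec_t, so init_t lands in initrc_t, and initrc_t
    # transitions to hald_t on hald_exec_t. No rule maps init_t + hald_exec_t.
    p = Policy()
    p.transitions[("init_t", "initrc_exec_t")] = "initrc_t"
    p.transitions[("initrc_t", "hald_exec_t")] = "hald_t"
    p.allows |= {
        ("init_t", "initrc_exec_t", "file", "execute"),
        ("init_t", "initrc_t", "process", "transition"),
        ("initrc_t", "initrc_exec_t", "file", "entrypoint"),
        ("initrc_t", "hald_exec_t", "file", "execute"),
        ("initrc_t", "hald_t", "process", "transition"),
        ("hald_t", "hald_exec_t", "file", "entrypoint"),
        ("init_t", "hald_exec_t", "file", "execute"),
        ("init_t", "hald_t", "process", "transition"),  # constructed: needed by setexeccon("hald_t")
    }
    return p

def direct_execv(p):        # initng in init_t calls execv() on hald itself
    return p.exec_domain("init_t", "hald_exec_t")

def via_service_script(p):  # init_t runs /sbin/service, which then execs hald
    return p.exec_domain(p.exec_domain("init_t", "initrc_exec_t"), "hald_exec_t")

def with_setexeccon(p):     # initng calls setexeccon("hald_t") before execv()
    return p.exec_domain("init_t", "hald_exec_t", requested="hald_t")
```

The two paths differ only in which domain performs the final exec: the service script puts the exec in initrc_t, where a transition rule to hald_t exists, while a direct execv() from init_t finds no rule and inherits init_t.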