From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] system_init.patch
Date: Wed, 24 Sep 2008 15:42:17 -0400
Message-ID: <48DA9819.8040000@redhat.com>
http://people.fedoraproject.org/~dwalsh/SELinux/F10/system_init.patch
label all /etc/rc\.d/rc\.[^/]+ as initrc_exec_t
system-config-services uses dbus to start and stop services via
+/usr/share/system-config-services/system-config-services-mechanism\.py
--
So this needs to be labeled an initrc_script_t script
init_spec_domtrans_script and init_domtrans_script need to use all init
scripts not just the ones labeled initrc_exec_t.
dbus can be used to start any binary, so added init_bin_domtrans_spec to
transition bin_t to initrc_t, via dbus.
init_script_role_transition is used by unconfined_t to transition
initscripts to system_r when the user executes an initrc_t script.
upstart has dbus capabilities.
init needs to list inotify
init communicates with initrc_t via stream sockets
init calls setsched
initrc_t under mls can call runuser which attempts to send an audit message
initrc_ needs to be able to talk to /dev/initctrl
initscripts create links in /var/run
initrc talks to lvm_control
initrc_t can chat with consolekit
Lots of dontaudit commands to quiet init scripts using passwd file
descriptors