From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC] No transitioning temporary domains?
Date: Wed, 20 Jul 2011 13:48:32 -0400
Message-ID: <4E2714F0.3030606@tresys.com>
In-Reply-To: <20110720170838.GB18951@siphos.be>

On 07/20/11 13:08, Sven Vermeulen wrote:
> In Gentoo, we have a setup for our init system where various scripts are all
> wrappers on top of /sbin/rc. Now, the /sbin/rc binary itself needs to be
> labeled initrc_exec_t (for the standard init stuff), but the scripts that
> refer to it all have specific functionalities. The problem is that these
> scripts do not present these functionalities - they just call /sbin/rc with
> the option that tells the rc binary how it should behave.

Quite unfortunate.

> When these scripts are labeled bin_t, then any call of these scripts results
> in the action to run in the run_init_t domain:
> sysadm_t -(bin_t)-> sysadm_t -(initrc_exec_t)-> run_init_t
>
> Most of these scripts however do not need to run in the run_init_t domain.
> As a matter of fact, the script should run in the current domain.
>
> What I have devised, but which I find ugly (almost to the point that I was
> reluctant to share ;-) is to create an intermediate domain which, when
> executing initrc_exec_t, transitions back to the original domain, like so:
> sysadm_t -(bin_t)-> sysadm_initrc_notrans_t -(initrc_exec_t)-> sysadm_t
>
> At first, I made that intermediate domain through a template() definition
> (in this case within init.if) but that has the issue that, if you need to
> create some additional privileges (like allowing file descriptor usages) you
> don't have "control" over the type (iow, you'd need to give the rights in a
> .te file where the specific type isn't declared).
>
> So now, my idea is to create the type definition locally, and then call an
> interface which makes the necessary transition rules.
>
> What's your guys' take on this?

That definitely is horribly ugly.

Here's something you can try. Make a new type, e.g. rc_exec_t, and label
/sbin/rc with it. Make it so when init execs it, it goes to initrc_t,
and initrc_t and sysadm_t have execute_no_trans.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
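
The layout suggested in this reply, written out as a refpolicy module sketch. This is an added example, not policy from the thread or from refpolicy itself; the module name rc_wrapper is hypothetical, and it assumes init_t, initrc_t and sysadm_t exist as in refpolicy and that the wrapper scripts stay labeled bin_t.

```selinux
# rc.te (added sketch; the module name rc_wrapper is hypothetical)
policy_module(rc_wrapper, 1.0.0)

gen_require(`
	type init_t, initrc_t, sysadm_t;
')

# New label for the multiplexing binary, separate from initrc_exec_t.
type rc_exec_t;
corecmd_executable_file(rc_exec_t)

# rc_exec_t is a valid entrypoint into initrc_t ...
domain_entry_file(initrc_t, rc_exec_t)
# ... and only init gets an automatic transition through it.
domtrans_pattern(init_t, rc_exec_t, initrc_t)

# initrc_t re-executing rc, and sysadm_t reaching it through the bin_t
# wrappers, stay in their current domain: execute_no_trans is granted
# and no type_transition rule exists for these source domains.
can_exec(initrc_t, rc_exec_t)
can_exec(sysadm_t, rc_exec_t)

# rc.fc (file context entry, kept in a separate file):
#   /sbin/rc	--	gen_context(system_u:object_r:rc_exec_t,s0)
#
# Resulting paths:
#   init_t   -(rc_exec_t)-> initrc_t
#   sysadm_t -(bin_t)-> sysadm_t -(rc_exec_t)-> sysadm_t
```

Because sysadm_t gets only execute_no_trans on rc_exec_t, it cannot enter initrc_t through /sbin/rc; the existing run_init_t path through initrc_exec_t is left untouched.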