[refpolicy] context file for openrc

[refpolicy] context file for openrc

[Jason Zaman]

Hi all,

I recently realized that gentoo's selinux-base package creates the
context file /etc/selinux/*/contexts/run_init_type which contains
"run_init_t". This file is missing from refpolicy and should be added
since the rest of openrc's selinux support has been in refpolicy for
ages.

The run_init_type file is used by openrc's integrated run_init stuff.
This type is different from initrc_context (which contains
"system_u:system_r:initrc_t:s0"). When an admin runs an init script, it
transitions to run_init_type which does authentication and only then is
allowed to exec into initrc_context to actually run the script.

My question is basically: should this file be renamed? I can easily fix
it in openrc upstream so that debian and any others get it too and keep the
legacy in gentoo for a while.

I will send a patch adding the file as soon as the name is OK'd

-- Jason

[refpolicy] context file for openrc

[Christopher J. PeBenito]

On 3/7/2016 4:15 AM, Jason Zaman wrote:
> Hi all,
> 
> I recently realized that gentoo's selinux-base package creates the
> context file /etc/selinux/*/contexts/run_init_type which contains
> "run_init_t". This file is missing from refpolicy and should be added
> since the rest of openrc's selinux support has been in refpolicy for
> ages.
> 
> The run_init_type file is used by openrc's integrated run_init stuff.
> This type is different from initrc_context (which contains
> "system_u:system_r:initrc_t:s0"). When an admin runs an init script, it
> transitions to run_init_type which does authentication and only then is
> allowed to exec into initrc_context to actually run the script.
> 
> My question is basically: should this file be renamed? I can easily fix
> it in openrc upstream so that debian and any others get it too and keep the
> legacy in gentoo for a while.

What do you suggest it be renamed to?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] context file for openrc

[Jason Zaman]

On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito wrote:
> On 3/7/2016 4:15 AM, Jason Zaman wrote:
> > Hi all,
> > 
> > I recently realized that gentoo's selinux-base package creates the
> > context file /etc/selinux/*/contexts/run_init_type which contains
> > "run_init_t". This file is missing from refpolicy and should be added
> > since the rest of openrc's selinux support has been in refpolicy for
> > ages.
> > 
> > The run_init_type file is used by openrc's integrated run_init stuff.
> > This type is different from initrc_context (which contains
> > "system_u:system_r:initrc_t:s0"). When an admin runs an init script, it
> > transitions to run_init_type which does authentication and only then is
> > allowed to exec into initrc_context to actually run the script.
> > 
> > My question is basically: should this file be renamed? I can easily fix
> > it in openrc upstream so that debian and any others get it too and keep the
> > legacy in gentoo for a while.
> 
> What do you suggest it be renamed to?

I can't think of anything great. openrc_run_init_type seems a little long
or maybe just openrc_run_init?

[refpolicy] context file for openrc

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 03/07/2016 03:49 PM, Jason Zaman wrote:
> On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito
> wrote:
>> On 3/7/2016 4:15 AM, Jason Zaman wrote:
>>> Hi all,
>>> 
>>> I recently realized that gentoo's selinux-base package creates
>>> the context file /etc/selinux/*/contexts/run_init_type which
>>> contains "run_init_t". This file is missing from refpolicy and
>>> should be added since the rest of openrc's selinux support has
>>> been in refpolicy for ages.
>>> 
>>> The run_init_type file is used by openrc's integrated run_init
>>> stuff. This type is different from initrc_context (which
>>> contains "system_u:system_r:initrc_t:s0"). When an admin runs
>>> an init script, it transitions to run_init_type which does
>>> authentication and only then is allowed to exec into
>>> initrc_context to actually run the script.
>>> 
>>> My question is basically: should this file be renamed? I can
>>> easily fix it in openrc upstream so that debian and any others
>>> get it too and keep the legacy in gentoo for a while.
>> 
>> What do you suggest it be renamed to?
> 
> I can't think of anything great. openrc_run_init_type seems a
> little long or maybe just openrc_run_init?

i would just use "openrc" then if you use the libselinux functionality
the file will end up with name "opentc_contexts", then inside there
you can for example define for example "run_init_type = TYPE"

> _______________________________________________ refpolicy mailing
> list refpolicy at oss.tresys.com 
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJW3ZZsAAoJECV0jlU3+UdpiJoMAIQYmMb7GyYykbEGljFEdSYQ
6NtPjl+1Kf3m6C1j7ykNgw51RDyNlSonSKakQ9vuM9eDKH9yOBtyENFIEjPREXQQ
3hO4yc85Xv/QkvTDdgCgrsOWdghynWzb9JXERFjgemRmtKask5ejKr7W4+vZJVOp
HjsjJ1B6vwGAMjgG+1Rtqdj545bB/reLCLtd1D6esZ8erNoMYrXBUX3mbl0ElHkg
+fI4pAk9ArXWca4f3Qmqqbht7BCYmj7flsoDPbzU3eVRSv8Clbs9as5sw47x0n1G
QCSSzWEoxggPMZ3bvSaS2LpF4/sySmxS0+mF4hVc6CkU4JrP8RUrZTwW7d7C+00X
LiTtFGY21ZuE0+6WlCDjAeF6WczWsXUnB9Rl6haqUfKK4y99YKRS1/3GRj/VfvoM
WVHnA1UtsUUQWWjnSO8OgrI+9nWboc/CEbezNFANDM2qRGMMVe42N/I4j9SkW7SW
vmWNSXWOkVgJHQwvF8e4VAZyB59OL6kw4za01MATkw==
=4myX
-----END PGP SIGNATURE-----

[refpolicy] context file for openrc

[Jason Zaman]

On Mon, Mar 07, 2016 at 03:55:46PM +0100, Dominick Grift wrote:
> On 03/07/2016 03:49 PM, Jason Zaman wrote:
> > On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J. PeBenito
> > wrote:
> >> On 3/7/2016 4:15 AM, Jason Zaman wrote:
> >>> Hi all,
> >>> 
> >>> I recently realized that gentoo's selinux-base package creates
> >>> the context file /etc/selinux/*/contexts/run_init_type which
> >>> contains "run_init_t". This file is missing from refpolicy and
> >>> should be added since the rest of openrc's selinux support has
> >>> been in refpolicy for ages.
> >>> 
> >>> The run_init_type file is used by openrc's integrated run_init
> >>> stuff. This type is different from initrc_context (which
> >>> contains "system_u:system_r:initrc_t:s0"). When an admin runs
> >>> an init script, it transitions to run_init_type which does
> >>> authentication and only then is allowed to exec into
> >>> initrc_context to actually run the script.
> >>> 
> >>> My question is basically: should this file be renamed? I can
> >>> easily fix it in openrc upstream so that debian and any others
> >>> get it too and keep the legacy in gentoo for a while.
> >> 
> >> What do you suggest it be renamed to?
> > 
> > I can't think of anything great. openrc_run_init_type seems a
> > little long or maybe just openrc_run_init?
> 
> i would just use "openrc" then if you use the libselinux functionality
> the file will end up with name "opentc_contexts", then inside there
> you can for example define for example "run_init_type = TYPE"

That sounds much more reasonable. I will prepare the patch for openrc
first then so I can make sure everything works and then send the patch
to refpol. Once the context file is merged in, i'll send the patch to
openrc.

-- Jason

[refpolicy] context file for openrc

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 03/07/2016 04:37 PM, Jason Zaman wrote:
> On Mon, Mar 07, 2016 at 03:55:46PM +0100, Dominick Grift wrote:
>> On 03/07/2016 03:49 PM, Jason Zaman wrote:
>>> On Mon, Mar 07, 2016 at 09:45:24AM -0500, Christopher J.
>>> PeBenito wrote:
>>>> On 3/7/2016 4:15 AM, Jason Zaman wrote:
>>>>> Hi all,
>>>>> 
>>>>> I recently realized that gentoo's selinux-base package
>>>>> creates the context file
>>>>> /etc/selinux/*/contexts/run_init_type which contains
>>>>> "run_init_t". This file is missing from refpolicy and 
>>>>> should be added since the rest of openrc's selinux support
>>>>> has been in refpolicy for ages.
>>>>> 
>>>>> The run_init_type file is used by openrc's integrated
>>>>> run_init stuff. This type is different from initrc_context
>>>>> (which contains "system_u:system_r:initrc_t:s0"). When an
>>>>> admin runs an init script, it transitions to run_init_type
>>>>> which does authentication and only then is allowed to exec
>>>>> into initrc_context to actually run the script.
>>>>> 
>>>>> My question is basically: should this file be renamed? I
>>>>> can easily fix it in openrc upstream so that debian and any
>>>>> others get it too and keep the legacy in gentoo for a
>>>>> while.
>>>> 
>>>> What do you suggest it be renamed to?
>>> 
>>> I can't think of anything great. openrc_run_init_type seems a 
>>> little long or maybe just openrc_run_init?
>> 
>> i would just use "openrc" then if you use the libselinux
>> functionality the file will end up with name "opentc_contexts",
>> then inside there you can for example define for example
>> "run_init_type = TYPE"
> 
> That sounds much more reasonable. I will prepare the patch for
> openrc first then so I can make sure everything works and then send
> the patch to refpol. Once the context file is merged in, i'll send
> the patch to openrc.
> 

Here is an example patch to libselinux

https://dwalsh.fedorapeople.org/SELinux/Patches/0008-Add-selinux_systemd
_contexts_path.patch

It would look pretty much the same except for the name

> -- Jason
> 


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJW3aWiAAoJECV0jlU3+Udp6bkL/RDY7DMX8VOTRVvmpx4wvMSo
9AZ94RFAtv/ikqYYBeN9lq/bS1PEZBzabIyySY5nagmf5Igg/yLP6VfZPgz/ZJv7
aIAUPM1h5A9Pj7gEkB4WzI+u7lL7x9EIT9m2UkjRwxLCXJ9NErKTMCT3i5TBiSr3
paWTCT6eGTUTET5ygEz9vu1ievpNJAgAy6w0QUANWXIJPD0dUVFl+KICYyespJST
qbrNcwA8Dhw3H7eVNrWAMCbURTzR+qF0W68Beht5LdOVsIh+9mvmjzuNAH9rO8Sh
Y59gP0frVKKCM21u7JFlsNMlc6zFOdskoM5duqmSaU3cfBWv8BPKbFgEh+TgcqGf
duDsEJXytTVx5IUDyqF1pI9igSTZfvijAmpdu7JIBbXX6gMi6vcdLDnt/DT9J6di
1jAmCzaisFtvPAuibBdi+jOrqT/KMfVISNWf9I7B9SQHEOUF3Aszs4MU8ZBCBiRe
z5F+OvFG8vy8w89ym7eSjJvIlFkctsHG21LymPmSiQ==
=aCiq
-----END PGP SIGNATURE-----