SELinux Mailing List

Re: [PATCH] Gentoo-specific initrc

From: Russell Coker <russell_at_coker.com.au>
Date: Sun, 19 Sep 2004 18:01:05 +1000


On Fri, 17 Sep 2004 10:39, Chris PeBenito <pebenito@gentoo.org> wrote:
> Here's a patch for Gentoo-specific initrc, against sourceforge CVS.

+allow initrc_t initrc_state_t:lnk_file { create read unlink setattr };
+allow initrc_t initrc_state_t:file create_file_perms;
+allow initrc_t initrc_state_t:dir { add_name remove_name read write rmdir
create rename setattr };
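
Review bot: In the initrc_state_t:dir rule, the hand-written permission set { add_name remove_name read write rmdir create rename setattr } has no search or getattr, so unless another rule grants them, initrc_t can change entries in this directory but cannot look up names in it. The lnk_file rule likewise omits getattr. Using one of the policy's existing macros for the directory and its files avoids this kind of drift, and a one-line comment saying what state is kept under initrc_state_t would help later review.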

Why not create_dir_file(initrc_t, initrc_state_t)? It does the same things and is easier to read.

+allow initrc_t etc_runtime_t:dir read;
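
Review bot: This rule grants only read on etc_runtime_t:dir, with no search or getattr, and nothing in the quoted lines says which directory is expected to carry that type. Add a comment naming the directory the Gentoo init scripts need to list, and include the labeling for it in the same patch so the rule can be checked against a real path.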

Your patch doesn't include any .fc entries to label a directory as etc_runtime_t. Also the only reference to etc_runtime_t:dir in the CVS seems to be in macros/program/rssh_macros.te (a bug in rssh_macros.te, I've attached a patch to fix it).

It seems that your patch is incomplete in this regard.

+domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
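
Review bot: domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) is shown here with no comment and no distribution conditional around it, so as quoted it would make every sysadm_t execution of an initrc_exec_t file enter run_init_t on all distributions, not only Gentoo. State in a comment why the transition must be automatic on Gentoo, and wrap it in a Gentoo-only conditional if it is not meant for the shared policy.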

This isn't something I expected, I'm not sure if it's desirable to do it like that but I can't think of any better way. Steve, what do you think about this?

The initrc_state_t stuff is something that will get more general use I think. In both Debian and Fedora there is work on making machines boot from CD-ROM which needs such things. Is that what it's being used for in Gentoo?

Your patch is good, but I think we need to think about making it more generic before putting it in CVS. Probably making the CVS policy more like what you are doing in Gentoo in some ways will be better for everyone.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


  • text/x-diff attachment: diff
Received on Sun 19 Sep 2004 - 04:01:28 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service