SELinux base policy rev 3 in hardened-dev
Hi guys,
Back again with the spamming "SELinux base policy rev ## in hardened-dev" mails, but now for the 2.20120215 policies.

Changes since rev 2:

  <no bug>  Allow sysadm to call qemu directly to launch virtual guests from the command line
  <no bug>  Allow su to get the security file system attributes, needed for su calls
  #401857   Set /usr/share/GNUstep/Makefiles/*.sh (and mkinstalldirs) as bin_t to allow building gnustep-base
  #403143   Add TCP 3128 as http_cache_port_t (default port for squid cache)
  <no bug>  Update usermanage/selinux util role attributes to include the proper types
  <no bug>  Allow mount to get the security file system attributes, needed for rootcontext mounts

There is still an issue that amade on #gentoo-hardened reported, that is that our integrated run_init support in the init scripts is suddenly not working anymore. I'm too tired to look at that right now, so that'll be for tomorrow.

Point is, I *think* we need to have a role transition between run_init_t and initrc_t, but it shouldn't be automated (SELinux supports automated role transitions, but then we would switch roles the moment we touch /sbin/rc, which is also the case when we run rc-config and the like, in many cases where we need to remain in the current role). Or, in the notation @@ = execute, --> = transition:

  sysadm_r:sysadm_t   @@ initrc_exec_t --> sysadm_r:run_init_t
  sysadm_r:run_init_t @@ rc_exec_t     --> sysadm_r:run_init_t
  sysadm_r:run_init_t @@ initrc_exec_t --> system_r:initrc_t

I think that's something openrc does (with its support for SELinux, through /lib64/rc/runscript_selinux.so) or needs to do, but I have no clue how we do all that.

Until then, you can use "run_init" to launch init scripts, like most (if not all) other distributions work:

  run_init /etc/init.d/apache start

or using rc-service:

  run_init rc-service apache start

But as I said, I'll look at it more closely tomorrow. It's probably a change I forgot to forward-port or so...

Wkr,
  Sven Vermeulen
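As an added illustration (a constructed model of my own, not code from the mail above or from the Gentoo hardened policy), the execute/transition chain from the mail replayed in a small Python model of SELinux context transitions. It assumes only how the two rule kinds are keyed: a type_transition on (source domain, executed file type), a role_transition on (current role, executed file type) with no view of the source domain, which is why an automated role switch cannot be limited to callers already in run_init_t; the manual case leaves the role switch to run_init itself, which is outside the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    role: str
    domain: str

    def __str__(self):
        return f"{self.role}:{self.domain}"

# Constructed domain transitions mirroring the chain in the mail.
# A type_transition is keyed on (source domain, executed file type).
TYPE_TRANSITIONS = {
    ("sysadm_t", "initrc_exec_t"): "run_init_t",   # integrated run_init support
    ("run_init_t", "initrc_exec_t"): "initrc_t",
}

def execute(ctx, exec_type, role_transitions):
    """Context of the child after ctx executes a file labelled exec_type.

    role_transitions maps (current role, executed type) -> new role; SELinux
    role_transition rules see only the role, never the source domain.
    """
    new_domain = TYPE_TRANSITIONS.get((ctx.domain, exec_type), ctx.domain)
    new_role = role_transitions.get((ctx.role, exec_type), ctx.role)
    return Context(new_role, new_domain)

def run_chain(start, exec_types, role_transitions):
    """Replay a sequence of executions, returning every intermediate context."""
    trace = [start]
    for exec_type in exec_types:
        trace.append(execute(trace[-1], exec_type, role_transitions))
    return trace

# Init script -> /sbin/rc -> init script, as in the mail.
CHAIN = ["initrc_exec_t", "rc_exec_t", "initrc_exec_t"]
SYSADM = Context("sysadm_r", "sysadm_t")
# Hypothetical automated rule: anyone in sysadm_r executing an init script
# is moved to system_r, regardless of whether they came through run_init_t.
AUTO_ROLE = {("sysadm_r", "initrc_exec_t"): "system_r"}

def role_changed_at(trace):
    """Indices of the steps at which the role switched."""
    return [i for i in range(1, len(trace)) if trace[i].role != trace[i - 1].role]

if __name__ == "__main__":
    for label, rules in (("manual (run_init)", {}), ("automated", AUTO_ROLE)):
        trace = run_chain(SYSADM, CHAIN, rules)
        print(f"{label}: " + " --> ".join(map(str, trace)),
              "| role switched at steps", role_changed_at(trace))
```

With the automated rule the role already flips at the first execution (the sysadm_t step that should stay in sysadm_r), not at the final run_init_t to initrc_t hop; without it the chain ends in sysadm_r:initrc_t and the role change has to come from run_init.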