Re: service and system-config-services restart daemons in incorrect type under mls policy

[Stephen Smalley <sds tycho nsa gov>]

On Thu, 2007-04-26 at 14:55 -0500, Joe Nall wrote:
> I'm running an mls/permissive policy on FC6 and service and system- 
> config-services start daemons in the user's selinux context rather  
> than those in /etc/selinux/mls/contexts/initrc_context. Since our  
> policies use init_daemon_domain to establish domain transitions, they  
> are not transitioning into the correct domain on user initiated (re) 
> starts.
> 
> "run_init service <service> restart" - works, but leaves us in a  
> situation where documentation doesn't match experience. What is the  
> right approach to getting the transitions to work properly? Patch  
> service and friends? Write a more generic transition?

That should be governed by the DIRECT_INITRC= setting in the refpolicy
build.conf (or as overridden on the make command line in the .spec file
for building the policy).  DIRECT_INITRC=y (as in -targeted) turns on
direct role transitions and domain transitions from sysadm_r:sysadm_t to
system_r:initrc_t and/or system_r:<daemon domain>, although we can't yet
automatically transition the user identity field.

If you want the DIRECT_INITRC=n situation, then yes, you need to
integrate run_init or similar functionality into the init script and/or
service script infrastructure, as they have done in Hardened Gentoo.

-- 
Stephen Smalley
National Security Agency