From: Russell Coker <russell@coker.com.au>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: init patch for loading policy
Date: Wed, 22 Oct 2003 02:00:35 +1000 [thread overview]
Message-ID: <200310220200.35514.russell@coker.com.au> (raw)
In-Reply-To: <1066748352.27065.100.camel@moss-spartans.epoch.ncsc.mil>
On Wed, 22 Oct 2003 00:59, Stephen Smalley wrote:
> On Tue, 2003-10-21 at 10:43, Russell Coker wrote:
> > The results I have so far indicate that this approach has significant
> > problems.
> >
> > Diverting /sbin/init with a shell script works better than this.
>
> Ok, thanks for looking into it. So what exactly is the problem with
> diverting /sbin/init again?
No insurmountable problem. I have the following script as /sbin/init, I have
the real init as /sbin/init.real, and I modified the telinit sym-link
accordingly. It seems that init gets re-exec'd for some reason I'm still not
sure about. That means that bash gets run in init_t and wants some extra
access. But that's not significant.
Diverting /sbin/init may be our best option.
allow init_t devtty_t:chr_file { read write };
allow init_t proc_t:file { read };
#!/bin/sh
if [ ! -d /proc/1 ]; then
mount -n /proc
fi
grep -q selinuxfs /proc/filesystems || exec /sbin/init.real "$@"
if [ ! -f /selinux/enforce ]; then
mount -n /selinux
/usr/sbin/load_policy /etc/security/selinux/policy.15
if [ -f /selinux/enforce ]; then
echo 1 > /selinux/enforce
else
echo "Can't set enforcing mode"
fi
fi
exec /sbin/init.real "$@"
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2003-10-21 16:00 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-19 15:48 init patch for loading policy Russell Coker
2003-10-20 8:21 ` Carsten Grohmann
2003-10-20 18:02 ` Stephen Smalley
2003-10-20 20:10 ` Daniel J Walsh
2003-10-20 20:46 ` Stephen Smalley
2003-10-20 20:56 ` Daniel J Walsh
2003-10-21 12:19 ` Stephen Smalley
2003-10-21 0:52 ` Russell Coker
2003-10-21 12:29 ` Stephen Smalley
2003-10-21 14:43 ` Russell Coker
2003-10-21 14:59 ` Stephen Smalley
2003-10-21 16:00 ` Russell Coker [this message]
2003-10-21 18:38 ` Daniel J Walsh
2003-10-21 20:14 ` Bastian Blank
2003-10-21 17:50 ` Daniel J Walsh
2003-10-22 22:31 ` Joubert Berger
2003-10-23 1:42 ` Russell Coker
2003-10-21 18:07 ` Daniel J Walsh
2003-10-21 18:54 ` Stephen Smalley
2003-10-21 19:56 ` Stephen Smalley
2003-10-21 12:32 ` Stephen Smalley
2003-10-21 13:56 ` Russell Coker
2003-10-20 20:47 ` Bastian Blank
2003-10-21 0:57 ` Russell Coker
2003-10-21 6:26 ` Bastian Blank
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200310220200.35514.russell@coker.com.au \
--to=russell@coker.com.au \
--cc=sds@epoch.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.