Bug 517450 - sys-apps/openrc: migrate runscript_selinux.so from policycoreutils-extra-$version.tar.bz2 of sys-apps/policycoreutils directly to OpenRC
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Jason Zaman
Blocks: openrc-0.14
Reported: 2014-07-18 20:43 UTC by Jason Zaman
Modified: 2015-09-06 12:53 UTC
Description Jason Zaman gentoo-dev 2014-07-18 20:43:56 UTC
OpenRC currently dlopen()'s runscript_selinux.so provided by sys-apps/policycoreutils

This is not good since OpenRC is more than a Gentoo project, so it should be self-contained. We need to decide how we want the integration to be and then implement the code directly in the openrc package.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-07-18 22:10:33 UTC
(In reply to Jason Zaman from comment #0)
> OpenRC currently dlopen()'s runscript_selinux.so provided by
> sys-apps/policycoreutils

I'm not following; policycoreutils doesn't look Gentoo specific, it's from http://www.selinuxproject.org
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2014-07-18 22:12:23 UTC
Like e.g. http://pkgs.fedoraproject.org/cgit/policycoreutils.git/
Comment 3 Jason Zaman gentoo-dev 2014-07-18 22:30:08 UTC
It is provided by that package, but it comes from policycoreutils-extra-1.31.tar.bz2, which is the Gentoo-specific extras.

Upstream's repo is at https://github.com/SELinuxProject/selinux/tree/master/policycoreutils, which does not contain any runscript stuff.

WilliamH thinks it's weird the way it is currently (I agree) and wants this merged into OpenRC itself instead of dlopen()ing.

The aim is possibly also to make the user flow more transparent at the same time by not requiring a run_init prefix for some init scripts (the ones that are foo_initrc_exec_t). See section "Transparent full system administration" at
http://article.gmane.org/gmane.linux.gentoo.hardened/6266
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2014-07-18 22:54:28 UTC
Ah, and because runscript is part of OpenRC, ... yes, I agree too
Comment 5 William Hubbs gentoo-dev 2014-11-03 16:35:25 UTC
This is applied in commit 1932360 and will be part of OpenRC-0.14.
I would like to thank Jason Zaman <jason@perfinion.com> for the patch.
Comment 6 Jason Zaman gentoo-dev 2014-11-03 17:02:47 UTC
Two more perms have been added to the SELinux policy.

Needed to support password auth without PAM:
auth_read_shadow(run_init_t)

Needed to support pam_rootok.so so a password is not required:
allow run_init_t self:passwd { passwd rootok };

Next steps are to wait for OpenRC stabilization, then remove runscript_selinux.so from policycoreutils.
Comment 7 Jason Zaman gentoo-dev 2015-07-04 12:44:41 UTC
+  04 Jul 2015; Jason Zaman <perfinion@gentoo.org>
+  +policycoreutils-2.4-r1.ebuild, policycoreutils-9999.ebuild:
+  bump of policycoreutils-extra, fixes bugs 544598, 517456, 517450
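Review bot: The description line "bump of policycoreutils-extra" does not name the policycoreutils-extra version being bumped to, and the entry says nothing about the blocker on older openrc that the accompanying comment mentions. Suggest recording both in the ChangeLog entry, along with whether runscript_selinux.so was dropped in this bump, so the entry can be read on its own without the three referenced bugs.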

fixed and blocks older openrc