
Bug 517456

Summary: Boot in enforcing mode and remove selinux_gentoo init script
Product: Gentoo Linux
Reporter: Jason Zaman <perfinion>
Component: SELinux
Assignee: Jason Zaman <perfinion>
Status: RESOLVED FIXED
Severity: normal
CC: perfinion, selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=517450
Bug Depends on: 481182    

Description Jason Zaman gentoo-dev 2014-07-18 21:00:31 UTC
Once OpenRC 0.13 is released, it implements all the functionality of selinux_gentoo earlier during boot, so booting with enforcing=0 and then switching to enforcing later should not be required.

A few minor policy additions are needed to allow restorecon -r /dev, plus a few labels; then enforcing=1 should work fine. Then selinux_gentoo becomes redundant and can be removed.

So far the following are needed:

/sbin/openrc           --      gen_context(system_u:object_r:rc_exec_t,s0)

dev_setattr_all_blk_files(initrc_t)
dev_setattr_all_chr_files(initrc_t)

and also deciding on a label for /run/tmpfiles.d

See also:
https://bugs.gentoo.org/show_bug.cgi?id=516956
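
A pre-flight check for the state the description above aims for, as an added example that is not part of the bug report or of Gentoo's code: it flags the enforcing=0 workaround on the kernel command line and confirms that /sbin/openrc carries the rc_exec_t type. The function names are hypothetical, and the --live path assumes GNU stat on an SELinux system.

```shell
#!/bin/sh
# Added example: pre-flight check for booting straight into enforcing mode.
# Function names are hypothetical, not taken from OpenRC or policycoreutils.

# Print the value of the last enforcing= parameter on a kernel command line,
# or "unset" if the parameter is absent.
cmdline_enforcing() {
    val=unset
    for word in $1; do
        case $word in
            enforcing=*) val=${word#enforcing=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# Print the type field (third colon-separated field) of an SELinux context,
# e.g. system_u:object_r:rc_exec_t:s0 -> rc_exec_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the command line does not carry the enforcing=0 workaround
# and the given context for /sbin/openrc has the rc_exec_t type.
boot_enforcing_ready() {
    [ "$(cmdline_enforcing "$1")" != 0 ] || return 1
    [ "$(context_type "$2")" = rc_exec_t ] || return 1
    return 0
}

# Live check, run only on request: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    if boot_enforcing_ready "$(cat /proc/cmdline)" "$(stat -c %C /sbin/openrc)"; then
        echo "ok: no enforcing=0 on the command line, /sbin/openrc is rc_exec_t"
    else
        echo "not ready: enforcing=0 still set or /sbin/openrc is mislabeled" >&2
        exit 1
    fi
fi
```
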
Comment 1 Jason Zaman gentoo-dev 2014-08-08 11:37:58 UTC
OpenRC has been labeled properly and is in the master branch.
The fixes for restorecon on /dev and /sys are in openrc git and will be in the next release.

A policy for tmpfiles/checkpath is in the testing branch and has been sent upstream for comments.
Comment 2 Jason Zaman gentoo-dev 2015-07-04 12:45:11 UTC
+  04 Jul 2015; Jason Zaman <perfinion@gentoo.org>
+  +policycoreutils-2.4-r1.ebuild, policycoreutils-9999.ebuild:
+  bump of policycoreutils-extra, fixes bugs 544598, 517456, 517450

Fixed, and blocks older openrc.
Comment 3 Jason Zaman gentoo-dev 2015-09-06 12:59:01 UTC
The stable version has dropped the init script.