[DSE-Dev] logsave used in checkfs and checkroot

Erich Schubert erich at debian.org
Mon Sep 17 23:57:23 UTC 2007


Hello Philip,
Yeah, I also detected that problem back when I still had time to work on
Debian-SELinux...

In fact, initrc_t should have rather few permissions, so all the
filesystem-checking code should probably be moved from
checkroot.sh/checkfs.sh to a different script. Maybe it will work to
just give these files an appropriate domain (and init_t a transition
permission to this domain). While I would consider making the init.d
scripts rather minimal and moving the actual code to a new script
in /usr/sbin the cleanest solution from a file system labeling point of
view, you'll want to give people an option to modify these scripts (which
is why the code resides in /etc in the first place...)

This is just one of the thousand tiny bits where SELinux on Debian
doesn't work right yet. :-( (And in fact I doubt it will be much better
with other distributions. Or AppArmor: it wouldn't have 'learned' this
behaviour unless you had a damaged filesystem at boot, I guess!)

Regards,
Erich



