[DSE-Dev] logsave used in checkfs and checkroot

Philip Tricca phil at noggle.biz
Fri Sep 21 14:14:08 UTC 2007


Erich Schubert wrote:
> In fact, initrc_t should have rather few permissions, so all the
> filesystem-checking code should probably be moved from
> checkroot.sh/checkfs.sh to a different script. Maybe it will work to
> just give these files an appropriate domain (and init_t a transition
> permission to this domain). While I would consider making the init.d
> scripts rather minimal and moving the actual code to a new script
> in /usr/sbin the cleanest solution from a file system labeling point of
> view you'll want to give people an option to modify these scripts (which
> is why the code resides in /etc in the first place...)

Your solution makes pretty good sense to me.  Would it be possible to
simply move the call:

logsave -s $FSCK_LOGFILE fsck $spinner -R -A $fix $force $FSCKTYPES_OPT

to a script (a very small script) in /usr/sbin leaving all of the
check[fs|root].sh intact?  This would preserve (as you note above) the
option to modify these scripts through /etc/defaults etc.

I suppose this new script could get its own domain, something like
fsck_prefsmount that can exec fsck and write to its log file.  I'm sure
there are interfaces in the modular policy (fstools?) that should be
used but I'm just throwing this out off the top of my head for now.

> This is just one of the thousand tiny bits where SELinux on Debian
> doesn't work right yet. :-( (And in fact I doubt it will be much better
> with other distributions. Or AppArmor: it wouldn't have 'learned' this
> behaviour unless you had a damaged filesystem at boot, I guess!)

It seems that the little details like this are always the most difficult
to handle correctly.  I've found little things here and there in Fedora
that seem to be suffering similarly, e.g. the Fedora LSB init functions
use /sbin/runuser to change users but since there isn't a domain for
runuser and initrc_t doesn't have sufficient privileges ... well it
doesn't work and the recommended fix is to not use the init functions.

Either way I'm looking for ways to make myself useful to the Debian
SELinux community.  Any input or suggestions on how to do this the
"right way" are very welcome.  When I get time over the weekend I'll
prototype something up and send it in as an RFC.

- Philip
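
Added example, not code from this thread or from Debian: one form the small /usr/sbin wrapper proposed above could take. Because the wrapper would be the entry point into its own domain while its arguments come from the still-editable init scripts, it accepts only a log file inside one directory and a fixed set of fsck options. The name fsck-logged, the function names, the /var/log/fsck directory and the accepted option list are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical wrapper (e.g. /usr/sbin/fsck-logged), called from
# checkfs.sh/checkroot.sh as:
#   fsck-logged "$FSCK_LOGFILE" $spinner $fix $force $FSCKTYPES_OPT

# Assumed log directory; the wrapper's domain would only need write access here.
FSCK_LOG_DIR=/var/log/fsck

warn() { echo "fsck-logged: $1" >&2; }

run_logged_fsck() {
    [ "$#" -ge 1 ] || { warn "usage: fsck-logged LOGFILE [fsck options]"; return 64; }
    logfile=$1; shift

    # The log must be a plain file name directly inside FSCK_LOG_DIR.
    case $logfile in
        "$FSCK_LOG_DIR"/*) name=${logfile#"$FSCK_LOG_DIR"/} ;;
        *) warn "log file must be under $FSCK_LOG_DIR"; return 65 ;;
    esac
    case $name in
        ''|.*|*/*) warn "bad log file name"; return 65 ;;
    esac

    # Accept only an assumed set of fsck options; -t takes one argument.
    want_types=0
    for opt in "$@"; do
        if [ "$want_types" -eq 1 ]; then
            case $opt in
                ''|-*|*[!A-Za-z0-9,_]*) warn "bad -t argument"; return 65 ;;
            esac
            want_types=0
            continue
        fi
        case $opt in
            -C|-a|-y|-f) ;;
            -t) want_types=1 ;;
            *) warn "option not allowed: $opt"; return 65 ;;
        esac
    done
    [ "$want_types" -eq 0 ] || { warn "-t needs an argument"; return 65; }

    # -R and -A stay fixed, as in the original call.
    logsave -s "$logfile" fsck -R -A "$@"
}

# No-op when run without arguments; the init script always passes the log file.
[ "$#" -eq 0 ] || run_logged_fsck "$@"
```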
