[DSE-Dev] ifupdown & SE Linux
Václav Ovsík
vaclav.ovsik at i.cz
Thu Sep 18 06:39:54 UTC 2008
On Wed, Sep 17, 2008 at 04:24:47PM +0200, Václav Ovsík wrote:
>...
> The second problem for SE Linux is that interfaces with allow-hotplug
> are brought up through udevd. That means the network scripts run under
> the udev_t domain. This can be fixed by changing `allow-hotplug' to `auto'
> for now. I started to write a domain ifupdown_t some time ago, but
> I got stuck on changing the ifupdown package, not being certain of the way it
> should go. The policy module ifupdown can nevertheless be completed with file
> contexts defined for both locations, /var/run/network and /dev/shm/network,
> I think. Should I try to complete the ifupdown module?
Hmm, a separate domain is probably nonsense. I rethought this while walking
to the bus yesterday. There may be a number of if-{pre,post}-{up,down}
scripts that need access similar to other init scripts, so initrc_t
is the logical domain for ifupdown.
Index: selinux-policy-src/policy/modules/system/init.fc
===================================================================
--- selinux-policy-src.orig/policy/modules/system/init.fc 2008-09-17 18:54:09.000000000 +0200
+++ selinux-policy-src/policy/modules/system/init.fc 2008-09-17 18:57:39.000000000 +0200
@@ -28,6 +28,11 @@
#
# /sbin
#
+ifdef(`distro_debian',`
+/sbin/ifdown -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/ifup -- gen_context(system_u:object_r:initrc_exec_t,s0)
+')
+
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
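Review bot: labelling /sbin/ifup and /sbin/ifdown as initrc_exec_t only moves a caller into initrc_t if that caller's domain has a domain transition on initrc_exec_t; for the allow-hotplug case raised in the quoted mail, udev_t executing ifup still needs such a rule, so confirm it exists (for instance with `sesearch -T -s udev_t -t initrc_exec_t`) before assuming hotplug interfaces stop running under udev_t. Also note that the `--` specifier restricts both entries to regular files, so if ifdown on the target system is a symlink rather than a separate file the entry will not apply; check with `ls -lZ /sbin/ifup /sbin/ifdown` after `restorecon`. A one-line comment inside the ifdef explaining why Debian's ifupdown binaries are treated as init scripts (the if-{pre,post}-{up,down} hooks) would help, since nothing else in init.fc motivates distro-specific entries.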
I am going to propose this change to refpolicy at oss.tresys.com.
Regards
--
Zito
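As an added example (not part of the mail or of refpolicy), a small Python parser for this .fc syntax: it honours the ifdef(`distro_debian',` wrapper and the `--` regular-file specifier and resolves a path to the type it would receive, so one can confirm that /sbin/ifup and /sbin/ifdown resolve to initrc_exec_t only when the Debian distro is enabled. The sample entries are constructed to mirror the hunk above.

```python
import re

# Constructed sample in refpolicy .fc syntax, mirroring the init.fc hunk
# from the mail: Debian-only ifup/ifdown entries plus the init entry.
SAMPLE_FC = """\
ifdef(`distro_debian',`
/sbin/ifdown -- gen_context(system_u:object_r:initrc_exec_t,s0)
/sbin/ifup -- gen_context(system_u:object_r:initrc_exec_t,s0)
')

/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
"""

# path regex, optional file-type specifier (--, -d, -l, ...), gen_context(ctx,
ENTRY_RE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),")
IFDEF_RE = re.compile(r"^ifdef\(`(\w+)',`$")

def parse_fc(text, distros=()):
    """Return [(path_regex, type_spec, context)] for entries active under distros."""
    entries, stack = [], []          # stack: one bool per open ifdef block
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = IFDEF_RE.match(line)
        if m:
            stack.append(m.group(1) in distros)
            continue
        if line == "')":
            stack.pop()
            continue
        if not all(stack):
            continue                 # inside an ifdef block whose distro is off
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries

def label_for(path, entries, ftype="--"):
    """Type the path would get: anchored regex, last matching entry wins (as setfiles does)."""
    result = None
    for regex, spec, ctx in entries:
        if spec is not None and spec != ftype:
            continue                 # e.g. '--' entries label regular files only
        if re.fullmatch(regex, path):
            result = ctx.split(":")[2]
    return result
```

Passing ftype="-l" shows that a symlinked ifdown would not pick up the label, which is the caveat to check after restorecon.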