[DSE-Dev] Bug#690086: selinux-policy-default: Upstart jobs do not transition properly

Paul Donohue DebianBugs at Linux.TopQuark.net
Tue Oct 9 20:04:42 UTC 2012


Package: selinux-policy-default
Version: 2:2.20110726-3
Severity: normal

Upstart runs as init_t.  When running SysV init scripts, Upstart transitions to
initrc_t when the init script is run, then transitions again to an appropriate
domain when the daemon executable is run.

However, when managing jobs directly with Upstart (for example, sshd in Ubuntu),
this doesn't work properly.  Upstart does not transition to initrc_t before
running the daemon executable, so the normal daemon transition does not occur.

The simple fix is to edit the Upstart job and have it run the daemon using
'runcon'.  However, this is not really a scalable solution.

The best way I can think to fix this is to extend the policy to allow init_t to
transition directly to daemon contexts.  Basically, in
policy/modules/system/init.if, domtrans_pattern(init_t, $2, $1) should be added
next to any call to domtrans_pattern(initrc_t, $2, $1).  I can submit a patch
for this if it would help.

Of course, I'm open to other fixes if someone knows of a better solution.

Thanks.
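
A check for the symptom described in the report above, as an added example that is not part of the original message: it filters `ps -eZ` output for processes other than PID 1 that are still running as init_t. The sample process list and the function names are constructed for illustration, and treating every non-PID-1 process in init_t as a missed transition is a heuristic.

```shell
#!/bin/sh
# Added example (not from the bug report): find daemons that stayed in
# init_t because no init_t -> daemon domain transition took place.

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD).
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:init_t:s0       812 ?        00:00:00 sshd
system_u:system_r:syslogd_t:s0    640 ?        00:00:00 rsyslogd
system_u:system_r:init_t:s0-s0:c0.c1023 905 ?  00:00:00 cron
EOF
}

# Read `ps -eZ` output on stdin and print "PID CMD" for every process
# whose SELinux type is init_t. PID 1 is skipped: Upstart itself is
# expected to run as init_t.
untransitioned() {
    awk 'NR > 1 {
        # Context layout: user:role:type:level[:categories]
        split($1, ctx, ":")
        if (ctx[3] == "init_t" && $2 != 1)
            print $2, $NF
    }'
}

# Demo on the constructed sample; on a live system use:
#   ps -eZ | untransitioned
sample_ps | untransitioned
```

Running the same filter before and after a policy change, or after wrapping a job in 'runcon', shows whether the daemon now lands in its own domain.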