OpenRC currently dlopen()'s runscript_selinux.so provided by sys-apps/policycoreutils. This is not good since OpenRC is more than a Gentoo project, so it should be self contained. We need to decide how we want the integration to be and then implement the code directly in the openrc package.
(In reply to Jason Zaman from comment #0)
> OpenRC currently dlopen()'s runscript_selinux.so provided by
> sys-apps/policycoreutils

I'm not following; policycoreutils doesn't look Gentoo specific, it's from http://www.selinuxproject.org
Like eg. http://pkgs.fedoraproject.org/cgit/policycoreutils.git/
It is provided by that package, but it comes from policycoreutils-extra-1.31.tar.bz2, which is the Gentoo-specific extras. Upstream's repo is at: https://github.com/SELinuxProject/selinux/tree/master/policycoreutils which does not contain any runscript stuff. WilliamH thinks it's weird the way it is currently (I agree) and wants this merged into openrc itself instead of dlopen()ing. The aim is possibly also to make the user flow more transparent at the same time by not requiring run_init prefixed for some init scripts (the ones that are foo_initrc_exec_t). See section "Transparent full system administration" at http://article.gmane.org/gmane.linux.gentoo.hardened/6266
Ah, and because runscript is part of OpenRC, ... yes, I agree too
This is applied in commit 1932360 and will be part of OpenRC-0.14. I would like to thank Jason Zaman <jason@perfinion.com> for the patch.
Two more perms have been added to the SELinux policy.

Needed to support password auth without PAM:
auth_read_shadow(run_init_t)

Needed to support pam_rootok.so so a password is not required:
allow run_init_t self:passwd { passwd rootok };

Next steps are to wait for OpenRC stabilization, then remove runscript_selinux.so from policycoreutils.
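Added example (not code from this bug or from OpenRC): a small checker that parses `sesearch -A`-style allow rules and reports which of the permissions named in the comment above are missing for run_init_t. The sample rules are constructed, and the expansion of the refpolicy interface auth_read_shadow() to shadow_t:file read permissions is an assumption.

```python
"""Audit an SELinux policy dump for the run_init_t permissions this bug adds.

Input is the text format sesearch prints for allow rules, one rule per
line, e.g.  allow run_init_t run_init_t:passwd { passwd rootok };
(sesearch prints 'self' as the source type repeated in the target slot).
"""
import re
from typing import Dict, Set, Tuple

Key = Tuple[str, str, str]  # (source type, target type, object class)

# allow SRC TGT:CLASS { perm perm ... };   or   allow SRC TGT:CLASS perm;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));")

# Permissions the comment says run_init_t now needs.  The shadow_t entry is
# an ASSUMED expansion of auth_read_shadow(run_init_t); adjust for your policy.
REQUIRED: Dict[Key, Set[str]] = {
    ("run_init_t", "run_init_t", "passwd"): {"passwd", "rootok"},
    ("run_init_t", "shadow_t", "file"): {"read", "open", "getattr"},
}


def parse_allow_rules(text: str) -> Dict[Key, Set[str]]:
    """Collect granted permissions per (source, target, class) triple."""
    granted: Dict[Key, Set[str]] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not an allow rule (e.g. type_transition, dontaudit)
        src, tgt, cls, perm_set, perm_single = m.groups()
        perms = set((perm_set if perm_set is not None else perm_single).split())
        granted.setdefault((src, tgt, cls), set()).update(perms)
    return granted


def missing_permissions(text: str) -> Dict[Key, Set[str]]:
    """Return required permissions the dump does not grant, keyed by triple."""
    granted = parse_allow_rules(text)
    return {k: need - granted.get(k, set())
            for k, need in REQUIRED.items() if need - granted.get(k, set())}


# Constructed sample: rootok is granted, but shadow_t lacks 'read'.
SAMPLE = """\
allow run_init_t run_init_t:passwd { passwd rootok };
allow run_init_t shadow_t:file { getattr open };
allow run_init_t initrc_t:process transition;
"""

if __name__ == "__main__":
    for key, lacking in missing_permissions(SAMPLE).items():
        print("missing %s %s:%s %s" % (key[0], key[1], key[2], sorted(lacking)))
```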
+ 04 Jul 2015; Jason Zaman <perfinion@gentoo.org>
+ +policycoreutils-2.4-r1.ebuild, policycoreutils-9999.ebuild:
+ bump of policycoreutils-extra, fixes bugs 544598, 517456, 517450 fixed and blocks older openrc