Re: extras package that require changes in selinux-policy (initng)


 



Daniel J Walsh wrote:

dragoran wrote:

Hello.
I am working on selinux support in initng, which is in review for extras now [1]. But it seems that initng requires a policy to work (just tested in targeted mode). Using the default context (sbin_t) lets all apps that are started from initng run as kernel_t.

What is the path?  We can set it up in policy.

Relabeling /sbin/initng to init_exec_t (same as init) fixes this and the processes run as init_t and udev_t for udev, but some issues still remain.

I will add to policy.

ok thx

hald, httpd, etc. also run as init_t, which is *wrong*; they have to get into their own domain. How is this handled in sysvinit?
After reading the code I haven't found anything about it.

Are the startup scripts marked initrc_exec_t?


Yes, I did chcon -t initrc_exec_t on all files in /etc/initng/system and /etc/initng/daemons

The patch I wrote can be found here: http://bugzilla.initng.thinktux.net/show_bug.cgi?id=365
Did I do something wrong? Did I miss something?
After fixing this we will run into another problem. Every time the filesystem gets relabeled, initng will become sbin_t, which will break it. To fix this we need to modify the selinux-policy. What should be done if a package in extras requires changing a core package? Should I just file a bug against it and hope that it will be released as an update for FC4, and gets into rawhide too?
Was unable to find anything about it in the wiki.
1: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173459

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list




--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
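
A check for the symptom discussed in this thread (daemons started by initng staying in init_t instead of moving to their own domain), added here as an example and not taken from the thread or from initng. The function names, the daemon-to-domain table (hald_t and httpd_t are assumed targets) and the `ps -eZ` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Expected SELinux domain per process name (assumed mapping for illustration).
expected_domain() {
    case "$1" in
        initng) echo init_t ;;
        udevd)  echo udev_t ;;
        hald)   echo hald_t ;;
        httpd)  echo httpd_t ;;
        *)      return 1 ;;   # not a process we track
    esac
}

# Reads `ps -eZ` style lines (LABEL PID TTY TIME CMD) on stdin and prints
# one line for every tracked process that is not in its expected domain.
check_domains() {
    while read -r label pid _tty _time cmd; do
        [ "$label" = "LABEL" ] && continue            # skip the header row
        want=$(expected_domain "$cmd") || continue    # untracked process
        # A context is user:role:type[:level]; the domain is the third field.
        have=$(printf '%s\n' "$label" | cut -d: -f3)
        [ "$have" = "$want" ] ||
            printf '%s pid=%s runs as %s, expected %s\n' \
                "$cmd" "$pid" "$have" "$want"
    done
}

# Constructed sample: the state described above after /sbin/initng has been
# relabeled to init_exec_t (udev transitions correctly, hald and httpd do not).
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 initng
system_u:system_r:kernel_t          2 ?        00:00:00 ksoftirqd/0
system_u:system_r:udev_t          412 ?        00:00:00 udevd
system_u:system_r:init_t         1530 ?        00:00:00 hald
system_u:system_r:init_t         1712 ?        00:00:03 httpd
EOF
}

sample_ps_output | check_domains
```

On a live system the same function can be fed with `ps -eZ | check_domains`.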
