Re: extras package that require changes in selinux-policy (initng)

dragoran wrote:

Daniel J Walsh wrote:

dragoran wrote:

Hello.
I am working on selinux support in initng, which is in review for extras now [1]. But it seems that initng requires a policy to work (just tested in targeted mode). Using the default context (sbin_t) lets all apps that are started from initng run as kernel_t.


What is the path?  We can set it up in policy.


Relabeling /sbin/initng to init_exec_t (same as init) fixes this and the processes run as init_t and udev_t for udev, but some issues still remain.


I will add to policy.


ok thx

hald, httpd, etc. also run as init_t, which is *wrong*; they have to get into their own domain. How is this handled in sysvinit?
After reading the code I haven't found anything about it.


Are the startup scripts marked initrc_exec_t?


Yes, I did chcon -t initrc_exec_t on all files in /etc/initng/system and /etc/initng/daemons

Checked this and found out that initng does not execute any scripts.
The "scripts" are just files that contain information about which daemon should be started and which deps it has. This results in hald being started directly from initng using execv(). This results in hald (and other services) running as init_t. If I put /sbin/service hald start into the exec line, hald runs as hald_t. Why is a script required to get into the correct domain? Is there any way to fix this without adding setexeccon() for every daemon?


--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
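
A simplified model of how the process domain is chosen at exec time, added here as an illustration; it is not part of the original thread, of initng, or of libselinux. The rule table, and the assumption that /sbin/service is labelled initrc_exec_t, are constructed to match the behaviour reported above rather than dumped from a real policy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified rule table (an assumption, not a real policy dump):
 * "a process in <source> that executes a file of type <target> enters <result>". */
struct type_transition { const char *source, *target, *result; };
static const struct type_transition rules[] = {
    { "init_t",   "initrc_exec_t", "initrc_t" },  /* init runs a startup script */
    { "initrc_t", "hald_exec_t",   "hald_t"   },  /* the script starts hald     */
    { "initrc_t", "httpd_exec_t",  "httpd_t"  },  /* the script starts httpd    */
};

/* Domain after one exec. An explicit request made with setexeccon() wins
 * (this model assumes policy permits it), then a matching rule applies;
 * with neither, the new program stays in the caller's domain. */
const char *domain_after_exec(const char *domain, const char *file_type,
                              const char *execcon)
{
    if (execcon != NULL)
        return execcon;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].source, domain) == 0 &&
            strcmp(rules[i].target, file_type) == 0)
            return rules[i].result;
    return domain;
}

/* Follow a chain of exec calls, given the file type executed at each step. */
const char *run_chain(const char *domain, const char *const *file_types, size_t n)
{
    for (size_t i = 0; i < n; i++)
        domain = domain_after_exec(domain, file_types[i], NULL);
    return domain;
}

int main(void)
{
    const char *direct[]     = { "hald_exec_t" };                  /* execv() from initng   */
    const char *via_script[] = { "initrc_exec_t", "hald_exec_t" }; /* /sbin/service, then hald */

    printf("direct execv:      %s\n", run_chain("init_t", direct, 1));
    printf("via /sbin/service: %s\n", run_chain("init_t", via_script, 2));
    printf("with setexeccon(): %s\n",
           domain_after_exec("init_t", "hald_exec_t", "hald_t"));
    return 0;
}
```

In this model there is no rule keyed on init_t for the daemon executables, so the direct execv() keeps init_t, while the intermediate script step moves the process into initrc_t, where the per-daemon rules match.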
