dragoran wrote:
Daniel J Walsh wrote:
dragoran wrote:
Hello.
I am working on selinux support in initng, which is in review for
extras now [1].
But it seems that initng requires a policy to work (just tested in
targeted mode)
Using the default context (sbin_t) lets all apps that are started
from initng run as kernel_t.
What is the path? We can set it up in policy.
Relabeling /sbin/initng to init_exec_t (same as init) fixes this and
the processes run as init_t and udev_t for udev, but some issues
still remain.
I will add to policy.
ok thx
hald, httpd, etc. also run as init_t which is *wrong*; they have to
get into their own domain. How is this handled in sysvinit?
After reading the code I haven't found anything about it.
Are the startup scripts marked initrc_exec_t?
yes I did chcon -t initrc_exec_t on all files in /etc/initng/system
and /etc/initng/daemons
Checked this and found out that initng does not execute any scripts.
The "scripts" are just files that contain info about which daemon
should be started and which deps it has.
This results in hald being started directly from initng using execv().
This results in hald (and other services) running as init_t. If I put
/sbin/service hald start into the exec line, hald runs as hald_t.
Why is a script required to get into the correct domain? Is there any
way to fix this without adding setexeccon() for every daemon?
--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
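The symptom discussed in the thread (daemons that stay in init_t because initng execv()s them directly instead of going through an initrc_exec_t script) is easy to audit from a process listing. The script below is an added example written for this page, not code from the thread or from the initng project. It parses `ps -eZ`-style lines (the sample listing here is constructed, not captured from a real host) and reports every process whose SELinux type is init_t but which is not the init program itself; on a live system the only process that should appear in init_t is init (or initng) itself.

```shell
#!/bin/sh
# Added example: flag daemons that ended up in init_t instead of their own domain.
# SAMPLE_PS is CONSTRUCTED data in the layout of `ps -eZ` (context pid tty time comm);
# it is not output from a real machine.
SAMPLE_PS='system_u:system_r:init_t:s0          1 ?  00:00:01 initng
system_u:system_r:udev_t:s0        412 ?  00:00:00 udevd
system_u:system_r:init_t:s0       1203 ?  00:00:00 hald
system_u:system_r:httpd_t:s0      1311 ?  00:00:02 httpd
system_u:system_r:init_t:s0       1320 ?  00:00:00 sshd'

# Read ps-style lines on stdin and print "<pid> <comm>" for every process whose
# context type (third colon-separated field of the label) is init_t and whose
# command name is not the real init program given as $1.
misplaced_in_init_t() {
    init_comm="$1"    # e.g. initng, or init on a sysvinit box
    awk -v init="$init_comm" '
        {
            split($1, ctx, ":")                  # user:role:type:level
            if (ctx[3] == "init_t" && $NF != init) print $2, $NF
        }'
}

# Convenience wrapper: how many daemons in the sample are stuck in init_t.
count_misplaced() {
    printf '%s\n' "$SAMPLE_PS" | misplaced_in_init_t "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. On a live system use instead:
#   ps -eZ | tail -n +2 | misplaced_in_init_t initng
printf '%s\n' "$SAMPLE_PS" | misplaced_in_init_t initng
```

A non-empty report means the policy has no automatic transition from init_t to those daemons' domains for the way they were started; in the thread the fix that worked was to launch them via /sbin/service so the initrc_t domain (which does have the transitions) is in the path.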