On Mon, 2004-07-12 at 08:53, Stephen Smalley wrote:
> The fact that it is running in user_u likely means that it is being
> started via su (to run in some pseudo user identity), and since that
> pseudo user identity does not exist in the policy, it is being remapped
> to user_u.

I confirmed this; /etc/init.d/mDNSResponder does a su -s /bin/bash -
nobody -c mDNSResponder to start the daemon. As "nobody" doesn't exist
as a user identity in the SELinux policy, su ends up falling back to
user_u as the default. Hence, to start with, you would want to replace
the use of su with a wrapper program to set the uid/gid without
performing a domain transition, and you would still need to define a
domain for mDNSResponder.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
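A sketch of the kind of wrapper the message describes, added here as an example and not taken from the original post or from any distribution's init scripts. It changes only the Unix uid/gid and then execs the daemon; it makes no PAM or SELinux context-setting calls, so the security context is whatever the caller's policy yields. The function name drop_to_user and the command-line layout are assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch the calling process to the named account's uid/gid.
 * Returns 0 on success, -1 on failure; the caller must not exec on failure.
 * No SELinux or PAM call is made: only the Unix identity changes. */
int drop_to_user(const char *name)
{
    if (name == NULL)
        return -1;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    /* Order matters: supplementary groups and gid must change while
     * the process still has the privilege to change them. */
    if (setgroups(1, &pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* Confirm the drop is permanent: regaining root must fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Usage (hypothetical): wrapper <user> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user program [args...]\n", argv[0]);
        return 2;
    }
    if (drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "%s: cannot switch to user %s\n", argv[0], argv[1]);
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror("execvp"); /* reached only if exec failed */
    return 127;
}
```

The domain for the daemon still has to come from policy, as the message says; this wrapper only removes su from the startup path.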