Yuichi Nakamura wrote:

>I found iiim(htt_server) is also running as "user_t".
>Daemon programs started using su run as "user_t".
>
>Transition like
>initrc_t(initrc script)->su_exec_t->initrc_su_t(su)->user_t(daemon)
>is happening.
>
>I think su command or initscripts or daemon should be fixed.
>
>
>Tom London <selinux@xxxxxxxxx> wrote:
>
>>Running strict/enforcing, off of latest Rawhide.
>>
>>'ps agxZ' yields:
>>system_u:system_r:rpcd_t 2419 ? Ss 0:00 rpc.statd
>>system_u:system_r:rpcd_t 2447 ? Ss 0:00 rpc.idmapd
>>user_u:user_r:user_t 2551 ? Ssl 0:00 mDNSResponder
>>system_u:system_r:fsdaemon_t 2563 ? S 0:00 /usr/sbin/smartd
>>
>>Should mDNSResponder be running as user_u:user_r:user_t?
>>daemon_base_domain() generates a
>>domain_auto_trans(initrc_t, howl_exec_t, howl_t)
>>
>>So, should it be running in howl_t?
>>
>>It gets started from /etc/rc.d/init.d/mDNSResponder:
>>    su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS >/dev/null
>>
>>That right?
>>   tom
>>--
>>Tom London
>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list@xxxxxxxxxx
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>---
>Yuichi Nakamura
>Japan SELinux Users Group(JSELUG)
>  http://www.selinux.gr.jp/
>Hitachi Software
>  http://www.selinux.hitachi-sk.co.jp/en
>The George Washington University

Dan Walsh has come up with a new program called "runuser" (in the latest coreutils) that is intended to replace "su" in these situations (e.g. init scripts). Try replacing "su" with "runuser" in the script and see what happens.

HTH
Richard Hally
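The check discussed in this thread, as an added example that is not part of any poster's message: one function flags daemons (no controlling TTY) that ended up in a user domain in `ps agxZ`-style output, and one lists the `su` invocations in an init script that are candidates for `runuser`. The function names, the header line, the `-bash` row and the sample init script are constructed for illustration; the other `ps` rows and the `su` line come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Reads ps agxZ-style lines on stdin: LABEL PID TTY STAT TIME COMMAND...
# Prints "PID TYPE COMMAND" for each process without a controlling TTY whose
# SELinux type is one of the given user domains (default: user_t).
find_user_domain_daemons() {
    awk -v types="${*:-user_t}" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) bad[t[i]] = 1 }
    $1 == "LABEL" || NF < 6 { next }        # skip header and short lines
    {
        split($1, ctx, ":")                 # user:role:type[:level]
        if ($3 == "?" && (ctx[3] in bad)) {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            print $2, ctx[3], cmd
        }
    }'
}

# Reads an init script (stdin or file arguments) and prints "LINE: text"
# for every line that runs su as a command word.
su_lines() {
    awk '
    { code = $0; sub(/#.*/, "", code) }     # naive comment strip
    code ~ /(^|[ \t;&|])su[ \t]/ { print FNR ": " $0 }' "$@"
}

sample_ps() {   # constructed sample based on the output quoted in the thread
    cat <<'EOF'
LABEL                          PID TTY   STAT TIME COMMAND
system_u:system_r:rpcd_t      2419 ?     Ss   0:00 rpc.statd
system_u:system_r:rpcd_t      2447 ?     Ss   0:00 rpc.idmapd
user_u:user_r:user_t          2551 ?     Ssl  0:00 mDNSResponder
system_u:system_r:fsdaemon_t  2563 ?     S    0:00 /usr/sbin/smartd
user_u:user_r:user_t          3102 pts/0 Ss   0:00 -bash
EOF
}

sample_init() { # constructed init script fragment around the quoted su line
    cat <<'EOF'
#!/bin/sh
# start the daemon; su is used to drop privileges
start() {
    su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS >/dev/null
}
EOF
}

sample_ps | find_user_domain_daemons
sample_init | su_lines
```

On a live system, feed the first function with `ps agxZ` and the second with the scripts under /etc/rc.d/init.d; the interactive `-bash` row is not reported because it has a TTY.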