On Thu, 2006-02-02 at 18:07 +0100, dragoran wrote:
> checked this and found out that initng does not execute any scripts.
> the "scripts" are just files that contain info about which daemon
> should be started and which deps it has.
> this results in hald being started directly from initng using execv().
> This results in hald (and other services) run as init_t. If I put
> /sbin/service hald start into the exec line hald runs as hald_t.
> Why is a script required to get into the correct domain? Is there any
> way to fix this without adding setexeccon() for every daemon?

The current policy only defines domain transitions from init (init_t) to
rc (initrc_t) -> daemons. It doesn't define direct domain transitions
from init_t to the daemon domains, except for a few cases where that has
been necessary (getty, gdm). The policy could certainly also include
additional transitions directly from init_t to the daemon domains, and
that would work, but it will bloat the policy a bit to include both sets
of transitions. The script isn't required; it just happens to be the
current init approach, so that is what policy was written for. Adding
setexeccon() to every daemon wouldn't be desirable or helpful.

-- 
Stephen Smalley
National Security Agency
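Added example, not part of the original message and not taken from the Fedora policy: a sketch of the raw policy rules that one direct init_t to hald_t transition would need, which is what each "additional transition" mentioned above amounts to. The module name `initng_hald` is hypothetical, and `hald_exec_t` as the label of the hald binary is an assumption; only init_t, initrc_t and hald_t appear in the thread.

```selinux
# Hypothetical local module; the name is made up for this example.
module initng_hald 1.0;

require {
	type init_t;
	type hald_t;
	type hald_exec_t;	# assumed label of the hald executable
	class process transition;
	class file { getattr read execute entrypoint };
}

# Without this rule, execv() of hald from init_t keeps the caller's
# domain, so hald runs as init_t (the behaviour reported with initng).
# With it, a process in init_t that executes a hald_exec_t file is
# labelled hald_t by default, with no setexeccon() call in the caller.
type_transition init_t hald_exec_t:process hald_t;

# A type_transition only sets the default label; the transition must
# also be permitted, or the exec is denied in enforcing mode.
allow init_t hald_exec_t:file { getattr read execute };
allow init_t hald_t:process transition;

# hald_t must be enterable through this executable. The existing
# initrc_t -> hald_t path already relies on the same entrypoint rule.
allow hald_t hald_exec_t:file entrypoint;

# The same four rules would be repeated for every daemon domain that
# initng starts directly, alongside the existing initrc_t transitions.
# That duplication is the policy bloat described in the reply.
```

After loading such a rule set, `ps -eZ` shows whether hald started by initng is running in hald_t rather than init_t.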