On Tue, Aug 01, 2006 at 09:38:15AM -0400, Stephen Smalley wrote:
> On Tue, 2006-08-01 at 15:21 +0200, Axel Thimm wrote:
> > On Tue, Aug 01, 2006 at 09:16:04AM -0400, Stephen Smalley wrote:
> > > On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
> > > > Does the following output help? Looks like anything called from sshd
> > > > gets into hotplug_t. The main sshd process runs under
> > > > system_u:system_r:kernel_t.
> > >
> > > sshd running in kernel_t is the problem; that should never happen (init
> > > transitions to init_t, then everything flows from it; nothing should
> > > ever transition back into kernel_t). Only kernel threads should have
> > > kernel_t (init will start life as kernel_t but then transition; usermode
> > > helpers like modprobe and hotplug should transition upon the exec).
> >
> > Hm, there are tons of processes in kernel_t, in fact almost everything
> > but sshd-initiated processes, httpd, rotatelog and spamd.
> >
> > Maybe I need to restart init yet another time (e.g. reboot). Would
> > that make sense?
>
> It would if init were running in kernel_t too. But given that it is
> running in init_t, I don't understand how its descendants got back to
> kernel_t. Unless the transition to init_t happened after starting the
> descendants, e.g. you manually told init to re-exec via telinit.

I didn't do so consciously. I rebooted the system and there is no
hotplug_t trace anymore in the processes. What I think I missed is the
reboot after the fixfiles command. But I don't understand how init
would go back and forth into different security contexts.

Anyway, for me I'm happy that the system is in a normal selinux state (I
hope) and that I can start using selinux in real life (permissive for
now while learning).

Thanks!
-- 
Axel.Thimm at ATrpms.net
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
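The check the thread is doing by eye (which processes carry kernel_t although they are not kernel threads) can be scripted. The following is an added example, not code from the thread or from the Fedora SELinux project; it reads `ps -eo label,pid,ppid,args` output and relies on ps printing kernel threads, which have no command line, with their name in brackets. The process table below is constructed to resemble the situation described in the thread and is not real output from that machine.

```shell
#!/bin/sh
# Added example (not from the thread): list processes whose SELinux domain is
# kernel_t but which are not kernel threads. Live input is
# `ps -eo label,pid,ppid,args`; kernel threads have no command line, so ps
# prints their name in brackets, e.g. "[ksoftirqd/0]", which we use to skip them.

# Read ps output on stdin, print "PID COMMAND" for every userspace process in kernel_t.
find_userspace_kernel_t() {
    awk 'NR > 1 {
        # LABEL is user:role:type[:range]; the third field is the domain.
        split($1, ctx, ":")
        if (ctx[3] == "kernel_t" && $4 !~ /^\[/) print $2, $4
    }'
}

# Constructed sample in the shape `ps -eo label,pid,ppid,args` produces: init
# has transitioned to init_t, two kernel threads legitimately carry kernel_t,
# and sshd (pid 1234, a made-up pid) wrongly stayed in kernel_t.
SAMPLE_PS='LABEL                        PID  PPID ARGS
system_u:system_r:init_t         1     0 init [3]
system_u:system_r:kernel_t       2     1 [migration/0]
system_u:system_r:kernel_t       3     1 [ksoftirqd/0]
system_u:system_r:kernel_t    1234     1 /usr/sbin/sshd
system_u:system_r:hotplug_t   1250  1234 sshd: axel [priv]
system_u:system_r:httpd_t     1300     1 /usr/sbin/httpd -k start'

# Run the check against the sample; prints "1234 /usr/sbin/sshd".
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_userspace_kernel_t
}

# On a live SELinux system, feed the real process table instead:
#   ps -eo label,pid,ppid,args | find_userspace_kernel_t
check_sample
```

Any line this prints is a daemon that did not get the domain transition policy expects, which is exactly the symptom the thread traces to running processes started before the relabel; a reboot (or a restart of the affected services after the relabel) is what clears it.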