Philip Tricca wrote:
I'm trying to fix up an init scrip to play nice with SELinux (strict
policy 2.6.6-69.fc6). Digging through mailing list archives I found
recommendations to replace the use of su with /sbin/runuser for the
change from root to a lesser privileged user. My problem comes when
calling /sbin/runuser. I get 2 avcs:
type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX
comm="runuser" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key
type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX
comm="runuser" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket
Every daemon on my system seems to set its own uid (has allow X_t
self:capability { ... setuid setgid ...}) so I've been unable to find
an example of an init script (initrc_exec_t) that uses runuser. From
what I've gathered this would require adding some permissions to the
initrc_t domain, so either I'm doing something wrong (the likely case)
or if runuser is intended to be used from init scripts (it is used in
/etc/init.d/functions) then initrc_t should have these privileges ...
any thoughts?
TIA,
- Philip
What was the original reason for attempting any of this? What avc's are
you seeing in your applications? If you are running your own daemons,
they should just work and not need you to change anything. (In targeted
policy at least.)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
