Re: daemons running as initrc_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel J Walsh wrote:
> Tom London wrote:
>> [root@localhost ~]# ps agxZ | grep initrc_t
>> system_u:system_r:initrc_t       2818 ?        S      0:00 nasd -b -local
>> system_u:system_r:initrc_t       3174 ?        Ss     0:00
>> NetworkManagerDispatcher
>> --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
>> system_u:system_r:unconfined_t   3802 pts/0    S+     0:00 grep initrc_t
>> [root@localhost ~]#
>>
>> So, nasd and Network run in initrc_t.
>>
>> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
> Yes anyone out there looking to get their feet wet in writing policy,
> this is probably a good one to start on.

i don't know whether tom has worked on this. if not, i will try, but
i am not familiar with network audio system :-)

> 
> Try out system-config-selinux, go to modules tab and select new. 
> Comments welcome.  I plan on writing up a
> tutorial on this, soon.
>>
>> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t,
>> other?)?
>>
> This really needs a different interface also.  And the scripts need to
> be labeled.  One problem with this is
> these scripts could do anything so writing a policy to do this
> dispatcher would need to be able to transition
> to lots of domains.  Maybe add an interface to it so, it like apache can
> run scripts in different contexts.
> 
> But we would have to ship an NetworkManager_unconfined_script_exec_t,
> for the default.
>> tom
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux