On Wed, 2008-05-14 at 11:12 -0400, Sciola, Dario wrote:
> Classification: UNCLASSIFIED
>
> Hi,
>
> I've got a small application that I'm trying to get running as a
> service on an FC8 SELinux box. I've got an entry in my inittab file
> to kick start the app, but all my attempts at writing an appropriate
> policy leave that app running in the init_t domain.

This kind of question likely belongs on selinux@xxxxxxxxxxxxx, not here -
it isn't really Fedora-specific.

> The inittab file entry is:
>
> cds:2345:respawn:/usr/bin/CDSserver -l -p 2732
>
> ps -efZ (observing this as a 'root' user) gives:
>
> system_u:system_r:init_t:s0 root 2663 1 0 10:01 ? 00:00:00 /usr/bin/CDSserver -l -p 2732
>
> My .te file contains:
>
> policy_module(cdsserver,1.0.3)
>
> ########################################
> #
> # Declarations
> #
> ########################################
>
> # Type declarations
> ###################
>
> # the target domain:
> type cds_t;
>
> # Entrypoint for exec
> type cds_exec_t;
>
>
> # domain type
> #domain_type(cds_t)
>
> # Mark cds_t as a domain and cds_exec_t as an entrypoint
> init_daemon_domain(cds_t, cds_exec_t)

init_daemon_domain is for a normal daemon started by an /etc/rc.d script,
not for something directly started by /sbin/init. You want init_domain()
instead I think.

> domain_entry_file(cds_t, cds_exec_t)

This should be covered by the above.

> allow cds_t self:process execmem;

Better if you can avoid that.

> ...
>
> My .fc file contains:
>
> /usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)
>
>
> My .if file contains:
>
> interface(`cds_domtrans',`
>     gen_require(`
>         type cds_t, cds_exec_t;
>     ')
>
>     domain_auto_trans($1,cds_exec_t,cds_t)
>
>     allow $1 cds_t:fd use;
>     allow cds_t $1:fd use;
>     allow cds_t $1:fifo_file rw_file_perms;
>     allow cds_t $1:process sigchld;
> ')
>
> I've also tried putting init_t as $1 in the domain_auto_trans()

An .if file serves no purpose unless you have something that calls the
interfaces it defines. It just defines a set of interfaces for other .te
files to use.

> Why isn't the process transitioning to cds_t? I've looked at a lot of
> sites and examples and can't seem to figure out my problem. The policy
> is the targeted FC8 policy. Module compiles and loads (semodule) fine.
>
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 21
> Policy from config file:        targeted
>
> Any ideas?
>
>
> Dario Sciola
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
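An added example, not part of the thread and not Dario's or Stephen's code: a minimal cdsserver.te rewritten around init_domain() along the lines of the reply above. It keeps the type declarations from Dario's module, drops the redundant domain_entry_file() call, and assumes the refpolicy init_domain(domain, entrypoint) interface takes the same two arguments as init_daemon_domain(). The permissions the server needs at runtime are not stated anywhere in the thread, so they are left as a comment describing how to derive them rather than guessed.

```selinux
policy_module(cdsserver, 1.0.4)

########################################
#
# Declarations
#

# the confined domain the server process should run in
type cds_t;

# entrypoint type: the label /usr/bin/CDSserver carries via the .fc file
type cds_exec_t;

########################################
#
# Domain transition
#

# init_domain() marks cds_t as a domain, makes cds_exec_t its entrypoint,
# and adds the init_t -> cds_t transition on exec of a cds_exec_t file,
# which is what a process spawned straight from /etc/inittab needs.
# init_daemon_domain() would wire the transition from initrc_t (the
# /etc/rc.d script domain) instead, so an inittab-started process would
# stay in init_t, exactly the symptom seen in ps -efZ.
# (assumption: refpolicy signature init_domain(domain, entrypoint))
init_domain(cds_t, cds_exec_t)

# Not needed: init_domain() already declares the entrypoint.
# domain_entry_file(cds_t, cds_exec_t)

########################################
#
# Local policy
#

# The rules CDSserver itself needs (listening on the port given in
# inittab, files it reads or writes) are unknown here. With the box in
# permissive mode, start the server and derive them from the logged
# denials, e.g. with audit2allow, adding only what it actually uses.
# In particular, avoid granting
#   allow cds_t self:process execmem;
# unless the program genuinely needs writable+executable memory.
```

Two checks worth doing after `semodule -i cdsserver.pp`: run `restorecon -v /usr/bin/CDSserver` and confirm with `ls -Z` that the binary is labelled cds_exec_t, because init only transitions when the file label matches the entrypoint type; then `telinit q` (or kill the respawning instance) and confirm with `ps -efZ` that the new process shows system_r:cds_t rather than init_t. If the module does not compile, the failing line will usually be the interface call, which is the part the policy headers on the box must provide.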