Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> Seems like you have a mislabeled program running as initrc_t?
>>
>> ps -eZ | grep initrc_t
>
> Are there some docs on how to fix up any programs running as initrc_t
> (and when it is required to do so)?  I notice that puppetd is in this
> situation on my system, but I don't know if that's a potential problem
> nor how to correct it if it is.

No, any system daemon that does not have policy will run as initrc_t. If
these daemons executed confined applications, you could see AVCs. But
ordinarily an initrc_t domain will run as "unconfined". It is the
equivalent of the unconfined_t domain for a logged-in user.

We could write policy for puppetd and it would run under a different
context. Puppetd probably needs to do just about anything, so writing a
standard policy for it to work everywhere is impossible, so it would have
to be unconfined.

A lot of times AVCs for a confined domain referring to initrc_t indicate
a leaked file descriptor.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
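The `ps -eZ | grep initrc_t` check from the thread, together with a filter for the AVC pattern the reply mentions (a confined domain denied access to something labeled initrc_t), as an added example that is not part of the original messages. The function names and all sample lines are constructed for illustration, and skipping initrc_t and unconfined_t as source domains is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Read `ps -eZ` output on stdin; print "PID COMMAND" for every process
# whose SELinux type (third field of user:role:type[:level]) is initrc_t.
initrc_procs() {
    awk '$1 != "LABEL" {
        split($1, ctx, ":")
        if (ctx[3] == "initrc_t") print $2, $5
    }'
}

# Read audit log lines on stdin; print "SOURCE_TYPE COMMAND TCLASS" for AVC
# denials where a confined source domain hits a target labeled initrc_t.
# Assumption: initrc_t and unconfined_t sources are skipped as unconfined.
initrc_avcs() {
    awk '/avc: +denied/ {
        s = ""; t = ""; c = ""; k = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { k = substr($i, 8) }
            if ($i ~ /^comm=/)     { c = $i; gsub(/^comm=|"/, "", c) }
        }
        if (t == "initrc_t" && s != "initrc_t" && s != "unconfined_t")
            print s, c, k
    }'
}

sample_ps() {   # constructed `ps -eZ` output
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:syslogd_t:s0   1893 ?        00:00:00 rsyslogd
system_u:system_r:initrc_t:s0    2345 ?        00:00:07 puppetd
unconfined_u:unconfined_r:unconfined_t:s0 3012 pts/0 00:00:00 bash
EOF
}

sample_audit() {   # constructed audit.log lines
cat <<'EOF'
type=AVC msg=audit(1215542122.101:45): avc:  denied  { read write } for  pid=2101 comm="httpd" path="socket:[5512]" dev=sockfs ino=5512 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1215542140.202:46): avc:  denied  { getattr } for  pid=2200 comm="named" path="/etc/shadow" dev=dm-0 ino=9911 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

echo "initrc_t processes:";        sample_ps    | initrc_procs
echo "AVCs pointing at initrc_t:"; sample_audit | initrc_avcs
```

On a live system the same functions take real input, for example `ps -eZ | initrc_procs` and `initrc_avcs < /var/log/audit/audit.log`.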