Re: squid denial on F11 for var_run_t

On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:

> >>> unconfined_t ->  squid_exec_t ->  unconfined_t
> >>>
> >>> But unconfined processes starting init scripts have a transition
> >>>
> >>> unconfined_t ->  initrc_exec_t ->  initrc_t ->  squid_exec_t ->  squid_t
> >>>
> >>> So any time you are using a confined process you should use the init
> >>> script to start them, otherwise you could get mislabeled files.

The AVC denial was about squid_t trying to access var_run_t.

If unconfined_t executed squid_exec_t then the domain would not be
squid_t.

If squid would run as squid_t then the pid would not be var_run_t.

The AVC denial does not seem to make sense. Maybe only if two squid
processes were running, one unconfined and one confined, that were
conflicting.



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
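
The following is an added example, not part of the original message and not real policy: a toy Python model of the two transition chains quoted above, showing how a pid file left behind by a directly started (unconfined) squid could later produce a squid_t denial on var_run_t. The type name squid_var_run_t, the pid file path and the allow rules are assumptions made for illustration.

```python
# Toy model of the SELinux transitions discussed in this thread.
# Constructed for illustration; these tables are not taken from a real policy.

# Process transitions: (current domain, entrypoint file type) -> new domain.
# There is no rule for (unconfined_t, squid_exec_t), so that exec keeps the domain.
DOMAIN_TRANSITIONS = {
    ("unconfined_t", "initrc_exec_t"): "initrc_t",
    ("initrc_t", "squid_exec_t"): "squid_t",
}
# File transitions: (creating domain, parent directory type) -> new file type.
# squid_var_run_t is an assumed name for squid's private pid file type.
FILE_TRANSITIONS = {("squid_t", "var_run_t"): "squid_var_run_t"}
# Assumed allow rules: file types each confined domain may write.
ALLOWED_WRITE = {"squid_t": {"squid_var_run_t"}}

DIRECT = ["squid_exec_t"]                     # admin runs the squid binary
VIA_INIT = ["initrc_exec_t", "squid_exec_t"]  # admin runs the init script


def domain_after(start, exec_chain):
    """Follow a chain of exec() calls and return the resulting domain."""
    domain = start
    for exec_type in exec_chain:
        domain = DOMAIN_TRANSITIONS.get((domain, exec_type), domain)
    return domain


def created_type(domain, dir_type):
    """Without a file transition rule, a new file inherits the directory type."""
    return FILE_TRANSITIONS.get((domain, dir_type), dir_type)


def may_write(domain, file_type):
    if domain == "unconfined_t":
        return True
    return file_type in ALLOWED_WRITE.get(domain, set())


def replay(runs, pidfile="/var/run/squid.pid"):  # path is a constructed sample
    """Replay squid starts in order; return (labels, denials).
    An existing file keeps the label it was created with."""
    labels, denials = {}, []
    for exec_chain in runs:
        domain = domain_after("unconfined_t", exec_chain)
        if pidfile not in labels:
            labels[pidfile] = created_type(domain, "var_run_t")
        elif not may_write(domain, labels[pidfile]):
            denials.append((domain, labels[pidfile]))  # (source, target) types
    return labels, denials
```

Replaying `[DIRECT, VIA_INIT]` yields a single denial with source squid_t and target var_run_t, while `[VIA_INIT]` alone yields none.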
