On 16/06/09 14:53, Dominick Grift wrote:
> On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
> > unconfined_t -> squid_exec_t -> unconfined_t
> > But unconfined processes starting init scripts have a transition
> > unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> > So any time you are using a confined process you should use the init
> > script to start them, otherwise you could get mislabeled files.
> The AVC denial was about squid_t trying to access var_run_t.
> If unconfined_t executed squid_exec_t then the domain would not be
> squid_t.
> If squid would run as squid_t then the pid would not be var_run_t.
> The AVC denial does not seem to make sense. Maybe only if two squid
> processes were running, one unconfined and one confined, that were
> conflicting.
Perhaps squid was first run unconfined, creating /var/run/squid.pid that
was var_run_t, then run again using the initscript, causing the denial
when trying to access the pidfile?
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
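The scenario the thread describes (a pid file left with the generic var_run_t type by an unconfined start, then denied to the confined squid_t domain once the init script is used) can be checked mechanically. The following POSIX sh script is an added example, not code from the thread or from the Fedora policy; it assumes that the type the policy expects for the squid pid file is squid_var_run_t (not stated in the thread) and that contexts have the usual user:role:type:level form. The pure functions work on constructed context strings; check_pidfile only gives meaningful results on a system with SELinux enabled, where GNU stat's %C prints the file context and restorecon relabels from the policy's file contexts.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Classifies the situation the
# thread reasons about: a confined daemon (squid_t) versus the label on its pid
# file. Assumption: the expected pid-file type is squid_var_run_t.

# Extract the type field (third colon-separated field) from a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if context $1 carries type $2, 1 otherwise.
has_type() {
    [ "$(ctx_type "$1")" = "$2" ]
}

# Classify a (process domain context, file context, expected type) triple:
#   unconfined  - daemon runs as unconfined_t (started by hand, no transition
#                 to squid_t), so no denial, but also no confinement
#   confined_ok - confined domain and the file already has the expected type
#   mislabeled  - confined domain but the file has another type (e.g. var_run_t
#                 from an earlier unconfined start): relabel it and start the
#                 daemon through its init script next time
diagnose() {
    domain_type=$(ctx_type "$1")
    file_type=$(ctx_type "$2")
    expected=$3
    if [ "$domain_type" = "unconfined_t" ]; then
        echo unconfined
    elif [ "$file_type" = "$expected" ]; then
        echo confined_ok
    else
        echo mislabeled
    fi
}

# Live check for a real file; only meaningful with SELinux enabled.
# stat -c %C prints the file's context; restorecon -v resets it from policy.
check_pidfile() {
    path=$1
    expected=$2
    ctx=$(stat -c %C "$path" 2>/dev/null) || { echo "no context for $path"; return 2; }
    if has_type "$ctx" "$expected"; then
        echo "$path: $ctx (ok)"
    else
        echo "$path: $ctx, expected type $expected; fix with: restorecon -v $path"
        return 1
    fi
}

# Constructed sample matching the thread: squid confined, pid file generic.
diagnose "system_u:system_r:squid_t:s0" "unconfined_u:object_r:var_run_t:s0" squid_var_run_t
```

On a live host, `check_pidfile /var/run/squid.pid squid_var_run_t` reports the mismatch and the restorecon command to run; the lasting fix is the one the thread gives, starting confined daemons through their init script so the initrc_t transition labels the files they create.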