On Tue, 2009-06-16 at 15:10 +0100, Paul Howarth wrote:
> On 16/06/09 14:53, Dominick Grift wrote:
> > On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
> >
> >>>>> unconfined_t -> squid_exec_t -> unconfined_t
> >>>>>
> >>>>> But unconfined processes starting init scripts have a transition
> >>>>>
> >>>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> >>>>>
> >>>>> So any time you are using a confined process you should use the init
> >>>>> script to start them, otherwise you could get mislabeled files.
> >
> > The AVC denial was about squid_t trying to access var_run_t.
> >
> > If unconfined_t executed squid_exec_t then the domain would not be
> > squid_t.
> >
> > If squid would run as squid_t then the pid would not be var_run_t.
> >
> > The AVC denial does not seem to make sense. Maybe only if two squid
> > processes were running, one unconfined and one confined, that were
> > conflicting.
>
> Perhaps squid was first run unconfined, creating /var/run/squid.pid that
> was var_run_t, then run again using the initscript, causing the denial
> when trying to access the pidfile?
>
> Paul.

Yes, that is what I think happened.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
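The thread above diagnoses a squid_t-versus-var_run_t AVC denial by reasoning about which domain created the pidfile: a pidfile written by an unconfined process inherits the generic var_run_t label of /var/run, and the confined squid_t domain started later by the init script is then denied access to it. The script below is an added example, not code from the thread, from the squid policy or from the Fedora project. It parses audit lines in auditd's AVC format and flags exactly that pattern (a confined domain denied on a .pid file carrying a generic directory-inherited type), while leaving unrelated denials alone. The sample audit lines are constructed for the example, and the PIDFILE_TYPE_FOR_DOMAIN table is an assumption: on a live host the expected label comes from `matchpathcon /var/run/squid.pid` and the repair from `restorecon`.

```python
"""Flag SELinux AVC denials that match the mislabeled-pidfile pattern.

Added example: the audit lines below are constructed, not taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in auditd's AVC format; timestamps, pids and
# inode numbers are invented. Lines 1-2 are the case the thread describes,
# line 3 is an unrelated denial, line 4 is not an AVC record at all.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1245161400.101:57): avc:  denied  { read } for  pid=2741 comm="squid" name="squid.pid" dev=dm-0 ino=131094 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1245161400.102:58): avc:  denied  { write } for  pid=2741 comm="squid" name="squid.pid" dev=dm-0 ino=131094 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1245161500.300:61): avc:  denied  { name_bind } for  pid=2741 comm="squid" src=3129 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1245161400.101:57): arch=c000003e syscall=2 success=no exit=-13
"""

# Assumption for the example: which private pidfile type each confined
# domain expects. Confirm on a real host with `matchpathcon /var/run/<name>`
# instead of trusting this table.
PIDFILE_TYPE_FOR_DOMAIN = {"squid_t": "squid_var_run_t"}

# Generic types a new file inherits from its parent directory when the
# creating process (e.g. unconfined_t) has no type transition for it.
GENERIC_TYPES = {"var_run_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]*)"(?:\s+name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass
class Denial:
    perms: Tuple[str, ...]
    pid: int
    comm: str
    name: Optional[str]   # object name, absent for e.g. socket denials
    sdomain: str          # type field of scontext, e.g. squid_t
    ttype: str            # type field of tcontext, e.g. var_run_t
    tclass: str


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC 'denied' record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(
        perms=tuple(m.group("perms").split()),
        pid=int(m.group("pid")),
        comm=m.group("comm"),
        name=m.group("name"),
        sdomain=context_type(m.group("scontext")),
        ttype=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def diagnose(d: Denial) -> str:
    """Classify one denial: mislabeled pidfile (the thread's case) or other."""
    expected = PIDFILE_TYPE_FOR_DOMAIN.get(d.sdomain)
    if (d.tclass == "file" and d.name and d.name.endswith(".pid")
            and expected and d.ttype in GENERIC_TYPES):
        return (f"mislabeled pidfile: {d.name} is {d.ttype}, {d.sdomain} expects "
                f"{expected}; likely created by a process outside {d.sdomain}. "
                f"Fix: restorecon -v /var/run/{d.name}, then start via the init script.")
    return f"other denial: {d.sdomain} -> {d.ttype} ({d.tclass}, {' '.join(d.perms)})"


def analyse(audit_text: str) -> List[Tuple[int, str]]:
    """(line number, verdict) for every AVC denial in the text."""
    results = []
    for n, line in enumerate(audit_text.splitlines(), 1):
        d = parse_avc(line)
        if d is not None:
            results.append((n, diagnose(d)))
    return results


if __name__ == "__main__":
    for lineno, verdict in analyse(SAMPLE_AUDIT):
        print(f"line {lineno}: {verdict}")
```

Run as a script it prints one verdict per AVC record; the tcp_socket denial on line 3 shows the pidfile rule stays quiet for denials that merely share the squid_t source domain, and the SYSCALL record is skipped because it is not an AVC line.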