On Wed, Jul 14, 2010 at 01:09:26PM -0700, Harley Race wrote:
> Ladies and Gentlemen,
>
> I am contacting this list because I have questions about how SELinux has been implemented in Fedora/RHEL/CentOS. I am trying to write a startup script for Tomcat 5.5. I created a tomcat user and group and made sure that file permissions were set correctly. Tomcat will start, but when you do a
>
>     ps -efZ
>
> instead of tomcat running in system_u, it is running in root. If I check the pid and lock file, though permissions are set correctly, an "ls -laZ" reveals that tomcat writes the pid and lock files with the root user context instead of system_u. Same thing with log files: they are written with root:object_r:var_log_t instead of system_u:object_r:var_log_t. Any ideas on what could be going wrong? SELinux is running with the targeted policy.
>
> I tried using both runuser and daemon(), with still the same results.
>
> Startup script is attached.

Depends on the context of the process that runs the script. But the identity field in a context is not important in Red Hat distros. The type field is what I would worry about.

The "root" identity in a security context is not the same as the Linux root account. It is just an attribute used to map roles and sensitivities/compartments to Linux accounts. Basically it just tells me that a Linux login that was mapped to the root SELinux user group ran the script, or another agent did. It also tells me the script was not executed by the system (init).

You could probably run the script with the system_u field with runcon:

    runcon -u system myscript

But like I said, it's not important. The type field is important, and it looks like that is not optimal yet. (Looks like the script runs unrestricted.)

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
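The reply's point is that the first field of a context (root vs. system_u) is only an identity label, while the third field (the type, such as var_log_t or unconfined_t) is what the targeted policy actually enforces on. The following added example is not code from the thread, the poster's startup script or the list: it is a small POSIX sh helper that splits `ps -efZ` and `ls -laZ` style contexts into their fields, compares two file labels by type only, and flags a process whose domain is one of the unrestricted types. The `ps -efZ` and file-label lines embedded in it are constructed samples, not real output, and treating unconfined_t and initrc_t as "runs unrestricted" is an assumption about the targeted policy, not something the reply states.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for looking at SELinux contexts
# the way the reply suggests: ignore the identity field, look at the type.

# ctx_field CONTEXT FIELD
# Print one field of a context string.  FIELD is user, role, type or range.
# Works for both 3-field (RHEL5 style, root:object_r:var_log_t) and 4-field
# (system_u:object_r:var_log_t:s0) contexts; range is empty for the former.
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        range) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# same_type CONTEXT1 CONTEXT2
# Succeed if the two labels carry the same type, whatever their user/role/range.
# This is the comparison that matters for policy decisions; root:object_r:var_log_t
# and system_u:object_r:var_log_t:s0 are the same label as far as the type
# enforcement rules are concerned.
same_type() {
    [ "$(ctx_field "$1" type)" = "$(ctx_field "$2" type)" ]
}

# confined_type TYPE
# Succeed if TYPE looks like a confined domain.  Assumption (not from the
# thread): in the targeted policy a process left in unconfined_t or initrc_t
# is running without a domain of its own, i.e. "unrestricted".
confined_type() {
    case "$1" in
        unconfined_t|initrc_t) return 1 ;;
        *)                     return 0 ;;
    esac
}

# check_ps_line "LABEL UID PID PPID C STIME TTY TIME CMD"
# Take one line of `ps -efZ` output and print "PID TYPE confined|UNCONFINED".
check_ps_line() {
    ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    pid=$(printf '%s\n' "$1" | awk '{print $3}')
    dom=$(ctx_field "$ctx" type)
    if confined_type "$dom"; then
        printf '%s %s confined\n' "$pid" "$dom"
    else
        printf '%s %s UNCONFINED\n' "$pid" "$dom"
    fi
}

# audit_ps
# Read `ps -efZ` lines on stdin (header already stripped) and check each one.
# Live usage on a box with SELinux:   ps -efZ | grep '[t]omcat' | audit_ps
audit_ps() {
    while IFS= read -r line; do
        [ -n "$line" ] && check_ps_line "$line"
    done
}

# Constructed sample output (not captured from a real system).
SAMPLE_PS='root:system_r:unconfined_t:s0 tomcat 4242 1 0 12:00 ? 00:00:05 /usr/bin/java
system_u:system_r:httpd_t:s0 apache 1234 1 0 12:00 ? 00:00:01 /usr/sbin/httpd'

# Stand-alone demo: the java process is flagged, httpd is not, and the two
# log labels from the original question differ only in the identity field.
printf '%s\n' "$SAMPLE_PS" | audit_ps
if same_type root:object_r:var_log_t system_u:object_r:var_log_t:s0; then
    echo 'var_log_t labels: same type, identity field differs only'
fi
```

Run it as-is to see the constructed samples checked; on a real host feed the `ps -efZ` lines in through `audit_ps` and compare two `ls -laZ` labels with `same_type`. A process reported as UNCONFINED is the situation the reply describes as "the script runs unrestricted", and is what needs attention before the user field does.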