On 08/22/2012 09:36 PM, Michael Hampton wrote:
> I am trying to write a SELinux policy for a daemon which will be started from an init script on CentOS 6. I seem to be most of the way there, except when running its init script (with "service bitcoin start"), the daemon starts and runs as unconfined_u:
>
> ps -eZ | grep bitcoin
> unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind
>
> I generated the policy using selinux-polgengui which was included with CentOS 6 selecting "Standard Init Daemon".
>
> The init script seems to be correctly labeled:
>
> root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
> -rwxr-xr-x. root root system_u:object_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin
>
> The daemon also seems to be correctly labeled:
>
> root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
> -rwxr-xr-x. root root system_u:object_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind
>
> The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if necessary.
>
> I expected the daemon to run as system_u. When the system boots, the daemon is started as system_u as expected, but not when I start or restart it with 'service bitcoin restart'. What's going on here and how do I fix it?
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
If you execute
# run_init service bitcoin restart
on CentOS 6 you will end up with system_u as you expect. Basically if
you execute a service script as unconfined_u, then your identity is not
supposed to be changed.
Regards,
Miroslav
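As an added check (not part of this thread), the following script scans `ps -eZ` style output for processes in a given domain whose SELinux user is not system_u, which is exactly the symptom above: a daemon restarted from an unconfined shell without run_init. The sample input is constructed; on a real host you would pipe in `ps -eZ`.

```sh
#!/bin/sh
# Added example, not from the mailing list thread.
# Flags processes in a given SELinux domain type whose SELinux user is not
# system_u, i.e. daemons that inherited unconfined_u from the admin's shell
# instead of being started through init or run_init.
#
# Usage on a live system:   ps -eZ | flag_nonsystem_daemons bitcoin_t
# Prints "PID CMD LABEL" for each offending process; prints nothing if clean.
flag_nonsystem_daemons() {
    domain="$1"
    awk -v want="$domain" '
        NR == 1 && $1 == "LABEL" { next }   # skip the ps header line
        {
            n = split($1, f, ":")           # label is user:role:type[:level]
            if (n < 3) next
            if (f[3] == want && f[1] != "system_u")
                print $2, $NF, $1
        }'
}

# Constructed sample of ps -eZ output (not a capture from a real host).
SAMPLE_PS='LABEL                           PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023  1001 ?   00:00:00 sshd
unconfined_u:system_r:bitcoin_t:s0 19993 ?        00:00:00 bitcoind
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 20000 pts/0 00:00:00 bash'

# Runs the check against the constructed sample for the given domain type.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_nonsystem_daemons "$1"
}

check_sample bitcoin_t
```

Once the daemon has been restarted via run_init as suggested above, the same check should print nothing for bitcoin_t.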