On Mon, 2008-02-04 at 18:08 +0000, Eoin Ryan wrote:
> Hi All,
>
> Apologies in advance if this is slightly off topic. Over the last few
> years I've gained some experience with SELinux using the targeted
> policy, but now after discovering the new support in RHEL5 I've
> decided to learn about the strict/mls policies and hopefully
> contribute in some way one day.
>
> I have a test RHEL5 system running the strict policy, but I'm confused
> about how services/daemons can be controlled by the superuser. The
> sysadm_t does not have permission to execute initrc_exec_t, but does
> have permission to execute /usr/sbin/httpd directly as it's
> httpd_exec_t. The type_transition rules allow mainly the system
> startup types (init_t etc) to transition to initrc_exec_t, but there
> is no transition from sysadm_t defined. This seems to say that
> services can only be started and stopped during bootup and shutdown.
>
> Am I missing something here, or does a transition to initrc_exec_t
> need to be defined for some SELinux user via a policy module? Sorry
> if my terminology is a little off.

Depends on your policy build settings. If DIRECT_INITRC was set to n in
build.conf, then you have to use run_init to run init scripts from an
admin shell, so you can do:

    run_init /etc/init.d/httpd restart

--
Stephen Smalley
National Security Agency
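The run_init route described in the reply, as an added example that is not part of the original thread: a small checker that walks `type_transition` rules to show how an admin shell reaches the init script domain. The rule set is constructed and simplified to model a DIRECT_INITRC=n build (it is not dumped from a real policy), and `transition_path` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed, simplified rules modelling a DIRECT_INITRC=n build:
# sysadm_t has no direct transition on initrc_exec_t, only via run_init.
RULES='type_transition init_t initrc_exec_t : process initrc_t;
type_transition sysadm_t run_init_exec_t : process run_init_t;
type_transition run_init_t initrc_exec_t : process initrc_t;
type_transition initrc_t httpd_exec_t : process httpd_t;'

# transition_path FROM TO (hypothetical helper)
# Breadth-first search over the rules above. Prints the shortest chain
# "FROM -[entrypoint type]-> ... -> TO" and returns 0, or returns 1
# when no chain of domain transitions leads from FROM to TO.
transition_path() {
    printf '%s\n' "$RULES" | awk -v from="$1" -v to="$2" '
        $1 == "type_transition" && $5 == "process" {
            sub(/;$/, "", $6)            # strip the trailing semicolon
            n++; src[n] = $2; exe[n] = $3; dst[n] = $6
        }
        END {
            path[from] = from; queue[1] = from; head = 1; tail = 1
            while (head <= tail) {
                cur = queue[head++]
                if (cur == to) { print path[cur]; exit 0 }
                for (i = 1; i <= n; i++)
                    if (src[i] == cur && !(dst[i] in path)) {
                        path[dst[i]] = path[cur] " -[" exe[i] "]-> " dst[i]
                        queue[++tail] = dst[i]
                    }
            }
            exit 1
        }'
}

# Admin shell: the only route to initrc_t goes through run_init.
transition_path sysadm_t initrc_t
# Boot path: init_t executes the init script directly.
transition_path init_t initrc_t
```

On a live system, the rules to feed in would come from a policy query tool such as `sesearch` rather than the constructed list above.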