Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On Mar 7, 2008, at 3:08 PM, Daniel J Walsh wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:

On Thu, 2008-03-06 at 16:45 -0500, Daniel J Walsh wrote:

Stephen Smalley wrote:

On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
Upstart spawns a shell during boot and, without this patch, it will transition to the sysadm_t domain, but remain in the system_r role. Services started by that shell will fail to start, even in permissive mode, if system_u:system_r:sysadm_someservice_t is an invalid context. We really don't want to be starting services from the sysadm_t domain 
during boot.
So it should probably transition to initrc_t, so apps started this way 
would have a chance of transitioning properly.


No, the shell will execute /etc/rc.d/rc to start processing the init
scripts, and thats when it'll transition to initrc_t.  If we do it on
shell execution, it may cause problems for things executed directly out 
of init, like getty.


Ok corecmd_exec_shell then.


The attached patch works for me.

joe

Attachment: init.te.patch
Description: Binary data
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux