-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jan-Frode Myklebust wrote:
| On Wed, May 14, 2008 at 09:39:52AM -0400, Daniel J Walsh wrote:
|> The problem is exactly the opposite of what you are asking.
|> unconfined_t transitions to very few domains currently while initrc_t
|> transitions to many. unconfined_t is a logged in user domain. So I
|> would not run init scripts as unconfined_t.
|
| Please, please, pretty please, may I be allowed to run a critical
filesystem
| and high availability solution unconfined until the vendors of these
implement
| and certify them for selinux? ;-)
|
|> The better answer is to fix the avc's that you are seeing when trying to
|> run ifconfig from initrc. What avc's are you seeing?
|
| I haven't tried running in permissive, so there will likely be more than
| these, but that's what I've got right now:
|
| type=AVC msg=audit(1210760976.747:24): avc: denied { read write }
for pid=4739 comm="ifconfig" path="socket:[17163]" dev=sockfs ino=17163
scontext=user_u:system_r:ifconfig_t:s0
tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket
| type=AVC msg=audit(1210758692.381:10): avc: denied { read } for
pid=4137 comm="mount" path="eventpoll:[17363]" dev=eventpollfs ino=17363
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=file
| type=AVC msg=audit(1210758684.281:6): avc: denied { append } for
pid=3763 comm="umount"
path="/var/adm/ras/mmfs.log.2008.05.14.11.51.24.lagring2" dev=dm-2
ino=720912 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file
| type=AVC msg=audit(1210758692.378:9): avc: denied { relabelfrom }
for pid=4136 comm="mount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
| type=AVC msg=audit(1210758692.381:10): avc: denied { read } for
pid=4137 comm="mount" path="eventpoll:[17360]" dev=eventpollfs ino=17360
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=file
|
|
|
| -jf
You are running unconfined. But your application is execing confined
applications. ifconfig and mount.
Looking at the above AVC messages Most seem to be leaked file
descriptors from your application and can be ignored.
The one to be concerned about is mounting of the unlabeled_t file
system. This looks like you have a file system that SELinux does not
know about?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkgq/foACgkQrlYvE4MpobOMvACcDDWEOGburB5E1M7syyqVNLfm
XlsAn0tBo1q6NwnrPT3zTk+hO9sL/MK6
=srG9
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
