On Fri, 2008-07-25 at 15:42 +1000, Murray McAllister wrote:
> Hi,
>
> On Red Hat Enterprise Linux 5 (policy-targeted), I run my main user
> account as "user_u:system_r:unconfined_t". When I do a "sudo service
> httpd start", httpd runs as "user_u:system_r:httpd_t".
>
> On Fedora 9 (policy-targeted), I run my main user account as
> "unconfined_u:unconfined_r:unconfined_t". When I do a "sudo service
> httpd start", httpd runs as "unconfined_u:system_r:httpd_t".
>
> "httpd.conf" is configured on each system to run as the user and group
> "apache".
>
> With regards to Fedora 9, am I doing something wrong? Is it okay for the
> SELinux user to be "unconfined_u" for services?
>
> Thanks for any advice,

It is non-ideal but not a vulnerability (since the TE policy governs what domains can be reached from the service domain, e.g. httpd_t). Ideally it would be transitioned to system_u. Requires SELinux to support automatic user identity transitions, something we didn't expect would be needed since user identity is normally set explicitly by programs. SELinux has a "run_init" program that will explicitly transition into a system context for restarting system services, but it isn't integrated into /sbin/service and friends - early on in Fedora SELinux integration, they ran into problems with seamlessly making it work with existing usage patterns.

There have been some preliminary patches floated to add user identity transitions to SELinux. Not sure what the status is on that - Joshua?
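The reply above distinguishes the three components of a context (SELinux user, role, type) and notes that a service started from an administrator's shell ideally ends up under system_u. The following is an added audit script, not part of the thread or of any SELinux tool: it reads `ps -eZ`-style lines and flags every process running in the system_r role whose SELinux user is anything other than system_u. The input below is a constructed sample in the column layout `ps -eZ` prints (LABEL PID TTY TIME CMD); on a live system you would pipe the real `ps -eZ` output into `audit_contexts` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): audit process contexts for
# system services whose SELinux user field is not system_u.

# Constructed sample in `ps -eZ` column order: LABEL PID TTY TIME CMD.
# (The real command also prints a header line; it is skipped because its
# LABEL column contains no colon and therefore no system_r role.)
SAMPLE_PS='system_u:system_r:init_t:s0               1 ?        00:00:01 init
system_u:system_r:sshd_t:s0               1012 ?        00:00:00 sshd
unconfined_u:system_r:httpd_t:s0          2201 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0          2202 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 1450 pts/0    00:00:00 bash
user_u:system_r:httpd_t:s0                3300 ?        00:00:00 httpd'

# Print the SELinux user (first colon-separated component) of a context.
context_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Print the role (second component) of a context.
context_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Print the type (third component) of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read ps -eZ lines on stdin; print "PID CMD LABEL" for each process that
# runs in the system_r role but not under the system_u SELinux user.
# Interactive shells (unconfined_r) are left alone: the concern in the
# thread is system services carrying a login user's identity.
audit_contexts() {
    while read -r label pid tty time cmd; do
        [ "$(context_role "$label")" = "system_r" ] || continue
        [ "$(context_user "$label")" = "system_u" ] && continue
        printf '%s %s %s\n' "$pid" "$cmd" "$label"
    done
}

# Number of flagged processes in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_PS" | audit_contexts | wc -l | tr -d ' '
}
```

On the constructed sample the two httpd workers started from an unconfined_u shell and the one started from a user_u shell are reported, while init and sshd (system_u) and the interactive bash (unconfined_r) are not. To run it against a live machine: `ps -eZ | audit_contexts`.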