Stephen Smalley wrote:
> On Fri, 2008-07-25 at 15:42 +1000, Murray McAllister wrote:
>> Hi,
>>
>> On Red Hat Enterprise Linux 5 (policy-targeted), I run my main user
>> account as "user_u:system_r:unconfined_t". When I do a "sudo service
>> httpd start", httpd runs as "user_u:system_r:httpd_t".
>>
>> On Fedora 9 (policy-targeted), I run my main user account as
>> "unconfined_u:unconfined_r:unconfined_t". When I do a "sudo service
>> httpd start", httpd runs as "unconfined_u:system_r:httpd_t".
>>
>> "httpd.conf" is configured on each system to run as the user and
>> group "apache".
>>
>> With regards to Fedora 9, am I doing something wrong? Is it okay for
>> the SELinux user to be "unconfined_u" for services?
>>
>> Thanks for any advice,
>
> It is non-ideal but not a vulnerability (since the TE policy
> governs what domains can be reached from the service domain, e.g.
> httpd_t).
>
> Ideally it would be transitioned to system_u. Requires
> SELinux to support automatic user identity transitions,
> something we didn't expect would be needed since user
> identity is normally set explicitly by programs. SELinux has
> a "run_init" program that will explicitly transition into a
> system context for restarting system services, but it isn't
> integrated into /sbin/service and friends - early on in
> Fedora SELinux integration, they ran into problems with
> seamlessly making it work with existing usage patterns.
>
> There have been some preliminary patches floated to add user
> identity transitions to SELinux. Not sure what the status is
> on that - Joshua?

I dropped them when Ubuntu worked around the issue in policy. I can dig
them out again but I'm not sure it's worth bumping the policy version just
for this and not convinced it's entirely necessary anyway.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
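The thread turns on one observable: a daemon in the system_r role carrying a login user's SELinux identity (user_u or unconfined_u) rather than system_u. The check below is an added example, not code from the thread or from the SELinux project. It parses `ps -eo label,pid,comm` style output (the constructed sample mirrors the contexts quoted above) and reports every process whose role is system_r but whose SELinux user is not system_u. The function name `flag_nonsystem_services` and the `demo` wrapper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find daemons that were started from a user session and so
# inherited a non-system SELinux identity (the situation described in the
# thread). Input format assumed: the output of `ps -eo label,pid,comm`,
# i.e. "user:role:type[:level] PID COMMAND", one process per line.
flag_nonsystem_services() {
    awk '
    # Skip the ps header line if the caller left it in.
    NR == 1 && $1 == "LABEL" { next }
    {
        n = split($1, ctx, ":")
        # "-" (unlabeled) or a malformed label has fewer than three fields.
        if (n < 3) next
        user = ctx[1]; role = ctx[2]; type = ctx[3]
        # A system_r process should carry the system_u identity; anything
        # else is the "non-ideal" case from the thread.
        if (role == "system_r" && user != "system_u")
            printf "%s pid=%s type=%s user=%s\n", $3, $2, type, user
    }'
}

# Constructed sample input (not captured from a real host). The two httpd
# entries reproduce the RHEL 5 and Fedora 9 contexts quoted in the thread.
SAMPLE='LABEL                                   PID COMMAND
system_u:system_r:init_t                  1 init
unconfined_u:unconfined_r:unconfined_t 2310 bash
unconfined_u:system_r:httpd_t          3102 httpd
user_u:system_r:httpd_t                3103 httpd
system_u:system_r:sshd_t               1543 sshd'

# Run the check over the constructed sample; on a live system use
#   ps -eo label,pid,comm | flag_nonsystem_services
demo() {
    printf '%s\n' "$SAMPLE" | flag_nonsystem_services
}

demo
```

On a real host the two flagged httpd processes are the ones to restart through a path that sets the system identity explicitly; the thread names `run_init` as the program that does that. The sshd and init entries are not reported because they already run as system_u, and the interactive bash shell is not reported because it is not in the system_r role.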