On Fri, 2008-07-25 at 11:50 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Fri, 2008-07-25 at 15:42 +1000, Murray McAllister wrote:
> >> Hi,
> >>
> >> On Red Hat Enterprise Linux 5 (policy-targeted), I run my main user
> >> account as "user_u:system_r:unconfined_t". When I do a "sudo service
> >> httpd start", httpd runs as "user_u:system_r:httpd_t".
> >>
> >> On Fedora 9 (policy-targeted), I run my main user account as
> >> "unconfined_u:unconfined_r:unconfined_t". When I do a "sudo service
> >> httpd start", httpd runs as "unconfined_u:system_r:httpd_t".
> >>
> >> "httpd.conf" is configured on each system to run as the user and
> >> group "apache".
> >>
> >> With regards to Fedora 9, am I doing something wrong? Is it okay for
> >> the SELinux user to be "unconfined_u" for services?
> >>
> >> Thanks for any advice,
> >
> > It is non-ideal but not a vulnerability (since the TE policy
> > governs what domains can be reached from the service domain, e.g.
> > httpd_t).
> >
> > Ideally it would be transitioned to system_u. Requires
> > SELinux to support automatic user identity transitions,
> > something we didn't expect would be needed since user
> > identity is normally set explicitly by programs. SELinux has
> > a "run_init" program that will explicitly transition into a
> > system context for restarting system services, but it isn't
> > integrated into /sbin/service and friends - early on in
> > Fedora SELinux integration, they ran into problems with
> > seamlessly making it work with existing usage patterns.
> >
> > There have been some preliminary patches floated to add user
> > identity transitions to SELinux. Not sure what the status is
> > on that - Joshua?
>
> I dropped them when Ubuntu worked around the issue in policy. I can dig
> them out again but I'm not sure it's worth bumping the policy version
> just for this and not convinced it's entirely necessary anyway. It has
> been a long-standing problem with SELinux.

As I said at the time, I think it is worth adding the user transition
support - I just didn't want to rush the merging of it to suit the
Ubuntu schedule.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
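The situation the thread describes (a service such as httpd carrying the SELinux user of whoever ran "sudo service", rather than system_u) is easy to spot from "ps -eZ" output. The script below is an added example, not code from the thread or the SELinux project: it parses ps output and reports processes in the system_r role whose SELinux user is not system_u. The ps output is a constructed sample modelled on the contexts quoted above; on a live system, pipe the real "ps -eZ" into the same function.

```shell
#!/bin/sh
# Added example: flag service processes whose SELinux user identity is not
# system_u. Not part of the original mailing-list thread.

# Constructed sample of "ps -eZ" output (LABEL PID TTY TIME CMD), using the
# contexts quoted in the thread plus an MLS level as Fedora 9 would show it.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 init
unconfined_u:system_r:httpd_t:s0  2345 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 2400 pts/0 00:00:00 bash
system_u:system_r:crond_t:s0       910 ?        00:00:00 crond'

# Read "ps -eZ" output on stdin; print "<pid> <cmd> <context>" for every
# process running in system_r whose SELinux user is not system_u.
# The context is field 1 and splits on ":" into user:role:type[:level].
find_nonsystem_services() {
    awk 'NR > 1 {
        split($1, ctx, ":")
        user = ctx[1]; role = ctx[2]
        if (role == "system_r" && user != "system_u")
            print $2, $5, $1
    }'
}

# Number of flagged processes in the sample, handy as a cron-driven check
# (non-zero means some service inherited a non-system SELinux user).
count_nonsystem_services() {
    printf '%s\n' "$SAMPLE_PS" | find_nonsystem_services | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PS" | find_nonsystem_services
```

For the sample above only the httpd line is reported; on a real host, replace the sample with `ps -eZ | find_nonsystem_services`.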