Hello, On a RHEL5.3 system, I am trying to run snmpd in a different domain (not system_u:system_r:snmpd_t )if someone tries to run a specific init script I provide : i.e if someone executes /etc/init.d/ft-snmp, snmpd runs in system_u:system_r:ftsnmpd_t or else it runs in system_u:system_r:snmpd_t. Does this make sense or I am missing something ? To try this out, I thought of changing the file context of /etc/init.d/ft-snmp to system_u:object_r:ftsnmp_initrc_exec_t and then using domain_auto_trans() on it. My preliminary fc and te files are here : [root@icefyres devel]# cat lsb-ft-snmp.te policy_module(lsb-ft-snmp,2.1.0) type ftsnmp_t; domain_type(ftsnmp_t) type ftsnmp_exec_t; domain_entry_file(ftsnmp_t, ftsnmp_exec_t) type ftsnmp_log_t; logging_log_file(ftsnmp_log_t) type ftsnmp_tmp_t; files_tmp_file(ftsnmp_tmp_t) type ftsnmp_initrc_exec_t; [root@icefyres devel]# cat lsb-ft-snmp.fc /opt/ft/sbin/ftlsubagent -- gen_context(system_u:object_r:ftsnmp_exec_t,s0) /opt/ft/sbin/ftltrapsubagent -- gen_context(system_u:object_r:ftsnmp_exec_t,s0) /etc/init.d/ft-snmp -- gen_context(system_u:object_r:ftsnmp_initrc_exec_t:s0) After loading lsb-ft-snmp.pp and relabeling the file system, I see that although, ftlsubagent and ftltrapsubagent have the intended contexts (system_u:object_r:ftsnmp_exec_t), /etc/init.d/ft-snmp's context is still system_u:object_r:initrc_exec_t and not system_u:object_r:ftsnmp_initrc_exec_t Is this the correct way to change the context of the ft-snmp init script ? Thanks, Bandan -- BSD -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
