Sorry for opening the old discussion again. If you don't ML logs in local, please see the archives: http://marc.info/?t=114825463100001&r=1&w=2 Christopher J. PeBenito wrote: > I agree with James on this, I don't think we want to impose semantics in > the MCS categories, and that this > >> Another possibility is to have the ability to configure which categories are >> assigned to a daemon via run_init or some similar program. It would not be >> difficult to read a config file that maps the domain of a daemon to the range >> that should be granted to it. > > is useful so that if users do want to run a daemon with categories, they > can. Is it still unavailable on the current SELinux userspace utilities, isn't it? If we could start the init-scripts via runcon by hand, it seems to me the daemon processes performs with multi categories. | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart | Stopping httpd: [ OK ] | Starting httpd: [ OK ] | [root@saba ~]# ps -AZ | grep httpd | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd | : But it is unavailable when the system kicks init-script on startup time. Is there any good idea? In the recent days, I'm working for an apache module (mod_selinux.so) which launches web application handler under an individual security context based on http-authentication. I'm looking for the way to assign a few dozens of categories on httpd server processes which are launched at system startup time. Thanks, -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@xxxxxxxxxxxxx> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
