KaiGai Kohei wrote:
> Sorry for opening the old discussion again.
>
> If you don't have the ML logs locally, please see the archives:
> http://marc.info/?t=114825463100001&r=1&w=2
>
> Christopher J. PeBenito wrote:
>> I agree with James on this, I don't think we want to impose semantics in
>> the MCS categories, and that this
>>
>>> Another possibility is to have the ability to configure which categories are
>>> assigned to a daemon via run_init or some similar program. It would not be
>>> difficult to read a config file that maps the domain of a daemon to the range
>>> that should be granted to it.
>>
>> is useful so that if users do want to run a daemon with categories, they
>> can.
>
> It is still unavailable in the current SELinux userspace utilities, isn't it?

Shall we start to implement an extension of run_init and others based on
Russell's idea above?

Now, I have a plan to store configuration files at:
  /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
or
  /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions
and add a new option to run_init as:
  run_init [-n <daemon>] <script> [<args> ...]
It is intended to look up the per-daemon default range instead of the one in
initrc_contexts.

And add a bit of hacks to the /etc/rc.d/rc script, which launches daemon
scripts when the run-level is changed. (Maybe it is necessary to launch them
via "runcon -l" when the given daemon has its own range.)
The last also needs a discussion on the Fedora developers' list.

Dan, do you think it is a hopeful proposition?

Thanks,

> If we could start the init-scripts via runcon by hand, it seems to me the
> daemon processes perform with multiple categories.
>
> | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
> | Stopping httpd: [ OK ]
> | Starting httpd: [ OK ]
> | [root@saba ~]# ps -AZ | grep httpd
> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
> | :
>
> But it is unavailable when the system kicks init-scripts at startup time.
> Is there any good idea?
>
> In recent days, I'm working on an apache module (mod_selinux.so) which
> launches the web application handler under an individual security context
> based on HTTP authentication.
> I'm looking for a way to assign a few dozen categories to httpd server
> processes which are launched at system startup time.
>
> Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
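The "/etc/rc.d/rc hack" sketched in the message, as an added example that is not part of the thread and not code from the SELinux userspace or from KaiGai's proposal: a small POSIX sh wrapper that decides, per daemon, whether an init script should go through plain run_init or through "runcon -l <range>". The per-daemon config files proposed above do not exist yet, so the example assumes a hypothetical one-line-per-daemon map ("<daemon> <range>", '#' comments) and embeds a constructed copy of it inline instead of reading /etc/selinux/${POLICY_TYPE}/contexts/initrc/. It only builds and prints the command line (dry run), so it can be exercised on a machine without SELinux; the range syntax check is there so that a typo in the config cannot turn into an arbitrary argument to runcon.

```shell
#!/bin/sh
# Hypothetical rc wrapper: pick run_init or "runcon -l <range>" per daemon.
# Example code, not part of the selinux userspace; the config format is assumed.

# Constructed sample of the assumed per-daemon range map. On a real system this
# would be read from /etc/selinux/${POLICY_TYPE}/contexts/initrc/<daemon> or a
# format-extended initrc_contexts; "badrange" shows how a bad entry is rejected.
SAMPLE_CONF='# daemon      MLS/MCS range
httpd         s0-s0:c0.c255
postgresql    s0-s0:c0.c31
badrange      s0:cX
'

# Range granted when a daemon has no entry of its own (plain run_init path).
DEFAULT_RANGE=s0

# valid_range RANGE: succeed if RANGE looks like an MLS/MCS range, e.g.
# "s0", "s0:c0.c255", "s0-s0:c0.c255" or "s0:c1,c5". Rejecting anything else
# keeps malformed config from reaching runcon's command line.
valid_range() {
  printf '%s\n' "$1" |
    grep -Eq '^s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?$'
}

# daemon_range DAEMON: print the configured range for DAEMON, or DEFAULT_RANGE
# when none is configured. Fails (exit 1) on a malformed entry.
daemon_range() {
  range=$(printf '%s\n' "$SAMPLE_CONF" |
    awk -v d="$1" '$1 !~ /^#/ && $1 == d { print $2; exit }')
  if [ -z "$range" ]; then
    printf '%s\n' "$DEFAULT_RANGE"
  elif valid_range "$range"; then
    printf '%s\n' "$range"
  else
    echo "daemon_range: invalid range for $1: $range" >&2
    return 1
  fi
}

# launch_cmd DAEMON [ACTION]: print the command /etc/rc.d/rc would run.
# Daemons with their own range are started via "runcon -l <range>" so the
# init script (and whatever it execs) inherits that level; everything else
# keeps the usual run_init path and therefore the initrc_contexts default.
launch_cmd() {
  daemon=$1
  action=${2:-start}
  range=$(daemon_range "$daemon") || return 1
  script="/etc/init.d/$daemon"
  if [ "$range" = "$DEFAULT_RANGE" ]; then
    printf 'run_init %s %s\n' "$script" "$action"
  else
    printf 'runcon -l %s %s %s\n' "$range" "$script" "$action"
  fi
}

# Dry-run demonstration (nothing is executed, only printed):
launch_cmd httpd restart
launch_cmd sshd
```

Note that runcon -l changes only the level of the context; the domain is whatever the caller and the init script's transition rules produce, which is why the quoted ps output still shows unconfined_t for httpd when the script is restarted from an unconfined root shell.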