On Wed, Oct 3, 2012 at 9:14 PM, Sven Vermeulen <sven.vermeulen@xxxxxxxxx> wrote:
> On Sun, Sep 30, 2012 at 7:48 PM, Sven Vermeulen
> <sven.vermeulen@xxxxxxxxx> wrote:
>> The "Authenticating root." is normal. The execvp error isn't. I get
>> the following denial, but I don't think this is the cause of the error
>> (mainly because it worked previously):
>>
>> Sep 30 19:44:02 testsys kernel: [20516.783063] type=1400
>> audit(1349027042.720:264): avc: denied { entrypoint } for pid=20672
>> comm="run_init" path="/sbin/rc-service" dev="vda1" ino=2373161
>> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:bin_t
>> tclass=file
> [...]
>
> OK so allowing the following fixes the behavior, yet I'm still not
> aware why and if this additional rule is really a good idea. Of
> course, without any transition permission, having an entrypoint has no
> real threats with it, does it?
>
> """
> allow initrc_t bin_t:file entrypoint;
> """

Hmm, sorry for replying to my own stuff here (I should wait with
hitting send until I've slept a good while). There are already quite a
few transitions possible towards initrc_t, and marking bin_t as an
entrypoint doesn't make much sense...

Wkr,
  Sven Vermeulen
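
Added example, not part of the original message and not code from any SELinux tool: a small Python parser for the AVC denial quoted above that derives the allow rule the denial corresponds to and notes what an entrypoint grant on the target type implies. The function names are hypothetical and the sample line is rebuilt from the quoted log with the line wraps removed.

```python
import re

# Constructed sample: the denial quoted in the message, joined onto one line.
SAMPLE = (
    'Sep 30 19:44:02 testsys kernel: [20516.783063] type=1400 '
    'audit(1349027042.720:264): avc: denied { entrypoint } for pid=20672 '
    'comm="run_init" path="/sbin/rc-service" dev="vda1" ino=2373161 '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:bin_t '
    'tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def type_of(context):
    # A context is user:role:type[:mls-range]; the type is the third field.
    return context.split(':')[2]

def candidate_rule(avc):
    """Build the allow rule that would silence this denial (what audit2allow-style tools emit)."""
    src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {tgt}:{avc['tclass']} {perm_str};"

def review_notes(avc):
    """Point out what the rule grants beyond the single file named in the denial."""
    notes = []
    if avc['tclass'] == 'file' and 'entrypoint' in avc['perms']:
        dom, ftype = type_of(avc['scontext']), type_of(avc['tcontext'])
        notes.append(
            f"entrypoint applies to every file labelled {ftype}, not only "
            f"{avc.get('path', '?')}: any domain allowed to transition to {dom} "
            f"and execute {ftype} files could then enter {dom} through them"
        )
    return notes

if __name__ == '__main__':
    avc = parse_avc(SAMPLE)
    print(candidate_rule(avc))
    print('\n'.join(review_notes(avc)))
```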