Re: extras package that require changes in selinux-policy (initng)
- From: Stephen Smalley <sds tycho nsa gov>
- To: dragoran <dragoran feuerpokemon de>
- Cc: fedora-extras-list redhat com, Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: extras package that require changes in selinux-policy (initng)
- Date: Thu, 02 Feb 2006 12:49:17 -0500
On Thu, 2006-02-02 at 18:07 +0100, dragoran wrote:
> checked this and found out that initng does not execute any scripts.
> the "scripts" are just files that contain infos about which daemon
> should be started and which deps it has.
> this results in hald being started directly from initng using execv().
> This results in hald (and other services) run as init_t. If I put
> /sbin/service hald start into the exec line hald runs as hald_t.
> Why is a script required to get into the correct domain? Is there any
> way to fix this without adding setexeccon() for every daemon?
The current policy only defines domain transitions from init (init_t) to
rc (initrc_t) -> daemons. It doesn't define direct domain transitions
from init_t to the daemon domains, except for a few cases where that has
been necessary (getty, gdm). The policy could certainly also include
additional transitions directly from init_t to the daemon domains, and
that would work, but it will bloat the policy a bit to include both sets
of transitions. The script isn't required; it just happens to be the
current init approach, so that is what policy was written for. Adding
setexeccon() to every daemon wouldn't be desirable or helpful.
--
Stephen Smalley
National Security Agency
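
What one direct init_t -> hald_t transition takes in policy, as an added example that is not part of the original message or of the Fedora policy. The module name `initng_hald` is hypothetical, and `hald_exec_t` as the label on the hald binary is an assumption.

```te
# Added illustration, not from the thread. Module name is hypothetical;
# hald_exec_t as the file label of the hald binary is an assumption.
module initng_hald 1.0;

require {
    type init_t;
    type hald_t;
    type hald_exec_t;
    class process { transition sigchld };
    class file { getattr read execute entrypoint };
    class fd use;
}

# Existing path described in the message: init_t -> initrc_t -> daemon domain.
# The rules below add the direct path for a single daemon.

# Default domain for the new process when init_t executes a hald_exec_t file.
type_transition init_t hald_exec_t:process hald_t;

# The three permissions checked for the transition itself.
allow init_t hald_exec_t:file { getattr read execute };  # caller may execute the file
allow init_t hald_t:process transition;                  # caller may change into hald_t
allow hald_t hald_exec_t:file entrypoint;                # file may be used to enter hald_t

# Companions: the child uses inherited descriptors and reports exit to its parent.
allow hald_t init_t:fd use;
allow hald_t init_t:process sigchld;

# Every other daemon started directly from init_t needs the same set again,
# on top of the initrc_t transitions already in policy.
```

On current kernels the file class also has an `open` permission, which the first allow rule would need.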