Re: squid denial on F11 for var_run_t
- From: Dominick Grift <domg472 gmail com>
- To: Paul Howarth <paul city-fan org>
- Cc: Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: squid denial on F11 for var_run_t
- Date: Tue, 16 Jun 2009 16:13:22 +0200
On Tue, 2009-06-16 at 15:10 +0100, Paul Howarth wrote:
> On 16/06/09 14:53, Dominick Grift wrote:
> > On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
> >
> >>>>> unconfined_t -> squid_exec_t -> unconfined_t
> >>>>>
> >>>>> But unconfined processes starting init scripts have a transition
> >>>>>
> >>>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> >>>>>
> >>>>> So any time you are using a confined process you should use the init
> >>>>> script to start them, otherwise you could get mislabeled files.
> >
> > The AVC denial was about squid_t trying to access var_run_t.
> >
> > If unconfined_t executed squid_exec_t then the domain would not be
> > squid_t.
> >
> > If squid would run as squid_t then the pid would not be var_run_t.
> >
> > The AVC denial does not seem to make sense. Maybe only if two squid
> > processes were running, one unconfined and one confined, that were
> > conflicting.
>
> Perhaps squid was first run unconfined, creating /var/run/squid.pid that
> was var_run_t, then run again using the initscript, causing the denial
> when trying to access the pidfile?
>
> Paul.
Yes, that is what I think happened.
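The scenario Paul describes (a pid file created by an unconfined process keeps the generic var_run_t label, and the confined squid_t daemon started later by the init script is then denied access to it) shows up in the audit log as an AVC denial whose source domain is a daemon domain and whose target type is a generic type rather than the daemon's private one. The following Python script is an added example, not code from the thread or from Fedora; it parses constructed sample audit lines of the standard AVC format, flags that pattern, and suggests the restorecon call that would relabel the file. The mapping of squid_t plus var_run_t to the private type squid_var_run_t is an assumption taken from the reference policy's squid module, not something the thread states.

```python
import re

# Constructed sample audit lines (not from the original thread). The two
# pid-file lines model the squid_t -> var_run_t denial discussed above; the
# third is an unrelated denial that the check should leave alone.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1245158002.123:45): avc:  denied  { read write } for  pid=2345 comm="squid" name="squid.pid" dev=tmpfs ino=5678 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1245158003.456:46): avc:  denied  { getattr } for  pid=2345 comm="squid" path="/var/run/squid.pid" dev=tmpfs ino=5678 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1245158010.000:47): avc:  denied  { name_bind } for  pid=2345 comm="squid" src=8080 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

# Shape of an AVC denial: "avc: denied { perms } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source domain, generic target type) -> private type the daemon's files
# should carry. Assumption: squid_var_run_t is the refpolicy type for squid's
# pid file; extend this table for other daemons as needed.
EXPECTED_PRIVATE_TYPE = {
    ("squid_t", "var_run_t"): "squid_var_run_t",
}


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is the third component.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_mislabeled(audit_text):
    """Flag denials where a confined daemon hits a generic type instead of its private one."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        expected = EXPECTED_PRIVATE_TYPE.get((rec["sdomain"], rec["ttype"]))
        if expected is None:
            continue  # not the mislabeled-file pattern
        # The kernel logs either a full path or just the final name component.
        target = rec.get("path") or rec.get("name") or "?"
        fix = f"restorecon -v {target}" if target.startswith("/") else "restorecon -Rv /var/run"
        findings.append({
            "domain": rec["sdomain"],
            "actual": rec["ttype"],
            "expected": expected,
            "target": target,
            "fix": fix,
        })
    return findings


if __name__ == "__main__":
    for f in find_mislabeled(SAMPLE_AUDIT):
        print(f"{f['domain']} denied on {f['target']} labeled {f['actual']} "
              f"(expected {f['expected']}); suggested fix: {f['fix']}")
```

In practice the script would be fed the output of `ausearch -m avc` rather than the embedded sample. The lookup table is deliberately narrow: a confined domain touching a generic type is only a mislabeling symptom when the policy defines a private type for that domain's files, which is why the port denial in the sample is not reported.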