Re: extras package that require changes in selinux-policy (initng)

Stephen Smalley wrote:

On Thu, 2006-02-02 at 18:07 +0100, dragoran wrote:
Checked this and found out that initng does not execute any scripts.
The "scripts" are just files that contain info about which daemon should be started and which deps it has. This results in hald being started directly from initng using execv(). This results in hald (and other services) running as init_t. If I put /sbin/service hald start into the exec line, hald runs as hald_t. Why is a script required to get into the correct domain? Is there any way to fix this without adding setexeccon() for every daemon?

The current policy only defines domain transitions from init (init_t) to
rc (initrc_t) -> daemons.  It doesn't define direct domain transitions
from init_t to the daemon domains, except for a few cases where that has
been necessary (getty, gdm).  The policy could certainly also include
additional transitions directly from init_t to the daemon domains, and
that would work, but it will bloat the policy a bit to include both sets
of transitions.  The script isn't required; it just happens to be the
current init approach, so that is what policy was written for.  Adding
setexeccon() to every daemon wouldn't be desirable or helpful.

So what is the solution? Use setexeccon() to run the daemons as initrc_t to let the domain transitions take effect? This should also be init_t -> initrc_t -> daemon .. or did I miss / misunderstand something?
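
For reference, a sketch of the kind of direct init_t to daemon-domain transition mentioned in the quoted reply, written as raw policy rules for hald. This is an added example, not part of the thread and not taken from the Fedora policy; it assumes the hald binary is labelled hald_exec_t and shows only the core rules a transition needs.

```selinux
# Constructed example: direct transition init_t -> hald_t for an init
# that execv()s the daemon itself instead of going through an rc script.
# init_t and hald_t are the domains named in the thread; hald_exec_t is
# assumed to be the file type on the hald executable.

# Default domain for the new process when init_t executes a hald_exec_t
# file. Without this rule the daemon stays in the caller's domain, which
# is the "hald runs as init_t" behaviour reported above.
type_transition init_t hald_exec_t:process hald_t;

# init_t must be able to read and execute the daemon binary.
allow init_t hald_exec_t:file { getattr read execute };

# init_t must be permitted to transition into the daemon domain.
allow init_t hald_t:process transition;

# hald_t may only be entered through a file of this type.
allow hald_t hald_exec_t:file entrypoint;

# The daemon reports its exit status back to its parent.
allow hald_t init_t:process sigchld;
```

Every daemon started this way needs its own set of these rules alongside the existing initrc_t ones, which is the policy growth the reply refers to.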

