avc denial using runuser from initrc_exec_t
Philip Tricca
phil at noggle.biz
Fri May 25 20:16:38 UTC 2007
I'm trying to fix up an init scrip to play nice with SELinux (strict
policy 2.6.6-69.fc6). Digging through mailing list archives I found
recommendations to replace the use of su with /sbin/runuser for the
change from root to a lesser privileged user. My problem comes when
calling /sbin/runuser. I get 2 avcs:
type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX
comm="runuser" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key
type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX
comm="runuser" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket
Every daemon on my system seems to set its own uid (has allow X_t
self:capability { ... setuid setgid ...}) so I've been unable to find an
example of an init script (initrc_exec_t) that uses runuser. From what
I've gathered this would require adding some permissions to the initrc_t
domain, so either I'm doing something wrong (the likely case) or if
runuser is intended to be used from init scripts (it is used in
/etc/init.d/functions) then initrc_t should have these privileges ...
any thoughts?
TIA,
- Philip
More information about the fedora-selinux-list
mailing list