[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

avc denial using runuser from initrc_exec_t

I'm trying to fix up an init scrip to play nice with SELinux (strict policy 2.6.6-69.fc6). Digging through mailing list archives I found recommendations to replace the use of su with /sbin/runuser for the change from root to a lesser privileged user. My problem comes when calling /sbin/runuser. I get 2 avcs:

type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX comm="runuser" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key

type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX comm="runuser" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket

Every daemon on my system seems to set its own uid (has allow X_t self:capability { ... setuid setgid ...}) so I've been unable to find an example of an init script (initrc_exec_t) that uses runuser. From what I've gathered this would require adding some permissions to the initrc_t domain, so either I'm doing something wrong (the likely case) or if runuser is intended to be used from init scripts (it is used in /etc/init.d/functions) then initrc_t should have these privileges ... any thoughts?

- Philip

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]