avc denial using runuser from initrc_exec_t

Daniel J Walsh dwalsh at redhat.com
Tue May 29 16:58:18 UTC 2007


Philip Tricca wrote:
> I'm trying to fix up an init script to play nice with SELinux (strict 
> policy 2.6.6-69.fc6).  Digging through mailing list archives I found 
> recommendations to replace the use of su with /sbin/runuser for the 
> change from root to a lesser privileged user.  My problem comes when 
> calling /sbin/runuser.  I get 2 avcs:
>
> type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX 
> comm="runuser" scontext=system_u:system_r:initrc_t:s0 
> tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key
>
> type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX 
> comm="runuser" scontext=system_u:system_r:initrc_t:s0 
> tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket
>
> Every daemon on my system seems to set its own uid (has allow X_t 
> self:capability { ... setuid setgid ...}) so I've been unable to find 
> an example of an init script (initrc_exec_t) that uses runuser.  From 
> what I've gathered this would require adding some permissions to the 
> initrc_t domain, so either I'm doing something wrong (the likely case) 
> or if runuser is intended to be used from init scripts (it is used in 
> /etc/init.d/functions) then initrc_t should have these privileges ... 
> any thoughts?
>
> TIA,
> - Philip
>
What was the original reason for attempting any of this?  What avc's are 
you seeing in your applications?  If you are running your own daemons, 
they should just work and not need you to change anything.  (In targeted 
policy at least.)
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
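The two denials Philip quotes carry everything a tool such as audit2allow
needs to propose a rule: the source type, the target type, the object
class and the denied permission. The script below is an added example,
not code from the thread or from the SELinux project, that parses AVC
lines of that shape and prints the allow rules and require block a local
policy module would need, so the proposed rules can be reviewed before
anything is loaded. The sample lines are constructed after the two in the
thread (the second target type is assumed to be local_login_t, and a
third denial is invented to show permission merging); the module name
local_runuser is an arbitrary placeholder.

```python
import re
from collections import defaultdict

# Fields of an AVC denial that determine a policy rule: the denied
# permission set, the source and target security contexts, and the
# object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Constructed sample denials, modelled on the ones in the thread; the
# timestamps, pid and the third (write) denial are made up.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1180457898.123:45): avc: denied { search } for pid=4242 '
    'comm="runuser" scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=key',
    'type=AVC msg=audit(1180457898.123:46): avc: denied { create } for pid=4242 '
    'comm="runuser" scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1180457898.124:47): avc: denied { write } for pid=4242 '
    'comm="runuser" scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket',
]


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx}")
    return parts[2]


def parse_avc(line):
    """Extract perms, source type, target type and class; None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class).

    A target equal to the source is written as 'self', as policy sources do.
    """
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged[(d["stype"], target, d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return sorted(rules)


def policy_module(lines, name="local_runuser"):
    """Render a minimal Type Enforcement (.te) source: require block plus rules."""
    types, classes = set(), defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        types.update({d["stype"], d["ttype"]})
        classes[d["tclass"]] |= d["perms"]
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The output is a proposal for review: as the reply above points out,
    # a denial is a reason to ask why the access is happening, not a
    # rule that must be granted.
    print(policy_module(SAMPLE_AVCS))
```

For the sample lines the output contains one rule against local_login_t's
key class and one self rule on netlink_audit_socket with the create and
write permissions merged. Whether initrc_t should get those permissions at
all is the policy question the thread raises; the script only makes the
requested access explicit.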