[redhat-lspp] Xinetd patches for selinux context configuration
James Antill
jantill at redhat.com
Tue Nov 28 23:13:11 UTC 2006
I've created the patches to allow selinux context to be specified for
xinetd and they seem to work, however one problem is that xinetd isn't
allowed to transition to any other domains. E.g.:
type=AVC msg=audit(1164755336.496:24242): avc: denied { transition } for pid=22285 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1164755097.924:24194): avc: denied { transition } for pid=21497 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1164755203.968:24207): avc: denied { entrypoint } for pid=21825 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:fingerd_t:s0 tcontext=user_u:object_r:httpd_exec_t:s0 tclass=file
...so either the setexeccon fails, because xinetd isn't allowed to
transition to that context ... or the context doesn't have the ability
to exec anything but itself (you can transition to fingerd_t and then
exec fingerd_exec_t ... but that doesn't do anything).
Example config:
# selinux_context = user_u:system_r:inetd_t:SystemLow-SystemHigh
selinux_context = user_u:system_r:httpd_t
# selinux_context = user_u:system_r:fingerd_t
Anyway, here are the patches/rpms:
http://people.redhat.com/jantill/xinetd/
--
James Antill <jantill at redhat.com>
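The three AVC records above show two different failure modes (a domain transition the source domain is not allowed, and an exec file that is not an entrypoint for the target domain). As an added illustration, not part of James' patches or of xinetd itself, the following script parses such audit lines and classifies each denial so a defender can tell which side of the setexeccon/exec pair policy is rejecting. The sample lines are the ones quoted in the post; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the three AVC records quoted in the post above.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1164755336.496:24242): avc: denied { transition } for pid=22285 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1164755097.924:24194): avc: denied { transition } for pid=21497 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1164755203.968:24207): avc: denied { entrypoint } for pid=21825 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:fingerd_t:s0 tcontext=user_u:object_r:httpd_exec_t:s0 tclass=file',
]

# Header of an AVC record: timestamp, serial, denied permissions, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    ts: float
    serial: int
    perms: list
    fields: dict


def split_context(ctx):
    """Split user:role:type[:range] into its parts; the MLS range may be absent."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'range': parts[3] if len(parts) > 3 else None,
    }


def parse_avc(line):
    """Return an Avc for a denial record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return Avc(float(m.group('ts')), int(m.group('serial')),
               m.group('perms').split(), fields)


def explain(avc):
    """Classify a denial as (kind, human-readable reason)."""
    s = split_context(avc.fields['scontext'])
    t = split_context(avc.fields['tcontext'])
    tclass = avc.fields['tclass']
    if tclass == 'process' and 'transition' in avc.perms:
        # Same type but a different MLS range: the range, not the domain, is refused.
        if s['type'] == t['type'] and s['range'] != t['range']:
            return ('mls_range_transition',
                    '%s may not change MLS range %s -> %s'
                    % (s['type'], s['range'], t['range']))
        return ('domain_transition',
                '%s may not transition to %s' % (s['type'], t['type']))
    if tclass == 'file' and 'entrypoint' in avc.perms:
        # The new domain was reached, but the exec'd file is not one of its entrypoints.
        return ('entrypoint',
                '%s is not an entrypoint file type for domain %s'
                % (t['type'], s['type']))
    return ('other', 'denied %s on %s' % (' '.join(avc.perms), tclass))


def analyze(lines):
    """Parse every AVC denial in lines; returns [(serial, kind, reason), ...]."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            kind, reason = explain(avc)
            out.append((avc.serial, kind, reason))
    return out


if __name__ == '__main__':
    for serial, kind, reason in analyze(SAMPLE_AVC_LINES):
        print('%d %-22s %s' % (serial, kind, reason))
```

Run on the post's records this reports a domain transition denial (inetd_t to httpd_t), an MLS range change denial (inetd_t staying inetd_t but moving from s0 to s0-s0:c0.c1023), and an entrypoint denial (httpd_exec_t is not an entrypoint for fingerd_t), which is exactly the distinction the message draws between "setexeccon fails" and "the context can't exec anything but itself".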