extras package that require changes in selinux-policy (initng)

dragoran dragoran at feuerpokemon.de
Thu Feb 2 17:48:36 UTC 2006


Stephen Smalley wrote:

>On Thu, 2006-02-02 at 18:07 +0100, dragoran wrote:
>
>>checked this and found out that initng does not execute any scripts.
>>the "scripts" are just files that contain information about which daemon 
>>should be started and which deps it has.
>>this results in hald being started directly from initng using execv(). 
>>This results in hald (and other services) running as init_t. If I put 
>>/sbin/service hald start into the exec line hald runs as hald_t.
>>Why is a script required to get into the correct domain? Is there any 
>>way to fix this without adding setexeccon() for every daemon?
>
>The current policy only defines domain transitions from init (init_t) to
>rc (initrc_t) -> daemons.  It doesn't define direct domain transitions
>from init_t to the daemon domains, except for a few cases where that has
>been necessary (getty, gdm).  The policy could certainly also include
>additional transitions directly from init_t to the daemon domains, and
>that would work, but it will bloat the policy a bit to include both sets
>of transitions.  The script isn't required; it just happens to be the
>current init approach, so that is what policy was written for.  Adding
>setexeccon() to every daemon wouldn't be desirable or helpful.
>

so what is the solution? use setexeccon() to run the daemons as initrc_t 
to let the domain transitions take effect?
this should also be init_t -> initrc_t -> daemon .. or did I miss / 
misunderstand something?
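
Added example, not part of the original message and not taken from the Fedora policy: a policy fragment sketching the two transition paths described in the quoted reply, using hald as the daemon. The executable types initrc_exec_t and hald_exec_t are assumed names following the usual *_exec_t convention, and the rules are reduced to the core of a domain transition.

```selinux
# --- Path the existing policy was written for: init -> rc script -> daemon ---

# init_t executing an rc script (assumed type initrc_exec_t) enters initrc_t.
type_transition init_t initrc_exec_t:process initrc_t;

# initrc_t executing the hald binary (assumed type hald_exec_t) enters hald_t.
type_transition initrc_t hald_exec_t:process hald_t;
allow initrc_t hald_exec_t:file { getattr read execute };
allow initrc_t hald_t:process transition;
allow hald_t hald_exec_t:file entrypoint;

# With only the rules above, an execv() of the hald binary straight from a
# process in init_t matches no type_transition rule, so the new process
# stays in the caller's domain (init_t). That is the behaviour reported for
# initng in this thread.

# --- Additional direct path: init -> daemon ---

# A second set of rules with init_t as the source domain. One such set is
# needed per daemon, which is the policy growth the reply refers to.
type_transition init_t hald_exec_t:process hald_t;
allow init_t hald_exec_t:file { getattr read execute };
allow init_t hald_t:process transition;
# The entrypoint permission for hald_t is already granted above.
```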



