extras package that require changes in selinux-policy (initng)

dragoran dragoran at feuerpokemon.de
Tue Jan 31 15:47:40 UTC 2006


Daniel J Walsh wrote:

> dragoran wrote:
>
>> Hello.
>> I am working on selinux support in initng, which is in review for 
>> extras now [1].
>> But it seems that initng requires a policy to work (just tested in 
>> targeted mode)
>> Using the default context (sbin_t) lets all apps that are started 
>> from initng run as kernel_t.
>
> What is the path?  We can set it up in policy.

>> Relabeling /sbin/initng to init_exec_t (same as init) fixes this and 
>> the processes run as init_t and udev_t for udev, but some issues 
>> still remain.
>
> I will add to policy.

ok thx

>> hald, httpd, etc. also run as init_t which is *wrong* they have to get 
>> into their own domain. How is this handled in sysvinit?
>> After reading the code I haven't found anything about it.
>
> Are the startup scripts marked initrc_exec_t?
>
>
yes I did chcon -t initrc_exec_t on all files in /etc/initng/system and 
/etc/initng/daemons

>> The patch I wrote can be found here: 
>> http://bugzilla.initng.thinktux.net/show_bug.cgi?id=365
>> Did I do something wrong? Did I miss something?
>> After fixing this we will run into another problem. Every time the 
>> filesystem gets relabeled initng will become sbin_t which will break it.
>> To fix this we need to modify the selinux-policy. What should be done 
>> if a package in extras requires to change a core package?
>> Should I just file a bug against it and hope that it will be released 
>> as an update for FC4, and gets into rawhide too?
>> Was unable to find anything about it in the wiki.
>> 1: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173459




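The relabel problem raised in this message, as an added example (not part of the original post, initng, or selinux-policy): a simplified Python model of how a relabel chooses a file's context from file_contexts, where literal entries beat regex entries and otherwise the last matching entry wins. The policy excerpt, the three initng entries and the daemon file name are constructed for illustration; only the directory paths and type names come from the thread.

```python
import re

# Constructed file_contexts excerpt (illustrative, not the shipped policy).
BASE_FC = r"""
/sbin(/.*)?                 system_u:object_r:sbin_t
/sbin/init                  system_u:object_r:init_exec_t
/etc(/.*)?                  system_u:object_r:etc_t
/etc/rc\.d/init\.d/.*       system_u:object_r:initrc_exec_t
"""

# Hypothetical entries for the paths and types named in the thread.
INITNG_FC = r"""
/sbin/initng                system_u:object_r:init_exec_t
/etc/initng/system(/.*)?    system_u:object_r:initrc_exec_t
/etc/initng/daemons(/.*)?   system_u:object_r:initrc_exec_t
"""

def parse(text):
    """Return (pattern, context) pairs, skipping blanks and comments."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            specs.append((fields[0], fields[-1]))
    return specs

def has_meta(pattern):
    """True if the pattern contains an unescaped regex metacharacter."""
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if pattern[i] in ".^$?*+|[({":
            return True
        i += 1
    return False

def lookup(specs, path):
    """Context a relabel would assign: literals last, search from the end."""
    ordered = sorted(specs, key=lambda s: not has_meta(s[0]))  # stable sort
    for pattern, context in reversed(ordered):
        if re.fullmatch(pattern, path):
            return context
    return None  # no entry: the relabel leaves the file alone

if __name__ == "__main__":
    for name, fc in (("base", BASE_FC), ("with initng", BASE_FC + INITNG_FC)):
        specs = parse(fc)
        for path in ("/sbin/initng", "/etc/initng/daemons/example.i"):
            print(f"{name:12} {path:32} {lookup(specs, path)}")
```

With only the base entries, a relabel returns `/sbin/initng` to `sbin_t` regardless of an earlier `chcon`, which is why the label has to come from the policy's file contexts.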