hotplug_t?

Stephen Smalley sds at tycho.nsa.gov
Tue Aug 1 13:29:11 UTC 2006


On Tue, 2006-08-01 at 15:14 +0200, Axel Thimm wrote:
> On Tue, Aug 01, 2006 at 09:08:37AM -0400, Stephen Smalley wrote:
> > On Tue, 2006-08-01 at 07:05 +0200, Axel Thimm wrote:
> > > Process contexts:
> > > Current context:		root:system_r:hotplug_t:SystemLow-SystemHigh
> > > Init context:                   system_u:system_r:init_t
> > > /sbin/mingetty                  system_u:system_r:kernel_t
> > > /usr/sbin/sshd                  system_u:system_r:kernel_t
> > 
> > That's puzzling; init is in the correct domain (init_t) but mingetty and
> > sshd are in kernel_t rather than getty_t.  init starts life in kernel_t,
> > then re-execs into init_t after loading policy, then performs normal
> > startup.  But there are no transitions back into kernel_t.  And the
> > files appear to have the right contexts.
> 
> Restarting sshd from a root:system_r:hotplug_t:SystemLow-SystemHigh
> root login results in a root:system_r:unconfined_t:SystemLow-SystemHigh
> master sshd process. Is that correct?

Yes, sshd is unconfined in targeted policy.

> # rpm -q selinux-policy-targeted SysVinit
> selinux-policy-targeted-2.3.2-1.fc5
> SysVinit-2.86-2.2.2
> # rpm -V selinux-policy-targeted
> # /usr/sbin/semodule -l
> amavis  1.0.5
> clamav  1.0.4
> dcc     1.0.1
> pyzor   1.0.4
> razor   1.0.1
> # cmp /etc/selinux/targeted/modules/active/policy.kern /etc/selinux/targeted/policy/policy.20

This looks sane, although I think there is a newer update of policy.

-- 
Stephen Smalley
National Security Agency
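
The check discussed in this thread, as an added example that is not part of the original message: it reads `sestatus -v` output and lists daemons in the "Process contexts:" section whose domain is still kernel_t. The sample input is constructed from the excerpt quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample modelled on the `sestatus -v` excerpt quoted in the thread.
sample_sestatus() {
cat <<'EOF'
SELinux status:                 enabled
Policy from config file:        targeted

Process contexts:
Current context:                root:system_r:hotplug_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:kernel_t
/usr/sbin/sshd                  system_u:system_r:kernel_t

File contexts:
Controlling term:               root:object_r:devpts_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
EOF
}

# Read `sestatus -v` output on stdin and print "<path> <context>" for every
# daemon listed under "Process contexts:" whose SELinux type is kernel_t.
# init leaves kernel_t when it re-execs after loading policy, so a userspace
# daemon still in kernel_t means its domain transition never happened.
daemons_in_kernel_t() {
    awk '
        /^Process contexts:/     { in_proc = 1; next }
        /^[A-Za-z ]+ contexts:/  { in_proc = 0 }      # any other section header
        in_proc && $1 ~ /^\// {
            n = split($NF, ctx, ":")                  # user:role:type[:level]
            if (n >= 3 && ctx[3] == "kernel_t") print $1, $NF
        }
    '
}

# Demo on the constructed sample; on a live host: sestatus -v | daemons_in_kernel_t
sample_sestatus | daemons_in_kernel_t
```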



