hotplug_t?

Axel Thimm Axel.Thimm at ATrpms.net
Tue Aug 1 22:19:11 UTC 2006


On Tue, Aug 01, 2006 at 09:38:15AM -0400, Stephen Smalley wrote:
> On Tue, 2006-08-01 at 15:21 +0200, Axel Thimm wrote:
> > On Tue, Aug 01, 2006 at 09:16:04AM -0400, Stephen Smalley wrote:
> > > On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
> > > > Does the following output help? Looks like anything called from sshd
> > > > gets into hotplug_t. The main sshd process runs under
> > > > system_u:system_r:kernel_t.
> > > 
> > > sshd running in kernel_t is the problem; that should never happen (init
> > > transitions to init_t, then everything flows from it; nothing should
> > > ever transition back into kernel_t).  Only kernel threads should have
> > > kernel_t (init will start life as kernel_t but then transition; usermode
> > > helpers like modprobe and hotplug should transition upon the exec).
> > 
> > Hm, there are tons of processes in kernel_t, in fact almost everything
> > but sshd initiated processes, httpd, rotatelog and spamd.
> > 
> > Maybe I need to restart init yet another time (e.g. reboot). Would
> > that make sense?
> 
> It would if init were running in kernel_t too.  But given that it is
> running in init_t, I don't understand how its descendants got back to
> kernel_t.  Unless the transition to init_t happened after starting the
> descendants, e.g. you manually told init to re-exec via telinit.

I didn't do so consciously. I rebooted the system and there is no
hotplug_t trace anymore in the processes. What I think I missed is the
reboot after the fixfiles command. But I don't understand how init
would go back and forth into different security contexts.

Anyway for me I'm happy that the system is in a normal selinux state
(I hope) and that I can start using selinux in real life (permissive
for now while learning).

Thanks!
-- 
Axel.Thimm at ATrpms.net
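A check for the condition Stephen describes above (only kernel threads should hold kernel_t; init and everything under it should have transitioned out of it), as an added example that is not part of the original thread. It reads `ps -eZ` style output and lists user-space processes whose type is kernel_t; the sample lines are constructed to mirror the broken state in the thread, and kernel threads are recognised by their bracketed command names.

```shell
#!/bin/sh
# Constructed sample in the format of `ps -eZ` (LABEL PID TTY TIME CMD).
# On a live system, pipe real `ps -eZ` output into find_kernel_t_userspace.
SAMPLE_PS='LABEL                           PID TTY          TIME CMD
system_u:system_r:kernel_t        1 ?        00:00:01 init
system_u:system_r:kernel_t        2 ?        00:00:00 [migration/0]
system_u:system_r:kernel_t        3 ?        00:00:00 [ksoftirqd/0]
system_u:system_r:init_t        300 ?        00:00:00 udevd
system_u:system_r:kernel_t      512 ?        00:00:00 sshd
system_u:system_r:hotplug_t     640 ?        00:00:00 bash
system_u:system_r:sshd_t        700 ?        00:00:00 sshd'

# Print "PID CMD" for every process whose SELinux type is kernel_t and whose
# command is not bracketed. Kernel threads show up as [name]; a plain name
# in kernel_t means a user-space process never left the kernel domain.
find_kernel_t_userspace() {
    awk '
        index($1, ":") == 0 { next }        # skip the header line
        {
            split($1, ctx, ":")             # user:role:type[:level]
            if (ctx[3] == "kernel_t" && $NF !~ /^\[.*\]$/)
                print $2, $NF
        }'
}

# Number of offending processes in the sample; 0 is the expected result
# after a clean boot with a correctly labelled filesystem.
count_kernel_t_userspace() {
    printf '%s\n' "$SAMPLE_PS" | find_kernel_t_userspace | wc -l | tr -d ' '
}

# Usage against the constructed sample: lists "1 init" and "512 sshd".
printf '%s\n' "$SAMPLE_PS" | find_kernel_t_userspace
```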