daemons running as initrc_t

Daniel J Walsh dwalsh at redhat.com
Thu Jul 19 16:10:31 UTC 2007

Tom London wrote:
> [root at localhost ~]# ps agxZ | grep initrc_t
> system_u:system_r:initrc_t       2818 ?        S      0:00 nasd -b -local
> system_u:system_r:initrc_t       3174 ?        Ss     0:00
> NetworkManagerDispatcher
> --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
> system_u:system_r:unconfined_t   3802 pts/0    S+     0:00 grep initrc_t
> [root at localhost ~]#
> So, nasd and Network run in initrc_t.
> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
Yes anyone out there looking to get their feet wet in writing policy, 
this is probably a good one to start on.

Try out system-config-selinux, go to modules tab and select new.  
Comments welcome.  I plan on writing up a
tutorial on this, soon.
> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t, 
> other?)?
This really needs a different interface also.  And the scripts need to 
be labeled.  One problem with this is
these scripts could do anything so writing a policy to do this 
dispatcher would need to be able to transition
to lots of domains.  Maybe add an interface to it so, it like apache can 
run scripts in different contexts.

But we would have to ship an NetworkManager_unconfined_script_exec_t, 
for the default.
> tom

More information about the fedora-selinux-list mailing list