daemons running as initrc_t
Daniel J Walsh
dwalsh at redhat.com
Thu Jul 19 16:10:31 UTC 2007
Tom London wrote:
> [root at localhost ~]# ps agxZ | grep initrc_t
> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
> system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
> [root at localhost ~]#
>
> So, nasd and Network run in initrc_t.
>
> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
Yes. Anyone out there looking to get their feet wet in writing policy,
this is probably a good one to start on.
Try out system-config-selinux, go to the modules tab and select New.
Comments welcome. I plan on writing up a tutorial on this soon.
>
> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t,
> other?)?
>
This really needs a different interface also, and the scripts need to
be labeled. One problem with this is that these scripts could do
anything, so a policy for this dispatcher would need to be able to
transition to lots of domains. Maybe add an interface to it so that it,
like apache, can run scripts in different contexts. But we would have
to ship a NetworkManager_unconfined_script_exec_t for the default.
> tom
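For anyone taking up the nasd suggestion, here is what a minimal reference-policy module for it looks like. This is an added example, not policy from the thread, from Fedora or from the nasd package: the daemon path in the .fc file and the access rules (PID file, sound device, a listening TCP socket, shared libraries, syslog) are assumptions about what nasd needs, and the interface names are those of the reference policy of that era. The key line is init_daemon_domain(), which is what makes initrc_t transition to nasd_t instead of leaving the daemon in initrc_t as in Tom's ps output.

```selinux
# nasd.te -- confined domain for the Network Audio System daemon
# (assumed access needs; confirm with audit2allow in permissive mode)
policy_module(nasd, 1.0.0)

########################################
#
# Declarations
#

type nasd_t;
type nasd_exec_t;
# A file labeled nasd_exec_t, when executed by initrc_t (or init_t),
# causes an automatic transition into nasd_t. Without this, the daemon
# inherits initrc_t, which is what the ps agxZ output above shows.
init_daemon_domain(nasd_t, nasd_exec_t)

# Type for /var/run/nasd.pid (assumption: nasd writes a PID file)
type nasd_var_run_t;
files_pid_file(nasd_var_run_t)

########################################
#
# Local policy
#

allow nasd_t self:process signal_perms;
allow nasd_t self:fifo_file rw_fifo_file_perms;
allow nasd_t self:unix_stream_socket create_stream_socket_perms;
allow nasd_t self:tcp_socket create_stream_socket_perms;

# Create and manage the PID file, and label it correctly on creation
manage_files_pattern(nasd_t, nasd_var_run_t, nasd_var_run_t)
files_pid_filetrans(nasd_t, nasd_var_run_t, file)

# Assumption: an audio server needs the sound device
dev_read_sound(nasd_t)
dev_write_sound(nasd_t)

# Assumption: nasd listens on a TCP port; the port type itself is
# whatever audit2allow reports once the daemon runs in permissive mode
corenet_tcp_bind_all_nodes(nasd_t)

# Boilerplate every daemon needs
files_read_etc_files(nasd_t)
libs_use_ld_so(nasd_t)
libs_use_shared_libs(nasd_t)
logging_send_syslog_msg(nasd_t)
miscfiles_read_localization(nasd_t)

# nasd.fc -- file contexts (assumed install path for the binary)
/usr/bin/nasd   --  gen_context(system_u:object_r:nasd_exec_t,s0)
```

With selinux-policy-devel installed, `make -f /usr/share/selinux/devel/Makefile` in the directory holding nasd.te and nasd.fc produces nasd.pp; `semodule -i nasd.pp` loads it and `restorecon -v /usr/bin/nasd` applies the new label. After restarting the service, `ps -eZ | grep nasd` should show system_u:system_r:nasd_t rather than initrc_t. Run the machine in permissive mode for a while, then feed the nasd denials from /var/log/audit/audit.log to `audit2allow -R` to find the rules this skeleton is missing before turning enforcing back on.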