daemons running as initrc_t
Ken YANG
spng.yang at gmail.com
Fri Jul 20 05:45:09 UTC 2007
Daniel J Walsh wrote:
> Tom London wrote:
>> [root at localhost ~]# ps agxZ | grep initrc_t
>> system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
>> system_u:system_r:initrc_t 3174 ? Ss 0:00
>> NetworkManagerDispatcher
>> --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
>> system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
>> [root at localhost ~]#
>>
>> So, nasd and Network run in initrc_t.
>>
>> Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
> Yes anyone out there looking to get their feet wet in writing policy,
> this is probably a good one to start on.
I don't know whether Tom has worked on this. If not, I will try, but
I am not familiar with Network Audio System :-)
>
> Try out system-config-selinux, go to modules tab and select new.
> Comments welcome. I plan on writing up a
> tutorial on this, soon.
>>
>> What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t,
>> other?)?
>>
> This really needs a different interface also. And the scripts need to
> be labeled. One problem with this is
> these scripts could do anything so writing a policy to do this
> dispatcher would need to be able to transition
> to lots of domains. Maybe add an interface to it so, it like apache can
> run scripts in different contexts.
>
> But we would have to ship an NetworkManager_unconfined_script_exec_t,
> for the default.
>> tom
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
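A minimal policy module for the nasd case discussed above, as an added example that is not code from any poster in this thread; the /usr/bin/nasd path and the chosen baseline interfaces are assumptions, and the full rule set should come from reviewing AVC denials after the domain is in place:

```shell
#!/bin/sh
# Added example: a small SELinux module that moves nasd out of initrc_t into
# its own nasd_t domain. Install path and extra interfaces are assumptions.

# Write nasd.te and nasd.fc into the directory given as $1.
write_nasd_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/nasd.te" <<'EOF'
policy_module(nasd, 1.0.0)

# New daemon domain and the entry point type for its executable.
type nasd_t;
type nasd_exec_t;

# Let init scripts (initrc_t) transition into nasd_t when they exec a file
# labelled nasd_exec_t; this is what stops nasd from running as initrc_t.
init_daemon_domain(nasd_t, nasd_exec_t)

# Baseline access a daemon usually needs; extend from audited denials.
files_read_etc_files(nasd_t)
logging_send_syslog_msg(nasd_t)
dev_read_sound(nasd_t)
dev_write_sound(nasd_t)
EOF
    # File context: assumed install path of the nasd binary.
    cat > "$dir/nasd.fc" <<'EOF'
/usr/bin/nasd           --      gen_context(system_u:object_r:nasd_exec_t,s0)
EOF
}

# Build, install and relabel; only meaningful on a host with the
# selinux-policy-devel files present.
install_nasd_policy() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile nasd.pp ) || return 1
    semodule -i "$dir/nasd.pp" || return 1
    restorecon -v /usr/bin/nasd
    # After restarting the service, nasd should show nasd_t, not initrc_t:
    #   ps -eZ | grep nasd
    # Denials to fold back into the module:  ausearch -m avc -c nasd
}

# Uncomment on an SELinux host with the policy devel files installed:
# write_nasd_policy /tmp/nasd-policy && install_nasd_policy /tmp/nasd-policy
```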