auditd went crazy

Daniel J Walsh dwalsh at redhat.com
Tue Jul 8 18:35:22 UTC 2008


Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> Seems like you have a mislabeled program running as initrc_t?
>>
>> ps -eZ | grep initrc_t
> 
> Are there some docs on how to fix up any programs running as initrc_t
> (and when it is required to do so)?  I notice that puppetd is in this
> situation on my system, but I don't know if that's a potential problem
> nor how to correct it if it is.
> 
No, any system daemon that does not have policy will run as initrc_t. If
these daemons executed confined applications, you could see AVCs. But
ordinarily an initrc_t domain will run as "unconfined".  It is the
equivalent of the unconfined_t domain for a logged-in user.

We could write policy for puppetd and it would run under a different
context.  Puppetd probably needs to do just about anything, so writing a
standard policy for it to work everywhere is impossible, so it would
have to be unconfined.

A lot of times AVCs for a confined domain referring to initrc_t
indicate a leaked file descriptor.
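
The two checks mentioned in this thread, listing processes whose SELinux type is initrc_t and picking out AVC records whose target context is initrc_t, as an added example that is not part of the original message. The `ps -eZ` output and audit records are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD).
PS_SAMPLE = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:auditd_t:s0    1780 ?        00:00:00 auditd
system_u:system_r:initrc_t:s0    2101 ?        00:00:03 puppetd
unconfined_u:unconfined_r:unconfined_t:s0 2544 pts/0 00:00:00 bash
"""

# Constructed AVC records in the audit.log layout.
AVC_SAMPLE = """\
type=AVC msg=audit(1215542001.101:40): avc:  denied  { read write } for  pid=2310 comm="ifconfig" path="socket:[9123]" dev=sockfs ino=9123 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1215542002.202:41): avc:  denied  { getattr } for  pid=2400 comm="httpd" path="/srv/data" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def initrc_processes(ps_output):
    """Equivalent of `ps -eZ | grep initrc_t`, matching on the type field only."""
    found = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 4)
        if len(fields) == 5 and selinux_type(fields[0]) == "initrc_t":
            found.append((int(fields[1]), fields[4]))
    return found

AVC_RE = re.compile(r'comm="(?P<comm>[^"]*)".*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)')

def avcs_targeting_initrc(log_text):
    """AVCs where a differently-typed source domain touched something labeled initrc_t."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m and selinux_type(m["t"]) == "initrc_t" and selinux_type(m["s"]) != "initrc_t":
            hits.append((m["comm"], selinux_type(m["s"]), m["c"]))
    return hits

if __name__ == "__main__":
    print(initrc_processes(PS_SAMPLE))       # processes to review for missing policy or labels
    print(avcs_targeting_initrc(AVC_SAMPLE)) # candidates for the leaked-descriptor case
```
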




More information about the fedora-selinux-list mailing list