Stuck in init_t

Stephen Smalley sds at tycho.nsa.gov
Wed May 14 17:22:58 UTC 2008


On Wed, 2008-05-14 at 11:12 -0400, Sciola, Dario wrote:
> Classification: UNCLASSIFIED
> 
> Hi,
> 
> I've got a small application that I'm trying to get running as a
> service on an FC8 SELinux box. I've got an entry in my inittab file
> to kick start the app, but all my attempts at writing an appropriate
> policy leave that app running in the init_t domain.

This kind of question likely belongs on selinux at tycho.nsa.gov, not here
- it isn't really Fedora-specific.

> The inittab file entry is:
> 
>  cds:2345:respawn:/usr/bin/CDSserver -l -p 2732 
>   
> ps -efZ (observing this as a 'root' user) gives:
> 
> system_u:system_r:init_t:s0 root 2663 1 0 10:01 ?
> 00:00:00 /usr/bin/CDSserver -l -p 2732
> 
> My .te file contains:
> 
>    policy_module(cdsserver,1.0.3) 
> 
>    ######################################## 
>    # 
>    # Declarations 
>    # 
>    ########################################
> 
>    # Type declarations 
>    ###################
> 
>    # the target domain: 
>    type cds_t;
> 
>    # Entrypoint for exec 
>    type cds_exec_t;
> 
> 
>    # domain type 
>    #domain_type(cds_t)
> 
>    # Mark cds_t as a domain and cds_exec_t as an entrypoint 
>    init_daemon_domain(cds_t, cds_exec_t)

init_daemon_domain is for a normal daemon started by an /etc/rc.d
script, not for something directly started by /sbin/init.

You want init_domain() instead I think.

>    domain_entry_file(cds_t, cds_exec_t)

This should be covered by the above.

>    allow cds_t self:process execmem;

Better if you can avoid that.

>    ...
> 
> My .fc file contains:
> 
>    /usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)
> 
> 
> My .if file contains:
> 
>    interface(`cds_domtrans',` 
>         gen_require(` 
>                 type cds_t, cds_exec_t; 
>         ')
> 
>         domain_auto_trans($1,cds_exec_t,cds_t) 
>   
>         allow $1 cds_t:fd use; 
>         allow cds_t $1:fd use; 
>         allow cds_t $1:fifo_file rw_file_perms; 
>         allow cds_t $1:process sigchld; 
>    ')
> 
> I've also tried putting init_t as $1 in the domain_auto_trans()

An .if file serves no purpose unless you have something that calls the
interfaces it defines.  It just defines a set of interfaces for
other .te files to use.

> Why isn't the process transitioning to cds_t? I've looked at a lot of
> sites and examples and can't seem to figure out my problem. The policy
> is the targeted FC8 policy. Module compiles and loads (semodule) fine.
> 
> # sestatus 
> SELinux status:                 enabled 
> SELinuxfs mount:                /selinux 
> Current mode:                   permissive 
> Mode from config file:          permissive 
> Policy version:                 21 
> Policy from config file:        targeted 
>   
> Any ideas?
> 
> 
> Dario Sciola
> 
-- 
Stephen Smalley
National Security Agency
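An added example, not from the thread, showing the module with Stephen's suggestion applied: init_domain() in place of init_daemon_domain() (which also makes the separate domain_entry_file() call and the .if interface unnecessary), keeping the type names from Dario's module. The TCP rules are an assumption about what CDSserver needs for its -p 2732 listener and should be checked against the AVC log rather than copied blindly.

```selinux
# cdsserver.te (assumed file name; module name from the original post)
policy_module(cdsserver, 1.0.4)

########################################
#
# Declarations
#

# The target domain and the entrypoint type for /usr/bin/CDSserver
type cds_t;
type cds_exec_t;

########################################
#
# Local policy
#

# init_domain() marks cds_t as a domain, cds_exec_t as its entrypoint,
# and adds the domain transition from init_t on exec of cds_exec_t.
# This is the interface for programs spawned directly by /sbin/init
# (inittab entries); init_daemon_domain() is for daemons started from
# /etc/rc.d scripts, which is why it did not produce a transition here.
init_domain(cds_t, cds_exec_t)

# Assumption: the server listens on a TCP port (the -p 2732 option), so it
# needs to create and bind a stream socket. Adjust after checking
# audit2allow output; do not add execmem unless the application really
# needs it, since that weakens the protection the domain provides.
allow cds_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(cds_t)

# cdsserver.fc (assumed file name) -- one line, no wrapping:
# /usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)
```

After loading the module with semodule, run restorecon on /usr/bin/CDSserver so the binary actually carries cds_exec_t, then let init respawn the process and confirm the domain with ps -eZ; in permissive mode the transition still takes place, and any denials that would have blocked it in enforcing mode show up in the audit log.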