squid denial on F11 for var_run_t
Daniel J Walsh
dwalsh at redhat.com
Tue Jun 16 12:49:55 UTC 2009
On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
> Unconfined processes tend to stay unconfined. That is what uses expect,
> telling them that they are executing an uconfined process that suddenly
> becomes confined, seems wrong to them. That being said, you can end up
> with mislabeled files because of this.
>
> So
>
>
> unconfined_t -> squid_exec_t -> unconfined_t
>
> But unconfined processes starting init scripts have a transition
>
> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>
> So any time you are using a confined process you should use the init
> script to start them, otherwise you could get mislabeled files.
I also just wrote a blog on this.
http://danwalsh.livejournal.com/29041.html
More information about the fedora-selinux-list
mailing list