squid denial on F11 for var_run_t
Daniel J Walsh
dwalsh at redhat.com
Tue Jun 16 13:18:35 UTC 2009
On 06/16/2009 08:57 AM, Stephen Smalley wrote:
> On Tue, 2009-06-16 at 08:49 -0400, Daniel J Walsh wrote:
>> On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
>>> Unconfined processes tend to stay unconfined. That is what uses expect,
>>> telling them that they are executing an uconfined process that suddenly
>>> becomes confined, seems wrong to them. That being said, you can end up
>>> with mislabeled files because of this.
>>>
>>> So
>>>
>>>
>>> unconfined_t -> squid_exec_t -> unconfined_t
>>>
>>> But unconfined processes starting init scripts have a transition
>>>
>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>>>
>>> So any time you are using a confined process you should use the init
>>> script to start them, otherwise you could get mislabeled files.
>>
>>
>> I also just wrote a blog on this.
>>
>> http://danwalsh.livejournal.com/29041.html
>
> Hmm...when did this change? It used to be the case that a domain
> transition was also defined directly from unconfined_t to the daemon
> domain when running the daemon binary, precisely because users and
> scriptlets sometimes do that.
>
About FC5 time frame. The most common error caused by this was
AVC's about getattr in homedir, redirection of stdout blowing up because
squid_t can not write to user_tmp_t. Etc.
More information about the fedora-selinux-list
mailing list