squid denial on F11 for var_run_t

Daniel J Walsh dwalsh at redhat.com
Tue Jun 16 13:18:35 UTC 2009

On 06/16/2009 08:57 AM, Stephen Smalley wrote:
> On Tue, 2009-06-16 at 08:49 -0400, Daniel J Walsh wrote:
>> On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
>>> Unconfined processes tend to stay unconfined.  That is what uses expect,
>>> telling them that they are executing an uconfined process that suddenly
>>> becomes confined, seems wrong to them.  That being said, you can end up
>>> with mislabeled files because of this.
>>> So
>>> unconfined_t ->  squid_exec_t ->  unconfined_t
>>> But unconfined processes starting init scripts have a transition
>>> unconfined_t ->  initrc_exec_t ->  initrc_t ->  squid_exec_t ->  squid_t
>>> So any time you are using a confined process you should use the init
>>> script to start them, otherwise you could get mislabeled files.
>> I also just wrote a blog on this.
>> http://danwalsh.livejournal.com/29041.html
> Hmm...when did this change?  It used to be the case that a domain
> transition was also defined directly from unconfined_t to the daemon
> domain when running the daemon binary, precisely because users and
> scriptlets sometimes do that.
About FC5 time frame.  The most common error caused by this was

AVC's about getattr in homedir, redirection of stdout blowing up because 
squid_t can not write to user_tmp_t.  Etc.

More information about the fedora-selinux-list mailing list