squid denial on F11 for var_run_t

Dominick Grift domg472 at gmail.com
Tue Jun 16 13:53:56 UTC 2009

On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:

> >>> unconfined_t ->  squid_exec_t ->  unconfined_t
> >>>
> >>> But unconfined processes starting init scripts have a transition
> >>>
> >>> unconfined_t ->  initrc_exec_t ->  initrc_t ->  squid_exec_t ->  squid_t
> >>>
> >>> So any time you are using a confined process you should use the init
> >>> script to start them, otherwise you could get mislabeled files.

The AVC denial was about squid_t trying to access var_run_t.

If unconfined_t executed squid_exec_t then the domain would not be

If squid would run as squid_t then the pid would not be var_run_t.

The AVC denial does not seem to make sense. Maybe only if two squid
processes were running, one unconfined and one confined, that were

More information about the fedora-selinux-list mailing list