squid denial on F11 for var_run_t
Dominick Grift
domg472 at gmail.com
Tue Jun 16 13:53:56 UTC 2009
On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
> >>> unconfined_t -> squid_exec_t -> unconfined_t
> >>>
> >>> But unconfined processes starting init scripts have a transition
> >>>
> >>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> >>>
> >>> So any time you are using a confined process you should use the init
> >>> script to start them, otherwise you could get mislabeled files.
The AVC denial was about squid_t trying to access var_run_t.
If unconfined_t executed squid_exec_t then the domain would not be
squid_t.
If squid ran as squid_t then the pid file would not be var_run_t.
The AVC denial does not seem to make sense. Maybe it would if two squid
processes were running, one unconfined and one confined, and they were
conflicting.
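The reasoning in this thread (a confined squid_t process should never meet a var_run_t pid file unless something ran squid outside the init script) can be turned into a quick check. The script below is an added example, not code from the thread or the squid policy: it pulls the source and target types out of an AVC denial line and classifies the combination. The AVC line is constructed, and squid_var_run_t is assumed to be the refpolicy type for squid's pid file.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a squid AVC denial by
# the process domain and pid-file type it names, following the thread's logic.

# Extract one key=value field (e.g. scontext) from an AVC line.
avc_field() {
    # $1 = AVC line, $2 = key
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Type component of a context such as system_u:system_r:squid_t:s0
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify the (process type, pid-file type) pair.
#   confined-ok         squid_t on squid_var_run_t: what an init-script start produces
#   unconfined-start    process is unconfined_t: squid was started from a shell,
#                       so files it creates will be mislabeled
#   mislabeled-pidfile  squid_t hitting var_run_t: a pid file left by an
#                       unconfined run; restorecon it and restart via the init script
#   other               anything else
classify() {
    case "$1:$2" in
        squid_t:squid_var_run_t) echo confined-ok ;;
        unconfined_t:*)          echo unconfined-start ;;
        squid_t:var_run_t)       echo mislabeled-pidfile ;;
        *)                       echo other ;;
    esac
}

# Parse an AVC line and classify it.
diagnose_avc() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    classify "$s" "$t"
}

# Constructed sample resembling the denial discussed in the thread.
SAMPLE='avc: denied { write } for pid=1234 comm="squid" name="squid.pid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file'

diagnose_avc "$SAMPLE"   # prints mislabeled-pidfile
```

On a live system the same contexts come from `ps -eZ` (or `ps -eo label,comm`) for the process and `ls -Z /var/run/squid.pid` for the file, and the denial itself from `ausearch -m avc`.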
More information about the fedora-selinux-list mailing list