From: Stephen Smalley <sds@tycho.nsa.gov>
To: "c.r.madhusudhanan@gmail.com" <c.r.madhusudhanan@gmail.com>
Cc: dwalsh@redhat.com, SELinux@tycho.nsa.gov
Subject: Re: Wrong context for user
Date: Fri, 24 Jun 2011 10:11:30 -0400
Message-ID: <1308924690.15355.72.camel@moss-pluto>
In-Reply-To: <BANLkTimkpy3RPkT5Mzg-Uc140KPbEcX4=w@mail.gmail.com>
On Fri, 2011-06-24 at 09:44 -0400, c.r.madhusudhanan@gmail.com wrote:
> Hello Daniel, Stephen,
>
> Thanks for the quick reply.
>
> Yes, it looks like login runs in the wrong context,
> system_u:system_r:kernel_t, and most of the processes do.
>
> I am loading SELinux policies from init, so I would expect all daemons
> to show their respective contexts.
>
> Attached is the "ps -aeZ" output.
>
> BTW, when I do "run_init /etc/init.d/sshd restart" the context changes
> from
> "system_u:system_r:kernel_t" to "system_u:system_r:initrc_t" but not
> to sshd_t.
Once policy is loaded, you have to make the first transition to init_t
for the init process. That can be done in one of several ways:
- load policy before execing /sbin/init from the real root (e.g. from
initramfs), and then you'll transition naturally when you exec
the /sbin/init binary if the file is labeled init_exec_t. I think we
did this when using upstart in Fedora to avoid modifying upstart itself.
- load policy from within /sbin/init and then re-exec yourself, using an
environment variable or argument to only do so on the first invocation.
This is what the original patches to SysVinit did in Fedora (and I think
it is what systemd does too).
- load policy from init and invoke setcon() to dynamically switch to the
init context before proceeding. Not preferred, but possible.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
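The three options above in working form, as an added example that is not code from the thread, SysVinit or systemd: a skeleton init that loads policy and re-execs itself (option 2), then reads back its own context and falls back to an explicit dynamic transition (option 3) if it is still not init_t. The same load_policy_from() called from an initramfs /init before it execs the real /sbin/init is option 1. It talks to the kernel interfaces directly instead of going through libselinux, so it builds with plain cc: writing the binary policy to /sys/fs/selinux/load is what security_load_policy() does, and writing a context to /proc/self/attr/current is what setcon() does. The marker variable SELINUX_INIT_REEXEC, the policy path, the init context string and the procfs/selinuxfs path parameters are my assumptions, not anything the thread states.

```c
/* Added example, not code from the thread, SysVinit or systemd. Kernel
 * interfaces are used directly so this builds without libselinux. Marker
 * name, policy path and init context are assumptions, not from the thread. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define REEXEC_MARKER "SELINUX_INIT_REEXEC"                    /* assumed */
#define SELINUXFS     "/sys/fs/selinux"        /* must already be mounted */
#define PROCFS        "/proc"
#define POLICY_PATH   "/etc/selinux/targeted/policy/policy.24" /* assumed */
#define INIT_CONTEXT  "system_u:system_r:init_t"               /* assumed */

/* selinuxfs/load and the attr files take the whole value in ONE write(2);
 * a short write is a failure, not something to retry. Returns 0 or -1. */
static int write_once(const char *path, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* What security_load_policy() does: feed the binary policy to <selinuxfs>/load. */
int load_policy_from(const char *policy_path, const char *selinuxfs)
{
    struct stat st;
    char load[256], *policy = NULL;
    size_t got = 0;
    int fd = open(policy_path, O_RDONLY), rc = -1;
    if (fd >= 0 && fstat(fd, &st) == 0 && st.st_size > 0)
        policy = malloc((size_t)st.st_size);
    while (policy && got < (size_t)st.st_size) {   /* read the whole file */
        ssize_t n = read(fd, policy + got, (size_t)st.st_size - got);
        if (n <= 0) break;
        got += (size_t)n;
    }
    if (policy && got == (size_t)st.st_size) {
        snprintf(load, sizeof load, "%s/load", selinuxfs);
        rc = write_once(load, policy, got);
    }
    if (fd >= 0) close(fd);
    free(policy);
    return rc;
}

/* What getcon() does: read this process's context (the field ps -Z shows). */
int current_context(const char *procfs, char *out, size_t n)
{
    char path[256];
    snprintf(path, sizeof path, "%s/self/attr/current", procfs);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, out, n - 1);   /* tiny file, one read suffices */
    close(fd);
    if (got <= 0) return -1;
    out[got] = '\0';
    return 0;
}

/* What setcon() does (option 3): dynamic transition, if policy allows it. */
int set_current_context(const char *procfs, const char *ctx)
{
    char path[256];
    snprintf(path, sizeof path, "%s/self/attr/current", procfs);
    return write_once(path, ctx, strlen(ctx));
}

/* 1 if the type (third field) of ctx is type, 0 if not, -1 if malformed;
 * a trailing MLS range such as ":s0-s0:c0.c1023" is ignored. */
int context_has_type(const char *ctx, const char *type)
{
    const char *p = strchr(ctx, ':');
    p = p ? strchr(p + 1, ':') : NULL;
    if (!p || p[1] == '\0' || p[1] == ':') return -1;
    size_t len = strcspn(++p, ":");
    return len == strlen(type) && strncmp(p, type, len) == 0;
}

int main(int argc, char **argv)
{
    char ctx[256];
    (void)argc;
    /* Option 2: load policy once, then exec the init_exec_t binary so the
     * kernel applies the kernel_t -> init_t transition. The marker, passed on
     * through the environment, stops the second instance from repeating it. */
    if (getenv(REEXEC_MARKER) == NULL &&
        load_policy_from(POLICY_PATH, SELINUXFS) == 0) {
        setenv(REEXEC_MARKER, "1", 1);
        execv("/sbin/init", argv);
        perror("re-exec of /sbin/init failed");
    }
    /* Still not init_t (the kernel_t symptom above)? Fall back to option 3. */
    if (current_context(PROCFS, ctx, sizeof ctx) == 0 &&
        context_has_type(ctx, "init_t") == 0 &&
        set_current_context(PROCFS, INIT_CONTEXT) < 0)
        fprintf(stderr, "init still %s: dynamic transition failed\n", ctx);
    return 0;   /* normal init work (rc scripts, gettys) would follow */
}
```

Before trusting the exec route, check the two things it depends on: `ls -Z /sbin/init` must show init_exec_t (a mislabeled binary gets no transition and the process stays in kernel_t, which is exactly the symptom reported), and `sesearch -T -s kernel_t -t init_exec_t -c process` must list the type_transition to init_t. The setcon() fallback additionally needs policy to allow process dyntransition from kernel_t to init_t, which is one reason the message calls it not preferred. Do not run the binary as anything but PID 1 on a real box: the first thing it does is try to write a policy to /sys/fs/selinux/load, which needs CAP_MAC_ADMIN and will replace the loaded policy if it succeeds; exercise the functions from a harness instead.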
Thread overview: 19+ messages
2011-06-24 12:04 Wrong context for user c.r.madhusudhanan
2011-06-24 12:53 ` Daniel J Walsh
2011-06-24 12:57 ` Stephen Smalley
2011-06-24 13:44 ` c.r.madhusudhanan
2011-06-24 13:55 ` Daniel J Walsh
2011-06-24 14:11 ` Stephen Smalley [this message]
2011-06-24 14:44 ` c.r.madhusudhanan
2011-06-24 14:48 ` Stephen Smalley
2011-06-24 14:52 ` c.r.madhusudhanan
2011-06-24 15:09 ` Stephen Smalley
2011-06-24 15:50 ` c.r.madhusudhanan
2011-06-24 21:26 ` Sam Gandhi
2011-06-28 15:34 ` c.r.madhusudhanan
2011-07-01 13:23 ` Stephen Smalley
2011-07-01 13:50 ` Stephen Smalley
2011-07-05 14:43 ` c.r.madhusudhanan
2011-07-01 13:56 ` Stephen Smalley
2011-07-01 16:17 ` Stephen Smalley
2011-07-06 14:14 ` c.r.madhusudhanan