From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Error when using refpolicy with apache httpd service
Date: Wed, 12 Oct 2011 16:58:34 +0200
Message-ID: <1318431514.2238.57.camel@vortex>
In-Reply-To: <1318422025.1949.3.camel@x220.mydomain.internal>

On Wed, 2011-10-12 at 14:20 +0200, Dominick Grift wrote:
> On Wed, 2011-10-12 at 21:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> >
> > I'm new to SELinux in general and am trying to research refpolicy. I applied
> > refpolicy on Fedora 15 with the Apache httpd service, and configured
> > build.config to type mcs. When I installed and loaded it onto the system, I
> > touched .autorelabel and rebooted the system.
> > After that, I started the httpd service and
> > checked with the command: ps -axZ | grep httpd and saw that this service is
> > run by type kernel_t:s0
> > I think something must be wrong. It must be run by httpd_t but it is not.
> > I checked the audit log file and saw the following entry:
> >
> >
> > denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> > ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
> >
> >
> > Do you have any idea? Please help me to fix this.
>
>
> Looks like kernel_t never transitioned to the init_t domain. I am not
> sure what kind of init system you are using, but its executable file
> should be labelled init_exec_t, I believe, so that kernel_t can use that
> as an entry file to the init_t domain.
>
> Might just be a labelling issue (make sure to relabel the file system).
>
> Also, what's the output of sestatus -v?

He/she is probably using upstart as init and therefore needs:

  setsebool -P init_upstart=on

If systemd is being used, then it might need a patch (eventually derived
from Fedora) and then:

  setsebool -P init_systemd=on

Regards,

Guido
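
The symptom discussed in this thread (a daemon denied while its source context is still kernel_t, which the replies attribute to init never transitioning to init_t) can be picked out of a batch of denials with a small filter. This is an added example, not code from the thread or from refpolicy; the function names are hypothetical, and the sample lines are constructed, the first being the denial quoted above joined onto one line.

```shell
#!/bin/sh
# Added example, not from the thread. Reads AVC denial lines on stdin and
# prints "<comm> <count>" for every command that was denied while its
# source context (scontext) type was still kernel_t.

kernel_t_denials() {
    awk '
    /denied/ {
        comm = ""; stype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                comm = $i
                sub(/^comm=/, "", comm)
                gsub(/"/, "", comm)   # comm may or may not be quoted
            }
            if ($i ~ /^scontext=/) {
                # scontext=user:role:type:level -> type is the 4th piece
                split($i, ctx, "[=:]")
                stype = ctx[4]
            }
        }
        if (stype == "kernel_t" && comm != "") seen[comm]++
    }
    END { for (name in seen) print name, seen[name] }' | sort
}

# Constructed sample input. Line 1 is the denial from the thread on one
# line; lines 2-4 are invented for illustration.
sample_avc_lines() {
    cat <<'EOF'
denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid" ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
denied { read } for pid=301 comm="crond" name="example" dev=tmpfs scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
denied { read } for pid=402 comm="httpd" name="example" dev=dm-0 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
denied { write } for pid=28591 comm="httpd" name="example" dev=tmpfs scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
EOF
}

sample_avc_lines | kernel_t_denials
```

Any command listed here is a userspace process that never left kernel_t, so the next things to look at are the ones the replies name: the label on the init executable, the init_upstart or init_systemd boolean, and a relabel.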