From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Error when using refpolicy with apache httpd service
Date: Wed, 12 Oct 2011 17:39:14 +0200
Message-ID: <1318433954.2238.63.camel@vortex>
In-Reply-To: <1318432505.1949.11.camel@x220.mydomain.internal>

On Wed, 2011-10-12 at 17:15 +0200, Dominick Grift wrote:
> On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> >
> > I find it very strange that /sbin/init is labeled bin_t.
> >
> > /sbin/init points to /bin/systemd.
> >
> > I checked in /system/init.fc, which has defined:
> >
> >
> > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> >
> > So, I changed it to:
> >
> >
> > /bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
> > /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> >
> > And then I did make, install, load and relabel again.
> >
> > But after that, /sbin/init is still labeled bin_t (whereas
> > /bin/systemd now has init_exec_t).
> >
> > I find it very strange. So, I tried to relabel it with the command:
> >
> >
> > chcon -t init_exec_t /sbin/init
>
> The /sbin/init symbolic link can be bin_t, no problem.
>
> /sbin/systemd though should be type init_exec_t.
>
> The problem is that reference policy currently does not support systemd.
>
> systemd is not stable yet.
>
> refpolicy is waiting until systemd is stable before she will support it,
> because there are too many changes happening to systemd currently.
>
> You could probably, at least to some extent, work around the issues by
> making init an unconfined domain, but that will probably cause issues as
> well. So if you are not comfortable with SELinux you may want to avoid
> that.
>
> Instead, use the policy provided/supported by your distribution.

Consider that Justin Mattock has recently submitted an initial patch (derived
from F15, I suppose) for better supporting systemd in the reference
policy:

18th September 2011
[RFC 1/2]selinux-contrib: add systemd support to refpolicy git
[RFC 2/2] refpolicy: add systemd support to tresys main policy

It's probably worth trying that out (along with the init_systemd
boolean), if it's using systemd...

Regards,

Guido
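
An added illustration, not part of the original message and not refpolicy or libselinux code: a simplified Python model of file-context lookup showing why the `/sbin/init` symlink keeps `bin_t` while `/bin/systemd` gets `init_exec_t`. The `--` specifier limits an entry to regular files; the two catch-all `bin_t` entries and the specificity ordering used here are assumptions standing in for the real policy and matching rules.

```python
import re
import stat

# Constructed sample entries: (anchored path regex, file-type specifier, type).
# The init_exec_t entries are the modified ones quoted in the thread; the
# catch-all bin_t entries are assumed stand-ins for the policy's generic rules.
ENTRIES = [
    (r"/bin/.*", None, "bin_t"),
    (r"/sbin/.*", None, "bin_t"),
    (r"/bin/systemd", "--", "init_exec_t"),
    (r"/sbin/init", "--", "init_exec_t"),
]

# File-type specifiers used in file_contexts; no specifier means "any type".
SPEC_TO_FMT = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
    "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
    "-p": stat.S_IFIFO,
}
META = set(".^$?*+|[](){}\\")


def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in META:
            return i
    return len(regex)


def lookup(path, mode, entries=ENTRIES):
    """Return the type of the most specific entry matching path and file type."""
    best = None
    for regex, spec, setype in entries:
        # An entry with a specifier only applies to that kind of file.
        if spec is not None and SPEC_TO_FMT[spec] != stat.S_IFMT(mode):
            continue
        if not re.fullmatch(regex, path):
            continue
        # Assumed ordering: literal path beats regex, then longer literal
        # prefix, then an entry that names a file type; later entry wins ties.
        key = (stem_len(regex) == len(regex), stem_len(regex), spec is not None)
        if best is None or key >= best[0]:
            best = (key, setype)
    return best[1] if best else None


if __name__ == "__main__":
    print(lookup("/sbin/init", stat.S_IFLNK | 0o777))    # symlink
    print(lookup("/bin/systemd", stat.S_IFREG | 0o755))  # regular file
```

In this model, an entry written with `-l` (or with no specifier) would be needed for the symlink itself to receive a type other than the catch-all one.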