From: Carlos Anisio Monteiro <monteiro@ipen.br>
To: Stephen Smalley <sds@epoch.ncsc.mil>,
Russell Coker <russell@coker.com.au>,
Daniel J Walsh <dwalsh@redhat.com>,
selinux@tycho.nsa.gov
Subject: Re: process context
Date: Mon, 20 Oct 2003 08:54:39 -0200
Message-ID: <3F93BEEF.9060904@ipen.br>
In-Reply-To: 1066392235.31764.6.camel@moss-spartans.epoch.ncsc.mil
[-- Attachment #1: Type: text/plain, Size: 2188 bytes --]
Stephen Smalley wrote:
>On Thu, 2003-10-16 at 14:57, Carlos Anisio Monteiro wrote:
>
>
>>Hi.
>>
>>The system has many processes running in the following context:
>>system_u:system_r:kernel_t (see example below).
>>
>>
><snip>
>
>
>>This happens at boot time.
>>
>>Is this correct? Shouldn't processes, e.g. init, syslogd, klogd,
>>be running in the proper context?
>>E.g.:
>>init - system_u:system_r:init_t
>>klogd - system_u:system_r:klogd_t
>>cron - system_u:system_r:cron_t
>>
>>If yes, how do I resolve this?
>>
>>
>
>The possible scenarios are:
>1) You never labeled /sbin/init with system_u:object_r:init_exec_t.
>Based on your prior email, you have labeled /sbin/init, so this is not
>the cause.
>
>2) You labeled /sbin/init initially, but you are running prelink on your
>system and do not have the patched prelink program, so prelink is
>cheerfully unlinking it and re-creating it with the default type,
>causing it to fall back into sbin_t. You can check for this by doing a
>'ls --context /sbin/init' again. Dan Walsh has a patched prelink
>program that preserves security contexts available from his site,
>ftp://people.redhat.com/dwalsh/SELinux. prelink is enabled by default
>in Fedora Core.
>
>3) /sbin/init is labeled correctly, but the policy is not loaded prior
>to starting it, so the domain transition rule isn't defined when the
>execution occurs. This would happen if you failed to load the policy
>from an initrd prior to execution of /sbin/init, or if you are trying to
>perform the initial policy load via /sbin/init itself without
>re-exec'ing it after performing the load.
>
>
>
I loaded the policy in the initrd image, and the boot process and the
contexts are fine. The policies must be loaded prior to the init process.
*I am much obliged to you*.
However, whenever I change a policy I have to update the policies in
the initrd image. Or can I load a minimum of policies in the initrd
image and the remainder from a script in the /etc/init.d directory? That
way, the updates to the policies in the initrd image should be very small.
Again, thanks! Thanks!
--
Carlos Anisio Monteiro <monteiro@ipen.br>
IPEN/CNEN-SP
Sao Paulo - Brasil
[-- Attachment #2: Type: text/html, Size: 2814 bytes --]
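A triage sketch for the three scenarios listed in the quoted reply, as an added example that is not part of the original thread or of any SELinux tool. The function names (`ctx_type`, `diagnose_init`, `stuck_in_kernel_t`) and the sample process list are constructed for illustration; the skip rule for kernel threads is an assumption.

```shell
#!/bin/sh
# Added example: triage for user-space processes left in kernel_t.
# Contexts are user:role:type (the form used in this thread); a trailing
# :level field, as found on later systems, is tolerated.

# Extract the type (third field) from a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map the label of /sbin/init and the context of PID 1 to the scenarios
# in the reply. $1 = file context of /sbin/init, $2 = context of PID 1.
diagnose_init() {
    file_type=$(ctx_type "$1")
    proc_type=$(ctx_type "$2")
    if [ "$file_type" != "init_exec_t" ]; then
        echo "mislabeled"          # scenarios 1 and 2: never labeled, or label lost
    elif [ "$proc_type" = "kernel_t" ]; then
        echo "policy-not-loaded"   # scenario 3: label right, no transition at exec
    else
        echo "ok"
    fi
}

# Read "label pid args" lines on stdin and print the PIDs of user-space
# processes in kernel_t. ps shows kernel threads as [name]; those are skipped
# (assumption: kernel threads are expected to stay in kernel_t).
# Live input: ps -eo label,pid,args | sed 1d | stuck_in_kernel_t
stuck_in_kernel_t() {
    while read -r label pid args; do
        [ "$(ctx_type "$label")" = "kernel_t" ] || continue
        case $args in
            \[*\]) ;;                      # kernel thread, skip
            *) printf '%s\n' "$pid" ;;     # user-space process in kernel_t
        esac
    done
}

# Constructed sample in the layout of `ps -eo label,pid,args` (header removed).
# "init [3]" is a user-space process whose title merely ends in brackets.
SAMPLE_PS='system_u:system_r:kernel_t 1 init [3]
system_u:system_r:kernel_t 2 [keventd]
system_u:system_r:kernel_t 412 syslogd -m 0
system_u:system_r:klogd_t 416 klogd -x
system_u:system_r:kernel_t 5 [kswapd]'
```

The file context passed to `diagnose_init` is the one reported by `ls --context /sbin/init`, the check named in the reply.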