Re: initrc_t has no execmod in targeted policy

[Vladimir Simonov <Vladimir.Simonov@acronis.com>]

Hi,

Ok. Thank you a lot.
I'll investigate deeper which code triggers
relocation.

Best regards
Vladimir Simonov

Stephen Smalley wrote:
> On Mon, 2006-02-06 at 22:35 +0300, Vladimir Simonov wrote:
> 
>>Really dlopen-ed shared libs are quite typical -
>>created with --shared, -fpic, etc. They (and daemon itself)
>>do not use direct mmap/mprotect syscalls (just libc calls).
>>Daemon is called from simple bash init script located in
>>/etc/init.d. And I don't put bash script/demon/libs
>>into initrc_t domain directly. I suspect they are in initrc_t
>>by selinux magic.
> 
> 
> dlopen doesn't normally require text relocations - that reflects a
> defect in how the DSO was built usually.  See the URLs I referenced for
> more info.
> 
> Programs stay in the caller's domain unless a domain transition is
> defined.  So your daemon stays in initrc_t unless you put it into its
> own domain.
> 
> 
>>So some question remains:
>>Does selinux (on FC4) permit dlopen call from initrc_t domain?
>>If not, then why?
> 
> 
> See above.  The question is what DSO has text relocations, and why.
> 
> 
>>I'm afraid even if I put all above staff into separate domain
>>(but start daemon from init scripts) the daemon will be moved
>>to initrc_t domain by selinux. Am I correct?
> 
> 
> No, if you define a domain for the daemon and label its executable with
> the corresponding entrypoint type, then executing it (directly or via
> the init script) will transition into the daemon's domain when the
> executable is run.  
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.