|Main Archive Page > Month Archives > fedora-selinux archives|
On 16/06/09 14:53, Dominick Grift wrote:
> On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
>>>>> unconfined_t -> squid_exec_t -> unconfined_t
>>>>> But unconfined processes starting init scripts have a transition
>>>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>>>>> So any time you are using a confined process you should use the init
>>>>> script to start them, otherwise you could get mislabeled files.
> The AVC denial was about squid_t trying to access var_run_t.
> If unconfined_t executed squid_exec_t then the domain would not be
> If squid would run as squid_t then the pid would not be var_run_t.
> The AVC denial does not seem to make sense. Maybe only if two squid
> processes were running, one unconfined and one confined, that were
Perhaps squid was first run unconfined, creating /var/run/squid.pid that was var_run_t, then run again using the initscript, causing the denial when trying to access the pidfile?
Paul. -- fedora-selinux-list mailing list email@example.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list