fedora-selinux June 2009 archive

Re: squid denial on F11 for var_run_t

From: Paul Howarth <paul_at_nospam>
Date: Tue Jun 16 2009 - 14:10:38 GMT
To: Dominick Grift <domg472@gmail.com>


On 16/06/09 14:53, Dominick Grift wrote:
> On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
>
>>>>> unconfined_t -> squid_exec_t -> unconfined_t
>>>>>
>>>>> But unconfined processes starting init scripts have a transition
>>>>>
>>>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>>>>>
>>>>> So any time you are using a confined process you should use the init
>>>>> script to start them, otherwise you could get mislabeled files.
>
> The AVC denial was about squid_t trying to access var_run_t.
>
> If unconfined_t executed squid_exec_t then the domain would not be
> squid_t.
>
> If squid would run as squid_t then the pid would not be var_run_t.
>
> The AVC denial does not seem to make sense. Maybe only if two squid
> processes were running, one unconfined and one confined, that were
> conflicting.

Perhaps squid was first run unconfined, creating /var/run/squid.pid that was var_run_t, then run again using the initscript, causing the denial when trying to access the pidfile?

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
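As an added illustration (not code from the thread or from the Fedora policy), a small parser that takes an AVC denial like the one under discussion and checks whether the target file's type is the one policy expects for that file name, which separates a mislabeled pid file (fix with restorecon) from a genuine policy gap. The sample record and the expected-type table are constructed here, with the squid_var_run_t name assumed from the reference policy; on a live host the expected type should come from `matchpathcon` instead.

```python
import re

# Constructed sample AVC record (not from the thread): confined squid_t is
# denied read on a pid file carrying the generic var_run_t type, the label a
# file gets when an unconfined process created it instead of the init script.
SAMPLE_AVC = (
    'type=AVC msg=audit(1245160000.123:42): avc:  denied  { read } for  '
    'pid=2345 comm="squid" name="squid.pid" dev=tmpfs ino=9876 '
    'scontext=system_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file'
)

# Assumed expectation (illustrative, not read from the live policy): the type
# policy assigns squid's pid file. On a real host use `matchpathcon` instead.
EXPECTED_TYPE = {"squid.pid": "squid_var_run_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?name="(?P<name>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Extract the fields of one AVC denial line; None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec

def selinux_type(context):
    """Return the type field of a user:role:type[:range] context."""
    return context.split(":")[2]

def diagnose(line, expected=EXPECTED_TYPE):
    """'mislabeled': target type differs from what policy expects (restorecon
    fixes it); 'policy': label is right, the access itself is disallowed;
    'unknown': no expectation recorded for this file name."""
    rec = parse_avc(line)
    if rec is None:
        return None
    actual = selinux_type(rec["tcontext"])
    wanted = expected.get(rec["name"])
    verdict = ("unknown" if wanted is None
               else "mislabeled" if wanted != actual else "policy")
    return {"domain": selinux_type(rec["scontext"]), "target": rec["name"],
            "target_type": actual, "expected_type": wanted,
            "perms": rec["perms"], "verdict": verdict}
```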