On Tue, 2009-06-16 at 08:49 -0400, Daniel J Walsh wrote:
> On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
>> Unconfined processes tend to stay unconfined. That is what uses expect,
>> telling them that they are executing an uconfined process that suddenly
>> becomes confined, seems wrong to them. That being said, you can end up
>> with mislabeled files because of this.
>>
>> So
>>
>>
>> unconfined_t -> squid_exec_t -> unconfined_t
>>
>> But unconfined processes starting init scripts have a transition
>>
>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t ->
squid_t
>>
>> So any time you are using a confined process you should use the init
>> script to start them, otherwise you could get mislabeled files.
>
>
> I also just wrote a blog on this.
>
>
http://danwalsh.livejournal.com/29041.html
Hmm...when did this change? It used to be the case that a domain
transition was also defined directly from unconfined_t to the daemon
domain when running the daemon binary, precisely because users and
scriptlets sometimes do that.
About FC5 time frame. The most common error caused by this was
AVC's about getattr in homedir, redirection of stdout blowing up because
squid_t can not write to user_tmp_t. Etc.