Hi,
rpm runs a helper after glibc updates that does a /sbin/service sshd
condrestart. The present policy doesn't properly transition domains for
this restarting of sshd by rpm, so if you have updated your glibc, your
sshd may be running in the wrong domain. ps -eZ | grep sshd should show
a context of system_u:system_r:sshd_t. If it does not, then do a
/sbin/service sshd condrestart. Policy patch below.
Index: policy/domains/program/unused/rpm.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/rpm.te,v
retrieving revision 1.24
diff -u -r1.24 rpm.te
--- policy/domains/program/unused/rpm.te 12 Jul 2004 16:41:48 -0000 1.24
+++ policy/domains/program/unused/rpm.te 12 Aug 2004 18:42:44 -0000
@@ -59,6 +59,7 @@
allow rpm_t devtty_t:chr_file rw_file_perms;
domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
+domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
ifdef(`cups.te', `
r_dir_file(cupsd_t, rpm_var_lib_t)
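Review bot: the added `domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)` line has no comment, and as written it covers every initrc_exec_t entry point executed from rpm_t, not only the sshd condrestart that motivated it. A one-line comment above the rule naming the glibc update helper and its /sbin/service call would record why the transition exists. It is also worth confirming that the wider scope is intended.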
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
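Added example (not part of the original message or of the SELinux policy sources): a shell helper that automates the `ps -eZ | grep sshd` check described above, reporting any sshd process whose domain is not sshd_t. The function name, the exit codes and the sample process listings are assumptions constructed for illustration; the message does not say which domain a mis-transitioned sshd ends up in, so `rpm_t` in the sample is a placeholder.

```shell
#!/bin/sh
# Added example: flag sshd processes whose SELinux type is not sshd_t.
# Expected input is `ps -eZ` output: LABEL PID TTY TIME CMD.

# Reads `ps -eZ` style lines on stdin and prints "PID CONTEXT" for every
# sshd process outside sshd_t.
# Exit status: 0 = all sshd processes in sshd_t, 1 = at least one in
# another domain, 2 = no sshd process found (nothing to judge).
check_sshd_domain() {
    awk '
        $NF == "sshd" {
            seen = 1
            # A context is user:role:type, optionally followed by an MLS
            # level; the third colon-separated field is the domain.
            split($1, ctx, ":")
            if (ctx[3] != "sshd_t") { bad = 1; print $2, $1 }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample listings (not captured from a real system).
SAMPLE_OK='LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:01 init
system_u:system_r:sshd_t 2211 ? 00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 2240 ? 00:00:00 sshd'

# rpm_t is a placeholder for "some domain other than sshd_t".
SAMPLE_BAD='LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:01 init
system_u:system_r:rpm_t 2304 ? 00:00:00 sshd'

# Demo on the constructed data; on a live host use:
#   ps -eZ | check_sshd_domain || /sbin/service sshd condrestart
printf '%s\n' "$SAMPLE_BAD" | check_sshd_domain \
    || echo "sshd is outside sshd_t: run /sbin/service sshd condrestart"
```
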