On Wed, Jul 14, 2010 at 01:09:26PM -0700, Harley Race wrote:
> Ladies and Gentlemen,
> I am contacting this list because I have questions about how SELinux has been implemented
> in Fedora/RHEL/CentOS. I am trying to write a startup script for Tomcat 5.5. I created a
> tomcat user and group. Made sure that file permissions were set correctly. Tomcat will
> start, but when you do a
> ps -efZ
> instead of tomcat running in system_u, it is running in root. If I check pid and lock
> file, though permissions are set correctly, a "ls -laZ" reveals that tomcat
> writes the pid and lock files with root user context instead of system_u. Same thing with
> log files, they are written with root:object_r:var_log_t instead of
> system_u:object_r:var_log_t. Any ideas on what could be going wrong? SELinux is running
> with targeted policy.
> I tried using both runuser and daemon(), with still the same results.
> Startup script is attached.
Depends on the context of the process that runs the script. But the identity field in a
context is not important in Red Hat distros. The type field is what I would worry about.
The "root" identity in a security context is not the same as the Linux root
account. It is just an attribute used to map roles and sensitivities/compartments to Linux
accounts.
Basically it just tells me that a Linux login that was mapped to the root SELinux user
group ran the script or another agent did.
It also tells me the script was not executed by the system (init).
You could probably run the script with the system_u field with runcon:
runcon -u system myscript
But like I said, it's not important. The type field is important and it looks like that is
not optimal yet. (Looks like the script runs unrestricted)
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
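The reply above makes the point that an SELinux context has four fields (user:role:type:range) and that, under targeted policy, the type field is the one that tells you whether a daemon is actually confined. The following POSIX shell snippet is an added example, not code from either poster or from any distribution: it splits a context label into its fields and scans constructed sample lines in the shape of `ps -eZ` output for processes whose type is `unconfined_t`, which is what "runs unrestricted" looks like in practice. The sample lines, PIDs and command names are made up for illustration.

```shell
#!/bin/sh
# Added example: inspect SELinux process labels field by field.
# Constructed sample in the shape of `ps -eZ` output (LABEL PID TTY TIME CMD).
# These are not real captures; they are labelled sample data.
SAMPLE_PS='system_u:system_r:init_t:s0 1 ? 00:00:01 init
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2140 ? 00:00:00 java
system_u:system_r:httpd_t:s0 1450 ? 00:00:02 httpd'

# ctx_field CONTEXT N -> prints field N of a context:
#   1 = SELinux user, 2 = role, 3 = type, 4 = MLS/MCS range (may itself contain ':')
ctx_field() {
    if [ "$2" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$2"
    fi
}

# is_confined CONTEXT -> exit 0 if the type field is anything other than
# unconfined_t; the user field (root, system_u, ...) is deliberately ignored,
# matching the advice in the thread that the type is what matters.
is_confined() {
    [ "$(ctx_field "$1" 3)" != "unconfined_t" ]
}

# unrestricted_procs -> prints "PID CMD TYPE" for every sample process that is
# not confined; for real use, feed `ps -eZ --no-headers` into the loop instead.
unrestricted_procs() {
    printf '%s\n' "$SAMPLE_PS" | while read -r label pid tty cputime cmd; do
        if ! is_confined "$label"; then
            printf '%s %s %s\n' "$pid" "$cmd" "$(ctx_field "$label" 3)"
        fi
    done
}

# Stand-alone run: report which sample processes run unrestricted.
unrestricted_procs
```

On a live system, replace the sample data with `ps -eZ --no-headers` piped into the same loop. A Tomcat started from a custom init script that shows `unconfined_t` here is running outside any domain, so the fix the reply hints at is a proper domain transition for the daemon rather than changing the user field; the `runcon -u` user in the reply is spelled `system_u` in the labels that `ps -eZ` prints.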