I am trying to write a SELinux policy for a daemon which will be started from an init
script on CentOS 6. I seem to be most of the way there, except when running its init
script (with "service bitcoin start"), the daemon starts and runs as
unconfined_u:

    ps -eZ | grep bitcoin
    unconfined_u:system_r:bitcoin_t:s0 19993 ? 00:00:00 bitcoind

I generated the policy using selinux-polgengui, which was included with CentOS 6, selecting
"Standard Init Daemon".

The init script seems to be correctly labeled:

    root@buildbox-el6 ~ # ls -Z /etc/rc.d/init.d/bitcoin
    -rwxr-xr-x. root root system_u:object_r:bitcoin_initrc_exec_t:s0 /etc/rc.d/init.d/bitcoin

The daemon also seems to be correctly labeled:

    root@buildbox-el6 ~ # ls -Z /usr/sbin/bitcoind
    -rwxr-xr-x. root root system_u:object_r:bitcoin_exec_t:s0 /usr/sbin/bitcoind

The bitcoin.if and bitcoin.te are as generated by the tool, though I can provide them if
necessary.
I expected the daemon to run as system_u. When the system boots, the daemon is started as
system_u as expected, but not when I start or restart it with 'service bitcoin
restart'. What's going on here and how do I fix it?