avc denied from mDNSResponder

Stephen Smalley sds at epoch.ncsc.mil
Mon Jul 12 20:08:28 UTC 2004


On Mon, 2004-07-12 at 08:53, Stephen Smalley wrote:
> The fact that it is running in user_u likely means that it is being
> started via su (to run in some pseudo user identity), and since that
> pseudo user identity does not exist in the policy, it is being remapped
> to user_u.

I confirmed this; /etc/init.d/mDNSResponder does a su -s /bin/bash -
nobody -c mDNSResponder to start the daemon.  As "nobody" doesn't exist
as a user identity in the SELinux policy, su ends up falling back to
user_u as the default.  Hence, to start with, you would want to replace
the use of su with a wrapper program to set the uid/gid without
performing a domain transition, and you would still need to define a
domain for mDNSResponder.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
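The wrapper suggested above, as an added example that is not part of the original post and not code from mDNSResponder or its init script: a small setuid-root helper (hypothetical name nobodywrap) that resolves a Linux user, drops to its uid/gid and supplementary groups, and execs the daemon. It does nothing SELinux-specific, which is the point: unlike su it consults neither PAM nor the policy's user-identity mapping, so the daemon keeps the caller's SELinux context (e.g. the init script's) and only changes domain if the policy defines a type transition on the daemon's executable. It assumes Linux/glibc.

```c
/* nobodywrap.c: drop to a named user's uid/gid, then exec a command.
 * Added example, not code from the mailing-list post or from mDNSResponder.
 * Assumes Linux/glibc; the program name and its interface are hypothetical.
 *
 * Usage from an init script (running as root):
 *     nobodywrap nobody /usr/sbin/mDNSResponder
 *
 * Unlike "su -s /bin/bash - nobody -c ...", this never touches the SELinux
 * context: no PAM session, no mapping of the Linux user to an SELinux user
 * identity, so the child keeps the caller's context and any domain change
 * comes only from the policy's type transition on the executable.
 */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a user name to its uid/gid. Returns 0 on success, -1 if unknown. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Convenience: uid of a user as an int, or -1 if the user does not exist. */
int user_uid(const char *name)
{
    uid_t uid;
    gid_t gid;
    if (resolve_user(name, &uid, &gid) != 0)
        return -1;
    return (int)uid;
}

/* 1 if real and effective uid/gid all equal the requested identity, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Switch permanently (real, effective and saved ids) to uid/gid.
 * Order matters: supplementary groups and gid first, while still root,
 * then uid last. A no-op when already running as that identity, so an
 * unprivileged caller can use it too. Returns 0 on success, -1 on error. */
int drop_to(const char *name, uid_t uid, gid_t gid)
{
    if (privileges_dropped(uid, gid))
        return 0;
    if (initgroups(name, gid) != 0)   /* needs root */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Belt and braces: after a real drop, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <user> <command> [args...]\n", argv[0]);
        return 2;
    }
    if (resolve_user(argv[1], &uid, &gid) != 0) {
        fprintf(stderr, "%s: unknown user %s\n", argv[0], argv[1]);
        return 1;
    }
    if (drop_to(argv[1], uid, gid) != 0) {
        perror("drop_to");
        return 1;
    }
    /* execvp replaces this image; the daemon inherits the new uid/gid and
     * the unchanged SELinux context (subject to the policy's type transition). */
    execvp(argv[2], &argv[2]);
    perror(argv[2]);
    return 127;
}
```

Two things "su -" did that this wrapper deliberately does not: it started a login shell (so HOME, PATH and the like were reset for nobody) and it ran through PAM. If the daemon needs a particular environment, set it in the init script before calling the wrapper; the second behaviour is exactly what caused the fallback to user_u. As the post says, the wrapper alone only fixes the user identity; a domain for mDNSResponder still has to be defined in policy, and it is the type transition on the daemon's executable that puts the process into it.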