user_t daemons (Re: mDNSResponder running in user_t)

Richard Hally rhally at mindspring.com
Sat Oct 2 22:23:21 UTC 2004


Yuichi Nakamura wrote:

>I found iiim (htt_server) is also running as "user_t".
>Daemon programs started using su run as "user_t".
>
>Transition like
>initrc_t(initrc script)->su_exec_t->initrc_su_t(su)->user_t(daemon)
>is happening.
>
>I think su command or initscripts or daemon should be fixed.
>
>
>Tom London <selinux at gmail.com> wrote:
>
>>Running strict/enforcing, off of latest Rawhide.
>>
>>'ps agxZ' yields:
>>system_u:system_r:rpcd_t         2419 ?        Ss     0:00 rpc.statd
>>system_u:system_r:rpcd_t         2447 ?        Ss     0:00 rpc.idmapd
>>user_u:user_r:user_t             2551 ?        Ssl    0:00 mDNSResponder
>>system_u:system_r:fsdaemon_t     2563 ?        S      0:00 /usr/sbin/smartd
>>
>>Should mDNSResponder be running as user_u:user_r:user_t?
>>daemon_base_domain() generates a 
>>domain_auto_trans(initrc_t, howl_exec_t, howl_t)
>>
>>So, should it be running in howl_t?
>>
>>It gets started from /etc/rc.d/init.d/mDNSResponder:
>>         su -s /bin/bash - nobody -c mDNSResponder $OTHER_MDNSRD_OPTS >/dev/null
>>
>>That right?
>>   tom
>>-- 
>>Tom London
>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list at redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>---
>Yuichi Nakamura
>Japan SELinux Users Group(JSELUG)
>  http://www.selinux.gr.jp/
>Hitachi Software
>    http://www.selinux.hitachi-sk.co.jp/en
>The George Washington University
>
>
Dan Walsh has come up with a new program called "runuser" (in the latest
coreutils) that is intended to replace "su" in these situations (e.g.
init scripts). Try replacing "su" with "runuser" in the script and see
what happens.
HTH
Richard Hally
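
An added example, not part of the original message or of any project's own scripts: a small audit that flags tty-less processes running in user_t from 'ps agxZ' output, finds the su invocations in init scripts that cause the transition discussed above, and prints the runuser form of such a line. The function names and the sample data are assumptions made for illustration; the sample lines are constructed from the ps output quoted in the thread.

```bash
#!/bin/bash
# Added example. Sample data is constructed from the ps output quoted in the thread.

# Read `ps agxZ`-style lines (CONTEXT PID TTY STAT TIME COMMAND) on stdin and
# print "PID COMMAND" for each process with no controlling tty ("?") whose
# SELinux type is user_t, i.e. a likely daemon that landed in a user domain.
find_user_t_daemons() {
    awk '{
        n = split($1, ctx, ":")            # user:role:type[:level]
        if (n >= 3 && ctx[3] == "user_t" && $3 == "?") {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            print $2, cmd
        }
    }'
}

# Print "file:line:text" for each non-comment line that invokes su as a command.
find_su_in_initscripts() {
    grep -HnE '(^|[[:space:];&|(])su[[:space:]]' "$@" |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Rewrite the first su invocation on each stdin line to runuser.
# Assumption: runuser accepts the same -s, - and -c options as su.
suggest_runuser() {
    sed -E 's/(^|[[:space:];&|(])su([[:space:]])/\1runuser\2/'
}

# Constructed sample: three lines from the thread plus one interactive shell.
sample_ps() {
    cat <<'EOF'
system_u:system_r:rpcd_t         2419 ?        Ss     0:00 rpc.statd
user_u:user_r:user_t             2551 ?        Ssl    0:00 mDNSResponder
user_u:user_r:user_t             3010 pts/0    Ss     0:00 bash
system_u:system_r:fsdaemon_t     2563 ?        S      0:00 /usr/sbin/smartd
EOF
}

sample_ps | find_user_t_daemons
```

On a live system, feed the first function from 'ps agxZ' and point the second at /etc/rc.d/init.d/*; after editing a script, restart the service and re-check its context with ps.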



