squid denial on F11 for var_run_t

Dominick Grift domg472 at gmail.com
Tue Jun 16 13:53:56 UTC 2009


On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:

> >>> unconfined_t ->  squid_exec_t ->  unconfined_t
> >>>
> >>> But unconfined processes starting init scripts have a transition
> >>>
> >>> unconfined_t ->  initrc_exec_t ->  initrc_t ->  squid_exec_t ->  squid_t
> >>>
> >>> So any time you are using a confined process you should use the init
> >>> script to start them, otherwise you could get mislabeled files.

The AVC denial was about squid_t trying to access var_run_t.

If unconfined_t executed squid_exec_t then the domain would not be
squid_t.

If squid would run as squid_t then the pid would not be var_run_t.

The AVC denial does not seem to make sense. Maybe only if two squid
processes were running, one unconfined and one confined, that were
conflicting.
