SELinux MLS

Robert Gabriel ephemeric at gmail.com
Tue Jul 2 11:45:43 UTC 2013


Greetz,

I'm struggling with this.

I have MLS enabled along with a freshly relabelled, rebooted system.

I have mapped my Linux user to SELinux user staff_u and do a domain
transition via sudo.

So, here is the dumb question: how do I start httpd?

%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL

[root at pluto ~]# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
[root at pluto ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    SystemLow
robert                    staff_u                   SystemLow-SystemHigh
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

[root at pluto ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

staff_u         user       SystemLow  SystemLow-SystemHigh  auditadm_r staff_r secadm_r sysadm_r system_r

[root at pluto ~]# service httpd start
env: /etc/init.d/httpd: Permission denied

[root at pluto ~]# secon -f /usr/sbin/httpd
user: system_u
role: object_r
type: httpd_exec_t
sensitivity: SystemLow
clearance: SystemLow
mls-range: SystemLow

Do I have to transition to some domain (newrole?) or can I be in a domain
(allowed of course) that will execute the process and then do the transition?

Thank you.