SELinux MLS

Douglas Brown d46.brown at student.qut.edu.au
Wed Jul 3 11:32:17 UTC 2013


Full Splunk or just the universal forwarder? Interested to know how you go.

Cheers,
Doug

From: Robert Gabriel <ephemeric at gmail.com>
Date: Wednesday, 3 July 2013 9:29 PM
To: Daniel J Walsh <dwalsh at redhat.com>
Cc: "selinux at lists.fedoraproject.org" <selinux at lists.fedoraproject.org>
Subject: Re: SELinux MLS




On 3 July 2013 13:11, Daniel J Walsh <dwalsh at redhat.com> wrote:

On 07/02/2013 08:24 AM, Robert Gabriel wrote:
> On 2 July 2013 13:49, Bryan Harris <bryanlharris at me.com> wrote:
>
> Hi Robert,
>
> On Jul 02, 2013, at 06:45 AM, Robert Gabriel <ephemeric at gmail.com> wrote:
>> [root@pluto ~]# service httpd start
>> env: /etc/init.d/httpd: Permission denied
>
> I'm not an MLS expert by any means but I think you want to run a command
> like so,
>
> run_init service httpd start
>
> Bryan
>
>
> Thank you!
>
> I have read the entire RHEL 6 SELinux Guide (and now searched) and they
> don't mention run_init anywhere!
>
> Thank you.
>
In targeted policy we allow unconfined_r roles to transition to system_r.  But
in MLS policy you are forced to run run_init to do the transition.

Luckily most of this will disappear in RHEL7, since systemd will be starting
system daemons, and we will not need this transition for most system daemons.

Thank you.

It's happening now, I'm moving on to allowing Splunk to work.

Thank you Daniel, your blog has proved invaluable in terms of troubleshooting info!
