2011-10-12 12:08:32

by qthuan

Subject: [refpolicy] Error when using refpolicy with apache httpd service

Hi,

I'm new to SELinux in general and am trying to research refpolicy. I applied
refpolicy on Fedora 15 with the Apache httpd service, and configured
build.config to type mcs. After installing and loading it into the system, I
touched .autorelabel and rebooted the system.
After that, I started the httpd service and
ran the command ps -axZ | grep httpd, and saw that this service is running with
type kernel_t:s0.
I think something must be wrong. It must run as httpd_t but it does not. I
checked the audit log file and saw this entry:

denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file

Do you have any idea? Please help me fix this.

Regards,
Quang Thuan


2011-10-12 12:20:25

by dominick.grift

Subject: [refpolicy] Error when using refpolicy with apache httpd service

On Wed, 2011-10-12 at 21:08 +0900, Thuận Đinh wrote:
> Hi,
>
>
> I'm new to SELinux in general and am trying to research refpolicy. I applied
> refpolicy on Fedora 15 with the Apache httpd service, and configured
> build.config to type mcs. After installing and loading it into the system, I
> touched .autorelabel and rebooted the system.
> After that, I started the httpd service and
> ran the command ps -axZ | grep httpd, and saw that this service is
> running with type kernel_t:s0.
> I think something must be wrong. It must run as httpd_t but it does not.
> I checked the audit log file and saw this entry:
>
>
> denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
>
>
> Do you have any idea? Please help me fix this.


Looks like kernel_t never transitioned to the init_t domain. I am not
sure what kind of init system you are using, but its executable file
should be labelled init_exec_t, I believe, so that kernel_t can use that
as an entry file to the init_t domain.

Might just be a labelling issue (make sure to relabel the file system).

Also, what's the output of sestatus -v?
>
> Regards,
> Quang Thuan
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2011-10-12 14:58:34

by Guido Trentalancia

Subject: [refpolicy] Error when using refpolicy with apache httpd service

On Wed, 2011-10-12 at 14:20 +0200, Dominick Grift wrote:
> On Wed, 2011-10-12 at 21:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> >
> > I'm new to SELinux in general and am trying to research refpolicy. I applied
> > refpolicy on Fedora 15 with the Apache httpd service, and configured
> > build.config to type mcs. After installing and loading it into the system, I
> > touched .autorelabel and rebooted the system.
> > After that, I started the httpd service and
> > ran the command ps -axZ | grep httpd, and saw that this service is
> > running with type kernel_t:s0.
> > I think something must be wrong. It must run as httpd_t but it does not.
> > I checked the audit log file and saw this entry:
> >
> >
> > denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> > ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
> >
> >
> > Do you have any idea? Please help me fix this.
>
>
> Looks like kernel_t never transitioned to the init_t domain. I am not
> sure what kind of init system you are using, but its executable file
> should be labelled init_exec_t, I believe, so that kernel_t can use that
> as an entry file to the init_t domain.
>
> Might just be a labelling issue (make sure to relabel the file system).
>
> Also, what's the output of sestatus -v?

He/she is probably using upstart as init and therefore needs:

setsebool -P init_upstart=on

If systemd is being used, then it might need a patch (eventually derived
from Fedora) and then:

setsebool -P init_systemd=on

Regards,

Guido
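The triage that Dominick and Guido describe above (read the AVC record, notice that a userspace daemon is still in kernel_t, then check PID 1's label, the init binary's file context and the init_upstart / init_systemd booleans), written out as a small POSIX sh script. This is an added example for this thread, not code from the refpolicy project or from any of the posters; the helper names, the detect_init heuristic and the sample AVC line (reconstructed from the first post) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for this refpolicy thread (not project code). Parse an AVC
# denial, decide whether the init domain transition failed, and on a real
# host run the checks the replies ask for. Sample record is constructed
# from the denial quoted in the first post.

SAMPLE_AVC='avc: denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid" ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file'

# avc_field LINE NAME: value of the NAME=VALUE pair in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: a userspace daemon whose scontext type is kernel_t
# means no domain transition ever happened at PID 1 (kernel_t -> init_t via
# an init_exec_t entrypoint), so every later exec stayed in kernel_t too.
classify_avc() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    comm=$(avc_field "$1" comm)
    if [ "$src" = kernel_t ]; then
        echo "init-transition-failed: comm=$comm runs as $src (target $tgt)"
    else
        echo "domain-ok: comm=$comm runs as $src (target $tgt)"
    fi
}

# init_boolean_for FLAVOUR: the refpolicy boolean Guido names for that init
# system; empty for a plain sysvinit, which needs none of them.
init_boolean_for() {
    case "$1" in
        systemd) echo init_systemd ;;
        upstart) echo init_upstart ;;
        *)       echo "" ;;
    esac
}

# detect_init: heuristic (an assumption of this example) for the running
# init system. Upstart answers --version; systemd owns /run/systemd/system.
detect_init() {
    if /sbin/init --version 2>/dev/null | grep -qi upstart; then
        echo upstart
    elif [ -d /run/systemd/system ]; then
        echo systemd
    else
        echo sysvinit
    fi
}

# live_checks: the commands the replies ask for. Only meaningful on the
# affected host; skipped where the SELinux userspace is absent.
live_checks() {
    command -v sestatus >/dev/null 2>&1 || { echo "no SELinux userspace here"; return 1; }
    sestatus -v
    ps -p 1 -o pid,label,comm          # PID 1 should be in init_t, not kernel_t
    ls -LZ /sbin/init                  # -L follows the symlink; expect init_exec_t
    flavour=$(detect_init)
    echo "init system: $flavour"
    bool=$(init_boolean_for "$flavour")
    if [ -n "$bool" ]; then
        getsebool "$bool"              # fix: setsebool -P "$bool" on, then relabel
    fi
}

classify_avc "$SAMPLE_AVC"
if [ "${1:-}" = --live ]; then
    live_checks
fi
```

Run it with no arguments to see the sample denial classified; run it as root with `--live` on the misbehaving Fedora box to get the sestatus output, PID 1's label and the init_exec_t / boolean checks in one go. If PID 1 reports kernel_t, fixing the label or boolean alone is not enough: the transition only happens when init is executed, so a relabel (touch /.autorelabel) plus a reboot is still required.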