From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 12 Oct 2011 14:20:25 +0200
Subject: [refpolicy] Error when using refpolicy with apache httpd service
In-Reply-To:
References:
Message-ID: <1318422025.1949.3.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2011-10-12 at 21:08 +0900, Thu?n ?inh wrote:
> Hi,
>
> I'm new to SELinux in general and am trying to research refpolicy. I
> applied refpolicy on Fedora 15 with the Apache httpd service, and
> configured build.config to type mcs. After I installed and loaded it
> on the system, I touched .autorelabel and rebooted the system.
> After that, I started the httpd service and
> checked with the command: ps -axZ | grep httpd and saw that this service is
> run by type kernel_t:s0
> I think something must be wrong. It must be run by httpd_t but it is not.
> I checked the audit log file and saw this entry:
>
> denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
>
> Do you have any idea? Please help me to fix this.

Looks like kernel_t never transitioned to the init_t domain. I am not sure what kind of init system you are using, but its executable file should be labelled init_exec_t, I believe, so that kernel_t can use that as an entry file to the init_t domain.

Might just be a labelling issue (make sure to relabel the file system).

Also, what's the output of sestatus -v?

> Regards,
> Quang Thuan
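
Added example, not part of the original message or of refpolicy: a small Python parser for AVC denials like the one quoted above. It flags entries whose source context is still kernel_t for a named userspace command, the symptom that the transition to init_t never happened. The function names and the heuristic are assumptions of this example; the sample line is the quoted denial joined onto one line.

```python
import re

# Constructed sample: the denial quoted in the message, joined onto one line.
SAMPLE = (
    'denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid" '
    'ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file'
)

AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; an MLS/MCS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    for key in ("scontext", "tcontext"):
        if key in fields:
            fields[key] = split_context(fields[key])
    return fields

def stuck_in_kernel_t(avc):
    """Heuristic (assumption of this example): a denial that names a userspace
    command but whose source type is kernel_t means the process tree never
    left the kernel's initial domain, so no daemon transition could occur."""
    return (bool(avc) and "comm" in avc
            and isinstance(avc.get("scontext"), dict)
            and avc["scontext"]["type"] == "kernel_t")

if __name__ == "__main__":
    avc = parse_avc(SAMPLE)
    print(avc["comm"], avc["scontext"]["type"], "->", avc["tcontext"]["type"])
    if stuck_in_kernel_t(avc):
        print("source is kernel_t: check the label on the init executable and relabel")
```
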