From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 12 Oct 2011 16:58:34 +0200
Subject: [refpolicy] Error when using refpolicy with apache httpd service
In-Reply-To: <1318422025.1949.3.camel@x220.mydomain.internal>
References: <1318422025.1949.3.camel@x220.mydomain.internal>
Message-ID: <1318431514.2238.57.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2011-10-12 at 14:20 +0200, Dominick Grift wrote:
> On Wed, 2011-10-12 at 21:08 +0900, Thu?n ?inh wrote:
> > Hi,
> >
> >
> > I'm new to SELinux in general and am trying to research refpolicy. When I
> > apply refpolicy on Fedora 15 with the Apache httpd service, I configure
> > build.config to type mcs. When I install and load it to the system, I
> > touch .autorelabel and reboot the system.
> > After that, I started the httpd service and
> > checked with the command: ps -axZ | grep httpd and saw that this service is
> > run by type kernel_t:s0
> > I think something must be wrong. It must be run by httpd_t but it is not.
> > I checked the audit log file and saw that it has this entry
> >
> >
> > denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> > ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
> >
> >
> > Do you have any idea? Please help me to fix this.
> >
>
> Looks like kernel_t never transitioned to the init_t domain. I am not
> sure what kind of init system you are using but its executable file
> should be labelled init_exec_t I believe so that kernel_t can use that
> as an entry file to the init_t domain.
>
> Might just be a labelling issue (make sure to relabel the file system)
>
> Also, what's the output of sestatus -v?

He/she is probably using upstart as init and therefore needs:

    setsebool -P init_upstart=on

If systemd is being used, then it might need a patch (eventually derived
from Fedora) and then:

    setsebool -P init_systemd=on

Regards,

Guido
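
The symptom discussed in this thread (a daemon still running in kernel_t because the kernel_t to init_t transition never happened) can be spotted directly in denial records. The following is an added example, not part of the original messages or of refpolicy: the function names are hypothetical, the first sample line is the denial quoted above and the second is constructed. Kernel threads legitimately run in kernel_t, so the `comms` filter is there to restrict the result to known userspace daemons.

```python
import re

# key=value fields of an AVC denial; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not a denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = m.group(1).split()
    return rec

def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def untransitioned(lines, boot_type="kernel_t", comms=None):
    """List (comm, pid, target type) for denials whose source domain is still
    boot_type. If comms is given, only those command names are reported."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "comm" not in rec:
            continue
        if context_type(rec.get("scontext", "")) != boot_type:
            continue
        if comms is not None and rec["comm"] not in comms:
            continue
        pid = int(rec["pid"]) if rec.get("pid", "").isdigit() else None
        hits.append((rec["comm"], pid, context_type(rec.get("tcontext", ""))))
    return hits

SAMPLE = [
    # Denial quoted in the thread, joined onto one line.
    'denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid" '
    'ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file',
    # Constructed record: a daemon that did transition to its own domain.
    'denied { read } for pid=1201 comm="sshd" name="shadow" dev=sda1 ino=4242 '
    'scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

if __name__ == "__main__":
    for comm, pid, ttype in untransitioned(SAMPLE, comms={"httpd", "sshd"}):
        print(f"{comm} (pid {pid}) is still in kernel_t; denied on {ttype}")
```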