From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 12 Oct 2011 17:15:05 +0200
Subject: [refpolicy] Error when using refpolicy with apache httpd service
In-Reply-To: <CAP+-i3Bz7NXpQc7uEGiP2n=U-g2R4itj=H38i9cfD6HrCU9Nyg@mail.gmail.com>
References: <CAP+-i3Dy-Kv3Tu2+MZo+JzUgWHavtWLbtmnDgEa6L+sKX093aA@mail.gmail.com>
	<1318422025.1949.3.camel@x220.mydomain.internal>
	<CAP+-i3CDciFhdjN_uC_GeKavheskc_hCJnDnVxOV2NB4LCTk8g@mail.gmail.com>
	<1318425414.1949.6.camel@x220.mydomain.internal>
	<CAP+-i3Bz7NXpQc7uEGiP2n=U-g2R4itj=H38i9cfD6HrCU9Nyg@mail.gmail.com>
Message-ID: <1318432505.1949.11.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2011-10-13 at 00:08 +0900, Thu?n ?inh wrote:
> Hi,
> 
> 
> I'm very strange that the /sbin/init is labeled bin_t
> 
> 
> The /sbin/init is point to /bin/systemd
> 
> 
> I check in the /system/init.fc have defiled: 
> 
> 
> /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> 
> 
> So, I changed it to: 
> 
> 
> /bin/systemd     -- gen_context(system_u:object_r:init_exec_t,s0)
> /sbin/init        --
>  gen_context(system_u:object_r:init_exec_t,s0)
> 
> 
> And then, I make, install, load and relabel it again.
> 
> 
> But after that, the /sbin/init still have labeled bin_t (instead of
> the /bin/systemd is now have init_exec_t)
> 
> 
> I'm very strange. So, I try to relabel it by command: 
> 
> 
> chcon -t init_exec_t /sbin/init 

The /sbin/init symbolic link can be bin_t, no problem.

/sbin/systemd though should be type init_exec_t.

The problem is that reference policy currently does not support systemd.

systemd is not stable yet.

refpolicy is waiting until systemd is stable before she will support it,
because there are too many changes happening to systemd currently.

You could probably, atleast to some extend, work around the issues by
making init a unconfined domain, but that will probably cause issues as
well. So if you are not comfortable with selinux you may want to avoid
that.

?nstead use the policy provided/supported by your distribution instead.

> but it still have labeled sbin_t too.
> 
> 
> I don't know why and have no ideal.
> 
> 
> My system is Fedora 15 and using the lasted refpolicy
> I made step by step by this introduction:
> http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
> 
> 
> Please help me.
> 
> 
> 
> Regard, 
> Quang Thuan
>