From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 12 Oct 2011 17:39:14 +0200
Subject: [refpolicy] Error when using refpolicy with apache httpd service
In-Reply-To: <1318432505.1949.11.camel@x220.mydomain.internal>
References: <1318422025.1949.3.camel@x220.mydomain.internal> <1318425414.1949.6.camel@x220.mydomain.internal> <1318432505.1949.11.camel@x220.mydomain.internal>
Message-ID: <1318433954.2238.63.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2011-10-12 at 17:15 +0200, Dominick Grift wrote:
> On Thu, 2011-10-13 at 00:08 +0900, Thu?n ?inh wrote:
> > Hi,
> >
> > I'm very strange that the /sbin/init is labeled bin_t.
> >
> > The /sbin/init points to /bin/systemd.
> >
> > I checked that /system/init.fc has defined:
> >
> > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > So, I changed it to:
> >
> > /bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
> > /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > And then, I make, install, load and relabel it again.
> >
> > But after that, the /sbin/init still has the label bin_t (instead,
> > the /bin/systemd now has init_exec_t).
> >
> > I'm very strange. So, I tried to relabel it with the command:
> >
> > chcon -t init_exec_t /sbin/init
>
> The /sbin/init symbolic link can be bin_t, no problem.
> /sbin/systemd though should be type init_exec_t.
>
> The problem is that reference policy currently does not support systemd.
> systemd is not stable yet.
>
> refpolicy is waiting until systemd is stable before she will support it,
> because there are too many changes happening to systemd currently.
>
> You could probably, at least to some extent, work around the issues by
> making init an unconfined domain, but that will probably cause issues as
> well. So if you are not comfortable with selinux you may want to avoid
> that.
>
> Instead use the policy provided/supported by your distribution instead.

Consider that Justin Mattock has recently submitted an initial patch (derived from F15, I suppose) for better supporting systemd in the reference policy:

18th September 2011
[RFC 1/2] selinux-contrib: add systemd support to refpolicy git
[RFC 2/2] refpolicy: add systemd support to tresys main policy

It's probably worth trying that out (along with the init_systemd boolean), if it's using systemd...

Regards,

Guido
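Why the relabel left the /sbin/init symlink as bin_t while /bin/systemd got init_exec_t: the `--` field in a file_contexts entry restricts it to regular files, so the symlink falls through to the generic directory entry. The following is an added example, not code from the thread or from refpolicy; it models libselinux's file_contexts matching in a simplified way (longest literal prefix wins, later entry wins on ties, file-type field must agree) and runs the thread's entries against it. The `/bin(/.*)?` and `/sbin(/.*)?` bin_t lines are assumed to be the refpolicy defaults for those directories.

```python
import re

# Constructed file_contexts text: the init_exec_t lines are the ones quoted in
# the thread; the two bin_t directory lines are assumed refpolicy defaults.
FILE_CONTEXTS = """
/bin(/.*)?                  gen_context(system_u:object_r:bin_t,s0)
/sbin(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
/sbin/init(ng)?         --  gen_context(system_u:object_r:init_exec_t,s0)
/sbin/upstart           --  gen_context(system_u:object_r:init_exec_t,s0)
/bin/systemd            --  gen_context(system_u:object_r:init_exec_t,s0)
"""

# file_contexts(5) file-type fields: an entry with one of these only applies
# to objects of that type; an entry without one applies to any object type.
TYPE_FLAGS = {"--": "file", "-l": "symlink", "-d": "dir", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-ldcbsp])\s+)?gen_context\(([^,]+),(\S+)\)$")
META_RE = re.compile(r"[^.^$*+?()\[\]{}|\\]*")  # literal prefix before a metachar


def parse_fc(text):
    """Return a list of (compiled regex, required object type or None, type, specificity)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable file_contexts line: %r" % line)
        regex, flag, ctx, _level = m.groups()
        se_type = ctx.split(":")[2]
        specificity = len(META_RE.match(regex).group(0))
        specs.append((re.compile("^" + regex + "$"), TYPE_FLAGS.get(flag), se_type, specificity))
    return specs


def match_type(specs, path, ftype):
    """SELinux type the entries assign to `path` when it is an object of kind `ftype`."""
    best = None
    for regex, want_type, se_type, specificity in specs:
        if want_type is not None and want_type != ftype:
            continue  # e.g. a '--' entry never applies to a symlink
        if not regex.match(path):
            continue
        if best is None or specificity >= best[1]:
            best = (se_type, specificity)
    return best[0] if best else None


SPECS = parse_fc(FILE_CONTEXTS)
```

`match_type(SPECS, "/sbin/init", "symlink")` gives bin_t and `match_type(SPECS, "/bin/systemd", "file")` gives init_exec_t, which is exactly the outcome reported in the thread.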