From: justinmattock@yahoo.com (Justin Mattock)
Date: Sun, 23 Oct 2011 21:25:31 -0700 (PDT)
Subject: [refpolicy] Error when using refpolicy with apache httpd service
In-Reply-To: <1318433954.2238.63.camel@vortex>
References: <1318422025.1949.3.camel@x220.mydomain.internal>
 <1318425414.1949.6.camel@x220.mydomain.internal>
 <1318432505.1949.11.camel@x220.mydomain.internal>
 <1318433954.2238.63.camel@vortex>
Message-ID: <1319430331.81049.YahooMailNeo@web114307.mail.gq1.yahoo.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

----- Original Message -----
From: Guido Trentalancia
To: Dominick Grift
Cc: refpolicy
Sent: Wednesday, October 12, 2011 8:39 AM
Subject: Re: [refpolicy] Error when using refpolicy with apache httpd service

On Wed, 2011-10-12 at 17:15 +0200, Dominick Grift wrote:
> On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> > I find it very strange that /sbin/init is labeled bin_t.
> >
> > /sbin/init points to /bin/systemd.
> >
> > I checked that /system/init.fc has defined:
> >
> > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > So, I changed it to:
> >
> > /bin/systemd    --  gen_context(system_u:object_r:init_exec_t,s0)
> > /sbin/init      --  gen_context(system_u:object_r:init_exec_t,s0)
> >
> > And then I make, install, load and relabel it again.
> >
> > But after that, /sbin/init is still labeled bin_t (while /bin/systemd now has init_exec_t).
> >
> > I find this very strange. So, I try to relabel it with the command:
> >
> > chcon -t init_exec_t /sbin/init
>
> The /sbin/init symbolic link can be bin_t, no problem.
>
> /sbin/systemd though should be type init_exec_t.
>
> The problem is that reference policy currently does not support systemd.
>
> systemd is not stable yet.
>
> refpolicy is waiting until systemd is stable before she will support it,
> because there are too many changes happening to systemd currently.
>
> You could probably, at least to some extent, work around the issues by
> making init an unconfined domain, but that will probably cause issues as
> well. So if you are not comfortable with selinux you may want to avoid
> that.
>
> Instead use the policy provided/supported by your distribution.

Consider that Justin Mattock has recently submitted an initial patch (derived from F15, I suppose) for better supporting systemd in the reference policy:

18th September 2011
[RFC 1/2] selinux-contrib: add systemd support to refpolicy git
[RFC 2/2] refpolicy: add systemd support to tresys main policy

It's probably worth trying that out (along with the init_systemd boolean), if it's using systemd...

Regards,

Guido

yeah, anybody who has the time to go through that patch set, feel free.. last I remember I was hitting some sandbox error for some reason, then ran out of time due to external obligations. maybe if the weekend is permitting I can have another go at it.. as for the patch I pretty much just grepped Dan's git tree for systemd then copied it to refpolicy, but there is probably more to it than just grepping.

Justin P. Mattock

_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy
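An added example, not from the thread and not refpolicy's or libselinux's own code, that models the file-context lookup the thread turns on: a small parser for entries in the .fc syntax quoted above, and a last-match-wins lookup that honours the file-type flag. It shows why Dominick's answer is right: a `--` entry only ever applies to a regular file, so the /sbin/init symlink falls through to the generic bin_t entry while the real binary it points at picks up init_exec_t, and a dry-run relabel over a constructed inventory reports only the binary as needing a change. The sample entries, their generic-to-specific ordering (the order refpolicy's fc_sort tool produces at build time), and the inventory of current labels are constructed for illustration; the real lookup is done by libselinux/setfiles, which this only approximates.

```python
import re

# Constructed sample of refpolicy file-context (.fc) entries covering the paths
# discussed in the thread.  Entries are ordered generic to specific (the order
# refpolicy's fc_sort produces at build time); the lookup is last-match-wins.
SAMPLE_FC = """\
# generic entries
/bin/.*                 gen_context(system_u:object_r:bin_t,s0)
/sbin/.*                gen_context(system_u:object_r:bin_t,s0)
# specific entries (as in init.fc, plus the systemd entry proposed on the list)
/sbin/init(ng)?     --  gen_context(system_u:object_r:init_exec_t,s0)
/sbin/upstart       --  gen_context(system_u:object_r:init_exec_t,s0)
/bin/systemd        --  gen_context(system_u:object_r:init_exec_t,s0)
"""

# File-type flags an .fc entry may carry between the path regex and the context.
TYPE_FLAGS = {"--": "reg", "-l": "lnk", "-d": "dir", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

FC_LINE = re.compile(
    r"^(?P<regex>\S+)"                    # path regular expression
    r"(?:\s+(?P<flag>-[-ldcbsp]))?"       # optional file-type flag
    r"\s+gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)\s*$"
)


def parse_fc(text):
    """Parse .fc text into (compiled anchored regex, file type or None, SELinux type)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparsable .fc line: %r" % raw)
        ftype = TYPE_FLAGS[m.group("flag")] if m.group("flag") else None
        se_type = m.group("ctx").split(":")[2]  # user:role:type -> type
        entries.append((re.compile("^(?:%s)$" % m.group("regex")), ftype, se_type))
    return entries


def label_for(entries, path, file_type):
    """Return the SELinux type the entries assign to path (last match wins), or None."""
    chosen = None
    for regex, ftype, se_type in entries:
        if ftype is not None and ftype != file_type:
            continue                     # a '--' entry never matches a symlink
        if regex.match(path):
            chosen = se_type
    return chosen


def relabel_plan(entries, inventory):
    """Dry-run relabel: return (path, current, expected) for every mismatch."""
    plan = []
    for path, file_type, current in inventory:
        expected = label_for(entries, path, file_type)
        if expected is not None and expected != current:
            plan.append((path, current, expected))
    return plan


# Constructed inventory (path, file type, current label): /sbin/init is a
# symlink to /bin/systemd, and the systemd binary still carries bin_t from
# before the new entry was added.
INVENTORY = [
    ("/sbin/init", "lnk", "bin_t"),
    ("/bin/systemd", "reg", "bin_t"),
    ("/sbin/upstart", "reg", "init_exec_t"),
]

if __name__ == "__main__":
    entries = parse_fc(SAMPLE_FC)
    for path, ftype in [("/sbin/init", "lnk"), ("/sbin/init", "reg"), ("/bin/systemd", "reg")]:
        print("%-14s %-4s -> %s" % (path, ftype, label_for(entries, path, ftype)))
    for path, current, expected in relabel_plan(entries, INVENTORY):
        print("relabel %s from %s to %s" % (path, current, expected))
```

The symlink's type is a deliberate input here: the same /sbin/init path resolves to bin_t as a link and to init_exec_t as a regular file, which is exactly the difference between what the original poster saw with ls -Z on the link and what the entry was written for. On a real system the equivalent check is matchpathcon or restorecon -nv against the installed file_contexts.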