Hi,

    run_init /usr/sbin/httpd -k start

leads to

    system_u:system_r:initrc_t:s0 root 3977 1 0 19:57 ? 00:00:00 /usr/sbin/httpd -k start

It should be httpd_t.

sesearch -ACT -t httpd_exec_t has the transition

    type_transition initrc_t httpd_exec_t : process httpd_t;

Yes, but I think run_init is supposed to be run with init scripts, not the respective daemon:
run_init /etc/init.d/httpd
On the other hand, httpd's init script doesn't have initrc_exec_t, but its own "initrc_exec_t subtype":
    # ls -Z /etc/init.d/httpd
    -rwxr-xr-x. root root system_u:object_r:httpd_initrc_exec_t:s0 /etc/init.d/httpd
So best would be to just do "service httpd start", which will call the corresponding init script, where the proper transitions will happen.
Best regards, Michael
On 09/17/2015 10:29 AM, Michael Bunk wrote:
> Yes, but I think run_init is supposed to be run with init scripts, not the respective daemon:
> run_init /etc/init.d/httpd
> On the other hand, httpd's init script doesn't have initrc_exec_t, but its own "initrc_exec_t subtype":
>     # ls -Z /etc/init.d/httpd
>     -rwxr-xr-x. root root system_u:object_r:httpd_initrc_exec_t:s0 /etc/init.d/httpd
> So best would be to just do "service httpd start", which will call the corresponding init script, where the proper transitions will happen.

Sure. My point is about a way to get a service running with correct SELinux identities using a service script on RHEL6.
Best regards, Michael
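
A check for the symptom reported in this thread, as an added example that is not part of any message above: it reads `ps -efZ` style lines and reports processes of a given executable that are not running in the expected SELinux type. The function name `check_domain` and the second sample line are constructed for illustration; the first sample line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example. Reads `ps -efZ` style lines on stdin
# (LABEL UID PID PPID C STIME TTY TIME CMD) and reports every process whose
# command is the given executable but whose SELinux type is not the expected one.
# On a live host: ps -efZ | check_domain /usr/sbin/httpd httpd_t
# Exit status: 0 = all matches in the expected type, 1 = mismatch, 2 = no match.
check_domain() {
    exe=$1
    want=$2
    awk -v exe="$exe" -v want="$want" '
        $9 == exe {
            # LABEL is user:role:type:level; the type is the third part.
            n = split($1, ctx, ":")
            if (n < 3) next
            seen++
            if (ctx[3] != want) {
                bad++
                printf "pid=%s type=%s expected=%s\n", $3, ctx[3], want
            }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }'
}

# First line: output quoted in the thread (daemon left in initrc_t).
sample_bad='system_u:system_r:initrc_t:s0 root 3977 1 0 19:57 ? 00:00:00 /usr/sbin/httpd -k start'
# Second line: constructed, showing the process in httpd_t.
sample_ok='system_u:system_r:httpd_t:s0 root 4012 1 0 20:03 ? 00:00:00 /usr/sbin/httpd'

# Demonstration on the two sample lines; only the first is reported.
printf '%s\n%s\n' "$sample_bad" "$sample_ok" | check_domain /usr/sbin/httpd httpd_t || true
```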