Bug 147454 - Deamons run in different security contexts
Deamons run in different security contexts
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-07 22:41 EST by Bojan Smojver
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-08 13:46:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bojan Smojver 2005-02-07 22:41:07 EST
When a daemon (for instance httpd) is started at boot time, it
inherits some of the security context from the init process. For
instance, httpd shows:

user_u:system_r:httpd_t 7089 ? Ss 0:00 /usr/sbin/httpd

The init process itself looks like this:

user_u:system_r:unconfined_t 1 ? S 0:01 init [3]

However, if the daemon is restarted by running "service httpd
restart", it looks like this:

root:system_r:httpd_t 8052 ? Ss 0:00 /usr/sbin/httpd

The implications of this are related to creation of files performed by
Apache daemon. In the first instance, the files will be created like
this (again, an example):

-rw-------  apache apache user_u:object_r:httpd_cache_t __app.dir

In the second instance (after the daemon restart), the files will have
a different security context:

-rw-------  apache apache root:object_r:httpd_cache_t __app.dir

I guess there should be only one security context for any given daemon.
Comment 1 Stephen Smalley 2005-02-08 12:22:26 EST
In the original upstream SELinux, we required users to use the run_init
program to run init scripts so that they would transition to the right
user identity and role and restarted daemons would inherit them.  This
was viewed as a useability problem for Fedora, so automatic
transitions were introduced for the roles and domains upon running
init scripts and daemons, but SELinux does not presently support
automatic transitions for user identity; we had always expected user
identity transitions to be explicitly performed by authentication
programs.
In the targeted policy, there is effectively only one user identity
and one role anyway; the others are just for compatibility with the
strict policy.  Only case where this matters is if apache was going to
be allowed to relabel its own files (not likely), in which case it
might run afoul of the constraint on relabeling files with a different
user identity.

Note You need to log in before you can comment on or make changes to this bug.