Bug 190323 - initrc_context file should have initrc_t
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2006-05-01 06:39 UTC by Russell Coker
Modified: 2008-01-30 19:06 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:06:17 UTC

Description Russell Coker 2006-05-01 06:39:20 UTC
Description of problem:

In RHEL4 the run_init program does not work.  It incorrectly specifies 
unconfined_t as the domain for its child process thus overriding the 
domain_auto_trans() rule for initrc_exec_t and thus prevents a daemon started 
with it from running in the correct context.  This means that the 
command "run_init service httpd restart" will result in the httpd processes 
running in the unconfined_t domain.

This is normally not a problem as run_init is not needed in the supported 
configuration and is generally not used in the targeted policy.

But to avoid user confusion I believe that we need to fix this as a low 
priority issue in an update (this issue does not deserve its own update but 
is worth tagging on to another more important issue).

The solution is to replace unconfined_t with initrc_t in the 
file /etc/selinux/targeted/contexts/initrc_context (making such a change 
manually can be used as a work-around for anyone who wants it fixed now).

Fixing this issue has no possibility of breaking any supported functionality.
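
The workaround described in the report above, as an added shell example that is not part of the original bug report or of the selinux-policy-targeted package. The function names and the parsing assumption (one `user:role:type[:level]` context per file, optional comment lines) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumption: initrc_context holds a
# single SELinux context, user:role:type[:level], possibly with comment lines.

# Print the type (third field) of the first non-comment, non-blank line.
initrc_context_type() {
    awk -F: '/^[ \t]*#/ || /^[ \t]*$/ { next }
             { gsub(/[ \t]/, "", $3); print $3; exit }' "$1"
}

# Succeed only when run_init would start init scripts in initrc_t.
check_initrc_context() {
    [ "$(initrc_context_type "$1")" = "initrc_t" ]
}

# Apply the workaround: unconfined_t -> initrc_t in the type field only.
# Returns 0 if already correct or fixed, 2 if the type is something else.
fix_initrc_context() {
    file=$1
    check_initrc_context "$file" && return 0
    [ "$(initrc_context_type "$file")" = "unconfined_t" ] || return 2
    cp -p "$file" "$file.bak" || return 1
    # Rewrite in place so the file keeps its inode, owner and label.
    awk -F: 'BEGIN { OFS = ":" }
             done || /^[ \t]*#/ || /^[ \t]*$/ { print; next }
             { sub(/unconfined_t/, "initrc_t", $3); done = 1; print }' \
        "$file.bak" > "$file"
}

# Read `ps -eZ` output on stdin and print the PIDs of the named command that
# are still running in unconfined_t (expected: none after the fix and restart).
unconfined_pids() {
    awk -v name="$1" 'NR > 1 && $NF == name {
        split($1, ctx, ":")
        if (ctx[3] == "unconfined_t") print $2
    }'
}

# Usage on a RHEL4 targeted-policy host (as root):
#   fix_initrc_context /etc/selinux/targeted/contexts/initrc_context
#   run_init service httpd restart
#   ps -eZ | unconfined_pids httpd
```
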

Comment 2 Daniel Walsh 2006-05-09 16:02:36 UTC
Fixed in selinux-policy-targeted-1.17.30-2.134

Comment 3 Daniel Walsh 2008-01-30 19:06:17 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.

