Bug 491749 - init script starting part fails due to selinux policy disallowing the transition initrc_t -> unconfined_t
Summary: init script starting part fails due to selinux policy disallowing the transit...
Keywords:
Status: CLOSED DUPLICATE of bug 442228
Alias: None
Product: 389
Classification: Retired
Component: Admin
Version: 7.1
Hardware: x86_64
OS: Linux
Importance: low (priority), medium (severity)
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650
Reported: 2009-03-23 20:17 UTC by lejeczek
Modified: 2015-01-04 23:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-30 18:06:41 UTC
Embargoed:



Description lejeczek 2009-03-23 20:17:48 UTC
Description of problem:


Version-Release number of selected component (if applicable):
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-base-devel-1.1.3-2.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-base-1.1.3-2.fc9.x86_64
fedora-ds-console-1.1.2-2.fc9.noarch


How reproducible:
service dirsrv-admin start

Steps to Reproduce:
1.
2.
3.
  
Actual results:
node=pawellap type=AVC msg=audit(1237837361.126:2098): avc:  denied  { transition } for  pid=7371 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process

node=pawellap type=SYSCALL msg=audit(1237837361.126:2098): arch=c000003e syscall=59 success=no exit=-13 a0=7fff5e0f2e96 a1=7fff5e0f0db8 a2=7fff5e0f0de8 a3=7fff5e0f09d0 items=0 ppid=7361 pid=7371 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Expected results:


Additional info:

Comment 1 lejeczek 2009-03-23 20:29:50 UTC
selinux-policy-targeted-3.3.1-126.fc9.noarch

Comment 2 Daniel Walsh 2009-03-27 00:25:10 UTC
This is custom policy and would need to be written by you.  Not sure what you are trying to do, but you could set a script as httpd_unconfined_script_exec_t or just add the rules you require using audit2allow.

Comment 3 lejeczek 2009-03-27 09:26:13 UTC
hello there,

it is - service dirsrv-admin start - that fails, raising these errors
have checked fcontext for the initscript - ok, as policy applies
it's the policy's rules that prevent the transition I speak of in the bug title
it all works (starting dirsrv-admin using the same syntax) if only not invoked by "service ..." but from the console line

when run from initscript, selinux source domain is: initrc_t:s0
$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"

Source Context:  unconfined_u:system_r:initrc_t:s0
Target Context:  unconfined_u:system_r:unconfined_t:s0
Target Objects:  /usr/sbin/httpd.worker [ process ]
Source:  runcon
Source Path:  /usr/bin/runcon

when run from console, selinux source domain is unconfined, right? and below works
runcon -t unconfined_t -- /usr/sbin/httpd.worker -DOmitDeflate -k start -f /etc/dirsrv/admin-serv/httpd.conf

so there is nothing custom about it,
hope I'm being less vague this time, apologies
cheers

Comment 4 Daniel Walsh 2009-03-27 19:03:14 UTC
So you are saying this is in the init script?

Comment 5 Daniel Walsh 2009-03-27 19:04:25 UTC
This is wrong, the init script should not be executing runcon

and unconfined_t should never be run as a service, this is a user type.

Comment 6 lejeczek 2009-03-28 13:57:38 UTC
yes - for me it's the init script, nothing custom - nothing in scripts, nothing in policy
that is why I think of it as a bug - I believe policy is having broken rules

Source Context                unconfined_u:system_r:initrc_t:s0
Target Context                unconfined_u:system_r:unconfined_t:s0
Target Objects                /usr/sbin/httpd.worker [ process ]
Source                        runcon
Source Path                   /usr/bin/runcon
Port                          <Unknown>
Host                          pawellap
Source RPM Packages           coreutils-6.10-35.fc9
Target RPM Packages           httpd-2.2.9-1.fc9
Policy RPM                    selinux-policy-3.3.1-127.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     pawellap
Platform                      Linux pawellap 2.6.27.19-78.2.30.fc9.x86_64 #1 SMP
                              Tue Feb 24 19:44:45 EST 2009 x86_64 x86_64
Alert Count                   11
First Seen                    Tue Mar 17 09:26:40 2009
Last Seen                     Sat Mar 28 13:50:22 2009
Local ID                      11b80595-eae8-4204-8e6b-cf58388f21ba
Line Numbers                  

Raw Audit Messages            

node=pawellap type=AVC msg=audit(1238248222.119:3413): avc:  denied  { transition } for  pid=10321 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process

node=pawellap type=SYSCALL msg=audit(1238248222.119:3413): arch=c000003e syscall=59 success=no exit=-13 a0=7fffc4f89e96 a1=7fffc4f88c48 a2=7fffc4f88c78 a3=7fffc4f88860 items=0 ppid=10311 pid=10321 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

/etc/rc.d/init.d/dirsrv-admin calls /usr/sbin/start-ds-admin - it's the rpm's
rpms are up to today's available ones
cheers

Comment 7 Rich Megginson 2009-03-30 14:18:47 UTC
Is this issue related to https://bugzilla.redhat.com/show_bug.cgi?id=442228 ?

Comment 8 Daniel Walsh 2009-03-30 15:03:28 UTC
Yes, do not run runcon in an init script.

runcon is a testing tool or perhaps can be used by mls people, but we can set up proper rules and transitions to make initrc work correctly.

But we need to get back to the original problem you were trying to fix.

Comment 9 lejeczek 2009-03-30 16:57:25 UTC
problem is that when I (or at boot time) invoke: service dirsrv-admin start - I get denials as in my last comment (and there is nothing changed by me in scripts nor in policy, all as rpms installed it)

I initially submitted this bug in Fedora DS - not much of a reply I got - therefore put it here

what more I found, these scripts:
/usr/sbin/start-ds-admin
/etc/init.d/dirsrv-admin
are exact same files on both f9 and f10 (both with latest rpms)

what else I see is that f10 has this:
allow initrc_t unconfined_t : process { transition sigchld }
and f9 has it not

I can remember that I was! working on f9, my guess - there's been change in policy, I cannot remember when I applied these updates

Comment 10 lejeczek 2009-03-30 17:04:13 UTC
apologies, in last comment - I was! working=it was working
and I refer to f10 for this obvious reason - it is working in f10 while, as I mentioned, scripts are the same

Comment 11 Daniel Walsh 2009-03-30 17:18:53 UTC
Yes, two things will break here: initrc_t is no longer allowed to transition to unconfined_t, and RBAC can and will start to break this.  Finally, by using runcon within a script you will break on any non targeted system or any system that plans on running without unconfined.pp being installed.  I.e. Fedora Directory Server will not be allowed to run in secure environments.
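
An added example (not code from this bug thread, from 389/Fedora DS or from the SELinux policy package) that parses the AVC record quoted in this bug and checks it against the allow rule lejeczek reports finding in the f10 policy; the F9/F10 rule lists are constructed from comment 9, the flagging criterion follows comment 11, and the function names are assumptions.

```python
import re

# The AVC record quoted in this bug (comment 0), copied here as a constructed
# sample so the example runs offline.
AVC_SAMPLE = (
    'node=pawellap type=AVC msg=audit(1237837361.126:2098): avc:  denied  { transition } for  '
    'pid=7371 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 '
    'scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Pull the access-vector fields out of one audit line; None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # Contexts are user:role:type[:level]; the type is always the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

# Minimal model of the rule lejeczek found in the f10 policy (comment 9):
#   allow initrc_t unconfined_t : process { transition sigchld }
# and of f9, which he reports lacks it. Both lists are constructed for this example.
F10_RULES = [("initrc_t", "unconfined_t", "process", {"transition", "sigchld"})]
F9_RULES = []

def policy_allows(rules, rec):
    """True if some (source, target, class, perms) rule covers every permission the AVC asked for."""
    return any(s == rec["stype"] and t == rec["ttype"] and c == rec["tclass"] and rec["perms"] <= p
               for s, t, c, p in rules)

def flag_unconfined_service(rec):
    """The pattern objected to in comment 11: the init-script domain executing a service as unconfined_t."""
    return (rec["tclass"] == "process" and "transition" in rec["perms"]
            and rec["stype"] == "initrc_t" and rec["ttype"] == "unconfined_t")
```

Running the sample through both rule lists reproduces the thread: the same record is allowed under the f10 rule and denied under f9, and is flagged either way because a service should get its own domain rather than unconfined_t.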

Comment 12 Rich Megginson 2009-03-30 17:22:52 UTC
We are working on adding the patches from https://bugzilla.redhat.com/show_bug.cgi?id=442228 to Fedora Directory Server.  I believe if we implement the selinux policy specified in 442228, that will solve this problem, since we won't be using runcon -t unconfined_t anymore.  Agreed?  If so, I'm going to close this bug as a duplicate of 442228.

Comment 13 lejeczek 2009-03-30 17:48:39 UTC
yes, fine with me
it's just a bit peculiar that f10, which is the natural successor to f9, does not receive these changes in policy around the same time.

Comment 14 Rich Megginson 2009-03-30 18:06:41 UTC

*** This bug has been marked as a duplicate of bug 442228 ***

