[Initng] selinux support in initng
Ismael Luceno
ismael.luceno at gmail.com
Sun Feb 25 18:53:13 CET 2007
dragoran wrote:
> Ismael Luceno wrote:
>> dragoran wrote:
>>> Hello,
>>> Since the fedora-extras review for initng started, work has started to
>>> add selinux support for initng. I started by porting the sysvinit
>>> patches to initng. This made it possible that selinux loads its
>>> policy at all.
>>> But then we ran into another problem:
>>> The selinux policy does not allow initng to do what it should do (=>
>>> does not work in enforcing mode).
>>> This is what's still missing until today.
>>> There is a bug report in Red Hat's Bugzilla about this issue:
>>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179761
>>> One of the problems is that there are some fd leaks in initng.
>>> When a daemon or a script gets started in its own selinux domain it
>>> picks up one of the still open fds but they are not in its domain
>>> which causes problems (not allowed to use them; does not work
>>> correctly).
>>> I have no idea how to fix this, that's why I am asking here...
>>> Any ideas how to get rid of the fd leaks issue?
>>> When this is solved we can see what avs are remaining and if they are
>>> fixable inside initng or not. If not we can modify the policy to
>>> work with this.
>> The attached patch _may_ fix the fd-leaking issue.
>> But be careful, it's untested.
>>
> thx for the patch.
> I have used current-svn + your patch, ifiles 0.1.0 but initng fails to
> find the default runlevel (no boot).
> I tried passing runlevel:runlevel/default to initng but no success. any
> idea what's wrong?
sed -i 's:^system$:runlevel/system:' /etc/initng/runlevel/*.runlevel
That should fix the problem.
However, I've noticed a problem with the patch, it may close the
directory fd before it ends reading /proc/self/fd, so it will not
work...
Well, the fix is trivial, it should skip the directory fd...
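The fix described in the message above (walk /proc/self/fd, but skip the descriptor that backs the directory stream itself) is sketched below as an added example. It is not the patch attached to the thread and not initng's code; the function name `close_fds_from` and its `lowfd` parameter are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every open descriptor >= lowfd by walking /proc/self/fd.
 * Returns the number of descriptors closed, or -1 if /proc is unavailable.
 * Meant for the child, between fork() and exec() into the new domain. */
int close_fds_from(int lowfd)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;

    int self = dirfd(dir);   /* the fd behind this very directory stream */
    int closed = 0;
    struct dirent *ent;

    while ((ent = readdir(dir)) != NULL) {
        char *end;
        errno = 0;
        long fd = strtol(ent->d_name, &end, 10);
        if (errno != 0 || end == ent->d_name || *end != '\0')
            continue;        /* not a number: "." and ".." */
        if (fd < lowfd || fd == self)
            continue;        /* closing 'self' here would break readdir() */
        if (close((int)fd) == 0)
            closed++;
    }
    closedir(dir);           /* releases 'self' only after the scan is done */
    return closed;
}

int main(void)
{
    /* Constructed demo: leak two descriptors at fd >= 100, then clean up. */
    int a = fcntl(0, F_DUPFD, 100), b = fcntl(0, F_DUPFD, 100);
    int n = close_fds_from(100);
    printf("leaked %d and %d, closed %d, fd %d is now %s\n", a, b, n, a,
           fcntl(a, F_GETFD) == -1 ? "closed" : "open");
    return 0;
}
```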