[Initng] selinux support in initng
Ismael Luceno
ismael.luceno at gmail.com
Sun Feb 25 19:32:03 CET 2007
Ismael Luceno wrote:
> dragoran wrote:
>> Ismael Luceno wrote:
>>> dragoran wrote:
>>>> Hello,
>>>> Since the fedora-extras review for initng started, work has started
>>>> to add selinux support for initng. I started by porting the sysvinit
>>>> patches to initng. This made it possible that selinux loads its
>>>> policy at all.
>>>> But then we ran into another problem:
>>>> The selinux policy does not allow initng to do what it should do (=>
>>>> does not work in enforcing mode).
>>>> This is what's still missing until today.
>>>> There is a bug report in Red Hat's bugzilla about this issue:
>>>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179761
>>>> One of the problems is that there are some fd leaks in initng.
>>>> When a daemon or a script gets started in its own selinux domain it
>>>> picks up one of the still open fds but they are not in its domain
>>>> which causes problems (not allowed to use them; does not work
>>>> correctly).
>>>> I have no idea how to fix this, that's why I am asking here...
>>>> Any ideas how to get rid of the fd leaks issue?
>>>> When this is solved we can see what avs are remaining and if they
>>>> are fixable inside initng or not. If not we can modify the policy
>>>> to work with this.
>>> The attached patch _may_ fix the fd-leaking issue.
>>> But be careful, it's untested.
>>>
>> thx for the patch.
>> I have used current-svn + your patch, ifiles 0.1.0 but initng fails to
>> find the default runlevel (no boot).
>> I tried passing runlevel:runlevel/default to initng but no success.
>> any idea what's wrong?
>
> sed -i 's:^system$:runlevel/system:' /etc/initng/runlevel/*.runlevel
>
> That should fix the problem.
>
> However I've noticed a problem with the patch, it may close the
> directory fd before it ends reading /proc/self/fd, so it will not
> work...
>
> Well, the fix is trivial, it should skip the directory fd...
>
Ok, here's the new patch! :)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: fd_leak_fix-2.patch
Url: http://jw.dyndns.org/pipermail/initng/attachments/20070225/8bbb9bba/attachment.txt
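The approach discussed in this thread (walk /proc/self/fd and close inherited descriptors, skipping the descriptor that backs the directory stream) can be sketched as follows. This is an added example, not the attached fd_leak_fix-2.patch and not initng code; the helper name `close_fds_from` and its `lowfd` parameter are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: close every open descriptor >= lowfd, meant to be
 * called in the child just before exec() so the new SELinux domain does
 * not inherit descriptors it is not allowed to use.
 * Returns the number of descriptors closed, or -1 if /proc is unavailable. */
int close_fds_from(int lowfd)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;

    int self = dirfd(dir);   /* must stay open until readdir() is finished */
    int closed = 0;
    struct dirent *ent;

    while ((ent = readdir(dir)) != NULL) {
        char *end;
        errno = 0;
        long fd = strtol(ent->d_name, &end, 10);
        if (errno != 0 || end == ent->d_name || *end != '\0')
            continue;        /* "." and ".." are not descriptor numbers */
        if (fd < lowfd || fd > INT_MAX || fd == self)
            continue;        /* keep low fds and the directory fd itself */
        if (close((int)fd) == 0)
            closed++;
    }
    closedir(dir);           /* releases the directory fd last */
    return closed;
}

int main(void)
{
    int n = close_fds_from(3);   /* keep stdin, stdout, stderr */
    printf("closed %d inherited descriptors\n", n);
    return n < 0;
}
```

Setting FD_CLOEXEC on each descriptor when it is opened avoids the need for this sweep; the sweep only covers descriptors that were opened without the flag.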