Anytime you launch a daemon from initscripts it will need a policy. This
is because it needs to run in its own domain with only the privileges
it needs. Launching it from the initscripts without a policy will cause
it to run in the init domain which has no privileges beyond launching
apps into their own domain.

So the answer is, you will have to write or find a policy for this
daemon, so that it runs in its own domain before it will function with
selinux.
|
11 |
Joshua Brindle |
12 |
|
13 |
Jansson Fredrik wrote: |
14 |
|
15 |
> Hi!
>
> I am trying to get p4d running in enforcing mode. The problem seems to be
> that p4d can't read and write from sockets:
>
> audit(1094655218.690:0): avc: denied { write } for pid=19802
> exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=tcp_socket
> audit(1094655218.691:0): avc: denied { read } for pid=19870
> exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=tcp_socket
> audit(1094655218.691:0): avc: denied { read } for pid=19870
> exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=tcp_socket
>
> Is there any way I can modify the policies to allow this?
>
> Best regards
> Fredrik Jansson
>
> --
> gentoo-hardened@g.o mailing list
>

--
gentoo-hardened@g.o mailing list
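As an added illustration of the "own domain" Joshua describes (this is not code from the thread or from the Gentoo policy of the time): a minimal policy module, written in the later reference-policy style, that moves p4d out of initrc_t and grants only the tcp_socket access that the AVC messages show was denied. The module name, the types p4d_t and p4d_exec_t, and the use of reference-policy macros are assumptions.

```selinux
# p4d.te (hypothetical module, reference-policy style, not from the thread)
policy_module(p4d, 1.0.0)

########################################
# Declarations
#
# The daemon's own domain and the entrypoint type for its binary.
type p4d_t;
type p4d_exec_t;

# Make p4d_t a daemon domain and set up the automatic transition
# initrc_t -> p4d_t when an initscript executes a file labeled p4d_exec_t.
# Without this transition p4d keeps running as initrc_t, which is exactly
# what the scontext=system_u:system_r:initrc_t field in the AVC messages
# above shows.
init_daemon_domain(p4d_t, p4d_exec_t)

########################################
# Local policy
#
# The denied operations were read/write on the daemon's own tcp_socket
# (tclass=tcp_socket, scontext == tcontext). Grant them to p4d_t only;
# adding such rules to initrc_t instead would widen the privileges of
# every daemon started from an initscript.
allow p4d_t self:tcp_socket create_stream_socket_perms;

# p4d.fc (hypothetical): label the binary so the transition can happen.
# /usr/sbin/p4d  --  gen_context(system_u:object_r:p4d_exec_t,s0)
```

After loading the module and relabeling /usr/sbin/p4d, restart the daemon and confirm with `ps -eZ` that it now runs as p4d_t. Any further denials will then carry scontext=...:p4d_t, so each additional rule can be scoped to the daemon rather than to initrc_t.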