dragoran wrote:
Ismael Luceno wrote:
dragoran wrote:
Hello,
Since the fedora-extras review for initng started, work has started to add selinux support for initng. I started by porting the sysvinit patches to initng. This made it possible for selinux to load its policy at all.
But then we ran into another problem:
The selinux policy does not allow initng to do what it should do (=> does not work in enforcing mode).
This is what's still missing until today.
There is a bug report in Red Hat's bugzilla about this issue:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179761
One of the problems is that there are some fd leaks in initng.
When a daemon or a script gets started in its own selinux domain it picks up one of the still open fds but they are not in its domain which causes problems (not allowed to use them; does not work correctly).
I have no idea how to fix this, that's why I am asking here...
Any ideas how to get rid of the fd leak issue?
When this is solved we can see what avs are remaining and if they are fixable inside initng or not. If not we can modify the policy to work with this.
The attached patch _may_ fix the fd-leaking issue.
But be careful, it's untested.

thx for the patch.
I have used current-svn + your patch, ifiles 0.1.0, but initng fails to find the default runlevel (no boot). I tried passing runlevel:runlevel/default to initng but no success. Any idea what's wrong?

sed -i 's:^system$:runlevel/system:' /etc/initng/runlevel/*.runlevel

That should fix the problem.

However, I've noticed a problem with the patch: it may close the directory fd before it ends reading /proc/self/fd, so it will not work...

Well, the fix is trivial, it should skip the directory fd...
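To illustrate the fix being discussed, here is an added example (not the patch from this thread, nor initng's own code) of a routine that closes leaked descriptors listed in /proc/self/fd while skipping the directory fd that opendir() itself holds. It also collects the fd numbers before closing anything, since closing entries mid-readdir() can make the listing skip entries; the function name and the `max_keep` parameter are my own.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every descriptor above `max_keep` that this process still holds,
 * using the listing in /proc/self/fd. Returns the number of descriptors
 * closed, or -1 if /proc is unavailable or memory runs out. */
int close_inherited_fds(int max_keep)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;
    int self = dirfd(dir);       /* the fd opendir() itself is using */
    int *found = NULL;
    size_t n = 0, cap = 0;
    struct dirent *ent;

    /* Pass 1: collect candidates. Closing while iterating would change
     * the directory under readdir() and can skip entries, and closing
     * `self` mid-loop ends the iteration early (the bug noted above). */
    while ((ent = readdir(dir)) != NULL) {
        char *end;
        long fd = strtol(ent->d_name, &end, 10);
        if (end == ent->d_name || *end != '\0')
            continue;            /* "." and ".." are not fd numbers */
        if (fd <= max_keep || fd == self)
            continue;            /* keep stdio and the directory fd */
        if (n == cap) {
            cap = cap ? cap * 2 : 16;
            int *tmp = realloc(found, cap * sizeof *found);
            if (tmp == NULL) { free(found); closedir(dir); return -1; }
            found = tmp;
        }
        found[n++] = (int)fd;
    }
    closedir(dir);               /* releases `self`; never close it twice */

    /* Pass 2: close what was collected, after the listing is finished. */
    int closed = 0;
    for (size_t i = 0; i < n; i++)
        if (close(found[i]) == 0)
            closed++;
    free(found);
    return closed;
}
```

Calling close_inherited_fds(STDERR_FILENO) right before execve() in the child leaves only fds 0-2 for the started service; a second call in the same process should then report 0, because the directory fd is skipped rather than counted.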


