I've created the patches to allow an SELinux context to be specified for xinetd, and they seem to work; however, one problem is that xinetd isn't allowed to transition to any other domains. E.g.:
type=AVC msg=audit(1164755336.496:24242): avc: denied { transition } for
pid=22285 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116
scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:httpd_t:s0
tclass=process
type=AVC msg=audit(1164755097.924:24194): avc: denied { transition } for
pid=21497 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116
scontext=user_u:system_r:inetd_t:s0
tcontext=user_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1164755203.968:24207): avc: denied { entrypoint } for
pid=21825 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116
scontext=user_u:system_r:fingerd_t:s0 tcontext=user_u:object_r:httpd_exec_t:s0
tclass=file
...so either the setexeccon fails, because xinetd isn't allowed to
transition to that context ... or the context doesn't have the ability
to exec anything but itself (you can transition to fingerd_t and then
exec fingerd_exec_t ... but that doesn't do anything).
Example config:
# selinux_context = user_u:system_r:inetd_t:SystemLow-SystemHigh
selinux_context = user_u:system_r:httpd_t
# selinux_context = user_u:system_r:fingerd_t
Anyway, here are the patches/rpms:
http://people.redhat.com/jantill/xinetd/
--
James Antill <[EMAIL PROTECTED]>
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
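As an added example (not part of the message above or of the xinetd patches it links to), the following Python script parses AVC records like the ones quoted in the mail, renders the audit2allow-style allow rules they imply, and checks the three permissions a domain transition needs (process transition, file entrypoint, file execute), so a policy author can see why `setexeccon` fails or why the new domain cannot exec its service. The sample records are constructed from the quoted ones; `SAMPLE_AVC`, `GRANTED` and all function names are my own.

```python
import re

# Constructed sample records modelled on the AVC lines quoted in the mail
# (same contexts and classes; each record joined onto one line).
SAMPLE_AVC = """
type=AVC msg=audit(1164755336.496:24242): avc: denied { transition } for pid=22285 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:inetd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1164755203.968:24207): avc: denied { entrypoint } for pid=21825 comm="xinetd" name="in.cat.msg" dev=md0 ino=7619116 scontext=user_u:system_r:fingerd_t:s0 tcontext=user_u:object_r:httpd_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def sel_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]

def parse_avc(text):
    """Return (source_type, target_type, tclass, perm) for every denied permission."""
    denials = []
    for m in AVC_RE.finditer(text):
        for perm in m.group('perms').split():
            denials.append((sel_type(m.group('scon')), sel_type(m.group('tcon')),
                            m.group('tclass'), perm))
    return denials

def allow_rules(denials):
    """Render the allow rules that would cover the denials (audit2allow style)."""
    return sorted({f"allow {s} {t}:{c} {p};" for s, t, c, p in denials})

def missing_for_transition(granted, src, dst, entry):
    """List which of the three permissions a domain transition src -> dst via entry lacks.
    `granted` is the set of (source, target, tclass, perm) tuples the policy allows."""
    needed = [(src, dst, 'process', 'transition'),   # xinetd may enter dst (setexeccon)
              (dst, entry, 'file', 'entrypoint'),    # dst may be entered through entry
              (src, entry, 'file', 'execute')]       # xinetd may exec the service binary
    return [n for n in needed if n not in granted]

# Constructed policy fragment: only the transition itself has been allowed so far.
GRANTED = {('inetd_t', 'httpd_t', 'process', 'transition')}

if __name__ == '__main__':
    print('\n'.join(allow_rules(parse_avc(SAMPLE_AVC))))
    for gap in missing_for_transition(GRANTED, 'inetd_t', 'httpd_t', 'httpd_exec_t'):
        print('missing:', gap)
```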
