On Wed, Mar 23, 2011 at 1:27 PM, Jamie Nguyen <[email protected]> wrote:
> Mauras Olivier wrote:
> > Thing is it doesn't look like there's any reference to the real path
> >
> > From the process view:
> > (Automatic startup)
> > 25: 0 +- lxc-start (2301) <kernel> /etc/init.d/local /libexec/rc/sh/runscript.sh /usr/bin/lxc-start
> > 26: 0 +- init (2318) <kernel> /sbin/init
> > 27: 0 +- syslogd (2433) <kernel> /sbin/init /etc/rc.d/rc.M /usr/sbin/syslogd
> > 28: 0 +- klogd (2558) <kernel> /sbin/init /etc/rc.d/rc.M /usr/sbin/klogd
> > 29: 0 +- sshd (2662) <kernel> /usr/sbin/sshd
> > 30: 0 +- named (2667) <kernel> /sbin/init /etc/rc.d/rc.M /etc/rc.d/rc.bind /usr/sbin/named
> > 31: 0 +- crond (2805) <kernel> /sbin/init /etc/rc.d/rc.M /etc/rc.d/rc.crond /usr/sbin/crond
> > 32: 0 +- master (2881) <kernel> /sbin/init /etc/rc.d/rc.M /usr/sbin/postfix /usr/libexec/postfix/postfix-script /usr/libexec/postfix/master
> > 33: 0 +- qmgr (2884) <kernel> /sbin/init /etc/rc.d/rc.M /usr/sbin/postfix /usr/libexec/postfix/postfix-script /usr/libexec/postfix/master /usr/libexec/postfix/qmgr
> > 34: 0 +- pickup (14946) <kernel> /sbin/init /etc/rc.d/rc.M /usr/sbin/postfix /usr/libexec/postfix/postfix-script /usr/libexec/postfix/master /usr/libexec/postfix/pickup
>
> It appears as though this domain:
>
> <kernel> /etc/init.d/local /libexec/rc/sh/runscript.sh /usr/bin/lxc-start
>
> is doing "file execute /sbin/init".
>
> Try removing the other entries in exception policy that I have
> previously asked you to put in, and put this in instead:
>
> initialize_domain /usr/bin/lxc-start from any
> no_initialize_domain /sbin/init from /usr/bin/lxc-start
>
> You should create these domains:
>
> <kernel> /usr/bin/lxc-start
> <kernel> /usr/bin/lxc-start /sbin/init
>
> Now these domains should manage all containers that you start
> (hopefully, if I have understood these containers correctly).
>
> Kind regards,
> Jamie
>
> _______________________________________________
> tomoyo-users-en mailing list
> [email protected]
> http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en

Very nice! I added another "no_initialize_domain /usr/sbin/sshd from /etc/rc.d/rc.sshd" to have sshd in the same tree and it gives me:

704: 1 /etc/rc.d/rc.sshd
705: 1 /usr/sbin/sshd /usr/sbin/sshd ( -> 809 )
706: 1 /sbin/ifconfig

Following /usr/sbin/sshd ( -> 809 ) returns me to the host sshd process. Is it normal? Should I try to avoid having it in the tree?

Another problem I see is that with that setting, I'll match all my containers under the same domain, which I'd like to avoid, to have a domain per container. Can I match on, for example, "file append/file read" as I see container references in the lxc-start policy?
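To see why the second /usr/sbin/sshd entry jumps back out of the container tree, here is an added Python model of TOMOYO's initialize_domain / no_initialize_domain transitions, run over the exception policy entries from this thread (my code, not the project's). The two stock initialize_domain entries for /sbin/init and /usr/sbin/sshd, and the rule that "from" matches a full domain name or the last program of a domain, are assumptions; keep_domain is not modelled.

```python
"""Simplified model of TOMOYO domain transitions on execve() (constructed
example, not code from the thread or TOMOYO). Only initialize_domain and
no_initialize_domain are modelled; the "from" matching is an assumption."""

# Exception policy as discussed in the thread (constructed sample).
EXCEPTION_POLICY = """
# assumed stock entries standing in for the default exception policy
initialize_domain /sbin/init from any
initialize_domain /usr/sbin/sshd from any
# entries Jamie suggested
initialize_domain /usr/bin/lxc-start from any
no_initialize_domain /sbin/init from /usr/bin/lxc-start
# entry Olivier added
no_initialize_domain /usr/sbin/sshd from /etc/rc.d/rc.sshd
"""

def parse_rules(text):
    """Return (kind, program, source) tuples; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(None, 1)
        program, source = rest.split(" from ", 1)
        rules.append((kind, program.strip(), source.strip()))
    return rules

def _matches(rule, domain, program):
    _, rule_prog, source = rule
    if rule_prog not in ("any", program):
        return False
    # "from" matches "any", the full domain name, or the domain's last program
    return source in ("any", domain, domain.split()[-1])

def next_domain(domain, program, rules):
    """Domain a child lands in when `domain` executes `program`."""
    def active(kind):
        return any(_matches(r, domain, program) for r in rules if r[0] == kind)
    if active("initialize_domain") and not active("no_initialize_domain"):
        return "<kernel> " + program  # restart a fresh tree under <kernel>
    return domain + " " + program  # default: append to the caller's domain

def walk(domain, programs, rules=None):
    """Follow a chain of execs; return every domain visited in order."""
    rules = parse_rules(EXCEPTION_POLICY) if rules is None else rules
    path = []
    for program in programs:
        path.append(domain := next_domain(domain, program, rules))
    return path
```

Walking /etc/rc.d/rc.sshd, /usr/sbin/sshd, /usr/sbin/sshd from the container's init domain shows the first sshd staying under rc.sshd (the no_initialize_domain entry matches) while sshd's re-exec of itself no longer matches "from /etc/rc.d/rc.sshd" and lands in `<kernel> /usr/sbin/sshd`, the host's domain.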
