Initially filed by adelton as https://fedorahosted.org/autoqa/ticket/220
Recently I've come across issue
https://bugzilla.redhat.com/show_bug.cgi?id=628495
where daemons run as initrc_t.
In this case it was in spite of the fact that there was a SELinux policy module loaded, simply because the file context was pointing to a file that no longer existed in that rpm and which was no longer run during service startup.
I believe that with older Fedoras and with older versions of that package, the file context was actually correct and the daemons ran confined.
So to avoid any such regressions, it would be nice when doing some post-installation tests and starting services to also check the SELinux domain of the processes that are started by those services (ps Z).
Thanks, Jan
Comments:
jlaska: "Joza, is this something to consider with the initscripts tests?"
jskladan: "not really sure if the initscripts are the right place, but sure, it can be appended to the initscript tests. My concern is, though, how would we determine the correct type - is there some reference table? Is it the same in both Fedora & RHEL?
The main drawback I see in adding the test to initscripts is that we'd need to add almost the same lines to a bunch of separate files - or maybe we could have it as a separate part of run_once - you know - the initscript test itself, and then the SELinux context test. But it still requires some mapping between $ServiceName & $RequiredContext."
adelton: "Just checking that whatever gets started does not end up being initrc_t would be enough."
Adam notes: we'd have to see how systemd changes this, and also whether we wanted to care about implementing the check as described for things that aren't converted from sysv yet.
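A shell check in the spirit of adelton's "does not end up being initrc_t" suggestion, as an added example that is not code from the autoqa ticket or project: it parses `ps -eZ`-style output and fails if any process runs in the initrc_t domain. The function name and the sample ps output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the autoqa ticket): report processes whose SELinux
# domain is initrc_t, i.e. daemons that were started by an init script but
# never transitioned into their confined domain.

# check_domains: read "LABEL PID TTY TIME CMD" lines on stdin, print one line
# per process running as initrc_t, and return 1 if any were found.
check_domains() {
    found=0
    while read -r label pid tty time cmd; do
        case "$label" in
            LABEL|"") continue ;;        # skip the ps header and blank lines
        esac
        # The domain is the third colon-separated field of the context
        # (user:role:type:level); the MLS level may itself contain colons.
        domain=$(printf '%s' "$label" | cut -d: -f3)
        if [ "$domain" = "initrc_t" ]; then
            printf 'UNCONFINED pid=%s cmd=%s context=%s\n' "$pid" "$cmd" "$label"
            found=1
        fi
    done
    return $found
}

# Constructed sample of "ps -eZ" output: two confined daemons and one that
# stayed in initrc_t because its file context no longer matched the binary.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     1234 ?        00:00:01 httpd
system_u:system_r:initrc_t:s0    1250 ?        00:00:00 mydaemon
system_u:system_r:sshd_t:s0-s0:c0.c1023 1301 ?        00:00:00 sshd'

# On a live system the check would be:  ps -eZ | check_domains
if printf '%s\n' "$SAMPLE_PS" | check_domains; then
    echo "all processes are confined"
else
    echo "some processes run as initrc_t: check the file context in the policy module"
fi
```

Running the real `ps -eZ` through this after each service start gives the regression check the ticket asks for without needing a per-service context table.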
Metadata Update from @adamwill: - Issue tagged with: task-idea