Domain transition missing

Vadym Chepkov chepkov at yahoo.com
Sat Jul 4 13:18:37 UTC 2009


That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in a vast number of scripts: spamassassin restarts itself when it updates anti-spam rules, clamav (antivirus) does that, and so on. I use Fedora 11, by the way.

For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seems to have done the trick.

Sincerely yours,
  Vadym Chepkov


--- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:

> From: Dominick Grift <domg472 at gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Saturday, July 4, 2009, 8:57 AM
> On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> > 
> 
> If you want the system to run jobs you will need to write some policy or extend the system_cronjob_t domain, I think.
> 
> 
> Were those the only AVC denials you got? I would expect more denials.
> 
> > --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
> > 
> > > From: Dominick Grift <domg472 at gmail.com>
> > > Subject: Re: Domain transition missing
> > > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > > Date: Saturday, July 4, 2009, 8:41 AM
> > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > Hi,
> > > > > 
> > > > > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and, as a law-abiding selinux citizen, I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
> > > > > 
> > > > > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > > > > 
> > > > > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > > > > 
> > > > > Sincerely yours,
> > > > >   Vadym Chepkov
> > > > 
> > > > A domain transition would be:
> > > > 
> > > > policy_module(mywinbind, 0.0.1)
> > > > 
> > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > > 
> > > > Can you show us the full raw AVC denial?
> > > 
> > > 
> > > But personally I would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition from the domain in which the script runs to winbind_t.
> > > 
> > > Mainly because I wouldn't want to extend/modify system_cronjob_t.
> > > 
> > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > > 
> > > > > --
> > > > > fedora-selinux-list mailing list
> > > > > fedora-selinux-list at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > > 
> > > 
> > > 
> 
> 
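As an added example (my own, not code posted in this thread and not Fedora's shipped policy), the script below generates the small policy module Dominick sketches: a private domain for the watchdog script, a transition from system_cronjob_t into it, and from it into winbind_t, so the cron job never needs unconfined_t. The module name winbind_watchdog, the script path /usr/local/sbin/winbind-watchdog.sh and the resulting type names are assumptions; domain_type, domain_entry_file, corecmd_executable_file, domain_auto_trans, corecmd_exec_shell and corecmd_exec_bin are standard reference-policy interfaces.

```shell
#!/bin/sh
# Added example, not from the thread: generate a policy module implementing
#   system_cronjob_t -> winbind_watchdog_exec_t -> winbind_watchdog_t
#                    -> winbind_exec_t -> winbind_t
# Module name and script path are assumptions; adjust to your installation.

MODULE=winbind_watchdog
WATCHDOG=/usr/local/sbin/winbind-watchdog.sh   # assumed location of the cron script

# Write $MODULE.te and $MODULE.fc into the directory given as $1.
write_policy_module() {
    dir=$1
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

require {
    type system_cronjob_t;
    type winbind_exec_t;
    type winbind_t;
}

# A private domain for the watchdog script and an entrypoint type for its file.
type ${MODULE}_t;
type ${MODULE}_exec_t;
domain_type(${MODULE}_t)
domain_entry_file(${MODULE}_t, ${MODULE}_exec_t)
corecmd_executable_file(${MODULE}_exec_t)

# cron -> watchdog: executing a ${MODULE}_exec_t file from system_cronjob_t
# moves the process into ${MODULE}_t instead of leaving it in system_cronjob_t.
domain_auto_trans(system_cronjob_t, ${MODULE}_exec_t, ${MODULE}_t)

# watchdog -> winbind: the rule from the thread, issued from the script's own
# domain rather than from system_cronjob_t.
domain_auto_trans(${MODULE}_t, winbind_exec_t, winbind_t)

# The watchdog is a shell script: it needs the shell and ordinary binaries.
corecmd_exec_shell(${MODULE}_t)
corecmd_exec_bin(${MODULE}_t)
EOF

    # File context so restorecon labels the script with the entrypoint type.
    cat > "$dir/$MODULE.fc" <<EOF
$WATCHDOG  --  gen_context(system_u:object_r:${MODULE}_exec_t,s0)
EOF
}

# Build and load the module; needs selinux-policy-devel and root on an SELinux host.
build_and_install() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" ) &&
    semodule -i "$dir/$MODULE.pp" &&
    restorecon -v "$WATCHDOG"
}

# Return 0 when the generated .te file carries both transitions of the chain.
has_both_transitions() {
    grep -q "domain_auto_trans(system_cronjob_t, ${MODULE}_exec_t, ${MODULE}_t)" "$1/$MODULE.te" &&
    grep -q "domain_auto_trans(${MODULE}_t, winbind_exec_t, winbind_t)" "$1/$MODULE.te"
}
```

Usage: `write_policy_module /tmp/wd && build_and_install /tmp/wd`. As Dominick says, expect further denials once the script runs confined (reading pid files, running the init script and so on); collect them with `audit2allow -a` and add the interfaces they point to, rather than widening system_cronjob_t or falling back to runcon -t unconfined_t.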