Domain transition missing

Vadym Chepkov chepkov at yahoo.com
Sat Jul 4 14:00:54 UTC 2009


This worked well too, thank you

system_u:system_r:winbind_t:SystemLow root 11926   1  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11928 11926  0 09:57 ?      00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11954 11926  0 09:57 ?      00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11956 11926  0 09:57 ?      00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11957 11926  0 09:57 ?      00:00:00 winbindd


Sincerely yours,
  Vadym Chepkov


--- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:

> From: Dominick Grift <domg472 at gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Saturday, July 4, 2009, 9:28 AM
> On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
> > That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in vast scripts. spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus) and on and on. I use Fedora 11, by the way.
> > 
> > For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> > 
> 
> Looking here:
> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if
> line 235 to line 269.
> 
> That seems like an interface one might use in your situation:
> 
> cron_system_entry(winbind_t, winbind_exec_t)
> 
> I admit that using cron with SELinux is not very easy currently.
> 
> > --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
> > 
> > > From: Dominick Grift <domg472 at gmail.com>
> > > Subject: Re: Domain transition missing
> > > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > > Date: Saturday, July 4, 2009, 8:57 AM
> > > On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > > > I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
> > > > 
> > > > Sincerely yours,
> > > >   Vadym Chepkov
> > > > 
> > > 
> > > If you want the system to run jobs you will need to write some policy or extend the system_cronjob_t domain, I think.
> > > 
> > > Were those the only avc denials you got? I would expect more denials.
> > > 
> > > > --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
> > > > 
> > > > > From: Dominick Grift <domg472 at gmail.com>
> > > > > Subject: Re: Domain transition missing
> > > > > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > > > > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > > > > Date: Saturday, July 4, 2009, 8:41 AM
> > > > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night, and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
> > > > > > > 
> > > > > > > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > > > > > > 
> > > > > > > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > > > > > > 
> > > > > > > Sincerely yours,
> > > > > > >   Vadym Chepkov
> > > > > > 
> > > > > > A domain transition would be:
> > > > > > 
> > > > > > policy_module(mywinbind, 0.0.1)
> > > > > > 
> > > > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > > > > 
> > > > > > Can you show us the full raw avc denial?
> > > > > 
> > > > > 
> > > > > But personally I would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition for the domain in which the script runs to winbind_t.
> > > > > 
> > > > > Mainly because I wouldn't want to extend/modify system_cronjob_t.
> > > > > 
> > > > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > > > > 
> > > > > > > --
> > > > > > > fedora-selinux-list mailing list
> > > > > > > fedora-selinux-list at redhat.com
> > > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > > > > 
> > > > > 
> > > > > 
> > > 
> > > 
> 
> 
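A worked version of the layout Dominick sketches (a dedicated cron-job domain for the restart script, then a transition from that domain to winbind_t), written here as an added example rather than anything posted in the thread. The names winbind_watchdog_t, winbind_watchdog_exec_t and the path /usr/local/sbin/winbind-watchdog are assumptions; winbind_t, winbind_exec_t, cron_system_entry() and domain_auto_trans() are the ones the thread refers to, and the remaining interfaces are standard refpolicy ones.

```selinux
# winbind_watchdog.te (added example; domain and path names are assumptions)
policy_module(winbind_watchdog, 0.0.1)

########################################
#
# Declarations
#

# A domain of its own for the restart script, so system_cronjob_t is
# left untouched (the reason given in the thread for this layout).
type winbind_watchdog_t;
type winbind_watchdog_exec_t;

# cron's end of the chain: system_cronjob_t executing
# winbind_watchdog_exec_t lands in winbind_watchdog_t. This is the
# cron.if interface named in the thread; it also marks the type as a
# domain and the file as its entry point.
cron_system_entry(winbind_watchdog_t, winbind_watchdog_exec_t)

########################################
#
# Local policy
#

require {
	type winbind_t, winbind_exec_t;
}

# The watchdog's end of the chain: executing winbind_exec_t lands in
# winbind_t, the transition the cron job was missing. Same rule as the
# thread's one-liner, but scoped to the watchdog instead of all cron jobs.
domain_auto_trans(winbind_watchdog_t, winbind_exec_t, winbind_t)

# The watchdog is a shell script that runs ps/grep and reads config, so
# it needs the shell and the usual binaries. Further denials (Dominick
# expected more) belong in this module after reading them from audit.log.
corecmd_exec_shell(winbind_watchdog_t)
corecmd_exec_bin(winbind_watchdog_t)
domain_use_interactive_fds(winbind_watchdog_t)
files_read_etc_files(winbind_watchdog_t)

# winbind_watchdog.fc: label only the script, not its directory.
# /usr/local/sbin/winbind-watchdog -- gen_context(system_u:object_r:winbind_watchdog_exec_t,s0)

# Build, load and relabel (Fedora's selinux-policy-devel Makefile):
#   make -f /usr/share/selinux/devel/Makefile winbind_watchdog.pp
#   semodule -i winbind_watchdog.pp
#   restorecon -v /usr/local/sbin/winbind-watchdog
# Verify with 'ps -eZ | grep winbindd': the daemons should show
# winbind_t, as in the ps output at the top of this message.
```

The thread's chain has the watchdog executing winbind_exec_t directly; if the script instead calls 'service winbind restart', what it executes is the init script, so the transition the watchdog domain needs is into the init-script domain (init_domtrans_script() in refpolicy), and the existing initrc_t to winbind_t transition covers the rest.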