Domain transition missing

Daniel J Walsh dwalsh at redhat.com
Mon Jul 6 12:53:32 UTC 2009


On 07/04/2009 08:48 AM, Vadym Chepkov wrote:
> I really get used to running my scripts unconfined, how I can accomplish it in this scenario?
>
> Sincerely yours,
>    Vadym Chepkov
>
>
> --- On Sat, 7/4/09, Dominick Grift<domg472 at gmail.com>  wrote:
>
>> From: Dominick Grift<domg472 at gmail.com>
>> Subject: Re: Domain transition missing
>> To: "Vadym Chepkov"<chepkov at yahoo.com>
>> Cc: "Fedora SELinux"<fedora-selinux-list at redhat.com>
>> Date: Saturday, July 4, 2009, 8:41 AM
>> On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
>>> On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
>>>> I think jobs running from cron should be granted the same transition rules as from unconfined_t.
>>>> I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
>>>> Sincerely yours,
>>>>     Vadym Chepkov
>>> A domain transition would be:
>>>
>>> policy_module(mywinbind, 0.0.1)
>>>
>>> require { type system_cronjob_t, winbind_exec_t, winbind_t; }
>>> domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
>>>
>>> Can you show us the full raw avc denial?
>>
>> But personally I would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition for the domain in which the script runs to winbind_t.
>>
>> Mainly because I wouldn't want to extend/modify system_cronjob_t
>>
>> So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>


It looks like standard SELinux policy should have allowed system_cronjob_t to transition to initrc_t when executing an initrc script. How is the winbind script labeled?

ls -lZ /etc/init.d/winbind
-rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 /etc/init.d/winbind
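The chain Dominick sketches above (system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t), written out as a complete local policy module together with the build, install and verification steps. This is an added example, not code from the thread or from the Fedora policy: the module name mywinbind comes from Dominick's snippet, while the domain names myscript_t/myscript_exec_t, the watchdog path /usr/local/sbin/winbind-watchdog and the permission set are assumptions. It also covers Daniel's point that 'service winbind restart' executes the init script (samba_initrc_exec_t) rather than the winbind binary, by granting the script domain the init-script transition as well.

```shell
#!/bin/sh
# Added example (not code from the thread): a local policy module for the chain
#   system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
# The names myscript_t / myscript_exec_t and the watchdog path are assumptions.
set -eu

WATCHDOG=/usr/local/sbin/winbind-watchdog   # assumed location of the cron-run script

# Type-enforcement source: a private domain for the watchdog plus the transitions.
gen_te() {
cat <<'EOF'
policy_module(mywinbind, 0.0.1)

require {
    type system_cronjob_t, winbind_exec_t, winbind_t;
    role system_r;
}

# Private domain for the watchdog script and the type of its executable.
type myscript_t;
type myscript_exec_t;
application_domain(myscript_t, myscript_exec_t)
role system_r types myscript_t;

# Step 1: a system cron job executing the watchdog lands in myscript_t,
# so system_cronjob_t itself is left unmodified.
domain_auto_trans(system_cronjob_t, myscript_exec_t, myscript_t)

# Step 2: the watchdog executing the winbind binary lands in winbind_t.
domain_auto_trans(myscript_t, winbind_exec_t, winbind_t)

# If the watchdog restarts winbind with 'service winbind restart', it runs the
# init script (labeled samba_initrc_exec_t), not the daemon binary; this lets
# it transition to initrc_t for that path.
init_domtrans_script(myscript_t)

# Minimal permissions for a shell-based watchdog; extend from the AVC denials.
corecmd_exec_bin(myscript_t)
corecmd_exec_shell(myscript_t)
files_read_etc_files(myscript_t)
EOF
}

# File-context source: label the watchdog executable so the transition fires.
gen_fc() {
cat <<EOF
$WATCHDOG    --    gen_context(system_u:object_r:myscript_exec_t,s0)
EOF
}

# Build the module with the policy devel Makefile, load it, relabel the script.
build_and_install() {
    [ -f /usr/share/selinux/devel/Makefile ] || {
        echo "selinux-policy-devel is not installed; cannot build" >&2; return 1; }
    dir=$(mktemp -d)
    gen_te > "$dir/mywinbind.te"
    gen_fc > "$dir/mywinbind.fc"
    make -C "$dir" -f /usr/share/selinux/devel/Makefile mywinbind.pp
    semodule -i "$dir/mywinbind.pp"
    restorecon -v "$WATCHDOG"      # apply myscript_exec_t from the new .fc
}

# Confirm the label and that both type_transition rules are in the loaded policy.
verify() {
    ls -Z "$WATCHDOG"
    sesearch -T -s system_cronjob_t -t myscript_exec_t -c process
    sesearch -T -s myscript_t -t winbind_exec_t -c process
}

case "${1:-show}" in
    build)  build_and_install ;;
    verify) verify ;;
    *)      gen_te; echo; gen_fc ;;   # default: print the generated sources
esac
```

Run with `build` to compile and load the module, then `verify` to check the executable's label and the two transition rules; any denials that remain in the audit log name the extra interfaces the script domain still needs.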



