(Non)Domain Transitioning
Kirk Vogelsang
kvogelsa at ccs.neu.edu
Mon Jun 14 19:38:51 UTC 2004
I'm having some problems getting the snortcenter agent (miniserv.pl)
to start snort and transition snort to the appropriate snort_t domain.
When miniserv starts snort, snort continues to run in the miniserv
domain, snort_agent_t (a domain I created).
AVC messages show miniserv starting snort with execute_no_trans,
which I believe is the problem:
audit(108724131.465:0): avc: denied { execute_no_trans } for pid=7136 exe=/bin//bash path=/usr/tools/adm/packages/snort/bin/snort dev=sda2 ino=256078 scontext=system_u:system_r:snort_agent_t tcontext=system_u:object_r:snort_exec_t tclass=file
When snort is started via run_init, it runs appropriately within the
snort_t domain. I have:
allow snort_agent_t snort_exec_t:file { read execute entrypoint };
...
...
allow snort_agent_t snort_t:process transition;
My question: How do I force a process (snort) to transition to the
correct domain (snort_t) when exec'd from another domain
(snort_agent_t)?
-----
Kirk M. Vogelsang <kvogelsa at ccs.neu.edu>
Northeastern University College of Computer Science
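Editor's note (not part of the original post): an execute_no_trans denial is what SELinux reports when a domain executes a file and no domain transition takes place, so the exec stays in the caller's domain. An automatic transition needs four things in the policy: the source domain may execute the file, the target domain has entrypoint on that file (entrypoint belongs to the domain being entered, snort_t, not to the caller), the source may transition to the target, and a type_transition rule names the new domain. The rules in the message put entrypoint on snort_agent_t and have no type_transition, which matches the symptom. The fragment below is an added example written in SELinux policy language using the type names from the message; the getattr permission and the domain_auto_trans() macro reference are assumptions about how the policy of that era is written, not quoted from the post.

```te
# Added example (not from the original post): minimal rules for an automatic
# domain transition snort_agent_t -> snort_t when snort_exec_t is executed.

# Types used in the message (declared elsewhere in the policy).
type snort_agent_t, domain;
type snort_t, domain;
type snort_exec_t, file_type, exec_type;

# 1. The caller may look up and execute the program file.
#    (execute alone lets the caller run it in its own domain, which is the
#     execute_no_trans case; getattr is an assumed, commonly needed permission.)
allow snort_agent_t snort_exec_t:file { getattr read execute };

# 2. The *target* domain may be entered through this file.
#    This is where entrypoint belongs; granting it to snort_agent_t does nothing
#    for the transition.
allow snort_t snort_exec_t:file entrypoint;

# 3. The caller may change its domain to the target.
allow snort_agent_t snort_t:process transition;

# 4. Make the transition happen automatically at exec time. Without this rule
#    the kernel keeps the caller's domain (execute_no_trans) unless the caller
#    itself requests a context with setexeccon()/runcon.
type_transition snort_agent_t snort_exec_t:process snort_t;

# Equivalent shorthand in the Fedora example policy of that era (assumed name
# and expansion): the macro expands to the allow and type_transition rules above.
# domain_auto_trans(snort_agent_t, snort_exec_t, snort_t)
```

After loading the rebuilt policy, a transition can be checked without running the agent by exec'ing the file from the caller's domain and reading /proc/PID/attr/current (or the ps -Z output) for the new process; the first column of the AVC context, and the absence of further execute_no_trans denials for snort_exec_t, confirm that the exec entered snort_t.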
More information about the fedora-selinux-list mailing list