Domains, interpreted languages, and Cron scripts

Daniel J Walsh dwalsh at redhat.com
Mon Nov 22 15:03:14 UTC 2004


Bill McCarty wrote:

> Hi all,
>
> I've run into an architectural headache that someone else must already 
> have visited, and perhaps solved. But, I find no mention of the 
> problem in list archives or elsewhere.
>
> I have several Python scripts that run under Cron. Some of these 
> scripts access or modify sensitive data, and so I'd like to define one 
> or more domains by means of which to limit their privileges. However, 
> the exe name associated with such scripts is /usr/bin/python2.3, 
> rather than the name of the script. Consistent with the principle of 
> least privilege, I'd prefer to define distinct domains for each 
> script, rather than an overly broad python_t domain, for instance.
>
> Has anyone else been here already? What techniques are useful for 
> constraining the privileges given to scripts?
>
Instead of running

    python script

change the script to start with

    #! /usr/bin/python

and you can set the context on the script.

> One idea: Would it be a good thing to modify Run-parts to transition 
> to a domain named for the Cron script it launches? Doing so would seem 
> to solve my problem, but it might create others <g>.
>
> Thanks,
>
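
Added example, not part of the original message: a Python audit of an /etc/crontab-style file that reports, for each job, whether the executed file is the interpreter (the "python script" form, where a context set on the script is never the one consulted at exec time) or the script itself via its "#!" line. The sample crontab, the script paths and the verdict names are constructed for illustration.

```python
import shlex

# When one of these is the executed file, the script is only an argument it reads.
INTERPRETERS = ("python", "perl", "ruby", "bash", "sh")

def is_interpreter(prog):
    base = prog.rsplit("/", 1)[-1]  # matches "python" and "python2.3", not "shred"
    return any(base == n or (base.startswith(n) and base[len(n):].replace(".", "").isdigit())
               for n in INTERPRETERS)

def cron_command(line):
    """Command field of an /etc/crontab-style line (schedule, user, command), else None."""
    line = line.strip()
    skip = 2 if line.startswith("@") else 6  # "@daily user cmd" or "m h dom mon dow user cmd"
    fields = line.split(None, skip)
    if line.startswith("#") or len(fields) <= skip or "=" in fields[0]:
        return None  # comment, blank or short line, or environment setting
    return fields[skip]

def first_line(path):
    try:
        with open(path, "rb") as f:
            return f.readline()
    except OSError:
        return None

def audit(crontab_text, read_first_line=first_line):
    """List (verdict, path) per job: which file is executed, and so whose label matters."""
    results = []
    for command in filter(None, map(cron_command, crontab_text.splitlines())):
        argv = shlex.split(command)
        if is_interpreter(argv[0]):
            script = next((a for a in argv[1:] if not a.startswith("-")), None)
            results.append(("interpreter-is-entrypoint", script))
        elif (read_first_line(argv[0]) or b"").startswith(b"#!"):
            results.append(("script-is-entrypoint", argv[0]))
        else:
            results.append(("other", argv[0]))
    return results

# Constructed sample input; paths and jobs are hypothetical.
SAMPLE_CRONTAB = """SHELL=/bin/bash
15 2 * * * root /usr/bin/python2.3 /usr/local/sbin/rotate-keys.py
30 2 * * * root /usr/local/sbin/export-ledger.py --quiet
@daily root /usr/bin/updatedb
"""
SAMPLE_FILES = {"/usr/local/sbin/export-ledger.py": b"#! /usr/bin/python\n"}
if __name__ == "__main__":
    print(*audit(SAMPLE_CRONTAB, SAMPLE_FILES.get), sep="\n")
```

Jobs reported as interpreter-is-entrypoint are the ones to convert to direct execution before labelling the script; the script is taken to be the first non-option argument, which is a heuristic.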



