script executables

Michael Thomas wart at kobold.org
Fri Jan 26 18:25:55 UTC 2007


Stephen Smalley wrote:
> On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
>> I'm working on selinux protection for a python script daemon that is 
>> started inside of an init.d script.  Inside the init.d script the python 
>> daemon is invoked as:
>>
>> python myscript.py --daemon --pid=... --log=...
>>
>> I'd like to have this process run under its own domain.  The worst thing 
>> I could do is to relabel python with that domain, but that would just be 
>> really bad and sloppy, and not really an option.
>>
>> Another option that I've gotten to work is to use a wrapper shell script 
>> to invoke the python commands.  The init.d script invokes the wrapper 
>> script, which is labeled with the desired domain.
>>
>> But I was wondering if there was another way to get myscript.py to run 
>> under a specific domain without using an application-specific wrapper. 
>> Something like 'sedomainexec myappd_t python myscript.py --daemon ...'
>> Is the wrapper script my only option?
> 
> If myscript.py starts with #!//usr/bin/python -E, then you can just
> label the file with an appropriate _exec_t type and have it
> automatically transition into its own domain.  SELinux supports domain
> transitions on scripts (unlike setuid), although naturally you should
> only do that when you trust the calling domain.
> 
> You can also use runcon -t to manually launch a program of any kind in a
> particular domain.

runcon is exactly what I need.  Thanks!

Unfortunately...  It seems that runcon is greedy about parsing command 
line options.  If I use any '--foo' arguments to my command, runcon 
interprets them as its own arguments and usually throws an error:

# runcon system_u:object_r:httpd_exec_t ls --all
runcon: unrecognized option `--all'
Usage: runcon CONTEXT COMMAND [args]
   or:  runcon [ -c ] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] COMMAND [args]
Run a program in a different security context.

   CONTEXT            Complete security context
   -c, --compute      compute process transition context before modifying
   -t, --type=TYPE    type (for same role as parent)
   -u, --user=USER    user identity
   -r, --role=ROLE    role
   -l, --range=RANGE  levelrange
       --help         display this help and exit
       --version      output version information and exit


I'll file this in bugzilla.

--Wart
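As an added example (not code from the thread, from the runcon authors, or from Fedora), here is a small Python module the daemon itself could use to confirm it really ended up in its own domain, plus a helper that builds a runcon command line. It assumes the domain name myappd_t, which the thread only uses as a placeholder; it reads the kernel's /proc/self/attr/current to learn the current context; and it assumes runcon's getopt-based parser honours the conventional "--" terminator so that the daemon's own "--daemon"/"--pid" style options are no longer consumed by runcon. On a host without SELinux, current_context() returns None rather than failing.

```python
"""Verify that a daemon is running in its intended SELinux domain.

Added example, not part of the fedora-selinux-list thread. The domain
name "myappd_t" is an assumed placeholder; /proc/self/attr/current is
the real kernel interface that exposes the calling process's context.
"""
import os
from typing import List, Optional

# Assumed domain for the python daemon (placeholder name from the thread).
EXPECTED_TYPE = "myappd_t"


def parse_context(context: str) -> dict:
    """Split a security context 'user:role:type[:range]' into fields.

    The MLS/MCS range is optional and may itself contain ':' (for example
    's0-s0:c0.c1023'), so only the first three ':' are used as separators.
    """
    parts = context.strip().rstrip("\0").split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    fields = {"user": parts[0], "role": parts[1], "type": parts[2]}
    fields["range"] = parts[3] if len(parts) == 4 else None
    return fields


def current_context(path: str = "/proc/self/attr/current") -> Optional[str]:
    """Return this process's security context, or None if SELinux is unavailable.

    The read fails with OSError (ENOENT, EINVAL, ...) on kernels without
    SELinux or in containers that hide the attr files; treat that as unknown.
    """
    try:
        with open(path, "r") as f:
            return f.read().rstrip("\0\n")
    except OSError:
        return None


def running_in_domain(expected_type: str, context: Optional[str]) -> bool:
    """True only when the process type equals the expected domain type.

    An unknown or unparsable context (e.g. the bare 'unconfined' string that
    other LSMs report) counts as NOT running in the expected domain.
    """
    if context is None:
        return False
    try:
        return parse_context(context)["type"] == expected_type
    except ValueError:
        return False


def runcon_argv(domain_type: str, command: List[str]) -> List[str]:
    """Build a runcon argument vector for launching COMMAND in DOMAIN_TYPE.

    Assumption: runcon parses options with getopt_long, so a literal '--'
    ends runcon's own option parsing and everything after it, including the
    command's own '--foo' switches, is passed through untouched.
    """
    return ["runcon", "-t", domain_type, "--"] + list(command)


if __name__ == "__main__":
    ctx = current_context()
    if ctx is None:
        print("SELinux context not available; cannot verify domain")
    elif running_in_domain(EXPECTED_TYPE, ctx):
        print(f"running in {EXPECTED_TYPE} as expected ({ctx})")
    else:
        # A daemon that expected a transition but still sees the init.d
        # script's or the shell's domain should log this loudly.
        print(f"WARNING: expected type {EXPECTED_TYPE} but context is {ctx}")
    print("launch line:", " ".join(runcon_argv(EXPECTED_TYPE,
          ["python", "myscript.py", "--daemon", "--pid=/var/run/myappd.pid"])))
```

The startup check is the defensive half of the thread: whether the transition comes from an _exec_t label on a "#!/usr/bin/python -E" script or from runcon, the daemon can refuse to proceed (or at least log) if its type is still initrc_t or the shell's type, which is easier to spot than a silently under-confined service.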

More information about the fedora-selinux-list mailing list