script executables
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 26 18:26:07 UTC 2007
On Fri, 2007-01-26 at 10:25 -0800, Michael Thomas wrote:
> Stephen Smalley wrote:
> > On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
> >> I'm working on selinux protection for a python script daemon that is
> >> started inside of an init.d script. Inside the init.d script the python
> >> daemon is invoked as:
> >>
> >> python myscript.py --daemon --pid=... --log=...
> >>
> >> I'd like to have this process run under its own domain. The worst thing
> >> I could do is to relabel python with that domain, but that would just be
> >> really bad and sloppy, and not really an option.
> >>
> >> Another option that I've gotten to work is to use a wrapper shell script
> >> to invoke the python commands. The init.d script invokes the wrapper
> >> script, which is labeled with the desired domain.
> >>
> >> But I was wondering if there was another way to get myscript.py to run
> >> under a specific domain without using an application-specific wrapper.
> >> Something like 'sedomainexec myappd_t python myscript.py --daemon ...'
> >> Is the wrapper script my only option?
> >
> > If myscript.py starts with #!//usr/bin/python -E, then you can just
> > label the file with an appropriate _exec_t type and have it
> > automatically transition into its own domain. SELinux supports domain
> > transitions on scripts (unlike setuid), although naturally you should
> > only do that when you trust the calling domain.
> >
> > You can also use runcon -t to manually launch a program of any kind in a
> > particular domain.
>
> runcon is exactly what I need. Thanks!
>
> Unfortunately... It seems that runcon is greedy about parsing command
> line options. If I use any '--foo' arguments to my command, runcon
> interprets them as its own arguments and usually throws an error:
>
> # runcon system_u:object_r:httpd_exec_t ls --all
That's a file context, not a process context.
And you can disable option parsing via the usual trick, "--", e.g.
runcon -t httpd_t -- ls --all
but that will fail on the entrypoint permission check. So you are
better off doing:
chcon -t httpd_exec_t myscript.py
and letting it do an automatic transition via direct execution, e.g.
./myscript.py
> runcon: unrecognized option `--all'
> Usage: runcon CONTEXT COMMAND [args]
> or: runcon [ -c ] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] COMMAND [args]
> Run a program in a different security context.
>
> CONTEXT Complete security context
> -c, --compute compute process transition context before modifying
> -t, --type=TYPE type (for same role as parent)
> -u, --user=USER user identity
> -r, --role=ROLE role
> -l, --range=RANGE levelrange
> --help display this help and exit
> --version output version information and exit
>
>
> I'll file this in bugzilla.
--
Stephen Smalley
National Security Agency
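A minimal reference-policy module showing the automatic transition described in the reply above (an added example, not from the thread or the SELinux project; the type names myappd_t, myappd_exec_t, myappd_var_run_t and myappd_log_t, the module name, and the path /usr/local/sbin/myscript.py are assumed, and the macros are refpolicy's):

```te
# myappd.te  (assumed module name; refpolicy macros)
policy_module(myappd, 1.0)

type myappd_t;
type myappd_exec_t;
# Declares myappd_t as a domain with myappd_exec_t as its only entrypoint,
# and lets init/initrc_t transition into myappd_t when the script is
# executed directly. Any other domain running the script stays put unless
# it is granted its own transition, so the calling domain is still the
# trust boundary.
init_daemon_domain(myappd_t, myappd_exec_t)

# The kernel runs the "#!/usr/bin/python -E" interpreter from inside the
# new domain, so myappd_t needs execute on bin_t (python) without a further
# transition. -E keeps PYTHON* variables from the caller from altering
# what the interpreter loads.
corecmd_exec_bin(myappd_t)

# Pid file written with --pid=... under /var/run
type myappd_var_run_t;
files_pid_file(myappd_var_run_t)
manage_files_pattern(myappd_t, myappd_var_run_t, myappd_var_run_t)
files_pid_filetrans(myappd_t, myappd_var_run_t, file)

# Log file written with --log=... under /var/log
type myappd_log_t;
logging_log_file(myappd_log_t)
manage_files_pattern(myappd_t, myappd_log_t, myappd_log_t)
logging_log_filetrans(myappd_t, myappd_log_t, file)

# myappd.fc  (assumed path; labels the script as the domain entrypoint)
# /usr/local/sbin/myscript\.py  --  gen_context(system_u:object_r:myappd_exec_t,s0)
```

Build with the refpolicy module Makefile, load with semodule, and restorecon the script; the init.d line then just executes ./myscript.py and the transition happens without runcon. The same entrypoint rule is why "runcon -t httpd_t -- ls --all" is refused: ls is bin_t, not an entrypoint type of httpd_t.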