add a transition rule

Vadym Chepkov chepkov at yahoo.com
Mon Aug 3 13:25:59 UTC 2009 

Hi,

My policy is very simplistic

local.te
apache_content_template(svn)
domain_auto_trans(httpd_svn_script_t, sendmail_exec_t, sendmail_t)

local.fc
# svn
/var/svn(/.*)?                                                  gen_context(system_u:object_r:httpd_svn_script_ro_t,s0)
/var/svn/(.*/)?hooks(/.*)?                          gen_context(system_u:object_r:httpd_svn_script_exec_t,s0)
/var/svn/(.*/)?dav(/.*)?                            gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?locks(/.*)?                          gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?db(/.*)?                             gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)

Works well

Sincerely yours,
  Vadym Chepkov


--- On Tue, 7/28/09, Paul Howarth <paul at city-fan.org> wrote:

> From: Paul Howarth <paul at city-fan.org>
> Subject: Re: add a transition rule
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Tuesday, July 28, 2009, 9:46 AM
> Hi Vadym,
> 
> On 19/07/09 04:35, Vadym Chepkov wrote:
> > I have a script, executed by apache, which is running
> in httpd_svn_script_t domain. This script calls
> svn-mailer(bin_t) which in turns calls
> /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there
> is no transition defined, sendmail still runs in
> httpd_svn_script_t and I get humongous amount of avc's. What
> would be the proper rule to add to the local policy to make
> sendmail running in the proper domain, sendmail_t?
> > And for that matter if httpd_can_sendmail --> 
> on, shouldn't it be happening automatically? Thank you.
> > 
> > Sincerely yours,
> >    Vadym Chepkov
> 
> I'm just back off vacation and saw your email. Funnily
> enough I wrote an svnmailer policy a few weeks ago, so it
> would be interesting to compare notes:
> 
> I've actually split it into two modules, svnmailer for the
> policy itself, and svnmailer-extras for additional
> interfaces needed in other policy modules. I find this
> arrangement is easier to manage when getting policy merged
> upstream.
> 
> I made my hook scripts httpd_sys_script_exec_t and
> transition from there to httpd_svnmailer_script_t via a
> domtrans. The svn repository itself is
> httpd_sys_content_rw_t.
> 
> Paul.
>

More information about the fedora-selinux-list mailing list