add a transition rule

Dominick Grift domg472 at gmail.com
Sun Jul 19 11:06:25 UTC 2009


On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
> Hi,
> 
> I have a script, executed by apache, which is running in httpd_svn_script_t domain. This script calls svn-mailer(bin_t) which in turn calls /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get humongous amount of avc's. What would be the proper rule to add to the local policy to make sendmail running in the proper domain, sendmail_t? 
> And for that matter if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you. 

Not sure about all this (sesearch and review of source policy might
reveal the answer). I am not in my usual location so I cannot verify at
the moment, however my personal opinion is that you might as well write
some policy yourself to make this happen. Those httpd booleans are
generally coarse grained.

If you write a policy for your script, do a transition from
httpd_svn_script_t to myscript_t, and then allow myscript_t to transition
to the mail domain (probably something like
sendmail_domtrans(myscript_t)), you do not pollute your
httpd_svn_script_t domain too much with access vectors that are really
meant for your script and not svn.

> Sincerely yours,
>   Vadym Chepkov
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
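
The two-step module the reply sketches, written out as an added example (it is not from the original post or from the Fedora policy sources): a reference-policy .te module that introduces a private domain for the hook script, transitions httpd_svn_script_t into it, and then lets that domain transition into sendmail_t. The names myscript_t and myscript_exec_t, the hook path used for labelling, and the handful of extra allow rules are assumptions for illustration; what the script really needs has to come from its own AVC denials.

```selinux
policy_module(myscript, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical domain for the svn hook script and the file type it is
# entered from.  application_domain() makes myscript_t a domain and
# myscript_exec_t its entry-point executable type.
type myscript_t;
type myscript_exec_t;
application_domain(myscript_t, myscript_exec_t)

# The svn script domain comes from the base policy (apache module);
# we only reference it here, so it has to be required.
gen_require(`
	type httpd_svn_script_t;
')

########################################
#
# Local policy
#

# Step 1 (from the reply): when httpd_svn_script_t executes a file
# labelled myscript_exec_t, run it in myscript_t instead of leaving it
# in the svn script domain.  domtrans_pattern() also grants the
# execute/entrypoint rules and the fd/fifo/sigchld rules both sides need.
domtrans_pattern(httpd_svn_script_t, myscript_t, myscript_exec_t)

# Access the script itself needs.  svn-mailer is bin_t, so it runs
# inside myscript_t; that is why the later exec of sendmail happens from
# this domain.  (Assumed minimal set; adjust from the denials you see.)
corecmd_exec_bin(myscript_t)
files_read_etc_files(myscript_t)
miscfiles_read_localization(myscript_t)

# Step 2 (from the reply): when anything in myscript_t executes a file
# labelled sendmail_exec_t (e.g. /usr/sbin/sendmail.sendmail), transition
# to sendmail_t.  sendmail_domtrans() expands to
# domtrans_pattern(myscript_t, sendmail_exec_t, sendmail_t).
optional_policy(`
	sendmail_domtrans(myscript_t)
')
```

The matching file context, in a myscript.fc beside the .te, labels the script so the first transition has something to fire on; the path is an assumption: `/var/www/svn/hooks/post-commit -- gen_context(system_u:object_r:myscript_exec_t,s0)`. Build and load it the usual Fedora way, `make -f /usr/share/selinux/devel/Makefile myscript.pp && semodule -i myscript.pp`, then `restorecon -v` the script so it picks up myscript_exec_t. Before adding any of this, the check the reply hints at is `sesearch -T -s httpd_svn_script_t -t sendmail_exec_t -c process`: if that prints no type_transition rule, nothing in the loaded policy moves sendmail out of the svn script domain, whatever the boolean says.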
