add a transition rule

Paul Howarth paul at city-fan.org
Tue Jul 28 13:46:47 UTC 2009


Hi Vadym,

On 19/07/09 04:35, Vadym Chepkov wrote:
> I have a script, executed by apache, which is running in httpd_svn_script_t domain. This script calls svn-mailer(bin_t) which in turn calls /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous amount of AVCs. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
> And for that matter if httpd_can_sendmail -->  on, shouldn't it be happening automatically? Thank you.
>
> Sincerely yours,
>    Vadym Chepkov

I'm just back off vacation and saw your email. Funnily enough I wrote an 
svnmailer policy a few weeks ago, so it would be interesting to compare 
notes:

I've actually split it into two modules, svnmailer for the policy 
itself, and svnmailer-extras for additional interfaces needed in other 
policy modules. I find this arrangement is easier to manage when getting 
policy merged upstream.

I made my hook scripts httpd_sys_script_exec_t and transition from there 
to httpd_svnmailer_script_t via a domtrans. The svn repository itself is 
httpd_sys_content_rw_t.

Paul.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer.fc
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090728/9e8fd3e0/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer.if
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090728/9e8fd3e0/attachment-0001.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer.te
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090728/9e8fd3e0/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer-extras.fc
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090728/9e8fd3e0/attachment-0003.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer-extras.if
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090728/9e8fd3e0/attachment-0004.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer-extras.te
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090728/9e8fd3e0/attachment-0005.ksh>
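
The transition chain described in the reply, sketched as a local policy module. This is an added example, not the scrubbed svnmailer.te attachment or Paul's policy; the module name local_svnmailer, the placeholder file path, and the choice of reference-policy interfaces (apache_content_template, domtrans_pattern, sendmail_domtrans) are assumptions about how such a module could be written.

```selinux
# local_svnmailer.te -- added illustration, not the attached svnmailer.te
policy_module(local_svnmailer, 1.0.0)

gen_require(`
	type httpd_sys_script_t;
')

# Assumption: apache_content_template() is used to declare the script
# domain httpd_svnmailer_script_t and its entry point type
# httpd_svnmailer_script_exec_t.
apache_content_template(svnmailer)

# Hook scripts labelled httpd_sys_script_exec_t run as httpd_sys_script_t.
# When they execute a file labelled httpd_svnmailer_script_exec_t, the
# new process transitions into httpd_svnmailer_script_t.
domtrans_pattern(httpd_sys_script_t, httpd_svnmailer_script_exec_t, httpd_svnmailer_script_t)

# Executing a sendmail_exec_t binary from the mailer domain transitions
# to sendmail_t, so sendmail no longer runs in the caller's domain and
# the mail-related denials are judged against sendmail_t's own policy.
sendmail_domtrans(httpd_svnmailer_script_t)

# Matching file context entry (local_svnmailer.fc). The path is a
# placeholder; the thread only says svn-mailer is currently bin_t.
#   /path/to/svn-mailer  --  gen_context(system_u:object_r:httpd_svnmailer_script_exec_t,s0)
```

After loading such a module, relabelling the mailer binary and checking the running contexts with `ps -eZ` shows whether each hop lands in the intended domain.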

