[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Domain transition missing

From: Dominick Grift <domg472 gmail com>
To: Vadym Chepkov <chepkov yahoo com>
Cc: Fedora SELinux <fedora-selinux-list redhat com>
Subject: Re: Domain transition missing
Date: Sat, 04 Jul 2009 14:38:03 +0200

On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> Hi,
> 
> Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is  what happened last night and as a law abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transitions is missing and winbind was started in system_cronjob_t domain instead of winbind_t and none of other domains could connect to it.
> 
> I think jobs running from cron should be granted the same transition rules as  from unconfined_t. 
> 
> I will file bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> 
> Sincerely yours,
>   Vadym Chepkov

A domain transition would be:

policy_module(mywinbind, 0.0.1)

require { type system_cronjob_t, winbind_exec_t, winbind_t; }
domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)

Can you show us the full raw avc denial?

> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Follow-Ups:
- Re: Domain transition missing
  - From: Dominick Grift

References:
- Domain transition missing
  - From: Vadym Chepkov

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]