script executables
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 26 19:08:57 UTC 2007
On Fri, 2007-01-26 at 10:48 -0800, Michael Thomas wrote:
> That explains this:
>
> type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for
> pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390
> scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0
> tclass=file
>
> Couldn't I just add this to my policy file, or is it too dangerous?:
>
> allow pokerd_t bin_t:file entrypoint;
It doesn't make much difference in this case, since it is a script and
it isn't particularly privileged (any more so than the caller). But use
the refpolicy interface instead:
domain_entry_file(pokerd_t, bin_t)
> That won't work in this case, unfortunately. The full command that I'm
> running is:
>
> /usr/bin/python /usr/bin/twistd
> --pidfile=/var/run/poker-network/poker-server.pid --python
> /usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py --...
>
> It's a python script framework (twistd) that is invoking the real
> application specified on the command line. As before, it wouldn't make
> sense to label the entire framework. I'm working with the app
> developers to see if they can work around this and invoke the script
> directly, but for now I have to assume that it might not be an option.
Ok.
--
Stephen Smalley
National Security Agency
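As an added illustration of the exchange above (this is editorial example code, not part of the original thread or of refpolicy): a small parser that takes an AVC record such as the one Michael quoted, pulls out the source type, target type, object class and permission, and for an `entrypoint` denial on a file prints both the raw `allow` rule and the `domain_entry_file()` interface call Stephen recommends, wrapped in a minimal module. The sample AVC line is the one from the thread rejoined onto a single line; the module name `pokerd_local`, the `require` block layout and the version number are this example's own assumptions. The later interpreter/`twistd` problem is deliberately not handled, since the thread offers no rule for it.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the denial quoted in the thread, rejoined onto one
# line (the mailing-list archive wrapped it across several lines).
SAMPLE_AVC = (
    'type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for '
    'pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390 '
    'scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file'
)

# "avc: denied { perm perm } for key=value key="value" ..."
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, object] = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in _KV_RE.findall(m.group(3)):
        fields[key] = value.strip('"')   # drop the quotes around comm="..." etc.
    return fields


def context_type(ctx: str) -> str:
    """Extract the type (third component) of a user:role:type[:range] context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def suggest_rules(fields: Dict[str, object]) -> Optional[Dict[str, str]]:
    """For an entrypoint denial on a file, give the raw rule and the refpolicy interface."""
    perms = fields.get("perms", [])
    if fields.get("tclass") != "file" or "entrypoint" not in perms:
        return None
    src = context_type(str(fields["scontext"]))
    tgt = context_type(str(fields["tcontext"]))
    return {
        "raw": f"allow {src} {tgt}:file entrypoint;",
        "interface": f"domain_entry_file({src}, {tgt})",
    }


def policy_module(name: str, fields: Dict[str, object]) -> str:
    """Wrap the interface call in a minimal .te module (layout is this example's assumption)."""
    rules = suggest_rules(fields)
    if rules is None:
        raise ValueError("not an entrypoint denial on a file")
    src = context_type(str(fields["scontext"]))
    tgt = context_type(str(fields["tcontext"]))
    return "\n".join([
        f"policy_module({name}, 1.0)",   # hypothetical module name and version
        "",
        "require {",
        f"\ttype {src};",
        f"\ttype {tgt};",
        "}",
        "",
        rules["interface"],
        "",
    ])


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    if parsed is not None:
        print(suggest_rules(parsed))
        print(policy_module("pokerd_local", parsed))
```

Running the module prints the raw `allow pokerd_t bin_t:file entrypoint;` rule alongside `domain_entry_file(pokerd_t, bin_t)`; as Stephen notes, the interface is the form to put in a policy rather than the raw rule.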