script executables

Stephen Smalley sds at tycho.nsa.gov
Fri Jan 26 19:08:57 UTC 2007


On Fri, 2007-01-26 at 10:48 -0800, Michael Thomas wrote:
> That explains this:
> 
> type=AVC msg=audit(1169836492.684:217): avc:  denied  { entrypoint } for 
>   pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390 
> scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 
> tclass=file
> 
> Couldn't I just add this to my policy file, or is it too dangerous?:
> 
> allow pokerd_t bin_t:file entrypoint;

It doesn't make much difference in this case, since it is a script and
it isn't particularly privileged (any more so than the caller).  But use
the refpolicy interface instead:
	domain_entry_file(pokerd_t, bin_t)

> That won't work in this case, unfortunately.  The full command that I'm 
> running is:
> 
> /usr/bin/python /usr/bin/twistd 
> --pidfile=/var/run/poker-network/poker-server.pid --python 
> /usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py --...
> 
> It's a python script framework (twistd) that is invoking the real 
> application specified on the command line.  As before, it wouldn't make 
> sense to label the entire framework.  I'm working with the app 
> developers to see if they can work around this and invoke the script 
> directly, but for now I have to assume that it might not be an option.

Ok.  

-- 
Stephen Smalley
National Security Agency
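The denial quoted above is a standard AVC audit record, and the two fixes discussed (a raw `allow` rule versus the refpolicy `domain_entry_file()` interface) are both derived from its source type, target type, class and permission. The following script is an added example, not code from the thread or from refpolicy, that parses such a record and emits both forms. The sample record is the one quoted in the message, re-joined onto one line; the interface lookup table is an assumption that covers only the `file entrypoint` pairing named in the reply.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, re-joined onto one
# line (the mail client had wrapped it across three lines).
SAMPLE_AVC = (
    'type=AVC msg=audit(1169836492.684:217): avc:  denied  { entrypoint } for '
    'pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390 '
    'scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file'
)

# "avc:  denied  { perm1 perm2 } for key=value ..." -- perms may be several.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either quoted (comm="runcon") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed lookup table: (object class, permission) -> refpolicy interface.
# Only the pairing from this thread is filled in; a real tool would derive the
# rest from refpolicy's .if files.
INTERFACES = {
    ('file', 'entrypoint'): 'domain_entry_file',
}


def parse_avc(line):
    """Break one AVC record into the fields a policy rule is built from."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A security context is user:role:type[:mls]; the type is the third field.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def raw_allow_rule(avc):
    """The direct policy-language rule that would silence this denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'], perm_str)


def refpolicy_interface(avc):
    """The refpolicy interface call for this denial, or None if none is known."""
    if len(avc['perms']) != 1:
        return None
    name = INTERFACES.get((avc['tclass'], avc['perms'][0]))
    if name is None:
        return None
    return '%s(%s, %s)' % (name, avc['stype'], avc['ttype'])


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print('raw rule:  ', raw_allow_rule(avc))
    print('interface: ', refpolicy_interface(avc) or '(no interface known)')
```

Either output grants `entrypoint` on every file labelled `bin_t`, not just the `python` binary, which is why the reply says the choice makes little difference for an unprivileged script: the domain gains no privilege the caller did not already have, and the interface form simply keeps the module readable and in step with refpolicy conventions.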
More information about the fedora-selinux-list mailing list