Making a python/shell script run in httpd_t (or some other domain)

David Caplan dac at tresys.com
Mon Mar 12 11:54:11 UTC 2007

> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com 
> [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of 
> Forrest Taylor
> Sent: Saturday, March 10, 2007 11:56 AM
> To: fedora-selinux-list at redhat.com
> Subject: Making a python/shell script run in httpd_t (or some 
> other domain)
> 
> I am trying to make a python script run in the httpd_t domain 
> on RHEL5 RC4.  I have assigned the script the httpd_exec_t 
> type.  I searched the archives, and I saw an earlier post 
> that stated that I should use the -E option to python:
> 
> #!/usr/bin/python -E
> 
> I see the same entry in python scripts like setroubleshootd.  
> However, when I try to run my script (or setroubleshootd, for 
> that matter) directly, it runs in unconfined_t.  I have the 
> same problem with shell executables.  Any tips?
> 

You need to make sure you have all the rules required for your source
domain to transition to your target domain. The unconfined_t domain
generally does not transition; it is designed to run most things in its
domain which has a wide range of permissions (hence the name
"unconfined"). 

You need these three rules to permit a transition:
allow source_domain target_domain:process transition;
allow source_domain entrypoint_type:file {read getattr execute};
allow target_domain entrypoint_type:file entrypoint;

If you want the transition to be automatic, you also need a
type_transition rule:
type_transition source_domain entrypoint_type:process target_domain;

You can use apol's domain transition analysis to test your policy to
make sure you have all the necessary rules. There is also a good
explanation of domain transitions in the Help menu. (Or Chapter 5 of
_Selinux by Example_ :))

You also probably don't want to run your script in httpd_t, but in a
more restricted domain.

> run_init will run as expected, but it does also ask for the 
> root password.  I know that I could change the pam.d/ entry, 
> but I don't want to do that at this point.
> 
> I created an init script that simply calls the executable.  
> This works as expected, as long as the script starts with the 
> interpreter (e.g., #!/bin/bash).  If I leave out that line, 
> it does not transition.  Any idea why?
> 
> Thanks,
> 
> Forrest
> 
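The rules above as a concrete, loadable module, added here as an example (it is not code from the original post or from anyone on this thread). It takes initrc_t as the source domain, because that is the domain an init script runs in whether started at boot or through run_init, and puts the script in a new restricted domain rather than httpd_t, as suggested above. The domain name myscript_t, the entrypoint type myscript_exec_t, the path /usr/local/bin/myscript and the presence of checkmodule, semodule_package, semodule and setools' sesearch are assumptions for illustration. Two caveats a practitioner will hit: the target type must also be authorized for the source domain's role (system_r), or the transition is refused even with the four rules present; and the kernel only computes a transition when it executes the file itself, so a script with no #! line fails execve with ENOEXEC, the calling shell reads it in-process, and no transition can occur. The module below deliberately grants the new domain nothing beyond the transition and running the shell; what the script itself needs is found from AVC denials with audit2allow.

```shell
#!/bin/sh
# Added example, not code from the original post: generate, build and verify
# a minimal SELinux policy module so that an init script (initrc_t) transitions
# into a new domain when it executes a script carrying a new entrypoint type.
# Assumed names: myscript_t, myscript_exec_t, /usr/local/bin/myscript.

# Print the module: the three allow rules and the type_transition from the
# post, plus the declarations a loadable module needs around them.
gen_te() {
    src=$1; tgt=$2; ep=$3
    cat <<EOF
module myscript 1.0;

require {
    type $src;
    type shell_exec_t;
    attribute domain;
    attribute file_type;
    attribute exec_type;
    role system_r;
    class process transition;
    class file { read getattr execute execute_no_trans entrypoint };
}

# New domain and its entrypoint type (assumed names, not existing policy types).
type $tgt;
typeattribute $tgt domain;
type $ep;
typeattribute $ep file_type, exec_type;
# $src runs in role system_r; the new type must be allowed for that role too.
role system_r types $tgt;

# The rules required for a transition.
allow $src $tgt:process transition;
allow $src $ep:file { read getattr execute };
allow $tgt $ep:file entrypoint;
# Make the transition automatic instead of needing runcon.
type_transition $src $ep:process $tgt;

# A #!/bin/bash script is run by executing the interpreter inside the new
# domain, so the domain must run the shell without a further transition.
allow $tgt shell_exec_t:file { read getattr execute execute_no_trans };
EOF
}

# Print the file context line that labels the script; "--" restricts the
# match to regular files.
gen_fc() {
    printf '%s\t--\tsystem_u:object_r:%s:s0\n' "$1" "$2"
}

# Compile in loadable-module mode, package with the file context, install,
# and relabel the script (requires root and an SELinux-enabled host).
build_and_load() {
    checkmodule -M -m -o myscript.mod myscript.te
    semodule_package -o myscript.pp -m myscript.mod -f myscript.fc
    semodule -i myscript.pp
    restorecon -v /usr/local/bin/myscript
}

# Ask the loaded policy (setools sesearch) for the explicit allow rule and the
# type_transition rule; both must be present or the script stays in initrc_t.
check_transition() {
    src=$1; tgt=$2; ep=$3
    sesearch -A -s "$src" -t "$tgt" -c process -p transition | grep -q "$tgt" &&
    sesearch -T -s "$src" -t "$ep" -c process | grep -q "$tgt"
}

main() {
    gen_te initrc_t myscript_t myscript_exec_t > myscript.te
    gen_fc /usr/local/bin/myscript myscript_exec_t > myscript.fc
    echo "wrote myscript.te and myscript.fc"
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
        build_and_load
        check_transition initrc_t myscript_t myscript_exec_t &&
            echo "transition initrc_t -> myscript_t via myscript_exec_t is in policy"
    else
        echo "SELinux build tools not found; copy myscript.te/.fc to the target and run build_and_load there"
    fi
}

# Usage: sh selinux_transition.sh run   (writes myscript.te and myscript.fc here)
if [ "${1:-}" = run ]; then
    main
fi
```

After loading, `run_init /etc/init.d/myscript start` followed by `ps -eZ | grep myscript` shows whether the process landed in myscript_t; starting the script directly from an unconfined shell still leaves it in unconfined_t, since no rule above names that domain as a source.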