Domain transition missing

Dominick Grift domg472 at gmail.com
Sat Jul 4 12:57:53 UTC 2009


On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
> 
> Sincerely yours,
>   Vadym Chepkov
> 

If you want the system to run jobs, you will need to write some policy or
extend the system_cronjob_t domain, I think.


Were those the only AVC denials you got? I would expect more denials.

> --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
> 
> > From: Dominick Grift <domg472 at gmail.com>
> > Subject: Re: Domain transition missing
> > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > Date: Saturday, July 4, 2009, 8:41 AM
> > On Sat, 2009-07-04 at 14:38 +0200,
> > Dominick Grift wrote:
> > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov
> > wrote:
> > > > Hi,
> > > > 
> > > > Last night I got a nasty surprise from selinux. I am using winbind
> > > > for external authentication and since it has a history of failures
> > > > I have a simple watchdog implemented to check the status and restart
> > > > it if necessary. That is what happened last night and as a
> > > > law-abiding selinux citizen I used 'service winbind restart', but it
> > > > seems the proper domain transition is missing and winbind was
> > > > started in the system_cronjob_t domain instead of winbind_t and none
> > > > of the other domains could connect to it.
> > > > 
> > > > I think jobs running from cron should be granted the same transition
> > > > rules as from unconfined_t.
> > > > 
> > > > I will file a bugzilla report about it, but could somebody help me
> > > > with modifying my local policy until/if it gets implemented, please?
> > > > Thank you.
> > > > 
> > > > Sincerely yours,
> > > >   Vadym Chepkov
> > > 
> > > A domain transition would be:
> > > 
> > > policy_module(mywinbind, 0.0.1)
> > > 
> > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > 
> > > Can you show us the full raw AVC denial?
> > 
> > 
> > But personally I would deal with this in a different way. I would write
> > policy for the script that restarts winbind and then I would create a
> > domain transition from the domain in which the script runs to winbind_t.
> > 
> > Mainly because I wouldn't want to extend/modify system_cronjob_t.
> > 
> > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t
> > -> winbind_t
> > 
> > > > --
> > > > fedora-selinux-list mailing list
> > > > fedora-selinux-list at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
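As an added example (not code from the thread, nor from the Fedora policy), here is the chain Dominick describes, system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t, written out as a complete local module. The script path /usr/local/sbin/winbind-watchdog and the type names winbind_watchdog_t / winbind_watchdog_exec_t are assumptions; the interface names (cron_system_entry, samba_domtrans_winbind, init_domtrans_script, etc.) are the reference-policy ones shipped in Fedora's selinux-policy-devel and are assumed to be present on the target box. The build step needs that package and root; the file-writing part runs anywhere.

```shell
#!/bin/sh
# Added example: local policy module confining a cron-driven winbind watchdog.
# Assumed (not from the thread): the script lives at
# /usr/local/sbin/winbind-watchdog; the types winbind_watchdog_t and
# winbind_watchdog_exec_t are ours; the refpolicy interfaces named below
# come from /usr/share/selinux/devel (selinux-policy-devel).
set -eu

# Write mywinbind.te and mywinbind.fc into the directory given as $1.
write_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/mywinbind.te" <<'EOF'
policy_module(mywinbind, 0.0.2)

########################################
#
# Declarations
#

# A domain for the watchdog script and a type for its executable.
type winbind_watchdog_t;
type winbind_watchdog_exec_t;
application_domain(winbind_watchdog_t, winbind_watchdog_exec_t)

########################################
#
# Local policy
#

# crond: system_cronjob_t -> winbind_watchdog_t when it execs the script,
# so nothing is added to system_cronjob_t itself.
cron_system_entry(winbind_watchdog_t, winbind_watchdog_exec_t)

# The watchdog is a shell script that calls ordinary binaries.
corecmd_exec_shell(winbind_watchdog_t)
corecmd_exec_bin(winbind_watchdog_t)

# Health check: read winbindd's pid file and talk to its socket (wbinfo -p).
samba_read_winbind_pid(winbind_watchdog_t)
samba_stream_connect_winbind(winbind_watchdog_t)

# Restart, either by execing winbindd directly (-> winbind_t) ...
samba_domtrans_winbind(winbind_watchdog_t)
# ... or via `service winbind restart`, which execs the init script;
# that exec must land in initrc_t, whose own rules transition to winbind_t.
init_domtrans_script(winbind_watchdog_t)

# Housekeeping most cron jobs need.
kernel_read_system_state(winbind_watchdog_t)
files_read_etc_files(winbind_watchdog_t)
miscfiles_read_localization(winbind_watchdog_t)
logging_send_syslog_msg(winbind_watchdog_t)
EOF

    cat > "$dir/mywinbind.fc" <<'EOF'
/usr/local/sbin/winbind-watchdog   --   gen_context(system_u:object_r:winbind_watchdog_exec_t,s0)
EOF
}

# Build, load and label; run as root on the target machine.
install_policy() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile mywinbind.pp )
    semodule -i "$dir/mywinbind.pp"
    restorecon -v /usr/local/sbin/winbind-watchdog
    # Confirm both hops of the chain exist in the loaded policy.
    sesearch -T -s system_cronjob_t -t winbind_watchdog_exec_t -c process
    sesearch -T -s winbind_watchdog_t -t winbind_exec_t -c process
}

# Usage: write_policy /root/mywinbind && install_policy /root/mywinbind
```

Expect the first run to produce a few more AVC denials for whatever else the script touches; feed them through audit2allow and add the resulting rules to the watchdog domain, not to system_cronjob_t. If all that is wanted is the one-line fix from the earlier message, the samba interface `samba_domtrans_winbind(system_cronjob_t)` expresses the same transition as the raw domain_auto_trans without the require block, but it still widens the cron domain.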