Domain transition missing

Dominick Grift domg472 at gmail.com
Sat Jul 4 13:28:58 UTC 2009


On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
> That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in vast scripts. spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus) and on and on. I use Fedora 11, by the way.
> 
> For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
> 
> Sincerely yours,
>   Vadym Chepkov
> 

Looking here:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if line 235 to line 269.

That seems like an interface one might use in your situation:

cron_system_entry(winbind_t, winbind_exec_t)

I admit that using cron with SELinux is not very easy currently.

> --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
> 
> > From: Dominick Grift <domg472 at gmail.com>
> > Subject: Re: Domain transition missing
> > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > Date: Saturday, July 4, 2009, 8:57 AM
> > On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > > I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
> > > 
> > > Sincerely yours,
> > >   Vadym Chepkov
> > > 
> > 
> > If you want the system to run jobs you will need to write some policy or extend the system_cronjob_t domain, I think.
> > 
> > Were those the only AVC denials you got? I would expect more denials.
> > 
> > > --- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:
> > > 
> > > > From: Dominick Grift <domg472 at gmail.com>
> > > > Subject: Re: Domain transition missing
> > > > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > > > Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> > > > Date: Saturday, July 4, 2009, 8:41 AM
> > > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night, and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
> > > > > > 
> > > > > > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > > > > > 
> > > > > > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > > > > > 
> > > > > > Sincerely yours,
> > > > > >   Vadym Chepkov
> > > > > 
> > > > > A domain transition would be:
> > > > > 
> > > > > policy_module(mywinbind, 0.0.1)
> > > > > 
> > > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > > > 
> > > > > Can you show us the full raw avc denial?
> > > > 
> > > > 
> > > > But personally I would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition for the domain in which the script runs to winbind_t.
> > > > 
> > > > Mainly because I wouldn't want to extend/modify system_cronjob_t.
> > > > 
> > > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > > > 
> > > > > > --
> > > > > > fedora-selinux-list mailing list
> > > > > > fedora-selinux-list at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > > > 
> > > > 
> > > > 
> > 
> > 

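Putting Dominick's suggested chain into a loadable module, as an added example that is not code from the thread or from refpolicy itself: the watchdog gets its own domain through the cron_system_entry interface he cites, and the transition to winbind_t is granted to that domain only, leaving system_cronjob_t untouched. The script path in the .fc entry and the set of permission interfaces granted to the script are assumptions about a typical shell-script watchdog.

```selinux
# myscript.te: policy for the winbind watchdog run from the system crontab.
# Added example; domain names follow the chain proposed in the thread.
policy_module(myscript, 0.0.1)

########################################
#
# Declarations
#

type myscript_t;
type myscript_exec_t;
domain_type(myscript_t)
domain_entry_file(myscript_t, myscript_exec_t)

########################################
#
# Local policy
#

# system_cronjob_t -> myscript_exec_t -> myscript_t: the cron.if interface
# cited above; it also adds myscript_t to the system_r role.
cron_system_entry(myscript_t, myscript_exec_t)

# The watchdog is a shell script: let the domain run the shell and the
# usual helper binaries (grep, pidof, ...) without leaving myscript_t.
# Assumed needs; extend from audit.log if the script does more.
corecmd_exec_shell(myscript_t)
corecmd_exec_bin(myscript_t)
files_read_etc_files(myscript_t)
logging_send_syslog_msg(myscript_t)

# myscript_t -> winbind_exec_t -> winbind_t: the transition the original
# post found missing, scoped to this domain instead of system_cronjob_t.
gen_require(`
	type winbind_t, winbind_exec_t;
')
domtrans_pattern(myscript_t, winbind_exec_t, winbind_t)

# Caveat: if the script restarts winbind via 'service winbind restart',
# what it executes is the init script (initrc_exec_t), not winbindd, and
# the transition it needs instead is init_domtrans_script(myscript_t).

# Development aid only: log denials for this domain without enforcing
# them; remove once audit.log shows no new AVCs for myscript_t.
# permissive myscript_t;

# myscript.fc: label the watchdog script as the entry point (path assumed).
/usr/local/sbin/winbind-watchdog	--	gen_context(system_u:object_r:myscript_exec_t,s0)
```

On Fedora the module is built with `make -f /usr/share/selinux/devel/Makefile myscript.pp` (the .fc lines go in a separate myscript.fc file beside the .te) and loaded with `semodule -i myscript.pp`. Run `restorecon -v` on the script path afterwards so it actually carries myscript_exec_t, otherwise the cron job still lands in system_cronjob_t.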


